Privacy Policy

The Barcelona Port Authority (hereinafter APB), as data controller, guarantees an adequate and coherent level of protection for natural persons with respect to their personal data, subject to processing for the development of its powers, in accordance with the requirements of the General Data Protection Regulation (2016/679) and Organic Law 3/2018, of 5 December, on data protection and guarantee of digital rights.

The APB carries out personal data processing with full responsibility and loyally, and in accordance with the legal bases that allow the legality of the processing, in compliance with the General Data Protection Regulation and the Organic Law on the protection of personal data and guarantee of digital rights.

In order to comply with data protection legislation, the APB has prepared and published a Record of Processing Activities and has adopted technical and organisational security measures, appropriate to the risks evaluated and objectively identified for the rights and freedoms of the data subjects, to which the data processed and the treatments carried out by the APB could give rise.

The APB applies the principle of transparency in the processing of personal data, providing data subjects with the information required by the GDPR and the LOPDGDD in a concise, easily accessible, complete manner and in easy-to-understand language; at the same time, the exercise of rights in the Electronic Registry is facilitated through the electronic Office at https://seu.portdebarcelona.gob.es or in person at the SAU General Registry offices located on the Barcelona dock, World Trade Center - East Building, 08039 Barcelona.

On the other hand, the APB has a Data Protection delegate, in accordance with the provisions of Article 37.1.a) of the General Data Protection Regulation (2016/679) and Articles 34 and 36 of Organic Law 3/2018, on personal data protection and guarantee of digital rights. The APB also has a Data Protection Officer, whose email address is protecciodades@portdebarcelona.cat.

Below, more information is disseminated regarding each processing activity under the APB's scope of responsibility, inventoried in the Record of Processing Activities, and whose basic information has been provided in each data collection procedure:

 

1. Data controller

BARCELONA PORT AUTHORITY
Tax Identification Number (CIF). Q-0867012-G
Mailing address. Moll de Barcelona, World Trade Center – East Building
08039 Barcelona
E-mail: protecciodades@portdebarcelona.cat

 

2. Legal bases of the processing

The processing of the personal data of the interested persons, derived from the powers and functions of the APB, is based, for all purposes, on the following legal bases, which are detailed for each processing activity at Record of Processing Activities:

  • General Data Protection Regulation 2016/679
    Article 6.1. b. The processing is necessary for the execution of a contract in which the data subject is a party or for the implementation of pre-contractual measures at his request.
    Article 6.1.c. The processing is necessary for compliance with a legal obligation applicable to the controller.
    Article 6.1.e. The processing is necessary for the fulfilment of a mission carried out in the public interest or in the exercise of public powers vested in the data controller.
    Article 6.1. a. The processing has been carried out by obtaining the consent of the data subject.
  • Organic Law 3/2018 on the protection of personal data and guarantee of digital rights
    Article 8. Data processing due to legal obligation, public interest or exercise of public powers.
    The processing of personal data can only be considered based on compliance with a legal obligation enforceable by the controller, under the terms provided in Article 6.1.c) of Regulation (EU) 2016/679, when so provided by a rule of European Union Law or a rule with the force of law.
    The processing of personal data can only be considered based on the fulfilment of a mission carried out in public interest or in the exercise of public powers conferred on the person in charge, in the terms provided in Article 6.1 e) of Regulation (EU) 2016/679, when it derives from a competence attributed by a norm with the force of law.

 

3. Purposes of the processing

The purposes of the processing of the personal data of the data subjects, which the APB carries out in the exercise of its powers, in accordance with the legal bases that legitimise the processing of personal data by the APB are listed in the Record of Processing Activities.

 

4. Data retention period

The personal data of the data subjects will be kept for the time necessary for the fulfilment of the purposes that justify the processing, in accordance with the exercise of the powers and functions of the APB, and to determine the possible responsibilities derived from these purposes. The deletion of the data will also comply with sectoral regulations that require minimum conservation periods; and subsequently in application of the legislation on administration files.

 

5. Data protection rights and how to exercise them

The data subjects, owners of the data for processing by the APB, have recognised the exercise of data protection rights: right of access to their data, right of rectification of erroneous, inaccurate or incomplete data, and deletion when, among other reasons, the data is no longer necessary for the purposes that had justified the processing.

In certain circumstances, the data subjects may request the limitation of the processing of their data, in this case they will only be kept for the exercise or defence of claims.

Also for reasons related to their particular situation, the data subjects may oppose the processing of their data. In this case, the APB will cease processing this data except for legitimate reasons or for the exercise or defence of possible claims.

Definition of data protection rights

- Right of Access: It consists of the right of the data subjects to contact the data controller and find out if their personal data is being processed or not.
- Right of Rectification: It consists of the right of the data subjects to rectify or complete the data of the data subject that is inaccurate or incomplete.
- Right of Opposition: It consists of the right of the data subjects to oppose the processing of their data, for reasons related to their particular situation.
- Right of Suppression: It consists of the right of the data subjects to request the deletion of their personal data.
- Right to Limitation of Processing: It consists of the right of the data subjects to request the limitation of the processing of their personal data, in accordance with certain conditions related to the interests of the data subjects
- Right of Portability: It consists of the right of the data subjects to receive their personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller without being prevented by the controller to whom they were received, when the processing is based on consent or a contract and is carried out by automated means. This right of portability will not apply to the processing that is necessary for the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller.
- Right not to be subject to automated individual decisions or profiles: It consists of the right of the data subjects not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on them or significantly affects them in a similar way, including certain situations of non-application.

To exercise these rights, the data subject may do so through the Electronic Registry through the electronic Office at https://seu.portdebarcelona.gob.es or in person at the offices of the SAU General Registry located on the Barcelona dock, World Trade Center – East Building, 08039 Barcelona.

Furthermore, if you are not satisfied with the response to the request to exercise your rights, and in any case, whenever you consider it appropriate, you may file a claim with the Spanish Agency for Data Protection through its electronic office https://sedeagpd.gob.es/sede-electronica-web/.

 

6. Recipients of the data

The identification of recipients of the data appears in the Record of Processing Activities that the APB has made public. In any case, other competent public administrations in the matter may also be recipients of personal data, when appropriate, the assignment being based on a legitimate legal basis, in accordance with Article 6 of the GDPR and Article 8 of the LOPDGDD.

 

7. International data transfers

International data transfers are not foreseen.

 

8. Origin of personal data

Personal data processed by the APB, in compliance with a mission carried out in the public interest, in the exercise of public powers vested in the data controller, or in compliance with a legal obligation or in execution of a contract, that come directly from the data subjects or their representatives.

In the event that the data does not come directly from the data subjects, for example if they come from other public administrations, compliance will be given in Article 14 of the GDPR referring to the additional information that will have to be provided to the data subject when the personal data has not been obtained from it, which specifically includes the obligation to inform about the origin of the data and about the categories of personal data for processing.

Furthermore, with respect to the right of citizens not to provide documents that are already in the possession of the acting administration or that have been prepared by any other administration, the provisions of the current wording of Article 28.2 of the Administrative Procedure Law will apply, in accordance with the twelfth final provision of Organic Law 3/2018, on the protection of personal data and guarantee of digital rights and the eighth additional provision of the same law, on the power of verification of the public administrations of the same law.