Privacy Policy and Data Processing
1.- RIGHT TO INFORMATION
In accordance with the provisions of Article 11 of Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights (hereinafter LOPDGDD) and Article 13 of the General Data Protection Regulation 2016/679 (GDPR), we describe how personal data is processed at the Diocesan Delegation of the Maritime Apostolate-Stella Maris.
1.2.- Definitions
The following terms are understood as:
- Personal data: any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one whose identity can be determined, directly or indirectly, by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- Processing: any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Profiling: any form of automated processing of personal data consisting of using such data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
- File: any structured set of personal data accessible according to specific criteria, whether centralized, decentralized, or distributed functionally or geographically.
- Data controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor: the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
- Recipient: the natural or legal person, public authority, agency, or another body, to which personal data is disclosed, whether a third party or not. However, public authorities that may receive personal data in the context of a particular inquiry shall not be regarded as recipients.
- Third party: a natural or legal person, public authority, agency, or body other than the data subject, the data controller, the data processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- Consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
- Supervisory authority: an independent public authority established by a Member State pursuant to Article 51 of the GDPR.
- Cross-border processing:
  - Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the European Union where the controller or processor is established in more than one Member State; or
  - Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
1.3.- Who decides on the use of the data and the means to be used for processing?
The data controller is the Diocesan Delegation of the Maritime Apostolate
Tax ID: R5800072J
Address: Paseo Josep Carner nº 51, Sants-Montjuïc, 08038 Barcelona
Telephone: +34 93 443 19 65
Email: residencia@stellamarisbarcelona.org
1.4.- Who ensures that all regulations governing data processing are correctly applied at the Diocesan Delegation of the Maritime Apostolate?
The Data Protection Officer is CIPDI Tratamiento de la información SL, located at Mataró, c/Sant Agustí n. 1 1º 1ª, dpd@cipdi.com.
1.5.- What purposes will your data be used for, what is the legal basis for this data processing, and how long will it be retained?
Purpose | Legal Basis | Retention |
---|---|---|
Provision of the services you request | Contractual relationship | 10 years |
Sending information about activities via email or postal mail | Contractual relationship and consent | Until consent is withdrawn |
Request for information | Consent | 1 year |
Management of donations | Contractual relationship and legal obligation | 10 years |
Management of labor personnel | Contractual relationship and legal obligation | 5 years |
Management of suppliers | Contractual relationship and legal obligation | 5 years |
Compliance with legal and contractual obligations | Contractual relationship and legal obligation | 5 years |
Management of images | Consent and Art. 8 LO 1/1982 | Until consent is withdrawn |
Video surveillance | Legitimate interest. Ensuring security | Maximum 30 days from capture |
1.6.- Do we process your images?
The delegation documents the public events it organizes with photographs and videos in order to disseminate them through public information channels, such as its own website, social media platforms where the data controller has a profile, its own publications, or the press. You can obtain more information about this section by consulting the data controller’s website or contacting its DPO.
1.7.- Who may access and know the content of your data?
To fulfill the aforementioned purposes, the following persons and entities may have access to personal data. Their access will be limited to the data necessary to carry out the delegation’s functions. Confidentiality agreements and/or specific contracts regulating access to information, security measures, and the use of data have been signed with all recipient entities and persons. The following may have access to the data:
- The Archdiocese of Barcelona, for services or activities shared with the delegation.
- Personnel duly authorized by the data controller.
- Suppliers necessary to provide the services you request or to comply with legal and contractual obligations.
- Public administration within the scope of its competencies.
- Social media platforms, provided you have previously consented to the dissemination of your identifying data.
You can obtain further information by consulting the Data Protection Officer.
1.8.- Are cross-border data transfers carried out?
The delegation uses the following programs, which may involve the transfer of data outside the Schengen area:
- Microsoft. For more information, you can click: https://privacy.microsoft.com/en-us/privacystatement
- Social media platforms listed on our website.
In these cases, data transfers are made to countries deemed adequate, as they have an adequacy decision from the European Commission, or in compliance with the guarantees required by the GDPR, such as having standard data protection clauses approved by the European Commission. All information regarding the rights of users who have authorized digitized processing can be found in the legal notices of the websites hosting the programs and applications. Since access is open, we consider the content of these notices to be reproduced. Given the extent of the published policies, you may request a copy by contacting the data controller or the Data Protection Officer at the addresses listed in section 1.3 of this document.
1.9.- What rights do data subjects and data owners have?
Right of access. Regulated in Article 15 of GDPR 2016/679 of April 27, 2016. It consists of requesting from the data controller, free of charge, all information held about one’s personal data and any communications that have been made or are planned to be made.
Right to rectification. Regulated in Article 16 of the GDPR. It consists of requesting the data controller to modify the content of the information about the individual and their data, following the instructions of the data owner.
Right to erasure. Regulated in Article 17 of GDPR 2016/679. It consists of requesting the data controller to delete any information about the data owner. Erasure involves blocking all data and keeping it available to public administrations for the period stipulated until the right to take legal action expires.
Right to restriction of processing. Regulated in Article 18 of GDPR 2016/679 of April 27, 2016. It consists of requesting the data controller to restrict the processing of their data when one of the following conditions is met:
- The personal data is not accurate;
- The processing is unlawful;
- The data controller no longer needs to process the data;
- When the reasons for ceasing to process the data provided by the data subject outweigh those of the data controller.
Right to data portability. Regulated in Article 20 of GDPR 2016/679 of April 27, 2016. It consists of requesting the data controller to provide the data subject’s personal data in a structured, commonly used, and machine-readable format, to transmit it to another data controller when the processing is carried out by automated means and is based on explicit consent.
Right to object. Regulated in Article 21 of GDPR 2016/679 of April 27, 2016. It consists of requesting the data controller to process the data following specific instructions provided by the data owner.
Right to withdraw consent. Regulated in Article 13.2.c) of GDPR 2016/679 of April 27, 2016. It is an instruction given by the data owner to the data controller notifying them that they withdraw the consent previously given for the processing of their data.
Right not to be subject to automated individual decision-making. It is a request to the data controller that all decisions with legal effects are not made exclusively by automated means.
To exercise the above rights, you may contact the data controller in writing at the addresses provided, or send an email to dpd@cipdi.com with the subject “DATA PROTECTION”, attaching a photocopy of your ID, NIE, or passport to the email.
1.10.- How can a complaint be filed?
If you believe your rights have been violated, the competent body to address the correct application of data processing regulations is the Spanish Data Protection Agency, located at Calle Jorge Juan n. 6, Madrid.
1.11.- What obligations do I have as a data subject?
The data subject must provide accurate and up-to-date information in all data collection processes, being responsible for any breach of this obligation. Depending on the request made by the data subject, mandatory data is already marked in the collection forms. Failure to provide mandatory data may prejudice the right to participate in the activity or prevent the provision of the requested service.
1.12.- Can the delegation create profiles?
To provide more personalized, careful, and effective attention to the user, it is sometimes necessary to create profiles of the recipients of the services. Profiles are not created without the direct intervention of a natural person.
2.- USER CONSENT
It is understood that the user accepts the proposed conditions by clicking the ‘ACCEPT’ button found in the data collection forms or by sending a message via email to the contact addresses listed on the website. Personal data is stored in the general administrative database of the data controller, which, in any case, guarantees the technical and organizational measures to preserve the integrity and security of the processed information.
3.- SECURITY
The general database is equipped with the required security document and has all technical means at its disposal to prevent the loss, misuse, alteration, unauthorized access, or theft of the data you provide. The processing of personal data complies with the provisions of Organic Law 3/2018 on personal data protection and guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016.
4.- USE OF IP ADDRESSES
To facilitate the search for resources we believe are of interest to you, you may find links to other websites on this site. This privacy policy applies only to this website. The data controller does not guarantee compliance with these regulations on other websites, nor is it responsible for accesses made through links from this site.