Data Protection
This is the data protection policy of the Organisme Autònom de Salut Pública de la Diputació de Girona (Girona Provincial Council Public Health Agency). It refers to the data of natural persons with whom it interacts in the exercise of its powers and functions. Given the functions of the Organisme Autònom de Salut Pública de la Diputació de Girona, some processing activities are the result of providing services to other public administrations, in some cases by delegation. Processing is carried out in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016) and the state regulations on this matter.
Who is the data controller for the personal data?
The data controller for the personal data is the Organisme Autònom de Salut Pública de la Diputació de Girona (hereinafter, Dipsalut), with CIF (Tax ID) Q1700565C and registered address at carrer Pic de Peguera, 15 (Parc Científic i Tecnològic de la Universitat de Girona – Edifici Jaume Casademont), La Creueta (CP 17003), email address info@dipsalut.cat, (https://www.dipsalut.cat). In the case of processing carried out on behalf of public bodies, Dipsalut processes the data as a data processor, with the delegating body being the Data Controller.
On what criteria do we process personal data?
In processing data, we fully adhere to the principles of the General Data Protection Regulation.
We process them lawfully (only when we have a legal basis that allows it) and with transparency towards the data subject.
We use them for the specific, explicit, and legitimate purposes that we explain at the time of collection. We do not subsequently process them in a manner incompatible with those purposes.
We process only the data that is adequate, relevant, and limited to what is necessary for each case and purpose.
We strive to keep the data up to date.
We retain them for the necessary period, complying with the regulations governing the conservation of public information.
We apply appropriate technical or organizational measures to prevent unauthorized or unlawful processing, or its loss, destruction, or accidental damage.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) is the person who supervises compliance with Dipsalut’s data protection policy, ensuring that personal data is processed appropriately and that individuals’ rights are protected. Their functions include addressing any questions, suggestions, complaints, or claims from the individuals whose data is processed. You can contact the Data Protection Officer by writing to Dipsalut or by sending an email to dpd@dipsalut.cat.
For what purpose do we process the data and to whom do we communicate it?
Dipsalut processes data to exercise its powers and functions. Dipsalut’s services are described on its website and its electronic office. A complete description of the processing activities and the purposes for which the data is intended can be found in the Register of Processing Activities.
Administrative procedures and formalities
Based on the requests of interested parties, we use their data to follow the specific processing for each formality. Consult the catalogue of services and the procedure that is followed. Depending on the procedure, the data may be communicated to other competent administrations in the matter. In some cases, they must be published in compliance with the principle of transparency.
Services
For the provision of certain services, we process the data of the beneficiaries or data we have obtained from other administrations. Offering these services often involves monitoring them and obtaining new data from the users. Consult the catalogue of services. As a general criterion, data is not communicated to other persons without the explicit consent of the service user.
Training activities
When organizing training activities, we receive data from the individuals who register, in order to organize the activity. As a general criterion, the data is communicated to the local entities where the registered person works. It is not communicated to other persons without the explicit consent of the person participating in the activity.
Contact
We handle inquiries from people who use the contact forms on our website. The data is used solely for this purpose and is not communicated to other persons.
Staff selection
We receive curricula vitae and convene staff selection processes. The data provided by the interested persons allow us to evaluate merits and analyze the suitability of the candidates’ profiles based on vacant or newly created positions. It is not communicated to other persons.
Sending information
With the explicit authorization of each person, we use the contact data they have provided to inform them of our initiatives, services, or activities. We do this through different channels depending on how each person has authorized it. It is not communicated to other persons without their consent.
Management of our suppliers’ data
We register and process the data of suppliers from whom we obtain services or goods. This may be data from individuals acting as self-employed professionals and also data from representatives of legal entities. We obtain the essential data to maintain the commercial relationship and use it solely for this purpose. In compliance with legal obligations (tax regulations), we communicate data to the tax administration.
Video surveillance
When accessing our facilities, the existence of video surveillance cameras is informed, where applicable, through approved signage. The cameras record images only of those points where it is justified to ensure the security of goods and people. The images are used solely for this purpose. In justified cases, we communicate the data to security forces or competent judicial bodies.
What is the legal basis for data processing?
The data processing we carry out has different legal bases, depending on the nature of each processing activity.
Compliance with legal obligations
The processing of data in the context of administrative procedures is carried out following the rules governing each procedure. It is carried out in compliance with legal obligations.
Performance of a task carried out in the public interest
The processing resulting from the provision of our services is justified by satisfying the public interest. The images we obtain with video surveillance cameras are also processed to preserve the public interest.
Performance of a contractual or pre-contractual relationship
We process our suppliers’ data following the public sector procurement regulations, to the degree and extent necessary for the development of the contractual relationship. In another sense, but also within the framework of contractual or pre-contractual relationships, we process data of people participating in selection processes or joining our institution.
Based on consent
When we send information about our initiatives, services, or activities, we process the contact data of the recipients with their explicit authorization or consent.
How long do we keep the data?
The retention period for data is determined by various factors, primarily whether the data is still necessary for the purposes for which it was collected in each case. Secondly, data is retained to address potential liabilities for data processing by Dipsalut, and to meet any requirements from other public administrations or judicial bodies. Consequently, data must be retained for the time necessary to preserve its legal or informational value or to prove compliance with legal obligations, but not for a period longer than necessary for the purposes of the processing.
In certain cases, such as data in accounting and billing documentation, tax regulations require it to be kept until liabilities in this area prescribe. In the case of data processed exclusively based on the consent of the data subject, it is kept until that person revokes said consent. Finally, in the case of images obtained by video surveillance cameras, they are kept for a maximum of one month, although in the event of incidents that justify it, they are kept for the time necessary to facilitate the actions of security forces or judicial bodies. The regulations governing the conservation of public documentation, and the opinions of the National Commission for Access, Evaluation and Document Selection (Comissió Nacional d’Accés, Avaluació i Tria Documental) are a reference and determine the criteria we follow in the conservation or deletion of data.
What rights do individuals have regarding the data we process?
As provided for in the General Data Protection Regulation, the individuals whose data we process have the following rights:
To know if their data is being processed
Everyone has, first and foremost, the right to know if we are processing their data, regardless of whether there has been a prior relationship.
To be informed at collection
When personal data is obtained from the data subject, at the time of providing it, they must have clear information about the purposes for which it will be used, who the data controller will be, and the main aspects arising from this processing.
To access their data
A very broad right that includes knowing precisely what personal data is being processed, the purpose for which it is processed, any communications to other persons that will be made (if applicable), or the right to obtain a copy or to know the planned retention period.
To request rectification
This is the right to have inaccurate data that we process corrected.
To request erasure
In certain circumstances, there is a right to request the erasure of data when, among other reasons, it is no longer necessary for the purposes for which it was collected and which justified its processing.
To request the restriction of processing
Also in certain circumstances, the right to request the restriction of data processing is recognized. In this case, the data will cease to be processed and will only be kept for the exercise or defense of claims, in accordance with the General Data Protection Regulation.
To data portability
In the cases provided for in the regulations, the right is recognized to obtain one’s own personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller if the data subject so decides.
To object to processing
An individual may adduce reasons related to their particular situation, which will require that their data cease to be processed to the degree or extent that it may cause them harm, except for legitimate reasons or the exercise or defense against claims.
To not receive information
We immediately attend to requests to stop receiving information about our activities and services, when such mailings were based solely on the consent of the recipient.
How can rights be exercised or defended?
The rights listed above can be exercised by sending a request to Dipsalut at the postal address or other contact details indicated in the heading. If a satisfactory response has not been obtained in the exercise of rights, it is possible to file a complaint with the Catalan Data Protection Authority (Autoritat Catalana de Protecció de Dades), through the forms or other channels accessible from its website: (https://apdcat.gencat.cat/). In all cases, whether to file complaints, request clarifications, or send suggestions, it is possible to contact the Data Protection Officer via email at dpd@dipsalut.cat.
DATA PROTECTION
Exercise of the right to restriction of processing
Exercise of the right of access
Exercise of the right to object
Exercise of the right to rectification
Exercise of the right to erasure