Data protection

With this notice of data protection, the Statistical Institute of Catalonia (Idescat) wants to offer agile and rapid access to the main sources of information about data processing that is being carried out and the rights that data subject have and can use to have effective control over their personal data.

2. Controller

The controller data processing is the Statistical Institute of Catalonia, whose address is Via Laietana 58, 08003 Barcelona.

• Switchboard telephone: +34 935 573 000
• NIF: Q5850015H
• sasg at idescat dot cat

3. Protection and processing of personal data

In order to carry out its activities, Idescat needs to process personal data. These data are processed in accordance with EU Regulation number 2016/679 of the European Parliament and of the Council, dated 27 April 2016, related with the protection of the personal data of natural persons and the free flow of these data, which repeals Directive 95/46/CE (General Data Protection Regulation, GDPR) and the Organic Law 3/2018, of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Idescat ensures the protection of the personal data it processes, whether they have been provided by the data subject or gathered from other sources, and implements the measures required to keep them secure. Personal data are not transferred unless authorised by law.

The data which Idescat processes in order to perform its statistical activities are also protected by statistical confidentiality safeguards pursuant to Law 23/1998, of 30 December, on statistics in Catalonia (LEC).

4. List of processing activities

This section provides information about the data processing carried out by Idescat.

Register of Processing Activities

Latest review: June 2024

• Administrative activities
• Statistical activities

5. Rights of individuals (informational self-determination rights)

Right of access

The data subject has the right to know whether the controller is processing their data and, if so, the right to access this data and obtain the following information:

• The purpose of the processing, the categories of personal data being processed or the addressees and categories of the addressees to whom the data has been or will be disclosed.
• The period for maintaining the personal data or the criteria used to determine this.
• The right to request rectification or elimination of the data by the controller for processing, restricting the processing or the right of opposition.
• The right to present a complaint before the monitoring authority.
• The source of the data, not obtained from the data subject.
• The existence of automated decision, including the creation of profiles, applied logic and the consequences of this process.
• If the data is transferred internationally, the suitable guarantees that have been offered.

The data subject has the right to obtain a free copy of the data that is the object of processing. A canon can be arranged for later copies in accordance with the administrative costs. If requested by electronic means, the data subject has the right to receive information in the same format.

Restriction on the right to receive copies: if this infringes the rights of third parties.

Right to rectification

This is linked to the inaccurate or incomplete nature of the data.

The data subject has the right to correct any inaccurate personal data and to complete any that are incomplete, through an additional declaration if appropriate.

The controller must inform each of the addressees to whom the data has been sent of the rectification made, unless this is impossible or requires disproportionate effort. If the data subject requests it, the controller must identify the addressees.

Right of erasure (or right to be forgotten)

The GDPR includes the right to be forgotten as a right linked to the erasure of data.

The data subject has the right to demand the erasure of their personal data (right to be forgotten) when:

• The data is no longer necessary for the purpose for which it was collected.
• The consent on which processing was based has been revoked.
• The data subject is opposed to the processing.
• The data has been processed illicitly.
• The data must be erased to comply with a legal obligation.

When the controller has made the personal data public and they must be erased, reasonable measures must be taken to inform the other controllers for processing the data of this.

The controller must inform each of the addressees of the erasure, unless this is impossible or requires disproportionate effort. If the data subject requests it, the controller must identify the addressees.

Exceptions to the exercise of the right of erasure:

• The exercise of this right of freedom of expression and information
• Compliance with a legal obligation
• The existence of reasons of public interest, scientific or historical research or statistical purposes for keeping the files
• The drafting, exercise or defence of complaints

Right to object

The data subject has the right to object the processing of their personal data when:

• The processing is based on public interest or the exercise of public authority conferred on the controller, or a legitimate interest pursued by this controller or a third party. In this case, the object must be grounded on reasons related with their personal situation.
• The controller for processing must refrain from processing them, unless they can prove a legitimate interest that prevails over those of the data subject or it is necessary to exercise or defend claims.
• The purpose of processing is direct marketing, including the preparation of profiles related with this marketing.
• Processing has statistical motives or scientific or historical research and a reason related with their personal situation is invoked.

Right to restriction of processing

The data subject has the right for their personal data to be marked in order to restrict processing in the future. The restriction of processing implies that the personal data of the data subject can stop being processed on request.

This should not be confused with the blocking of data stipulated in Organic Law 15/1999 of 13 December on personal data protection (LOPD).

The restriction can be requested when:

• The data subject has exercised their right to rectification or object and until the controller decides whether to accept the request.
• Processing is illicit, which would result in erasure of the data, but the data subject does not want to erase them.
• The data is not needed for processing, which would result in erasure of the data, but the data subject does not want to erase them because they are needed to make, exercise or defend claims.

While the restriction lasts, the controller can only process the data affected, besides preserving them, in the following cases:

• With the consent of the data subject
• To make, exercise or defend claims
• To protect the rights of another natural or legal person
• For public interest, of the European Union or the corresponding member state

The controller must inform each of the addressees to whom the data has been sent of the restriction, unless this is impossible or requires disproportionate effort. If the data subject requests it, the controller must identify the addressees.

Right to data portability

The data subject has the right to receive their personal data provided by a controller for processing in a structured, commonly used, machine-readable format to transfer it to another controller, if the following requirements are met:

• Processing is based on consent or a contract.
• Processing is done through automated means.

On the other hand, this right cannot be exercised when processing is grounded on compliance with a purpose of interest public or inherent to the exercise of public authority.

How to exercise your rights

You can access your data, rectify or erase them, oppose processing and request the restriction of processing or portability by sending your request to the postal address of Idescat (Via Laietana, 58, 08003 Barcelona) or online using the general request form available at Procedures gencat.

Submitting the request by digital means requires possession of an electronic certificate or the idCat Mòbil alternative system of identification. You must clearly state which right or rights you wish to exercise in your request.

Data protection legislation specifies that requests to exercise these rights may be denied when the data are covered by the statistical confidentiality safeguards laid down in statistics legislation (article 25.3 LOPDGDD).

Idescat will inform you of the actions arising from your request within one month that, in the case of particularly complex requests, can be extended for two more months (therefore to a maximum of three months). In the latter case, the extension of the period will be notified in the first month.

If you consider that we have not offered a suitable response to your request, you can make a complaint to the Catalan Data Protection Authority or take legal action.