PRIVACY POLICY AND PROCESSING OF INFORMATION 

1. RIGHT TO INFORMATION
1. RIGHT TO INFORMATION
In application of the provisions of article 11 of Organic Law 3/2018, of 5 December, on Protection of Personal Data and guarantee of digital rights (hereafter PPDGDR) and article 13 of the General Data Protection Regulation 2016/679 (GDPR), the following describes how personal data are processed at the Museu d’Art Contemporani de Barcelona MACBA.  
1.2.- Definitions Meaning of terms: 
  • 01
    Personal data: any information about an identified or identifiable person (the interested party). An identifiable person is any person whose identity can be determined, directly or indirectly, using an identifier, such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.
  • 02
    Processing: any operation or set of operations carried out on personal data or a set of personal data by automated or non-automated procedures, such as collection, registration, organisation, structuring, conservation, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, confrontation or interconnection, limitation, deletion or destruction.
  • 03
    Profiling: any form of automated processing of personal data consisting of using these data to evaluate personal aspects of a person; in particular, to analyse or predict aspects relating to that person’s professional performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • 04
    Pseudonymisation: processing of personal data in a way that such data cannot be attributed to an interested party without using additional information, provided that this information is separated and subject to technical and organisational measures aimed at ensuring that the personal information is not attributed to an identified or identifiable person.
  • 05
    File: a structured set of personal data accessible following certain criteria, be it centralised, decentralised or distributed functionally or geographically. 
  • 06
    Responsibility for the processing: the physical or legal person, public authority, service or any other body that, alone or acting with others, decides the purpose of the processing.
  • 07
    Person in charge of the processing: the physical or legal person, public authority, service or any other body that processes personal data on behalf of the person responsible for the processing.
  • 08
    Recipient: the person to whom personal data are communicated, whether a third party or not. However, public authorities that may receive personal data relating to a specific investigation should not be considered as recipients.
  • 09
    Third party: physical or legal person, public authority, service or body other than the interested party, the person responsible for the processing, the person in charge of the processing and the persons authorised to process personal data under the direct authority of the person responsible or the person in charge. 
  • 10
    Consent of the interested party: any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, through a statement or a clear affirmative action, the processing of personal data affecting the interested party.
  • 11
    Control authority: the independent public authority established by a member state, in accordance with the provisions of article 51 of the GDPR.
  • 12
    Cross-border processing: 

    a) The processing of personal data carried out in the context of the activities of establishments in more than one member state of a person responsible or in charge of the processing in the European Union, if the person responsible or in charge is established in more than one member state, or 

    b) The processing of personal data carried out in the context of the activities of a single establishment of a person responsible or in charge of the processing in the European Union, but which affects or may substantially affect interested parties in more than one member state. 
1.3. Who decides on the use that will be made of the data and the means that will be used to carry out the processing? The responsible for the use of the data is Museu d’Art Contemporani de Barcelona (MACBA)
  • NIF: ESQ5856181B 
  • Address: Plaça dels Àngels núm. 1, Ciutat Vella, 08001 Barcelona
  • Telephone: 93 412 08 10 
  • Email: macba@macba.cat  
1.4. Who ensures that all the rules governing the processing of information at MACBA are correctly applied? The data protection delegate is CIPDI Tratamiento de la información SL, whose registered address is Mataró, c/Sant Agustí n. 1 1º 1ª, dpd@cipdi.com
1.5. To what purpose will we use your data, what is the legal basis for this data processing and how long will we keep it?

PURPOSE

LEGAL BASIS

CONSERVATION

Provision of the services you request from us 

Contractual relationship 

10 years 

Sending activity information by email or post 

Contractual relationship and consent 

Until consent is revoked 

Information request 

Consent 

1 year 

Donation management 

Contractual relationship and legal obligation. 

10 years 

People management 

Contractual relationship and legal obligation. 

5 years 

Supplier management 

Contractual relationship and legal obligation. 

5 years 

Attention to legal and contractual obligations 

Contractual relationship and legal obligation. 

5 years 

Image management 

Consent and art. 8 LO 1/1982 

Until consent is revoked 

Library management 

Consent and contractual relationship 

Until consent is revoked 

Video surveillance  

Legitimate interest. Security maintenance 

Maximum 30 days from its capture 

1.6. Do we process your images? The person responsible for the processing documents the public events that they organise using photographs and videos with the purpose of disseminating them on their website or other spaces for public dissemination of information such as: the website itself, the social networks where the person responsible for the processing has a created profile and own publications, or in the press. You can obtain more information about this section by consulting the website of the person responsible for the processing or by contacting their Data Protection Officer (DPO).  
1.7. Who will be able to access and read the content of your data? To comply with the above purposes, the persons and entities listed below may have access to personal data. Their access will be limited to the data needed to carry out the functions of the person responsible for the processing. Confidentiality agreements and/or specific agreements have been signed with all recipient entities and individuals in order to regulate access to information, security measures and the use that can be made of the data.

Those who may have access to the data are: 
  • 01
    Personnel duly authorised by the person responsible for the processing. 
  • 02
    The suppliers needed to comply with the services you request or to comply with legal and contractual obligations
  • 03
    The public administration within the remit of its powers. 
  • 04
    Social networks, provided you have previously consented to the dissemination of your identifying data. 
You can expand this information by consulting the DPO. 
1.8. Does cross-border data processing take place? The person responsible for the processing uses the following programs, which may involve the transfer of data outside the Schengen area:   In these cases, the transfer of data is carried out to countries considered suitable by the European Commission; or in accordance with the guarantees required by the GDPR, such as having standard data protection clauses approved by the European Commission.   All information on the rights of users who have allowed digitised processing can be found in the legal notices on the websites containing the software and applications. Since access is free, we assume that the entire content of said notices has been reproduced. Given the extent of the contents of the published policies, you can request a copy by contacting the person responsible for the processing or the data protection representative, at the addresses listed in section 1.3 of this section. 
1.9. What rights do interested parties and data owners have? Right of access As regulated in article 15 of the GDPR 2016/679 of 27 April 2016. This addresses requests made to the person responsible for the processing to obtain free of charge all the information they have about requestee’s own personal data and past or future communications.   Right of rectification As regulated in article 16 of the GDPR. This addresses requests made to the person responsible for the processing to change the content of the information about you and your data, following instructions from the owner of the information.   Right of deletion As regulated in article 17 of GDPR 2016/679. This addresses requests made to the person responsible for the processing to delete any information about the data owner. Deletion involves blocking all the data and keeping them at the disposal of the public administrations during the period provided for the right to take legal action. Right to limit processing As regulated in article 18 of GDPR 2016/679 of 27 April 2016. This addresses requests made to the person responsible for the processing to limit the processing of your data when any of the following conditions are met: 
  • 01
    The personal data are not accurate. 
  • 02
    The processing is unlawful.
  • 03
    The person responsible for the processing no longer needs to process the data. 
  • 04
    When the reasons for ceasing to process the data alleged by the affected person prevail over those of the person responsible for the processing.
Right to information portability As regulated in article 20 of the GDPR 2016/679 of 27 April 2016. This addresses requests made to the the person responsible for the processing to provide the personal data of the information holder in a structured, commonly used and machine-readable format, in order to transmit them to another person responsible for the processing when the processing is done with automated means and is based on express consent.  Right of opposition As regulated in article 21 of the GDPR 2016/679 of 27 April 2016. This addresses requests made to the person responsible for the processing to process the data following certain instructions given by the owner of the personal information. Right to revoke consent As regulated in article 13.2.c) of GDPR 2016/679 of 27 April 2016. This addresses a request made by the owner of the data to the person responsible for the processing, notifying them that they withdraw the consent they gave to process their data.  Rights not to be subject to automated individual decisions This addresses a request to the person responsible for the processing that all decisions that have legal effects are not made exclusively by machines.  

To exercise the above rights, you can write to the registered address of the person responsible for the processing, or send an email to dpd@macba.cat with the text ‘DATA PROTECTION’ in the subject box and attaching a photocopy of your DNI, NIE or passport to this email. 
1.10. How can a claim be made? You can contact the internal compliance officer by sending an email to dpd@macba.cat If you consider that your rights have been violated, the body competent to know the correct application of the rules on information processing is the Catalan Data Protection Authority, located at Carrer Rosselló nº 214, Esc. A, 1r 1a, 08008 Barcelona. 
1.11.-What obligations do I have as an interested party? The affected person must provide truthful and updated information in all data collection processes, taking due care and responsibility for non-violation of this obligation. 

Depending on the request made by the person concerned, the mandatory data are already marked on the collection forms. If the mandatory data are not provided, the right to participate in the activity could be affected or the service requested may not be provided. 
1.12. Can the person responsible for the processing create profiles? In order to achieve more personalised, accurate and effective user attention, it is sometimes necessary to create the profiles of the recipients of the services. Profiles are not drawn up without the direct intervention of a physical person.
2. USER CONSENT
2. USER CONSENT
It is understood that the user accepts the proposed conditions if they press the ‘ACCEPT’ button found on the data collection forms, or if they send a message by email to the contact addresses listed on the website. 

Personal data are stored in the general administration database of the person responsible for the processing, who, in any case, guarantees the technical and organisational measures to preserve the integrity and security of the information they deal with. 
3. SECURITY
3. SECURITY
The general database is equipped with the mandatory security document and has all the technical means at its disposal to prevent the loss, misuse, alteration, unauthorised access or theft of the data provided to us. The processing of personal data is regulated by the provisions of Organic Law 3/2018 on data protection and guarantee of digital rights and Regulation (EU) 2016/679 of the European Parliament and Council, of 27 April 2016. 
4. USE OF IP ADDRESSES
4. USE OF IP ADDRESSES
To facilitate the search for resources that we think are of interest to you, you can find links to other pages on this website. 

This privacy policy only applies to this website. The person responsible for the processing does not guarantee compliance with these rules on other websites, nor are they responsible for access through links from this site.