Data protection

IAAC Data Protection Policy

The Institutd’ArquitecturaAvançada de Catalunya FundacióPrivada (IAAC) is committed to safeguarding the rights and freedoms of individuals concerning the processing of their personal data. This commitment extends to information on students, academic staff, administrative and service staff, graduates, suppliers, clients, and other associated individuals, ensuring that all data handling complies with applicable laws.

Personal Data Processing

Personal data processing at IAAC is conducted with the consent of data subjects for various purposes, including:

Fulfilling contracts and agreements
Protecting the vital interests of data subjects or others
Complying with legal obligations
Exercising IAAC’s competences and powers as a public institution
Advancing IAAC’s legitimate interests or those of third parties
Disclosure of Personal Data

Personal data are disclosed to third parties only when permitted or required by law. IAAC ensures that only the data necessary for specific, explicit, and legitimate purposes are processed. The institution employs various technical and administrative measures to protect personal data, especially for those using its website.

Website and Data Protection

The IAAC website provides up-to-date information on data protection laws and the institution’s regulations, procedures, and standard forms in this area. Browsing the IAAC website does not necessarily result in the collection of personal data. However, IAAC may place cookies on devices used to access the website in accordance with its cookies policy. Cookies are used solely to facilitate and personalize browsing. Data generated during website browsing are processed strictly for technical purposes by staff bound by confidentiality obligations.

By adhering to these practices, IAAC ensures the protection of personal data in compliance with legal standards and best practices.

Data Protection Officer

In compliance with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (Europe’s General Data Protection Regulation, GDPR), IAAC has designated a Data Protection Officer (DPO).

Duties of the Data Protection Officer

The primary responsibilities of the DPO include:

Informing and Advising:

Educate the controller or the processor, along with all IAAC staff and employees involved in data processing, about their obligations under the GDPR and other data protection regulations.

Monitoring Compliance:

Ensure adherence to the GDPR, other data protection laws, and IAAC’s internal data protection policies. This includes assigning responsibilities, raising awareness, providing training to staff engaged in processing operations, and conducting audits.

Advising on Data Protection Impact Assessments:

Offer advice on data protection impact assessments (DPIAs) and oversee their implementation as per Article 35 of the GDPR.

Cooperating with the Supervisory Authority:

Collaborate with the Autoritat Catalana de Protecció de Dades.

Acting as Contact Point:

Serve as the contact point for the supervisory authority on processing-related issues, including prior consultations referred to in Article 36, and provide consultation on other relevant matters.

Involvement and Resources

IAAC, as either a controller or processor, ensures that the DPO is involved in all issues related to personal data protection promptly and appropriately. IAAC provides the DPO with the necessary resources to fulfill their duties and access to personal data and processing operations.

Contacting the Data Protection Officer

It is essential to contact the DPO ([email protected]) when initiating a new project, designing new software, or making a purchase or proposal involving personal data processing (whether electronic or paper-based). This ensures compliance with the formalities and documentation required under the GDPR and other data protection regulations.

The Data Protection Officer is available to answer any queries regarding data protection.

DPO Contact Information:

Juan Lattanzio Caro

C/Pujades 102, 08005 Barcelona

(+34) 935994949

[email protected]

Key Concepts

Introduction

Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), came into force on 25 May 2018, replacing Directive 95/46/EC. Additionally, Organic Law 3/2018, of 5 December, on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) took effect on 7 December 2018.

In compliance with the GDPR, the following key concepts are essential for understanding data protection as it pertains to the IAAC’s operations:

Key Concepts

Personal Data: Any information related to an identified or identifiable natural person.

Special Categories of Personal Data: Personal data that reveal sensitive information requiring additional protection, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

Biometric Data: Personal data resulting from specific technical processing related to physical, physiological, or behavioral characteristics of a natural person, such as facial images or fingerprint data, which allow for unique identification.

Data Subject: The natural person to whom the personal data pertains.

Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

Data Transfer: The disclosure of personal data to any person other than the data subject.

International Data Transfer: Any transfer of personal data to recipients outside the European Union.

Profiling: Any form of automated processing of personal data intended to evaluate, analyze, or predict aspects concerning a natural person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Filing System: Any structured set of personal data accessible according to specific criteria.

Controller: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. At IAAC, the controller role is assigned to heads of areas, services, offices, or administrative units that manage filing systems centrally. For research projects, the principal investigator (PI) usually acts as the controller.

Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Processors at IAAC include companies or individuals contracted to provide services or supplies that require access to personal data.

Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data. Consent must be provided through a clear affirmative action and cannot be implied by silence. For special categories of personal data, consent must be explicit.

Personal Data Breach: Any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Security Measures: Technical and organizational measures implemented to ensure the confidentiality, integrity, and availability of personal data.

These concepts form the foundation of IAAC’s data protection policies and practices, ensuring compliance with the GDPR and the LOPDGDD.

Measures

Risk Analysis

Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), which replaces Directive 95/46/EC, requires controllers to implement technical and organizational measures to ensure data security, particularly regarding confidentiality, availability, and integrity.

The GDPR does not prescribe specific measures, allowing each controller to assess the risks associated with their data processing activities and implement appropriate mitigation strategies. These strategies should consider current technical capabilities and the cost of implementation and may include:

Minimizing data processing wherever possible
Pseudonymization of data
Data encryption

A risk analysis is essential to determine the appropriate security measures. This analysis should be documented and maintained by both the controller and the DPO, ready for review by the supervisory authority if requested.

In certain circumstances defined by the GDPR and supervisory authorities, a Data Protection Impact Assessment (DPIA) must also be conducted. This assessment should be signed by the functional controller and the IAAC DPO.

Security Measures

Although the GDPR does not mandate specific security measures, adopting the measures outlined in Spanish Royal Decree 1720/2007, of 21 December, which implements the Organic Law on Personal Data Protection (LOPD), is advisable. These measures include:

Backup and Recovery Procedures: Regular procedures for data backup and recovery.

User Identity Confirmation: Methods for verifying the identity of authorized users.

Access Controls: Systems to control and monitor access to data.

Access Logs: Records of access attempts and activities.

Limit on Unauthorized Access Attempts: Measures to prevent repeated unauthorized access attempts.

Password Management: Procedures for assigning, managing, and setting expiration periods for passwords, including secure storage of active passwords.

Storage Media Management: Proper management of data storage devices.

Security Coordination: Appointment of a person responsible for coordinating and monitoring security measures.

Audits: Regular security audits.

Data Transmission Security: Procedures to ensure the secure transmission of data.

Breaches of Security

The GDPR mandates that both the supervisory authority and data subjects be notified of security breaches that pose or could pose a significant risk to the rights and freedoms of individuals. This notification must occur within 72 hours of the breach or upon becoming aware of it.

Controllers are required to maintain a register of security breaches, which should be available to the Data Protection Officer and the Catalan Data Protection Authority. This register can be kept in paper or electronic format and must include, at a minimum, the information specified in Articles 33 and 34 of the GDPR. Details on this information can be found in Section 3.2 of this document.

By implementing these measures, IAAC ensures compliance with GDPR requirements and enhances the protection of personal data.

→ Registration and Notification of Incidents

Rights of Data Subjects

Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (GDPR), enhances and expands upon the rights granted to data subjects by Organic Law 15/1999, of 13 December, on Protection of Personal Data (LOPD), and its implementing regulation (RD 1720/2007), with the aim of reinforcing the guarantees of rights and liberties for data subjects.

Access