IAAC Data Protection Policy

The Institutd’ArquitecturaAvançada de Catalunya FundacióPrivada (IAAC) is committed to safeguarding the rights and freedoms of individuals concerning the processing of their personal data. This commitment extends to information on students, academic staff, administrative and service staff, graduates, suppliers, clients, and other associated individuals, ensuring that all data handling complies with applicable laws.


Personal Data Processing

Personal data processing at IAAC is conducted with the consent of data subjects for various purposes, including:

  • Fulfilling contracts and agreements
  • Protecting the vital interests of data subjects or others
  • Complying with legal obligations
  • Exercising IAAC’s competences and powers as a public institution
  • Advancing IAAC’s legitimate interests or those of third parties
  • Disclosure of Personal Data

Personal data are disclosed to third parties only when permitted or required by law. IAAC ensures that only the data necessary for specific, explicit, and legitimate purposes are processed. The institution employs various technical and administrative measures to protect personal data, especially for those using its website.


Website and Data Protection

The IAAC website provides up-to-date information on data protection laws and the institution’s regulations, procedures, and standard forms in this area. Browsing the IAAC website does not necessarily result in the collection of personal data. However, IAAC may place cookies on devices used to access the website in accordance with its cookies policy. Cookies are used solely to facilitate and personalize browsing. Data generated during website browsing are processed strictly for technical purposes by staff bound by confidentiality obligations.

By adhering to these practices, IAAC ensures the protection of personal data in compliance with legal standards and best practices.



Data Protection Officer

In compliance with Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (Europe’s General Data Protection Regulation, GDPR), IAAC has designated a Data Protection Officer (DPO).


Duties of the Data Protection Officer

The primary responsibilities of the DPO include:

Informing and Advising:

Educate the controller or the processor, along with all IAAC staff and employees involved in data processing, about their obligations under the GDPR and other data protection regulations.


Monitoring Compliance:

Ensure adherence to the GDPR, other data protection laws, and IAAC’s internal data protection policies. This includes assigning responsibilities, raising awareness, providing training to staff engaged in processing operations, and conducting audits.


Advising on Data Protection Impact Assessments:

Offer advice on data protection impact assessments (DPIAs) and oversee their implementation as per Article 35 of the GDPR.


Cooperating with the Supervisory Authority:

Collaborate with the Autoritat Catalana de Protecció de Dades.


Acting as Contact Point:

Serve as the contact point for the supervisory authority on processing-related issues, including prior consultations referred to in Article 36, and provide consultation on other relevant matters.


Involvement and Resources

IAAC, as either a controller or processor, ensures that the DPO is involved in all issues related to personal data protection promptly and appropriately. IAAC provides the DPO with the necessary resources to fulfill their duties and access to personal data and processing operations.


Contacting the Data Protection Officer

It is essential to contact the DPO ([email protected]) when initiating a new project, designing new software, or making a purchase or proposal involving personal data processing (whether electronic or paper-based). This ensures compliance with the formalities and documentation required under the GDPR and other data protection regulations.


The Data Protection Officer is available to answer any queries regarding data protection.


DPO Contact Information:


Juan Lattanzio Caro

C/Pujades 102, 08005 Barcelona

(+34) 935994949

[email protected]



Key Concepts


Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), came into force on 25 May 2018, replacing Directive 95/46/EC. Additionally, Organic Law 3/2018, of 5 December, on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) took effect on 7 December 2018.


In compliance with the GDPR, the following key concepts are essential for understanding data protection as it pertains to the IAAC’s operations:


Key Concepts

Personal Data: Any information related to an identified or identifiable natural person.


Special Categories of Personal Data: Personal data that reveal sensitive information requiring additional protection, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.


Biometric Data: Personal data resulting from specific technical processing related to physical, physiological, or behavioral characteristics of a natural person, such as facial images or fingerprint data, which allow for unique identification.


Data Subject: The natural person to whom the personal data pertains.


Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.


Data Transfer: The disclosure of personal data to any person other than the data subject.


International Data Transfer: Any transfer of personal data to recipients outside the European Union.


Profiling: Any form of automated processing of personal data intended to evaluate, analyze, or predict aspects concerning a natural person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.


Filing System: Any structured set of personal data accessible according to specific criteria.


Controller: The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. At IAAC, the controller role is assigned to heads of areas, services, offices, or administrative units that manage filing systems centrally. For research projects, the principal investigator (PI) usually acts as the controller.


Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. Processors at IAAC include companies or individuals contracted to provide services or supplies that require access to personal data.


Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data. Consent must be provided through a clear affirmative action and cannot be implied by silence. For special categories of personal data, consent must be explicit.


Personal Data Breach: Any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.


Security Measures: Technical and organizational measures implemented to ensure the confidentiality, integrity, and availability of personal data.


These concepts form the foundation of IAAC’s data protection policies and practices, ensuring compliance with the GDPR and the LOPDGDD.




  1. Risk Analysis

Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons regarding the processing of personal data and on the free movement of such data (GDPR), which replaces Directive 95/46/EC, requires controllers to implement technical and organizational measures to ensure data security, particularly regarding confidentiality, availability, and integrity.


The GDPR does not prescribe specific measures, allowing each controller to assess the risks associated with their data processing activities and implement appropriate mitigation strategies. These strategies should consider current technical capabilities and the cost of implementation and may include:


  • Minimizing data processing wherever possible
  • Pseudonymization of data
  • Data encryption

A risk analysis is essential to determine the appropriate security measures. This analysis should be documented and maintained by both the controller and the DPO, ready for review by the supervisory authority if requested.


In certain circumstances defined by the GDPR and supervisory authorities, a Data Protection Impact Assessment (DPIA) must also be conducted. This assessment should be signed by the functional controller and the IAAC DPO.


  1. Security Measures

Although the GDPR does not mandate specific security measures, adopting the measures outlined in Spanish Royal Decree 1720/2007, of 21 December, which implements the Organic Law on Personal Data Protection (LOPD), is advisable. These measures include:


Backup and Recovery Procedures: Regular procedures for data backup and recovery.

User Identity Confirmation: Methods for verifying the identity of authorized users.

Access Controls: Systems to control and monitor access to data.

Access Logs: Records of access attempts and activities.

Limit on Unauthorized Access Attempts: Measures to prevent repeated unauthorized access attempts.

Password Management: Procedures for assigning, managing, and setting expiration periods for passwords, including secure storage of active passwords.

Storage Media Management: Proper management of data storage devices.

Security Coordination: Appointment of a person responsible for coordinating and monitoring security measures.

Audits: Regular security audits.

Data Transmission Security: Procedures to ensure the secure transmission of data.

  1. Breaches of Security

The GDPR mandates that both the supervisory authority and data subjects be notified of security breaches that pose or could pose a significant risk to the rights and freedoms of individuals. This notification must occur within 72 hours of the breach or upon becoming aware of it.


Controllers are required to maintain a register of security breaches, which should be available to the Data Protection Officer and the Catalan Data Protection Authority. This register can be kept in paper or electronic format and must include, at a minimum, the information specified in Articles 33 and 34 of the GDPR. Details on this information can be found in Section 3.2 of this document.


By implementing these measures, IAAC ensures compliance with GDPR requirements and enhances the protection of personal data.


Registration and Notification of Incidents


 Rights of Data Subjects

Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (GDPR), enhances and expands upon the rights granted to data subjects by Organic Law 15/1999, of 13 December, on Protection of Personal Data (LOPD), and its implementing regulation (RD 1720/2007), with the aim of reinforcing the guarantees of rights and liberties for data subjects.



Data subjects have the right to:


Obtain confirmation from IAAC regarding the processing of personal data concerning them.

Access their personal data being processed by IAAC.


Data subjects have the right to:


Promptly request the correction of inaccurate or incomplete personal data held by IAAC.

Erasure (Right to be Forgotten)

Data subjects have the right to:


Request the deletion of inappropriate or excessive personal data held by IAAC without undue delay.

Request the erasure of personal data in other circumstances specified by data protection legislation.

Right to Object

Data subjects have the right to:


Object to the processing of their personal data by IAAC, where such processing is carried out for public interest tasks or in the exercise of official authority, or for the legitimate interests pursued by IAAC or a third party.

Right to Be Forgotten

If IAAC has made personal data public and is obligated to erase them, it must:


Inform other controllers processing the data that the data subject has requested erasure, including any links to or copies of the data.

Restriction of Processing

Data subjects have the right to:


Obtain restriction of processing from IAAC in certain circumstances as specified in data protection legislation.

Data Portability

Data subjects have the right to:


Receive personal data they provided to IAAC in a structured, commonly used, and machine-readable format.

Transmit this data to other controllers without hindrance from IAAC, where processing is based on consent or a contract.

These rights empower data subjects to exercise control over their personal data and ensure its proper handling by IAAC, promoting transparency and accountability in data processing practices.




Processors are individuals or entities, whether natural or legal persons, public authorities, agencies, or other bodies, who process personal data on behalf of the controller. In the context of IAAC, processors are those who, in order to provide services to the institute, require access to personal data stored within its systems.


Contractual Obligations

Processing by a processor is governed by a contract or other legal agreement under Union or Member State law. This contract binds the processor to the controller and outlines various key aspects of the processing, including:


  • Subject-matter and duration of the processing.
  • Nature and purpose of the processing.
  • Types of personal data to be processed.
  • Categories of data subjects involved.
  • Obligations and rights of the controller.


Obligations of Processors

The contract or agreement with processors also includes specific obligations, ensuring compliance with data protection regulations. These obligations typically include:


  • Processing personal data only on documented instructions from the controller, including transfers to third countries or international organizations.
  • Ensuring that individuals authorized to process personal data are bound by confidentiality obligations or statutory confidentiality requirements.
  • Implementing appropriate technical and organizational measures to ensure the security of processing, considering the associated risks.
  • Maintaining the confidentiality, integrity, availability, and resilience of processing systems and services.
  • Establishing procedures for promptly restoring availability and access to personal data in the event of physical or technical incidents.
  • Implementing processes for verifying and assessing the effectiveness of technical and organizational security measures.

Controller’s Responsibilities

Under the GDPR, the controller is responsible for selecting processors that provide adequate guarantees of implementing appropriate technical and organizational measures and safeguarding the rights of data subjects.


IAAC Model Clauses

IAAC maintains a model of contractual clauses or agreements with processors, ensuring that all necessary provisions and obligations are included to protect the rights and interests of data subjects and comply with data protection regulations effectively.