Transparency portal

Personal data processing conditions


Data Controller: Centre d’Estudis Demogràfics[1]

Manager of processing: the company, institution or organization that signs the corresponding contract.

Both parts recognize that they have sufficient legal capacity to execute this contract in accordance with the provisions of current legislation.



Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing and free movement of personal data (GDPR).

LOPD 3/2018 of December 5 on the protection of personal data and guarantee of digital rights (OLDP).



The personal data that will be processed by the Manager of processing, will process will always be the minimum information absolutely necessary to achieve the purposes of the terms present in the corresponding contract.



Personal data will be kept for the duration of the purpose for which they are processed and for the time established in the corresponding contract.

The duration may be automatically renewable for equal periods of time unless one of the two parties requests its termination.

Once the present agreement is finalized, the Manager of processing will return to the Data controller the personal data provided and will delete any copy he/she may have.



  1. Comply with the data protection regulations in force at all times, exonerating in any case the Manager of processing of the treatment for these breaches.
  2. Deliver to the Manager of processing the necessary information, which he/she will have previously collected in a legitimate way.
  3. To have designated the Data Protection Delegate (DPD), if necessary.
  4. To make an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Manager of processing.
  5. To make the corresponding prior consultations.
  6. To ensure, before and during the processing, that the Manager of processing complies with the GDPR.
  7. Supervise the treatment, including the execution of inspections and audits.



Use the personal data being processed only for the purpose for which it was collected, in accordance with the instructions of the person responsible for the processing.

In any case you can use the data for your own purposes.

Activity register

To have a record of all the categories of treatment activities carried out, containing:

  1. The name and contact details of the person or persons in charge and of each person responsible on behalf of whom the Manager of processing acts and, if applicable, of the representative of the Manager of processing and of the data protection officer.
  2. The categories of treatments carried out on behalf of each person in charge.
  3. If applicable, transfers of personal data to a third country or international organization, including the identification of this country or this international organization, and in the case of transfers indicated in art. 49.1, 2nd paragraph of the GDPR, the documentation of adequate safeguards.

Technical and organizational safety measures

  1. To guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services.
  2. Restore availability and access to personal data quickly, in case of physical or technical incident.
  3. To verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
  4. Pseudonymise and delete personal data, if necessary.


  1. Not to communicate the data to third parties, unless expressly authorized by the person responsible for the processing.
  2. The Manager of processing may communicate the data to other persons in charge of the processing of the same person, in accordance with the instructions of the person in charge. In this case, the data controller must identify, beforehand and in writing, the entity to which the data are to be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication.
  3. If the Manager of processing has to transfer personal data to a third country or to an international organization, in virtue of the law of the Union or of the member states that may be applicable, the Manager of processing must inform the Manager of processing of this legal requirement in advance, unless this law prohibits it for important reasons of public interest.
  4. In order to subcontract with other companies, the Manager of processing must communicate this in writing to the person in charge, clearly and unequivocally identifying the subcontracted company or third party, and its contact details. The subcontracting may be carried out if the Manager of processing does not express his opposition within 15 days.
  5. The subcontractor, who is also the Manager of processing of the treatment, will also be obliged to comply with the obligations that this document establishes for the Manager of processing of the treatment and the instructions issued by the person in charge.

Professional Secret

  1. To maintain the duty of secrecy with respect to the personal data to which he/she has had access by virtue of this position, until and until after the end of his/her collaboration.
  2. Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
  3. Keep at the disposal of the Manager of processing the documentation that accredits that the obligation established in the previous section is completed.
  4. To guarantee the necessary training in personal data protection for the persons authorized to process personal data.

Rights of users or interested parts

To assist the data controller in responding to the exercise of the rights of users or interested parties regarding (1) access, rectification, deletion and objection, (2) limitation of processing, (3) portability of data and (4) not to be subject to automated individualized decisions (including profiling).

Notification of data security breaches

The Manager of processing of the processing will inform the person responsible for the processing, without undue delay and in any case within a maximum of 72 hours, by e-mail or other reliable means, of any breach of security of the personal data in his/her care of which he/she is aware, together with all relevant information to document and communicate the incident in those cases where security constitutes a risk to the rights and freedoms of individuals.

To support the Manager of processing of the treatment at the time of making impact assessments related to data protection and to make prior consultations with the supervisory authority, when necessary.

Completion of the contract

Return to the Manager of processing of the processing the personal data and, if necessary, the files on which they are stored, once the service has been completed. The return will entail the total deletion of the existing data in the computer equipment used by the person in charge. Notwithstanding the foregoing, the contractor may keep a copy of the data, with the data duly blocked, for as long as any liability may arise from the performance of the service.

[1] Privacy policy