Data protection

This is the data protection policy of Patronat de Turisme Costa Brava Girona, SA, which gives effect to the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and the currently valid Spanish regulations on the matter.

Who is the Data Controller?

The Data Controller is Patronat de Turisme Costa Brava Girona, SA, with Tax Identification Code A17031246 and registered address at Avinguda de Sant Francesc, no. 29, 3rd floor (Postcode 17001), Girona, e-mail,

What criteria are applied in processing personal data?

We only process the data when we have a legal basis that allows us to do this, and we use them for legitimate, explicit and determined purposes that we explain at the time of collecting them. We only process the adequate, relevant and limited data that are necessary in each case and for each purpose. We make every effort to ensure that the data are up to date and we keep them for such time as may be necessary, complying with the current regulations on public information storage. We use appropriate technical or organisational measures to avoid unauthorised or illicit processing, or the data’s accidental loss, destruction or damage. As a general rule, only people over 14 years of age can give their data; people under 14 years of age must be authorised by their parents or legal representatives.


Who is the Data Protection Officer?

The Data Protection Officer (DPO) is the person who supervises compliance with the data protection regulations and ensures that people’s rights are protected. The Data Protection Officer’s functions include attending to the people whose data are being processed if they wish to make a complaint or lodge a claim. The Data Protection Officer can be contacted by writing to Patronat de Turisme Costa Brava Girona, SA or by sending an e-mail directly to


With what purpose do we process your data and who do we disclose them to?

Patronat de Turisme Costa Brava Girona, SA processes the data in order to carry out its responsibilities and functions and to offer the services described at its electronic office.

Procedures catalogue. Mainly at the request of private individuals, we use their data to track the corresponding procedure. The procedures catalogue can be consulted at the electronic office. Depending on the procedure, the data may be disclosed to other authorities with jurisdiction in the matter or they may be published, in compliance with the transparency principle.

Services. We process the data provided by users in order to render our services. The services catalogue can be consulted in the electronic office’s procedures and services section. As a general rule, the data are not disclosed to other people without the consent of the service’s user.

Activities. We obtain data from the people who register for the training activities we offer to assist us in organising these activities. These data are not disclosed to other people.

Contact. We answer the queries received from people who use the contact forms on our website. The data are used solely for this purpose and are not disclosed to other people.

Sending information. With prior authorisation, we use the contact details to provide information about our services or activities through the channels authorised by each person. The recipients’ data are not disclosed to other people.

Managing our suppliers’ data. We register and process the data of the suppliers from whom we receive works, services or goods. We obtain the data that are strictly necessary for maintaining the business relationship and we use them solely for this purpose. In compliance with legal obligations, we disclose the necessary data to the Tax Authorities.

Video surveillance. When entering our facilities, users are informed, if appropriate, of the existence of video surveillance cameras. The cameras only record images from those points where this recording is justified to guarantee assets’ and people’s security. The images are used solely for this purpose. In justified cases, we disclose the data to the law enforcement forces or the appropriate judicial authorities.


What is the legal basis for processing the data?

The data processing we carry out has different legal bases depending on the nature of each type of processing.

Compliance with legal obligations. When required for the performance of administrative procedures, the data are processed in accordance with the rules regulating each of the procedures.

Performance of a task in the public interest. The processing performed in order to render our services is justified on the grounds of satisfying public interest. Furthermore, the images we obtain with video surveillance cameras are processed to preserve public interest.

Performance of a contractual or precontractual relationship. We process our suppliers’ data in accordance with public sector procurement regulations, with the scope required for performance of the contractual relationship.

The recipient’s consent. We process the contact data when we send information about our activities or services, with the recipient’s prior consent.


For how long do we store the data?

The time during which the data are held is determined, first, by whether or not they are necessary for performing the purpose for which they have been obtained in each case. Second, they are kept in order to cover possible liabilities arising from their processing and to attend to requests from other public administrations or judicial authorities.

Consequently, the data must be kept for such time as may be necessary but for no longer. In certain cases, such as the data appearing in accounting documentation and invoicing, tax regulations require that they be kept until any possible tax liability has expired. As regards the data whose processing is based solely on the data subject’s consent, they are kept until this consent is revoked.

Lastly, the images obtained by the video surveillance cameras are kept for one month at most; however, in the event of the occurrence of incidents where this is justified, they are kept for such time as may be necessary to assist the law enforcement forces or the judicial authorities in their inquiries.


What are people’s rights with respect to the data we process?

The people whose data we process have the following rights:

To know whether they are processed. First of all, everyone has the right to know whether we process their data, irrespective of whether or not there has been a prior relationship.

To be informed during collection. When the data are obtained from the data subject himself or herself, the data subject must receive clear information about the purposes they will be used for, who will be the controller and the main aspects derived from this processing.

To access them. This right entitles the data subject to know what personal data are being processed, with what purpose and the disclosures that are made to other people (if applicable), and to obtain a copy of such disclosures and be informed of the data’s planned storage time.

To request rectification. This is the right to rectify inaccurate data that are being processed by us.

To request erasure. The right to request erasure of the data is acknowledged when, among other reasons, they are not necessary for the purpose for which they were collected.

To request restriction of processing. Also, in certain circumstances, the right to request restriction of the data processing is acknowledged. In this case, they will cease to be processed and will only be kept for the exercise or defence of legal claims.

To request portability. In the cases provided in the regulations, the right to obtain one’s own personal data in a commonly used format is acknowledged.

To object to processing. A person may cite private reasons which will require ceasing to process his or her data if such processing may be detrimental to him or her.


How can the rights be exercised or defended?

The rights listed above can be exercised by sending a written request to Patronat de Turisme Costa Brava Girona, SA, either at its postal address or through the other contact details stated at the beginning of this policy.


It is also possible to lodge a claim with the Catalan Data Protection Authority using the forms or other channels that can be accessed from its website (


In any case, whether it is to lodge claims, ask for clarifications or send suggestions, data subjects can write to the Data Protection Officer by email at the address