Data protection


Pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and applicable Spanish national legislation on the matter, this is the data protection policy of Patronat de Turisme Costa Brava Girona, SA. You may access the data processing activities register (RAT).

Who is the data controller?

The data controller is Patronat de Turisme Costa Brava Girona, SA, holder of tax identification code (CIF) A17031246 and whose registered address is Avinguda de Sant Francesc 29, 3r, 17001 Girona, Spain, email,

On what basis do we process personal data?

We only process data when we have a legal basis that permits us to do so, and we use them for the specific, explicit and legitimate purposes that we explain at the time of their collection. We only process data that is appropriate, relevant and limited to what is necessary in each given case. We make every effort to ensure that they are up to date and retain them for the necessary time, pursuant to applicable legislation on the storing of public information. We implement appropriate technical and organisational measures to prevent their unauthorised or unlawful processing and against their accidental loss, destruction or damage. As a general rule, only personal data of those aged over 14 may be disclosed. In the case of persons under 14 years of age, the authorisation of their parents or legal representatives shall be required.

Who is the data protection officer?

The data protection officer (DPO) oversees compliance with data protection legislation and ensures that people’s rights are protected. Their duties include advising data subjects when they wish to submit a complaint or a claim. To contact the data protection officer, you may do so in writing to Patronat de Turisme Costa Brava Girona, SA directly by email to the address

For what purposes do we process personal data and to whom do we disclose them?

Patronat de Turisme Costa Brava Girona, SA processes personal data to carry out its activities and functions and to offer the services described on its e-services website.

Procedures. Mainly at their request, we use the personal data of private individuals to monitor the relevant procedure. A listing of procedures can be found on our e-services website. Depending on the procedure in question, the personal data may be disclosed to the relevant public administrations or may be published, pursuant to the principle of transparency.

Services. To provide our services, we process the personal data submitted by users. The listing of services can be found in the procedures and services section of our e-services website. As a general rule, personal data are not disclosed to other parties without the service user’s consent.

Activities. We collect data from people registering for training activities in order to organise them. These data are not disclosed to third parties.

Contact. We respond to requests for information from people who use the contact forms on our website. The data is used solely for this purpose and is not communicated to other people.

Sending of information. With prior authorisation, we use contact data to provide information on our services and/or activities via the channels authorised by the individual in question. Addressees’ data are not disclosed to third parties.

Management of data on our suppliers. We record and process data on suppliers from whom we receive works, goods or services. We collect data essential for maintaining the business relationship and use them solely for this purpose. In compliance with our legal obligations, we disclose the necessary data to the tax authorities.

Video surveillance. When accessing our installations, information is provided, where applicable, on the existence of video surveillance cameras. The cameras record images only in those points where said recording is justified and to guarantee the security of assets and persons. The images are used solely for this purpose. Where justified, data is disclosed to the law enforcement authorities and forces and the competent judicial bodies.

What is the lawful basis for data processing?

The data processing we perform has a number of lawful bases, depending upon the nature of the processing in question.

Compliance with legal obligations. Data processing in the context of administrative procedures is performed pursuant to the regulatory norms applicable to each given procedure.

Performance of a task carried out in the public interest. Processing arising from the provision of our services is justified by the meeting of a public interest. Additionally, the images we obtain from video surveillance cameras are processed in the public interest.

Fulfilment of a contractual or pre-contractual relationship. We process data on our suppliers in compliance with public sector procurement regulations, with the scope necessary for the fulfilment of the contractual relationship.

Recipient consent. When we send out information on our activities or services, we process contact data with the prior consent of the recipient.

How long do we keep the data for?

The storage time depends chiefly on how long the data are required to fulfil the given purpose for which they have been collected. Secondly, they are kept to deal with any possible responsibilities or liabilities arising from their processing and to accommodate the requirements of other public administrations or judicial bodies.

Accordingly, the data must be stored for as long as necessary but no longer. In certain cases, such as when data are included in accounting and invoicing documentation, tax regulations require that they be kept until the responsibilities and liabilities in this regard have lapsed. Data whose processing is based exclusively on the consent of the data subject is kept until said consent is revoked.

Any images obtained by video surveillance are kept for a maximum of one month. Nevertheless, should incidents so justifying arise, they are kept for as long as necessary to facilitate the actions of the law enforcement authorities and forces and of judicial bodies. 

What are people’s rights with regard to the data we process?

People whose data we process have the following rights:

To know whether they are being processed. Everyone has, firstly, the right to know if we are processing their data, whether or not there has been any prior relationship.

To be informed when they are being collected. When the data are collected from the data subjects themselves, they must be provided with clear information on the purposes for which they shall be used, who the data controller will be and the main issues arising from said processing.

To access them. This right allows data subjects to know which data are being processed, for what purposes they are being processed and any disclosures to third parties (where applicable), as well as to obtain a copy thereof and to be made aware of the planned time for which the data shall be kept.

To request their rectification. This is the right to ensure incorrect data processed by us is rectified.

To request their erasure. The right to request deletion of data is recognised when, amongst other reasons, they are not required for the purposes for which they were collected.

To request restriction of processing. Under certain circumstances, the right to request restriction of the processing of the data is also acknowledged. In this case, the data shall no longer be processed and shall be kept solely for the purposes of making or defence against claims.

To request their portability. In the cases recognised in legislation, the right to obtain one’s own personal data in a commonly used format is recognised.

To object to their processing. Someone may invoke personal reasons to ensure that their data cease to be processed to the extent that said processing is prejudicial to them.

How can these rights be exercised or defended?

The aforementioned rights may be exercised by making the relevant request to Patronat de Turisme Costa Brava Girona, SA, either at its postal address or via the other contact details indicated at the start hereof.

It is also possible to file a complaint before the Catalan Data Protection Authority using the forms and other channels available on its website (

Whatever the case, to make claims, request clarifications or provide us with suggestions, data subjects may contact the data protection officer by sending an email to
