This data protection policy refers to the processing of data by the Fundació Museu Picasso de Barcelona in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016) and Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
Who is responsible for the processing of personal data?
The entity responsible for the processing of personal data is the Fundació Museu Picasso Barcelona (hereinafter, Museu Picasso), with Tax Identification Number (CIF) G-66008897, registered at Carrer Montcada 15-23, 08003 Barcelona, Spain, telephone number (+34) 932 56 30 00, email address museupicasso@bcn.cat and website www.museupicassobcn.cat.
Who is the Data Protection Officer?
The Data Protection Officer (DPO) supervises compliance with the Museu Picasso's Data Protection Policy, ensuring that personal data is suitably processed and that the rights of individuals are protected. Among its functions is to attend to any doubt, suggestion, complaint or claim from the individuals whose data is processed. You can contact the Data Protection Officer by writing to Carrer Montcada 15-23, 08003 Barcelona, Spain, or by telephone (+34) 932 56 30 00 or via email Dpd_museupicasso@bcn.cat.
What is our purpose in processing the data?
At the Museu Picasso we process personal data mainly for the following purposes:
- Contact. To attend the queries of people who contact us via contact forms on our website or by telephone.
- Museum Services. Registration of users who purchase or book tickets to visit the Museum or carry out training courses or educational projects. It offers people the opportunity to obtain the “Picasso Card” and proceeds to process the data of those who request it, in order to offer personalised services and benefits. During the process of registering users for these services, essential data is requested, such as identification or bank details (in case it is necessary to manage a payment process).
- Information about our services. With the explicit authorisation of each individual, contact details are used to communicate information about activities or events organised by the Museu Picasso.
- Management of the data of our suppliers. We register and process the data of suppliers from whom we obtain services or goods. This can be the data of individuals who act as freelancers and also the data of representatives of legal entities. We obtain essential data for maintaining business relations. The data is used solely for said purpose and for this type of relation.
- Video surveillance. At the entrances to our facilities, visitors are informed of the existence of video surveillance cameras by means of approved signage. The cameras only record images at points where it is justified to ensure the safety of property, goods and people, and the recorded images are used solely for this purpose.
What is the legal legitimacy for the processing of data?
The data processing we carry out covers different legal grounds, depending on the nature of each processing. Accordingly, we process data:
In compliance with contractual relations, such as in the case of relations with our suppliers and with people who purchase tickets or contract other Museum services.
In compliance with legal obligations, for example, data communications to the Tax Administration, established in fiscal and regulatory regulations of commercial relations.
Based on individual consent, we send information about the services, activities or events that we programme.
In fulfilment of our public interest mission, we record images via video surveillance cameras, in order to preserve the heritage we look after.
Who is the data shared with?
As a general rule, we only communicate data to public administrations or authorities and always in compliance with legal obligations. When necessary, the data is communicated to banking entities, for the purchasing of tickets to the Museum or other services provided. In cases where it is justified, we will communicate data to the security forces or to the appropriate judicial authorities. No transfers of data are carried out beyond the scope of the European Union (international transfer).
How long do we store the data for?
The data storage period is determined by different factors, mainly based on whether the data is still necessary to meet the purposes for which it was initially collected in each case. Secondly, it is stored to deal with possible responsibilities derived from the processing of data by the Museum, and to meet any requirements from other public administrations or judicial authorities.
Consequently, the data must be kept for as long as is necessary to preserve its legal or informative value or to prove compliance with legal obligations, but not for a period exceeding that which is required in accordance with the purposes of its processing.
In certain cases, such as the data contained in the accounting, invoicing and billing documentation, tax regulations oblige us to keep the data until the responsibilities in this matter have prescribed.
In the case of data that is processed exclusively on the basis of the consent of an interested party, it will be stored until they revoke their consent.
Finally, in the case of the images obtained by video surveillance cameras, these are stored for a maximum of one month, although in the case of incidents that justify it, they are stored for the period necessary to facilitate the actions of the security forces and/or judicial authorities.
The rules regulating the conservation of public documentation and the rulings of the Comissió Nacional d’Accés, Avaluació i Tria Documental (National Commission for the Access, Evaluation and Selection of Documents) are a benchmark that determines the criteria we follow in the storage or elimination of data.
What rights do individuals have in relation to the data we process?
As established in the General Data Protection Regulation, those individuals whose data we process have the following rights:
To know if it is processed. Everyone has, first of all, the right to know if we process their data, regardless of whether there has been a prior relation.
To be informed of its collection. When personal data is obtained from the interested person, at the time of providing it, they must have clear information regarding the purposes for which it will be used, who will be responsible for the processing, and any other aspects derived from this processing.
To gain access to the data. A very broad right that includes knowing precisely what personal information is being processed, the purpose for which it is being processed, any communications to third parties (if applicable), as well as the right to obtain a copy or to know the expected time frame of its storage.
To request its rectification. The right to rectify inaccurate data that is processed by us.
To request its deletion. In certain circumstances there exists the right to request the deletion of data, for example, when it is no longer necessary for the purposes for which it was collected and for which its processing is justified.
To request the limitation of processing. In certain circumstances, the right to request the limitation of data processing is also recognised. In that case, it will cease to be processed and will only be kept for the exercising or defence of claims, in accordance with the General Data Protection Regulation.
Portability. The right to obtain personal data in a structured, commonly used, machine-readable and interoperable format, or to request that it be transferred in this way to another data officer. This right is recognised when the processing is based on consent or a contractual relation.
To oppose the processing. As a general criterion, when the data processing is based on the fulfilment of a mission carried out in the public interest, an individual can put forward reasons related to their particular situation, reasons that would force us to stop processing their data to the extent that this may be detrimental to them, unless there are legitimate reasons to continue doing so or if it is necessary to make claims or defend against said claims.
To not receive information. We immediately attend to requests to stop receiving information regarding our activities and services when said communications were based solely on the consent of the receiving individual.
How can these rights be exercised or defended?
The rights detailed above can be exercised by sending a written request to Museu Picasso, Carrer Montcada 15-23, 08003 Barcelona, Spain, or by sending an email to museupicasso@bcn.cat, indicating in all cases “Protection of personal data”.
If you do not receive a satisfactory response in exercising your rights, you can present a claim to the Autoritat Catalana de Protecció de Dades (Catalan Data Protection Authority) by means of the forms or other channels accessible from its website (in Spanish): https://apdcat.gencat.cat/es/inici/index.html.
In all cases, either to present claims, request clarifications or send suggestions, it is possible to do so by sending an email to the Data Protection Officer at the following email address: dpd_museupicasso@bcn.cat.
