Data Protection Policy

This is the data protection policy of the Consorci de les Vies Verdes de Girona. It complies with the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and Council of 27th April 2016) and Organic Law 3/2018 on data protection and the guarantee of digital rights (LOPDGDD).


Who is responsible for the processing of personal data?

The data controller is the Consorci de les Vies Verdes de Girona (hereinafter, the Consortium), with tax number P1700047B and domiciled at Ronda de Sant Antoni Maria Claret, 28 A, 1r, Girona (postcode 17002), email address and web address


Under what criteria do we process personal data?

In processing the data the Consortium accepts the principles established in the General Data Protection Regulation, and therefore:

  1. It processes data lawfully (only when there are legal grounds permitting it and with transparency with regard to the data subject).
  2. It uses the data for certain explicit, legitimate purposes that are explained when the data are collected. They are not subsequently processed in any way incompatible with these purposes.
  3. Only appropriate, pertinent data limited to those necessary in each case and for each purpose are processed.
  4. It attempts to keep these data up to date.
  5. It keeps them for the time necessary to comply with regulations on keeping public information.
  6. It takes adequate technical or organisational measures to avoid unauthorised or illicit processing of the data, or their accidental loss, destruction or damage.
  7. As a general rule, only the data of people over 14 years old are passed on. In the case of minors under 14 years old the authorisation of the parents or legal representatives is necessary.


Who is the Data Protection Officer?

The Data Protection Officer (DPO) supervises compliance with data protection regulations and makes sure people’s rights are upheld. Their functions include dealing with people whose data are being processed and who wish to lodge a complaint or claim. To contact the Data Protection Officer, write to the Consortium or send an email to the address


For what purposes do we process data and who do we pass them on to?

The Consortium processes data to exercise its competences and functions. The Consortium’s services are described on its website. A full description of the processing and the purposes for which the data are used is shown in the Register of processing activities, prepared in accordance with article 30 of the General Data Protection Regulation.


Administrative procedures and paperwork

Acting on request by the individual data subjects, the Consortium uses their data to carry through each process. The catalogue of processes and the procedure followed may be consulted at the Consortium’s electronic office. Depending on the procedure, the data may be passed on to other authorities competent in the area. In some cases they must be published in accordance with the principle of transparency.



To provide its services the Consortium processes the data supplied by the beneficiaries or else those obtained through other authorities. Offering these services often involves monitoring them and obtaining new data from users. The catalogue of services can be consulted on the website. As a general rule the data are not passed on to other people without the consent of the user of the service.



The Consortium deals with enquiries from people who use the contact forms on this website. The data are used solely for this purpose and are not passed on to other people.


Sending Information

With each person’s explicit authorisation, the Consortium uses contact data supplied by them to inform them of its initiatives, services or activities. This is done through different channels, depending on the authorisation given by each person, and the data are not passed on to other people without their consent.


Managing our suppliers’ data

The Consortium records and processes the data of its providers of work, services or goods. These may be the data of people working freelance or also those of representatives of legal entities. Only the data essential to carry on the commercial relationship are collected, and these are used only for this purpose. In compliance with legal obligations (tax and contractual regulations governing public services), data are passed on to other public authorities.


What are the legal grounds for processing the data?

Data are processed by the Consortium on different legal grounds, depending on the nature of the processing in each case.


Compliance with Legal Obligations

Data are processed in the context of administrative procedures in accordance with the regulations governing each procedure. This is carried out in accordance with legal obligations.


How long do we keep the data?

How long the data are kept is determined by different factors, primarily the fact that the data remain necessary to fulfil the purposes for which they were collected in each case. Secondly, they are kept to fulfil any responsibilities for data processing incumbent on the Consortium, and to meet any requirements of other public authorities or judicial bodies.

Consequently, the data must be kept for the time necessary to preserve their legal or information value or to prove compliance with legal obligations, but not for any longer than is necessary in accordance with the purposes of processing.

In certain cases, such as data that appear in accounting and invoicing documentation, tax regulations require them to be kept until liabilities in this area have become time-barred.

Data processed solely on the basis of the data subject’s consent are kept until this consent is withdrawn.

The regulations governing the keeping of public documentation and the rulings of the national committee for access, assessment and choice of documents are the point of reference determining the rules followed by the Consortium in keeping or deleting data.


What rights do people have regarding the data we process?

People whose data are processed by the Consortium have the following rights:


To know whether they are processed

Anybody has, firstly, the right to know whether the Consortium is processing their data, regardless of whether any previous relationship has existed.


To be informed of collection

When the data are collected from the data subject, the latter must have clear information about the purposes for which they are intended, and who will be responsible for their processing and the main factors arising from this processing.


To access their data

This is the right to know what personal data are being processed, for what purpose they are processed and whether they will be passed on to other people (if applicable), and the right to have a copy or to know how long they are expected to be processed for.


To demand rectification

This is the right to have inaccurate data processed by the Consortium corrected.


To demand erasure

The right to demand erasure of the data is recognised where, among other reasons, they are not necessary for the purposes for which they were collected.


To demand limitation of processing

In certain circumstances the right to demand limitation of the processing of data is also recognised. In this case, they will cease to be processed and will only be kept to make or respond to claims.


To portability

In the cases stipulated in the regulations the right to obtain one’s own personal data in a commonly-used format is recognised.


To object to processing

A person may give personal reasons for their data to cease to be processed, to the extent that this processing harms them.


How can these rights be exercised or upheld?

The rights outlined above may be exercised by applying to the Consortium, at its postal address or at the other contact addresses given at the beginning of this document.

If no satisfactory response is obtained in the exercise of rights, a complaint may be lodged with the Catalan Data Protection Authority, using the forms or other channels accessible through its website:

In any case, to lodge complaints, request clarification or make suggestions, an email message may be sent to the Data Protection Officer at the address