Scope of action

Specifically, the scope of action of the Authority includes the processing done by:

• Public institutions.
• The Administration of the Generalitat.
• Local agencies.
• Autonomous entities, consortia and other public law entities linked to the Administration of the Generalitat or to local agencies, or that depend on them.
• Entities governed by private law that meet at least one of the following three requirements in relation to the Generalitat, local agencies or the bodies that depend on them:
  • That its capital belongs mostly to the aforementioned public bodies.
  • That its budget income comes mostly from the aforementioned public bodies.
  • That the members appointed by the aforementioned public entities are the majority in their management bodies.
• Other private entities that provide public services through any form of direct or indirect management, if it concerns files and processing linked to the provision of these services.
• The public and private universities that make up the Catalan university system, and the bodies that depend on them.
• Natural or legal persons who fulfil public functions in relation to matters that are the responsibility of the Generalitat or local agencies, if it concerns files or processing intended for the exercise of these functions and the processing is carried out in Catalonia.
• Public corporations that conduct their functions exclusively in the territorial scope of Catalonia for the purposes of what is established in this law.

This also includes the processing of personal data performed by third parties through a data processor contracted by for one of these entities. Within this scope of action, the Authority is responsible for exercising all the functions that the data protection regulations attribute to the control authorities, including international data transfers.