What is the scope of action of the Catalan Data Protection Authority?
The Catalan Data Protection Authority is the competent supervisory authority with respect to data processing which is the responsibility of or is managed by:
- Public institutions.
- The Administration of the Generalitat.
- Local agencies.
- Autonomous entities, consortia and other public law entities linked to the Administration of the Generalitat or to local agencies, or that depend on them.
- Entities governed by private law that meet at least one of the following three requirements in relation to the Generalitat, local agencies or the bodies that depend on them:
- That its capital belongs mostly to the aforementioned public bodies.
- That its budget income comes mostly from the aforementioned public bodies.
- That the members appointed by the aforementioned public entities are the majority in their management bodies.
- Other private entities that provide public services through any form of direct or indirect management, if it concerns files and processing linked to the provision of these services.
- The public and private universities that make up the Catalan university system, and the bodies that depend on them.
- Natural or legal persons who fulfil public functions in relation to matters that are the responsibility of the Generalitat or local agencies, if it concerns files or processing intended for the exercise of these functions and the processing is carried out in Catalonia.
- Public corporations that conduct their functions exclusively in the territorial scope of Catalonia for the purposes of what is established in this law.
This also includes processing carried out by third parties with personal data made available to them as the result of a processing agreement entered into by one of these organisations.
Within this scope of action, the Catalan Data Protection Authority is responsible for exercising all the functions attributed to supervisory authorities by data protection legislation, including international data transfers.
