top of page
Conditions of Use of Personal Data
Being a member of the fan club is completely voluntary and free .
You must agree to share, your data to be part of the BSB SPANISH ARMY CLUB Fan Club, will be used exclusively for internal use, in your favor, to receive the latest news from the BSB and the Club. Next, we leave you the Personal Data Law.
DATA PROTECTION
Applicable regulations
In our legal system, the right to the protection of personal data is not expressly included in our constitutional text, but it is article 18.4 of the Spanish Constitution that guarantees it in the following way:
“The Law will limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights”
Developing this constitutionally provided obligation, and recognizing the fundamental right to data protection, as stated in the Constitutional Court Judgment 290/2000, we find the current Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), and Royal Decree 1720/2007, of December 21, which approves the Regulations for the development of the repealed Organic Law 15/1999, of December 13, on the protection of personal data staff (RLOPD).
At an international level, the reference standard in relation to the regulation of the processing of personal data is Convention No. 108, of the Council of Europe, for the protection of people with respect to the automated processing of personal data, made in Strasbourg, on January 28, 1981.
The right to Data Protection is also guaranteed at a European level through the Charter of Fundamental Rights of the European Union, which recognizes it in its article 8:
"Personal data protection
Every person has the right to the protection of personal data that concerns them.
These data will be processed fairly, for specific purposes and based on the consent of the affected person or by virtue of another legitimate basis provided by law. Every person has the right to access the data collected that concerns him or her and to obtain its rectification.
Compliance with these rules will be subject to control by an independent authority.”
At the community level, the processing of personal data is currently regulated by Regulation (EU) 2016/679, of the European Parliament and of the Council, regarding the protection of natural persons with regard to the processing of personal data and the free movement of these data and repealing Directive 95/46/EC (General Data Protection Regulation). This new rule is directly applicable in our legal system and, in addition to reinforcing the rights of the owners of personal data, establishes a new proactive approach when processing personal data.
Together with this regulation, when processing personal data we must take into account the sectoral regulations of the field in which the personal data is being processed.
Convention No. 108 of the Council of Europe, of January 28, 1981, for the protection of people with respect to the automated processing of personal data.
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data and which repeals the Directive 95/46/EC (General Data Protection Regulation) (Text relevant for EEA purposes).
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights
Royal Decree 1720/2007, of December 21, which approves the Regulations for the development of Organic Law 15/1999, of December 13, on the protection of personal data.
DATA PROTECTION
Definitions
As a general rule, Regulation (EU) 2016/679 General Data Protection (RGPD), Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and Royal Decree 1720/ 2007, which approves the Regulations for the development of the repealed Organic Law 15/1999 (RLOPD) will apply to all processing of personal data that is carried out in Spanish territory or has as recipients citizens who are in Spain.
Thus, all natural and legal persons -whether public or private- that process or manage personal data must comply with a series of principles and obligations, legally and statutorily established, that guarantee, ultimately, the right of people to control and dispose of their personal data, that is, their right to personal data protection. Thus, the University of Alcalá is obliged to comply with both the GDPR and current national regulations.
In order to offer a better understanding of the matter, it is necessary to offer a series of basic definitions on the processing of personal data:
Personal data (art. 4.1 RGPD and art. 5.1.f) RLOPD)
A personal data is all that information that refers to an identified or identifiable natural person, that is, from their name and surnames, to any other that reveals information about their habits, preferences or way of life. As stated in the RLOPD, personal data is any numerical, alphabetical, graphic, photographic, acoustic or any other type of information concerning natural persons, identified or identifiable (art. 5.1.f)). Thus, for example, a name and surname, voice, photograph or fingerprint are personal data.
This definition leads us to make three qualifications: first, that we must refer to an identified or identifiable person. In this sense, any treatment that can identify a natural person is covered. Identity must be able to be determined, either directly or indirectly. The RLOPD indicates that “a natural person will not be considered identifiable if said identification requires disproportionate time or activities” (art. 5.1.o) RLOPD). Second, that it must be a natural person, thus excluding legal persons from the scope of application of the LOPDGDD. And, third, that in any case it refers to living individuals, data relating to deceased persons being also excluded from the data protection regulations (art. 2.4 RLOPD). However, the new LOPDGDD refers to the processing of data of deceased persons (art. 3 LOPDGDD), but with the exclusive purpose that access to their data, as well as the request for its rectification or deletion, is may be carried out by persons related to the deceased for family reasons or for reasons of fact, as well as their heirs.
For all these reasons, if statistical data or dissociated data are processed, which do not allow the identification of their owner, the data protection regulations will not apply.
On the other hand, when talking about personal data, we must bear in mind that not all personal information will have the same level of protection, since not all information is equally relevant (due to the damage that its misuse may cause). And, for this reason, the data protection regulations, both national and community, distinguish between different categories of personal data and refer to the "special categories of data", also known as "specially protected data" or "sensitive data" (arts. 9 GDPR and 9 LOPDGDD).
Special categories of data or specially protected data (arts. 9 RGPD and 9 LOPDGDD)
According to the RGPD, data that reveals “ethnic or racial origin, political opinions, religious or philosophical convictions, or trade union affiliation, and the processing of genetic data, biometric data aimed at unambiguously identifying a person, are specially protected data. natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person”.
As a general rule, for the treatment of this data, the express and written consent of its owner will be required.
Treatment of personal data (art. 4.2 RGPD and art. 5.1.t) RLOPD)
Any activity that is carried out with personal data, whether automated or manual. For example, the collection, registration, organization, conservation, storage, manipulation, modification, use, communication, interconnection, transfer, assignment, limitation, deletion or destruction. Thus, for example, posting a list with names of students or their grades on a web page is personal data processing that must comply with the regulations.
Personal data file (arts. 4.6) RGPD and 5.1.k) RLOPD)
A personal data file is an organized set of personal data according to a certain criterion, regardless of its form of treatment (automated or manual). For example, a human resources file -where all the personal information relating to the entity's workers is collected- can be found in manual or computerized format.
The new community regulations focus their attention not on the data files but on the processing carried out with the personal data included in said files. Hence, it focuses on the processing of the data and not on the support in which they are included, without this denying the existence of said elements. Our new LOPDGDD is in this same line, although here there is a fundamental change in the Spanish regulations. The new organic law, like the community law, focuses on what data processing is and not on its support or on the form of organization of the same, automated or manual. That is, the new LOPDGDD does not differentiate public files from private files, although the RLOPD continues to maintain the definition of said files and their distinction.
The RGPD has eliminated the obligation of those responsible for data processing to register or notify files. Now, on them falls the obligation that they keep a record of activities or treatments carried out.
Affected or interested party (art. 4.1 RGPD and art. 5.1.a) RLOPD)
It is the owner of the personal data, that is, the subject to whom the personal data refers. As we have previously pointed out, it must be a natural person, identified or identifiable. In the case of minors or people with disabilities, the processing of their personal data will be subject to specific conditions, specifically in relation to the provision of their consent.
Consent (art. 4.11 RGPD and 5.1.d) RLOPD)
Consent is any manifestation of free, unequivocal, specific and informed will, through which the interested party consents to the processing of personal data that concerns him. It must consist of a declaration or clear affirmative action, that is, express consent is currently required, and tacit consent is not valid in any case.
The general rule to be able to process data will be to have the informed consent of its owner.
Responsible for the file or data processing (art. 4.7 RGPD and art. 5.1.q) RLOPD)
The person in charge is the natural or legal person, public or private, who decides the purpose for which the personal data will be collected and processed, as well as the means for said treatment. In the case of the University of Alcalá, the person responsible for the processing carried out in and by the institution is the General Secretariat.
Person in charge of the treatment (art. 4.8 RGPD and art. 5.1.i) RLOPD)
The person in charge is the person, natural or legal, public or private, who works on behalf of the Responsible. Between the Manager and the Responsible there must be a confidentiality contract for the use of personal data (provided for both in art. 28 RGPD and in arts. 28 and 33 LOPDGDD).
The figure of the Person in Charge falls, par excellence, on the agencies, consultancies or IT companies, which work on behalf of the Person in Charge and who will only do with the personal data that the Person in Charge passes them, what the latter indicates in the aforementioned contract. As a general rule, the Processor is usually a person external to the entity responsible for the treatment who is entrusted with data processing that the person in charge does not want or cannot do personally with its employees, who are considered as mere users of the information. .
Users (art. 5.2.p) RLOPD)
Users are the staff or employees at the service of the person responsible for the file or in charge of the treatment, who have access to personal data as a result of the work entrusted.
Control authorities (art. 4.21 RGPD)
They are the independent public authorities in charge of protecting the right to personal data protection. They are also called Data Protection Authorities.
In Spain, the fundamental right to the protection of personal data enjoys, like any other fundamental right, the specific guarantees thereof, but it also has specific protection, such as this type of Control Authorities, which in Spain is the Agency Spanish Data Protection Agency (AEPD) and its regional counterparts, which today are only the Agencies created in the Autonomous Communities of Catalonia and the Basque Country.
The holders of the right to the protection of personal data may go to the Personal Data Protection Agencies or Control Authorities when they consider that their right or any of the powers that comprise it have been violated.
bottom of page