Register of Treatment Activities

Article 30 of the General Data Protection Regulation establishes that each controller shall keep a record of the processing activities carried out under its responsibility. Such register shall contain all of the following information:

1. The name and contact details of the controller and, where applicable, the joint controller, the representative of the controller, and the data protection officer.
2. The purposes of the processing.
3. Legal basis for processing.
4. A description of the categories of data subjects and the categories of personal data.
5. Categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations.
6. Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards.
7. Where possible, the deadlines for the deletion of the different categories of data.
8. Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

This register, in accordance with article 31.2 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, must be made public by electronic means. To comply with this mandate, the Consortium’s Register of Processing Activities is published.

Register of Treatment Activities