Privacy Policy
and Record of Processing Activities

This Privacy Policy provides details on all the information that applies to the use that we make at the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO) Foundation, of the personal data of the people who contact us or who make use of our services.
Furthermore, given our status as a Bizkaia province public sector Foundation and in compliance with the provisions of Article 30 of the EU Regulation, 2016/679 (General Data Protection Regulation, “GDPR”), and 31 of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“ LOPDGDD”), we publish below our record of Processing Activities, through which you can find detailed information on the personal data processing that we carry out.

Basic data protection information

 

1. Who is the Data Controller?

The entity responsible for the Processing of your data is the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO), a Basque public sector foundation attached to the Department of Basque Language, Culture and Sports and the purpose of which is the management of the Basque National Orchestra.

2. Who is the Data Protection Officer?

The duties and position of the Data Protection Officer are carried out by the Head of the Legal Consultancy, Information Security, and Data Protection Section of Bizkaia Provincial Council. The creation, appointment, and regulation of the Data Protection Officer of Bizkaia Provincial Council and public sector Provincial Entities was approved via the government Council Agreement on 15 May 2018. The publication of this appointment was made in the Bizkaia Official Gazette in BOG Number 99 of 24 May 2018, and its official communication to the Basque Data Protection Agency (BDPA) was made.
You may contact the Data Protection Officer by writing to the Legal Consultancy, Information Security, and Data Protection Section at the following postal address:
Gran Vía 2, 6ª planta – 48001 Bilbao (Bizkaia).

3. What are your rights when you provide us with your data?

Data protection regulations grant data subjects a number of rights over their personal data, which we inform you of below. These rights can be exercised directly or through a legal representative or volunteer and are free of charge.
You can exercise your rights by contacting the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO) in writing, together with a photocopy of your ID card or similar identity document, at the following address:
Calle Abandoibarra, 4 – 48011 Bilbao (Bizkaia-Spain) 
Once we have received your request, we will issue a decision. In the event that you do not agree with it, you may address a prior claim to the data protection officer (Head Office of Legal Consultancy, Information Security and Data Protection Section of Bizkaia Provincial Council, Gran Vía 2, 6º – 48001 Bilbao), who will take care of processing your claim within the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO), or before the Spanish Data Protection Agency (www.aepd.es).
The rights held by data subjects are as follows:

  • Right to Access: the right to know whether personal data are processed and all the complete information on said processing, including: personal data, categories, purposes, recipients, storage period, origin, transfers, and communications.
  • Right to Rectification: the right to rectify inaccurate personal data and to complete incomplete data.
  • Right to Erasure: the right to eliminate personal data in these circumstances:
    • Due to the unlawful processing of data.
    • Due to the purpose for which the data were processed or collected no longer being applicable.
    • Due to withdrawal of consent (only if the legal basis of the processing of the data is consent).
    • Due to an objection to processing.
  • Right to Object: you may object to the processing of your personal data when the legitimate basis for the processing is the exercise of official authority or the legitimate interest of the Data Controller.
  • Right to Limitation:  Limitation of the processing of personal data, which includes the aspects of suspension of processing and data retention:
    • The suspension of processing is requested:
      • When the accuracy of personal data is contested, during the period for verifying its accuracy.
      • When the data subject objects to processing, stating personal reasons, while it is verified that the Controller is processing the corresponding data legitimately in the public interest or in the exercise of official authority, and it is determined that this processing by the Controller takes precedence.
    • Retention of the data is requested:
      • When the processing is unlawful and the request is for restriction of use and not erasure.
      • When individuals need the data for the exercise or defence of claims, but at the same time the Controller no longer needs the data for the purposes of the processing.
  • Right to Reject Automated Individual Decision-Making: this right guarantees that the data subject shall not be subject to decisions based solely on the processing of personal data, including profiling, and decisions that have legal effects on the individual. However, this right does not apply:
    • If it is necessary for the conclusion or performance of a contract between the data subject and the data controller;
    • If the legitimate basis of processing is consent.

4. In what circumstances will we disclose your data?

We will not disclose your data to third parties without informing you in advance and without an appropriate legal basis for doing so.
Occasionally, we enter into contracts with companies to provide us with certain services that require access to personal data. We have entered into appropriate data processing agreements with these companies that comply with the provisions of the GDPR and the LOPDGDD. Through these agreements we ensure that these companies process the data to which they have access only to provide us with the contracted service, that they never use it for purposes for which we have not authorised them, and that they will not share personal data with third-party companies and/or administrations. Furthermore, we require them to implement a series of security measures that guarantee the confidentiality and integrity of personal data. We only enter into contracts with companies and entities that give us guarantees that they comply with the data protection provisions in force.
As we will inform you in each case, when certain circumstances arise we are legally obliged to transfer data to different public administrations.
Unless specified otherwise, we do not carry out international data transfers.

5. What security measures do we apply to the processing of data?

The security measures implemented correspond to those described in Annex II (Security measures) of Royal Decree 311/2022, of 3 May, regulating the National Security Framework.


Record of Processing Activities as the Data Processor entity and additional information

Below we include detailed information related to each one of the processing activities that we perform at the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO) (hereinafter, BNO), as the Data Processors.

1. Management of season ticket holders and attendees at events 

1.1 For what purpose do we process your personal data?

We process your personal data in order to maintain contact, communication and manage the relationship with season ticket holders and attendees at events.

1.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

1.3 What is the legal basis for processing the data?

We process your data in order to execute a contract (article 6.1.b GDPR).

1.4 What data do we process and how did we obtain it?

The data we process comes from the season ticket holders and attendees at events.
We process the following categories of data:

  • Identification and contact information
  • Social and personal circumstances
  • Goods and services transaction details.
  • Banking and financial assets.

1.5 Who will receive your data?

No data communications take place.

2. Online request management

2.1 For what purpose do we process your personal data?

We process your personal data to manage the online requests by people who use the website.

2.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

2.3 What is the legal basis for processing the data?

We process your data based on the consent of the interested party (art. 6.1.a GDPR).

2.4 What data do we process and how did we obtain it?

The data we process comes from the users of the website.
We process the following categories of data:

  • Identification and contact information

2.5 Who will receive your data?

No data communications take place.

3. Commercial communications and satisfaction surveys

3.1 For what purpose do we process your personal data?

We process your personal data in order to:
• Send out information about our activities and that of the partner companies;
• Carry our satisfaction surveys (including publicity and/or commercial communications).

3.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

3.3 What is the legal basis for processing the data?

The legal basis for the processing of data is the existence of legitimate interests pursued by the data processor (art. 6.1.f GDPR).

3.4 What data do we process and how did we obtain it?

The data we process comes from season ticket holders, attendees at events, visits and users.
We process the following categories of data:

  • Identification data;
  • Social and personal circumstances.

3.5 Who will receive your data?

No data communications take place.

4. Management of selection processes

4.1 For what purpose do we process your personal data?

We process your personal data in order to manage the selection processes.

4.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

4.3 What is the legal basis for processing the data?

We process your data based on the consent of the interested party (art. 6.1.a GDPR)

4.4 What data do we process and how did we obtain it?

The data we process comes from the candidates.
We process the following categories of data:

  • Identification and contact;
  • Academic and professional;
  • Economic-financial;
  • Employment details.

4.5 Who will receive your data?

No data communications take place.

5. Human resource management

5.1 For what purpose do we process your personal data?

We process your personal data for the management of the employment relationships with our employees.

5.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

5.3 What is the legal basis for processing the data?

The legal basis for the processing of data is the consent of the interested person (art. 6.1.a GDPR) for the capture and publication of images; the execution of the employment contract (art. 6.1. b. GDPR) and the fulfilment of legal obligations (art. 6.1. c. GDPR)
The laws that act as the legal basis of the processing of the data are as follows:

  • Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Law on the Basic Statute of the Public Employee.
  • Law 6/1989, of 6 July, on the Basque Civil Service.
  • Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute Law.
  • Royal Legislative Decree 8/2015, of 30 October, approving the revised text of the General Law on Social Security.
  • Law 31/1995, of 8 November, on the Prevention of Occupational Risks.
  • Provincial Regulation 13/2013, of 5 December, on Personal Income Tax.

5.4 What data do we process and how did we obtain it?

The data we process comes from our employees.
We process the following categories of data:

  • Identification and contact;
  • Academic and professional;
  • Economic-financial;
  • Employment details.

5.5 Who will receive your data?

The data communications listed below have compliance with the legal obligations of the aforementioned laws as their legal basis.
Specifically, we disclose data to the following parties:

  • National Social Security Institute
  • Public Employment Service
  • Provincial Treasury of Bizkaia
  • General Treasury of Social Security;
  •  Public Administrations with competence in tax and social security matters;
  • Insurance companies.

6. Video surveillance

6.1 For what purpose do we process your personal data?

We process your personal data to guarantee the security of the facilities.

6.2 For how long will we keep the data?

The data will be kept for a period of one month after its collection (article 22 of Organic Law 3/2018 on the protection of personal data and guarantee of digital rights).

6.3 What is the legal basis for processing the data?

The legal basis for processing the data is to perform a task in the public interest or in the exercise of official authority conferred to the data processor (art.6.1.e GDPR) by the regulation:
• Law 5/2014, of 4 April, on Private Security.

6.4  What data do we process and how did we obtain it?

The data we process comes from the employees, and from all other people who access our facilities.
We process the following categories of data:

  • Identification (image).

6.5  Who will receive your data?

The data communications listed below have compliance with the legal obligations of the aforementioned laws as their legal basis.
Specifically, we disclose data to the following parties:

  • State Security Forces and Corps
  • Judicial bodies

7. Management of contacts at DanonArtean and in the corporate spheres of relationship between Bizkaia Provincial Council and the Provincial Entities

7.1 For what purpose do we process your personal data?

We will process your data for the management of contacts in order to carry out the activities in the different corporate fields of relations between Bizkaia Provincial Council and the Provincial Entities.

7.2 For how long will we keep the data?

They shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

7.3 What is the legal basis for processing the data?

We process your personal data to comply with the legal obligations (article 6.1.c GDPR) which the following laws impose on us:

  • Law 40/2015 of 1 October, on the Public Sector Legal Framework.
  • Provincial Decree-Law 5/2013 of 3 December, approving the revised text of Provincial Regulation 5/2006, of 29 December, General Budgetary Regulation.
  • Provincial Regulation 3/1987, of 13 February, on the Election, Organisation, Regime and Functioning of the Provincial Institutions of the Historical Territory of Bizkaia.

7.4  What data do we process and how did we obtain it?

The data we process comes from the contact persons of institutions, users and suppliers.
We process the following categories of data:

  • Identification and contact.
  • Employment and training.