1. Identity of the Data Controller
The TURISME DE BARCELONA CONSORTIUM is the DATA CONTROLLER responsible for the processing of the USER'S personal data and informs the USER that such data will be processed in accordance with the provisions of Regulation (EU) 2016/679 of 27 April (GDPR) and Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
The Data Controller may be contacted at the following email address: barcelonaturismedpo@herrero.es
Claims and complaints should be directed to the Owner's registered address.
2. Purposes of processing
a) Handling and answering inquiries, information requests and communications submitted by the data subject.
Purpose of processing: To handle, process and respond to inquiries, information requests, incidents, or any other communications submitted by the data subject through the channels provided by the Data Controller.
Types of data processed: Identifiable data, contact details, email address, telephone number, the Content of the inquiry or communication submitted by the data subject, and any other information voluntarily provided through forms, email, chat, telephone, or other channels made available by the Data Controller.
Retention period: Data will be retained for as long as it is necessary to process and respond to the data subject’s request. Where required for the establishment, exercise, or defence of legal claims, the information will remain restricted for the legally established retention periods.
Legal basis: The Data Controller’s legitimate interest in dealing with the requests received and, in those cases where applicable, the data subject’s consent, provided through the voluntary submission of an inquiry or communication.
b) Handling orders, product purchases and the provision of services.
Purpose of processing: To process orders, handle the purchase of products and/or services, process payments, deal with issues arising from the contractual relationship, provide User support, and comply with the legal, tax and administrative obligations arising from the commercial relationship.
Types of data processed: Identifying details, contact details, postal and billing information, financial and transaction data, payment information, purchase and booking history, records of incidents or issues, data required for the provision of the service, and any other information strictly necessary for the fulfilment of the contractual relationship.
Retention period: Data will be processed for as long as the contractual relationship between the parties remains in effect. Upon termination of the contractual relationship, the data may be retained in a restricted form for the periods required under applicable tax, commercial, contractual and legal liability laws.
Legal basis: Fulfilment of the contractual relationship and compliance with applicable legal obligations.
c) Sending marketing communications and newsletter.
Purpose of processing: To send the data subject marketing communications, promotions, news, event updates and information about the Data Controller’s products, services, activities and Content that may be of interest, by electronic or other means.
Types of data processed: Identifying details, contact details, email address, marketing preferences, language, country of residence, records of interactions with communications sent, and browsing data associated with marketing campaigns, where applicable.
Retention period: Data will be retained until the data subject withdraws consent or opts out of marketing communications. Thereafter, the data may be retained in a restricted form for the periods required by law to address any potential legal claims.
Legal basis: Explicit consent of the data subject.
d) Managing the private “My Barcelona” section of the website
Purpose of processing: To handle the registration and maintenance of the User account, provide access to the private “My Barcelona” section of the website which requires a login, personalise the User experience, manage profile-related features, bookings, preferences, activity history and other services associated with the Customer’s or User’s account.
Types of data processed: Identifying details, contact details, login credentials, User preferences, activity history as well as unique technical device identifiers, including advertising identifiers, IDFA, AAID, IMEI, IP address, operating system, version of the application, and other technical data necessary to ensure the proper functioning, security, and personalisation of the APP and related services.
Retention period: Data will be processed for as long as the contractual relationship remains in place, or the User account remains active. Thereafter, the data may be retained in a restricted form for the periods required under applicable contractual, tax and legal liability obligations.
Legal basis: Fulfilment of the contractual relationship and provision of the services requested by the User.
e) Handling the publication of comments, reviews and feedback on the Website or APP.
Purpose of processing: To handle the publication and moderation of comments, ratings, reviews, feedback and other User-generated Content on the Website/APP or associated platforms, and to improve service quality and the User experience.
Types of data processed: Identifying details, contact details, the User’s name or alias, profile picture (where applicable), the Content of comments, feedback, reviews, or ratings submitted by the User, as well as technical data associated with the publication of such Content, including IP address, date and time of publication, and platform usage data.
Retention period: Data will be retained until the data subject requests the removal of the published Content or withdraws their consent. Thereafter, the information may be retained in a restricted form for the periods required by law.
Legal basis: The data subject’s consent, provided through the voluntary publication of comments, feedback or reviews.
f) Handling the data subject’s Customer or User account subscription and providing access to Customer/User services and features
Purpose of processing: To manage the subscription and maintenance of Customer and User accounts, verify the User’s identity, allow access to services, features and personalised Content, and ensure the proper functioning and security of the platform.
Types of data processed: Identifying details, contact details, login credentials, User preferences, activity history, bookings, services purchased, data associated with the User profile, as well as unique technical device identifiers, including advertising identifiers, IDFA, AAID, IMEI, IP address, operating system, version of the application, and other technical data necessary to ensure the proper functioning, security, and personalisation of the APP and related services.
Retention period: The data will be retained for as long as the contractual relationship is in place or the account remains active, or until the data subject requests its deletion. Thereafter, the data may be retained in a restricted form for the periods required by law.
Legal basis: Fulfilment of the contractual relationship and the data subject’s consent for the creation and management of the User account.
g) Geolocation.
Purpose of processing: To manage location-based features, including the provision of personalised services, tips about nearby Content or services, the location of tourist attractions, information offices, shops, bars and restaurants, enhancement of the browsing experience, prevention of unauthorised, improper, or fraudulent use, and, where applicable, service-related operational monitoring.
Types of data processed: Geolocation data obtained through GPS, IP address, wireless networks, Bluetooth, or other geolocation technologies integrated into the device being used by the data subject.
Retention period: Geolocation data will be retained until the data subject withdraws consent and for as long as the contractual relationship remains in place or is necessary for the provision of the requested services. Thereafter, the data may be retained in a restricted form for the periods required by law to address any potential legal claims.
Legal basis: The data subject’s express consent given through the voluntary activation of geolocation services or by granting the relevant permissions on the device or application.
h) Image processing. For operational, identifying, corporate purposes, or purposes related to the provision of the contracted services.
Purpose of processing: To capture, use and process images and/or videos of the data subject for operational, identifying, corporate, or other purposes related to the provision of the contracted services, including, where applicable and subject to the data subject’s consent, their possible publication on User profiles, internal platforms, websites, social media channels, and other corporate media or communication materials.
Types of data processed: Images, voice recordings, and other identifying data taken from photographs, audio recordings, video recordings, or live-streamed Content, regardless of the medium or format used.
Retention period: The data will be retained until the User withdraws consent and for as long as the contractual relationship remains in effect or the purpose for which the data was collected continues to apply. Thereafter, the data may be retained in a restricted form for the periods required by law to address any potential legal claims.
Legal basis: Express consent of the data subject.
i) Push notifications
Purpose of processing: To send push notifications about application updates, new features, alerts, relevant Content, promotional offers, events, operational issues and other communications related to the services provided by the Data Controller.
Types of data processed: Unique device identifiers, push notification tokens, and other data necessary to ensure the delivery and receipt of push notifications. This may include identifying data, contact details, access credentials, User preferences, activity history, and unique technical device identifiers, including advertising identifiers, IDFA, AAID, IMEI, IP address, operating system, version of the application, and other technical data necessary to ensure the proper functioning, security, and personalisation of the APP and related services.
Retention period: The data will be processed for as long as push notifications remain enabled on the User’s device and until the User withdraws their consent. Thereafter, the data may be retained in a restricted form for the periods required by law.
Legal basis for processing: The data subject’s express consent given through the voluntary activation of push notifications on their device. The User may withdraw such consent at any time by disabling push notifications through their device settings.
j) Access to the camera and photo gallery on the device
Purpose of processing: To enable future features of the APP and the “My Barcelona” section, for which a User account is needed, which allow Users to capture, upload, store and manage images and audiovisual Content, including profile pictures, posts, comments, incident reports and other features that require access to the device’s camera or photo gallery.
Types of data processed: Images, videos and other audiovisual Content that the User chooses to upload or capture through the device's camera or photo gallery.
Retention period: The data will be retained for as long as the contractual relationship remains in place or until the User requests its deletion or withdraws the consent provided. Thereafter, the data may be retained in a restricted form for the periods required by law.
Legal basis: The data subject’s explicit consent, granted through the authorisation of access to the camera or photo gallery on the device and the voluntary upload of audiovisual Content.
3. Recipients of your data
The Data Controller engages third-party data processors to support the provision of its services. Except for these entities, your personal data will not be disclosed to any other third parties. Should it become necessary to disclose your data to additional third parties, you will be informed in advance and, where required, your consent will be obtained. The purposes of the disclosure and the identity of the third party receiving the data will also be specified.
The foregoing does not apply where disclosure of personal data is required by law.
The Data Controller has put in place security guidelines and protocols governing the processing of your personal data. They guarantee that it will not be used for any purposes other than those for which it was collected, or disclosed to third parties, other than those you have been notified about or authorised.
Certain technology service providers engaged by the Data Controller may be located outside the European Economic Area (EEA), which could involve the international transfer of personal data. In such cases, the Data Controller will implement the safeguards required under applicable data protection laws, including the execution of Standard Contractual Clauses approved by the European Commission, or other valid transfer mechanisms.
4. Rights
Individuals who provide us with their personal data have the following rights in relation to the processing of such data:
a. Right of access
b. Right to rectification or erasure
c. Right to restriction of processing
d. Right to data portability
e. Right to object
a. Right of access: Any individual has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed and, where that is the case, to access such personal data.
b. Right to rectification or erasure: This is the right to obtain the rectification or erasure of personal data concerning you that is in our possession.
c. Right to restriction of processing: This is the right to require that the processing activities carried out in relation to the use of your personal data be restricted where one of the following conditions applies:
i. Where you have exercised your right to rectification or your right to object, and the Data Controller is in the process of determining whether the request should be granted.
ii. Where the processing of your personal data is unlawful – which would require the erasure of the data – but you do not wish your personal data to be erased by the Data Controller.
iii. Where the data is no longer necessary for the purposes of the processing, which would imply the erasure of the data, but you wish the Data Controller to restrict its processing and retain the data in order to establish, exercise, or defend legal claims.
d. Right to data portability: This is the right to obtain from the Data Controller, where your personal data is processed by automated means, a copy of such data in a structured, commonly used and machine-readable format, or to have that copy transferred directly to another Data Controller designated by you. Please note that this right does not apply in the following circumstances:
i. Personal data relating to third parties that you have given to the Data Controller.
ii. Personal data concerning you that has been sent to the Data Controller by third parties.
e. Right to object: This is the right to object to the processing of your personal data. With regard to the processing carried out by the Data Controller, you may object to the sending of commercial communications, whether from the Data Controller or from third parties.
If you would like more information about your data protection rights, we recommend you visit the website of the Spanish Data Protection Agency (AEPD) and read the General Data Protection Regulation (GDPR).
You may exercise these rights by sending an email to barcelonaturismedpo@herrero.es, clearly stating the right you wish to exercise and providing a copy of a valid identity document as proof of identity. You may also submit your request by post to the Data Controller’s registered office address given in Section 1 of this Privacy Policy.
You also have the right to lodge a complaint with the competent supervisory authority, which, in this case, is the Spanish Data Protection Agency (AEPD), particularly if you are dissatisfied with the outcome of your request to exercise your data protection rights. You can contact the AEPD by telephone on +34 901 100 099 or +34 912 663 517, or contact them at C/ Jorge Juan, 6, 28001 Madrid, Spain.
5. Security measures
The Data Controller guarantees the User that the processing carried out complies with all the provisions of the aforementioned data protection regulations, GDPR and the LOPDGDD, and that the data are processed lawfully, fairly and transparently in relation to the data subject, and are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Furthermore, the Data Controller guarantees that it has implemented the appropriate technical and organisational policies to apply the security measures required by the GDPR and the LOPDGDD in order to protect the rights and freedoms of USERS, and has provided them with the necessary information so that they can exercise those rights.
Session persistence and device security:
In order to enhance the User experience and provide faster access to the features of the APP and the section of the website, “My Barcelona”, which requires a User account, the User’s session may stay logged in on the device unless the User signs out.
The User shall be responsible for ensuring the security and safekeeping of their device, as well as for keeping appropriate security measures enabled (such as passwords, biometric authentication or equivalent systems), particularly in the event of loss, theft or access by unauthorised third parties.
The Data Controller shall not be held liable for any unauthorised access to the User's account resulting from the User's failure to exercise due care in protecting or safeguarding their device.
6. Source and accuracy of data
All the data collected is directly obtained from the data subject. By agreeing to this Privacy Policy, the User declares and undertakes that the data provided is true and accurate and that they are the lawful owner of such data.
Furthermore, the User undertakes to ensure their personal data is up to date at all times and to promptly notify the Data Controller of any material changes, such as a change in the name of the holder of their bank account or a change to the email address provided through the relevant forms available on the website.
In this regard, the User shall be solely responsible for any failure to comply with the foregoing obligations and shall hold the Data Controller harmless from any liability in relation to data that the User has failed to notify them about in advance.