Privacy Policy
and Record of Processing Activities

This Privacy Policy provides details on all the information that applies to the use that we make at the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO) Foundation, of the personal data of the people who contact us or who make use of our services.
Furthermore, given our status as a Bizkaia province public sector Foundation and in compliance with the provisions of Article 30 of the EU Regulation, 2016/679 (General Data Protection Regulation, “GDPR”), and 31 of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“ LOPDGDD”), we publish below our record of Processing Activities, through which you can find detailed information on the personal data processing that we carry out.

Basic data protection information

 

1. Who is the Data Processor?

The entity responsible for the Processing of your data is the Juan Crisóstomo de Arriaga Foundation – Bilbao Symphony Orchestra (BSO), a Basque public sector foundation attached to the Department of Basque Language, Culture and Sports and the purpose of which is the management of the Bilbao Symphony Orchestra.

2. Who is the Data Protection Officer?

The duties and position of the Data Protection Officer are carried out by the Head of the Legal Consultancy, Information Security, and Data Protection Section of Bizkaia Provincial Council. The creation, appointment, and regulation of the Data Protection Officer of Bizkaia Provincial Council and public sector Provincial Entities was approved via the government Council Agreement on 15 May 2018. The publication of this appointment was made in the Bizkaia Official Gazette in BOG Number 99 of 24 May 2018, and its official communication to the Basque Data Protection Agency (BDPA) was made.
You may contact the Data Protection Officer by writing to the Legal Consultancy, Information Security, and Data Protection Section at the following postal address:
Gran Vía 2, 6ª planta – 48001 Bilbao (Bizkaia).

3. What are your rights when you provide us with your data?

Data protection regulations grant data subjects a number of rights over their personal data, which we inform you of below. These rights can be exercised directly or through a legal representative or volunteer and are free of charge.
You can exercise your rights by contacting the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO) in writing, together with a photocopy of your ID card or similar identity document, at the following address:
Calle Abandoibarra, 4 – 48011 Bilbao (Bizkaia-Spain) 
Once we have received your request, we will issue a decision. In the event that you do not agree with it, you may address a prior claim to the data protection officer (Head Office of Legal Consultancy, Information Security and Data Protection Section of Bizkaia Provincial Council, Gran Vía 2, 6º – 48001 Bilbao), who will take care of processing your claim within the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO), or before the Spanish Data Protection Agency (www.aepd.es).
The rights held by data subjects are as follows:

  • Right to Access: the right to know whether personal data are processed and all the complete information on said processing, including: personal data, categories, purposes, recipients, storage period, origin, transfers, and communications.
  • Right to Rectification: the right to rectify inaccurate personal data and to complete incomplete data.
  • Right to Erasure: the right to eliminate personal data in these circumstances:
    • Due to the unlawful processing of data.
    • Due to the purpose for which the data were processed or collected no longer being applicable.
    • Due to withdrawal of consent (only if the legal basis of the processing of the data is consent).
    • Due to an objection to processing.
  • Right to Object: you may object to the processing of your personal data when the legitimate basis for the processing is the exercise of official authority or the legitimate interest of the Data Controller.
  • Right to Limitation:  Limitation of the processing of personal data, which includes the aspects of suspension of processing and data retention:
    • The suspension of processing is requested:
      • When the accuracy of personal data is contested, during the period for verifying its accuracy.
      • When the data subject objects to processing, stating personal reasons, while it is verified that the Controller is processing the corresponding data legitimately in the public interest or in the exercise of official authority, and it is determined that this processing by the Controller takes precedence.
    • Retention of the data is requested:
      • When the processing is unlawful and the request is for restriction of use and not erasure.
      • When individuals need the data for the exercise or defence of claims, but at the same time the Controller no longer needs the data for the purposes of the processing.
  • Right to Reject Automated Individual Decision-Making: this right guarantees that the data subject shall not be subject to decisions based solely on the processing of personal data, including profiling, and decisions that have legal effects on the individual. However, this right does not apply:
    • If it is necessary for the conclusion or performance of a contract between the data subject and the data controller;
    • If the legitimate basis of processing is consent.

4. In what circumstances will we disclose your data?

We will not disclose your data to third parties without informing you in advance and without an appropriate legal basis for doing so.
Occasionally, we enter into contracts with companies to provide us with certain services that require access to personal data. We have entered into appropriate data processing agreements with these companies that comply with the provisions of the GDPR and the LOPDGDD. Through these agreements we ensure that these companies process the data to which they have access only to provide us with the contracted service, that they never use it for purposes for which we have not authorised them, and that they will not share personal data with third-party companies and/or administrations. Furthermore, we require them to implement a series of security measures that guarantee the confidentiality and integrity of personal data. We only enter into contracts with companies and entities that give us guarantees that they comply with the data protection provisions in force.
As we will inform you in each case, when certain circumstances arise we are legally obliged to transfer data to different public administrations.
Unless specified otherwise, we do not carry out international data transfers.

5. What security measures do we apply to the processing of data?

The security measures implemented correspond to those described in Annex II (Security measures) of Royal Decree 311/2022, of 3 May, regulating the National Security Framework.


Record of Processing Activities as the Data Processor entity and additional information

Below we include detailed information related to each one of the processing activities that we perform at the Juan Crisóstomo de Arriaga Foundation – Basque National Orchestra (BNO) (hereinafter, BNO), as the Data Processors.

1. Management of season ticket holders and attendees at events 

1.1 For what purpose do we process your personal data?

We process your personal data in order to maintain contact, communication and manage the relationship with season ticket holders and attendees at events.

1.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

1.3 What is the legal basis for processing the data?

We process your data in order to execute a contract (article 6.1.b GDPR).

1.4 What data do we process and how did we obtain it?

The data we process comes from the season ticket holders and attendees at events.
We process the following categories of data:

  • Identification and contact information
  • Social and personal circumstances
  • Goods and services transaction details.
  • Banking and financial assets.

1.5 Who will receive your data?

No data communications take place.

2. Online request management

2.1 For what purpose do we process your personal data?

We process your personal data to manage the online requests by people who use the website.

2.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

2.3 What is the legal basis for processing the data?

We process your data based on the consent of the interested party (art. 6.1.a GDPR).

2.4 What data do we process and how did we obtain it?

The data we process comes from the users of the website.
We process the following categories of data:

  • Identification and contact information

2.5 Who will receive your data?

No data communications take place.

3. Commercial communications and satisfaction surveys

3.1 For what purpose do we process your personal data?

We process your personal data in order to:
• Send out information about our activities and that of the partner companies;
• Carry our satisfaction surveys (including publicity and/or commercial communications).

3.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

3.3 What is the legal basis for processing the data?

The legal basis for the processing of data is the existence of legitimate interests pursued by the data processor (art. 6.1.f GDPR).

3.4 What data do we process and how did we obtain it?

The data we process comes from season ticket holders, attendees at events, visits and users.
We process the following categories of data:

  • Identification data;
  • Social and personal circumstances.

3.5 Who will receive your data?

No data communications take place.

4. Management of selection processes

4.1 For what purpose do we process your personal data?

We process your personal data in order to manage the selection processes.

4.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

4.3 What is the legal basis for processing the data?

We process your data based on the consent of the interested party (art. 6.1.a GDPR)

4.4 What data do we process and how did we obtain it?

The data we process comes from the candidates.
We process the following categories of data:

  • Identification and contact;
  • Academic and professional;
  • Economic-financial;
  • Employment details.

4.5 Who will receive your data?

No data communications take place.

5. Human resource management

5.1 For what purpose do we process your personal data?

We process your personal data for the management of the employment relationships with our employees.

5.2 For how long will we keep the data?

The data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

5.3 What is the legal basis for processing the data?

The legal basis for the processing of data is the consent of the interested person (art. 6.1.a GDPR) for the capture and publication of images; the execution of the employment contract (art. 6.1. b. GDPR) and the fulfilment of legal obligations (art. 6.1. c. GDPR)
The laws that act as the legal basis of the processing of the data are as follows:

  • Royal Legislative Decree 5/2015, of 30 October, approving the revised text of the Law on the Basic Statute of the Public Employee.
  • Law 6/1989, of 6 July, on the Basque Civil Service.
  • Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute Law.
  • Royal Legislative Decree 8/2015, of 30 October, approving the revised text of the General Law on Social Security.
  • Law 31/1995, of 8 November, on the Prevention of Occupational Risks.
  • Provincial Regulation 13/2013, of 5 December, on Personal Income Tax.

5.4 What data do we process and how did we obtain it?

The data we process comes from our employees.
We process the following categories of data:

  • Identification and contact;
  • Academic and professional;
  • Economic-financial;
  • Employment details.

5.5 Who will receive your data?

The data communications listed below have compliance with the legal obligations of the aforementioned laws as their legal basis.
Specifically, we disclose data to the following parties:

  • National Social Security Institute
  • Public Employment Service
  • Provincial Treasury of Bizkaia
  • General Treasury of Social Security;
  •  Public Administrations with competence in tax and social security matters;
  • The financial data of your salary shall be communicated to the financial entity determined for the payment of salaries.
  • If the foundation takes out (either voluntarily, or by virtue of the applicable collective bargaining agreement) insurance for the workers, the necessary data will be communicated to the insurance broker, and insurance entities.
  • Hotels, airline companies and/or travel or vehicle rental agencies with the aim of managing your accommodation bookings, transport tickets or vehicle rentals in the event of journeys paid for by the company.
  • We can communicate the following data to entities that contract the services of the BNO and/or installations to where we send workers, (as well as the Euskalduna Conference Centre): Identification data to manage compliance with labour and social security obligations, and the safety and/or access to the installations to which the worker travels.
    If any of these organisations are located in countries outside the European Economic Area, the communication of your data to companies in those countries involves an INTERNATIONAL TRANSFER OF DATA to states that may not provide guarantees equivalent to European ones regarding the processing of personal data and this may entail a risk for the processing of the data subject’s personal data. Likewise, in these cases data may be communicated to the embassies of the destination countries in order to obtain the visa that will allow access to said country, as well as to the relevant public or private bodies for the performance and management of any immigration formalities.
    These entities may be different and vary over time, but we will endeavour to choose entities either belonging to countries that have a level of protection equivalent to the European one regarding data protection, or that have the appropriate guarantees to achieve that level, or on the basis of one of the exceptions provided for in the GDPR.
    We may also carry out international transfers of data if necessary for: the execution of a contract between the data subject and the data controller; or between the latter and a third party in the interest of the data subject.

6. Video surveillance

6.1 For what purpose do we process your personal data?

We process your personal data to guarantee the security of the facilities.

6.2 For how long will we keep the data?

The data will be kept for a period of one month after its collection (article 22 of Organic Law 3/2018 on the protection of personal data and guarantee of digital rights).

6.3 What is the legal basis for processing the data?

The legal basis for processing the data is to perform a task in the public interest or in the exercise of official authority conferred to the data processor (art.6.1.e GDPR) by the regulation:
• Law 5/2014, of 4 April, on Private Security.

6.4  What data do we process and how did we obtain it?

The data we process comes from the employees, and from all other people who access our facilities.
We process the following categories of data:

  • Identification (image).

6.5  Who will receive your data?

The data communications listed below have compliance with the legal obligations of the aforementioned laws as their legal basis.
Specifically, we disclose data to the following parties:

  • State Security Forces and Corps
  • Judicial bodies

7. Management of contacts at DanonArtean and in the corporate spheres of relationship between Bizkaia Provincial Council and the Provincial Entities

7.1 For what purpose do we process your personal data?

We will process your data for the management of contacts in order to carry out the activities in the different corporate fields of relations between Bizkaia Provincial Council and the Provincial Entities.

7.2 For how long will we keep the data?

They shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.

7.3 What is the legal basis for processing the data?

We process your personal data to comply with the legal obligations (article 6.1.c GDPR) which the following laws impose on us:

  • Law 40/2015 of 1 October, on the Public Sector Legal Framework.
  • Provincial Decree-Law 5/2013 of 3 December, approving the revised text of Provincial Regulation 5/2006, of 29 December, General Budgetary Regulation.
  • Provincial Regulation 3/1987, of 13 February, on the Election, Organisation, Regime and Functioning of the Provincial Institutions of the Historical Territory of Bizkaia.

7.4  What data do we process and how did we obtain it?

The data we process comes from the contact persons of institutions, users and suppliers.
We process the following categories of data:

  • Identification and contact.
  • Employment and training.

      7.5 Who will receive your data?

      The data shall be communicated to Bizkaia Provincial Council.

      8. Compliance: processing of personal data through the presentation and processing (investigation and resolution) of claims and/or consultations

      8.1. For what purpose do we process your personal data?

      We process your personal data for the presentation and processing (investigation and resolution) of claims and/or consultations. In particular, related to breaches of the code of ethics and conduct, the harassment protocol or other protocols or regulations in force.

      8.2. For how long will we keep the data?

      Your data shall be stored for the period of time necessary to fulfil the purpose for which they were collected and to determine the possible liabilities that may derive from said purpose and the processing of data.
      For the investigations with negative results, and for situations of non-admission and filing of claims, the personal data conservation period shall be three months.

      8.3. What is the legal basis for processing the data?

      We process your personal data to comply with the legal obligations (article 6.1.c GDPR) which the following laws impose on us:

      • Organic Law 10/1995 of 23 November on the Criminal Code.
      • Sectoral regulations applicable in each area.

      8.4. What data do we process and how did we obtain it?

      The data we process come from our employees, both claimants/affected people, such as witnesses and respondents.
      We process the following categories of data:

      • Identity and contact details.
      • Social and personal circumstances.
      • Employment details.
      • Related to sentences and criminal offences.

      8.5. Who will receive your data?

      If applicable, the data may be communicated to:

      • The body or authority with competence to investigate and manage the claim.
      • State Security Forces and Corps.
      • Judicial Bodies

      9. Internal information system of the Juan Crisóstomo de Arriaga Foundation – Bilbao Symphony Orchestra regarding infractions and non-compliances

      9.1. Who is the data processor?

      The data processor is the Board of Trustees of the Juan Crisóstomo de Arriaga Foundation – Bilbao Symphony Orchestra as the Administrative Body responsible for the implementation of the system.

      Distribution of functions: Body responsible for the internal information system (ORSII), as the collegiate body responsible for the management of the system, assignment of management, and resolution of data protection rights requests, and drafting allegations against violations of security and/or claims before the Supervisory Authority.

      9.2. For what purpose do we process your personal data?

      We process your personal data for the management of the internal information system of the Juan Crisóstomo de Arriaga Foundation – Bilbao Symphony Orchestra for the communication and investigation of information referring to a serious or very serious criminal or administrative infraction or, if applicable, other non-compliances with regulations or codes of conduct.

      9.3. For how long will we keep the data?

      As a general rule, the processing of personal data must be carried out within a period of 3 months or 6 months depending on the complexity of the procedure in question, for the processing thereof and application of anonymisation or blocking, technical security measures deemed necessary and applicable where given, to guarantee confidentiality and security.
      If an investigation is not started, the personal data will be eliminated within a period of 3 months.
      In no case may data be stored for a period of more than ten years.

      9.4. What is the legal basis for processing the data?

      We process your personal data to comply with the legal obligations (article 6.1.c GDPR) which the following laws impose on us:

      • Law 2/2023, of 20 February, regulatory basis for the protection of individuals that report regulatory breaches and the fight against corruption.
      • Organic Law 3/2018, of 5 December on Personal Data Protection and guaranteed digital rights.
      • Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purpose of preventing, detecting, investigating, and trying criminal offences and executing criminal sanctions.
      • All other applicable sector regulations.

      Special category data: processing is necessary for reasons of essential public interest, on the basis of EU or Member State Law, which must be proportionate to the aim pursued, respect in essence the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the data subject (article 9.2 g GDPR).

      9.5. What data do we process and how did we obtain it?

      The data we process proceeds from the informer, the informer’s Independent Protection Authority, or other external bodies, authorities or persons.
      Where appropriate, we process the following categories of data:

      • Special categories of data in a narrow sense, and in strictly necessary cases.

      9.6. Who will receive your data?

      If applicable, the data may be communicated to:

      • Prosecution Service or European Public Prosecutor, for communicating crimes.
      • Third-party individuals to adopt corrective measures or process sanctioning or criminal procedures, where applicable.
      • Competent Independent Authority or Entity, for information referred to another obligated entity.