Privacy Policy
and Record of Processing Activities

At BOS, we are committed to protecting the privacy and correct use of the personal data that we process and that you submit. This policy describes how we process that data and the rights of the users regarding their personal data, both online and at the www.bilbaorkestra.eus website and, as applicable, any of its sub-domains, micro-sites, and when you provide that data offline for us to provide you with services.

 

Given our status as a public sector foundation and pursuant to Article 30 of the General Data Protection Regulation (GDPR – EU Regulation, 2016/679) and Article 31 of the Personal Data Protection and Guarantee of Digital Rights Act 3/2018, we hereby publish our Record of Processing Activities where you will find detailed information on the processing of personal data by BOS.

 

1.- Your consent

Please read this policy carefully and make sure that you understand it and agree with it before accessing or using any of our services or providing us with your personal data and, if you do not agree with it, do not use this website or its service or provide us with your data. The fact of accessing this website, using any of its services or providing us with your data, either online or offline, will be taken as a clear affirmative action authorising us (when that is necessary) to process your data for the purposes indicated below.

2.- Who is the Data Protection Officer?

The duties and post of the Data Protection Officer are assumed by the Head of the Legal Advice, Information and Data Protection Section, answering to the Corporate and Digital Strategy Office or, failing that, the administrative unit responsible for data protection and information security.

The creation, appointment and regulation of the Data Protection Officer of Bizkaia Provincial Council and Provincial Entities of the public sector was approved by means of the Governing Council Agreement on 15 May 2018. The appointment was published in the Bizkaia Official Gazette Issue 99 of 24 May 2018 and was officially notified to the Basque Data Protection Agency (AVPD).

You can contact the Data Protection Officer through the Legal Advice, Information and Data Protection Section at the following postal address: Gran Vía 25-48009 Bilbao.

3.- Who is responsible for processing your data?

Fundación Juan Crisóstomo de Arriaga-Orquesta Sinfónica de Bilbao (BOS)

Postal address: Abandoibarra etorbidea, 4 – 48011 Bilbao

Email: bos@bilbaorkestra.eus

4.- How did we obtain your details?

If you are already a season ticket holder or have attended any of our events, you have provided them, either offline or online, when requesting our services in order to be able to maintain the contractual relationships with you, or they may come from third parties who have decided to sign up to BOS.

If you have provided your data through this website, we collect information, for example, when you access the website, fill in any form with personal details, when your shop at our store, or when you directly contact us by email.

We can process and record those uses, sessions and related information, either independently or with the help of third-party services, even by means of using “cookies” and other monitoring technologies.

When you voluntarily enter your personal data, you guarantee that you are authorised to provide this information and that the information is accurate, true, exact and current, that it is not confidential, that you are not breaching any contractual restriction or third-party rights and you undertake not to impersonate other Users by using their registration data to other services and/or contents of the website.

You are responsible for keeping your data correct and up-to-date and BOS shall not be held liable if you fail to do so.

4.1.- Third-party data.

As regards the data of other persons, you must respect their privacy and take special care when publishing their personal data. Please note, as a user, you can only provide and agree to the processing of your personal data, but not those of third parties, and that if you provide us with third-party data, you are transferring personal data, and it is your responsibility to ensure you have the prior and express authorisation of those third parties to use and provide us with that data, and it is your responsibility to inform them that their data will be included in our files.

The publication of third-party data without their consent may be in breach, in addition to data protection legislation, the right to honour, to personal privacy and the image of third parties, rights whose protection is governed by the Spanish Organic Law 1/1982, of 5 May, on the Civil Protection of the Right to Honour, Personal and Family Privacy and to Self Image.

5.- Why do we process your data?

We can process the data that you provide and that generated during our relationship with you for different purposes, for example:

  • If you are a season-ticket holder and/or have attended our events, to keep in contact, communicate and manage the relationship with you.
  • If you merely use our websites to manage the requests that you make online.
  • In both cases, to conduct opinion and/or satisfaction surveys and send you information about our activities and the partner companies and conduction satisfaction surveys (including commercial communications and advertising pursuant to Article 21 LSSICE 34/2002).
  • If you send us your curriculum data, to contact you and manage the selection processes to fill any vacancies that we conduct, and you therefore accept the rules governing the audition processes and authorise that the lists with the successful/rejected candidates and which contain the outcome of the selection processes and the proceedings with the final result may be published on bilbaorkestra.eus , to facilitate the control and transparency of the selection process.
  • If you are a BOS employee or musician, to manage our employment relationship with you and to comply with our legal obligations as an employer.
  • When you access the BOS premises, we capture your image to control access to the premises.

6.- For how long will we keep your data?

We will keep the personal data that you provided for as long as you do not request they be removed. Even after that request, we will be able to keep them, but limiting their processing, only to meet legal obligations and/or bring or defend claims.

In the case of image capturing for video-surveillance, we will only keep the data for one month from its capture pursuant to Article 22.3 of the Personal Data Protection and Guarantee of Digital Rights Act 3/2018.

7.- What is the legal standing for processing your data?

The legal grounds for our processing your data is different according to the purpose:

Purpose Legitimate Interest
1.      Maintain contact, communicate and manage the relationships with the season holders and people attending the events. The contractual relationship between the parties.
2.      Manage the online requests of the web users. Your consent. Your clear consent is given when you provide us your data online through our website or offline, with that contribution being taken to be a clear affirmative act expressing that consent.
3.      Send you information about our activities and the partner companies and conduction satisfaction surveys (including commercial communications and advertising pursuant to Article 21 LSSICE – Information Society Services and Electronic Commerce Act 34/2002). Legitimate Interest
4.      Manage selection processes Your consent.
5.      Manage human resources The contractual relationship between the parties.

Consent to capture and publish images.

Compliance of legal obligations.

6.      Video-surveillance Public interest (Article 6.1.e GDPR)

Given the appropriate and relevant relationship that you have with us as a season-ticket holder, attendees at events or user of our website, we have a legitimate interest in processing your data in order to, as part of its maintenance and management, Be able to send you information about the activities of the foundation and of associate companies (including commercial communications and advertising pursuant to Article 21 LSSICE 34/2002)   , Conduct satisfaction and/or opinion surveys, Take photos and/or record videos that may be published on the www.bilbaorkestra.eus website, on the profiles that the Foundation has in social media, as well as in YouTube and/or on billboards, in leaflets, programmes and other stationery, in order to promote the event and be part of its photographic/videographic memory.

These purposes are compatible with the initial purpose for which we collect your data (managing the contact and communication with you and maintain the relationship between us), but, in any event, the submission of your data for those purposes, arising from our legitimate interest, is always voluntary and your interests, rights or liberties shall always prevail over our legitimate interest. Therefore, if you ask us no to use your data for that purpose (by sending us an email stating that to bos@bilbaorkestra.eus) we will do so, and may kept the data blocked for the purpose of preparing, making or defending claims. That withdrawal does not condition the processing of your data for the other described purposes.

8.- To which recipients can we disclose your data?

We hereby inform you that the data you provide may be notified to third-party entities to meet purposes directly related to the legitimate functions of assignor and assignee and to the company that is in charge, at any given moment, of managing the payment of tickets and season tickets, for the collection and payment formalities of the tickets/season tickets acquired or the shipment and distribution of them, as well to the entities or authorities to which there is a legal obligation to communicate data.

9.- What security measures do we apply to the data processing?

The security measures implemented are those envisaged in Annex II (Security Measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Framework in the field of Electronic Administration.

10.- What are your rights when you provide us with your data?

Right of access: You can ask us which of your personal data we are processing and even ask us for a copy of them.

Right of rectification: You can request that we rectify any inaccurate personal data or complete any that is incomplete, even by means of a supplementary declaration.

Right of erasure (right to forget): You can ask us to suppress your personal data when: they are not necessary for the purposes for which they were collected, you withdraw your consent, there has been unlawful processing of them or to comply with a legal obligation.

Right to limiting the processing: You can ask us to limit the processing of your data, in which case we will only keep them to make or defend claims.

Right of objection: You can object to how your data is processing if that processing is based on the legitimate interest of the data manager or is for advertising purposes.

To exercise all those rights, you should send us a written and signed request, making sure you attach a copy of you ID, to the postal or electronic address indicated in Section 3 of this privacy policy. Any changes to your details should be sent to the same address and the company shall not be held liable should you fail to do so.

Once any of the above requests have been received, we will reply within 1 month.

You are entitled to make a complaint to the Spanish Data Protection Agency. Further information on the rights you can exercise and to request forms to exercise those rights is available at the Spanish Data Protection Agency website www.aepd.es