Data Protection
Purpose and Scope
Purpose: This Data Protection Policy outlines how the Regenera4MED project ensures compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and related data protection regulations. It sets out the procedures for processing, storing, and protecting personal data collected in the course of the project.
Scope: This policy applies to all project partners, subcontractors, stakeholders, and third parties involved in the Regenera4MED project who have access to or process personal data. Partners should ensure that all data protection requirements are respected.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, whether or not by automated means.
- Data Subject: A natural person whose personal data is processed.
- Data Controller: The entity that determines the purposes and means of processing personal data.
- Data Processor: The entity that processes personal data on behalf of the controller.
Roles and Responsibilities
- Lead Partner (Catalan Tourism Board) acts as the primary Data Controller and has appointed a DPO for the role.
- Each project partner is responsible for ensuring that data processing activities under their responsibility comply with GDPR.
- A Data Protection Contact Point is designated in each partner organisation.
Principles, Legal Basis and Rights
Principles for Processing Personal Data: All data processing activities will follow these principles: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality; Accountability.
Legal Basis for Processing: The processing of personal data within Regenera4MED is based on: (1) Fulfilment of contractual obligations under the Interreg Euro-MED Programme; (2) Legal obligations imposed by EU regulations; and (3) Consent from data subjects, when required (e.g. for newsletter subscriptions, photographs).
Data Subject Rights: Data subjects have the right to: Access their personal data; Rectify inaccuracies; Erase data (‘right to be forgotten’); Restrict or object to processing; Data portability; Withdraw consent (where applicable); Lodge a complaint with a supervisory authority.
Data Security
Measures: Each partner commits to: (1) Secure IT systems with encryption, firewalls, and password protection; (2) Regular data backups; (3) Role-based access control; (4) Anonymisation or pseudonymisation where feasible; and (5) Staff training on data protection principles.
Transfers: Any data transfers outside the EU/EEA will only occur under appropriate safeguards, such as EU Standard Contractual Clauses or adequacy decisions.
Retention: Personal data will be retained only as long as necessary for project implementation and up to five years after project closure, in line with the Programme’s audit and evaluation requirements.
Breach Notification: In case of a data breach: (1) The affected partner must notify the Lead Partner within 24 hours; (2) The Lead Partner will assess and report to the relevant Data Protection Authority within 72 hours, if required; (3) Data subjects will be informed when the breach poses a high risk to their rights and freedoms.
Where high-risk processing is identified (e.g. large-scale collection of sensitive data), a DPIA will be conducted in consultation with the relevant supervisory authority.