Record of processing activities

  • Designation: IMDEA WATER FOUNDATION
  • Address: Avenida Punto Com, nº 2 – Parque Científico Tecnológico de la Universidad de Alcalá – Alcalá de Henares. 28805 Madrid
  • Tax ID Number: G84912732
  • Telephone: 91 830 59 62
  • Email Data Protection Officer: datos.agua@imdea.org

 

Human resources management

Legal basis

  • GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Royal Legislative Decree 2/2015, of 23 October, approving the consolidated text of the Ley del Estatuto de los Trabajadores [Workers' Statute Law].

Purpose of processing

  • Management of employee payrolls and associated products, as well as tax withholdings, social insurance, absenteeism control, human resources management, occupational risk prevention, training and performance evaluation.

Collectives

  • Hired personnel.

Data categories

  • Name and surname, national ID, social security/mutuality number, address, signature, photo, telephone number.
  • Special data categories: health data (sick leave, accidents at work and degree of disability), proof of absence.
  • Personal details: date and place of birth, marital status, sex, age, nationality.
  • Social circumstances: Start date of sick leave and date of return to normal work activities, permits and authorisations.
  • Academic details and training courses (accreditation through recognised qualifications and certificates).
  • Attendance control data: date/time of entry and exit, cause of absence.
  • Economic and financial data: salary and bank details.
  • Data related to the job position (category, function, seniority, salary, worker's record).

Recipient categories

  • Tesorería General de la Seguridad Social [Social Security General Treasury].
  • Agencia Estatal de Administración Tributaria [National Tax Administration Agency].
  • Servicio Público de Empleo Estatal [State Employment Service].
  • Bank entities.
  • General Directorate of Research and Innovation of the Ministry of Education and Research of the Community of Madrid.
  • Cámara de Cuentas [Chamber of Accounts] and Consejería de Hacienda [Treasury Department] of the Community of Madrid.
  • National or international public and private subsidising entities, for the purpose of justifying expenditure or contracting.
  • Work accident mutual insurance company.
  • Insurance companies.
  • External Prevention Service.
  • Companies providing transport or accommodation services.
  • Entities organising conferences or seminars.
  • Spanish Patent and Trademark Office and/or European Patent Office.
  • Publication of professional contact details, including photo, on IMDEA WATER website.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing.
  • Employment data will be kept in accordance with the provisions of Royal Legislative Decree 5/2000, of 4 August, approving the consolidated text of the Ley sobre Infracciones y Sanciones en el Orden Social [Law on Infractions and Sanctions in the Social Order]. Those related to risk prevention, in accordance with Law 31/1995, of 8 November, on the Prevention of Risks at Work.
  • Financial data will be kept under the provisions of the General Tax Law 58/2003, of 17 December, and General Subsidies Law 38/2003, of 17 November.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Personnel selection

Legal basis

  • GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • GDPR: 6.1.a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Purpose of processing

  • Management of the curricula received, in order to assess their profile to fill vacancies in administration or research.

Collectives

  • Candidates for the vacancies offered.

Data categories

  • Identifying details: name and surnames, national ID, address, telephone number, email address, signature.
  • Personal details: sex, age.
  • Social circumstances: driving licence.
  • Academic details and training courses.
  • Previous professional experience.

Recipient categories

  • No disclosure of data is anticipated.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing. The deciding factor will be the period during which the process can be audited by the body subsidising the project referring to the vacancy subject of the candidate’s application.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Management of student curricular internship and research stays

Legal basis

  • GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Purpose of processing

  • Management and monitoring of the curricular internships of students at IMDEA WATER, as well as research stays, by virtue of agreements signed with universities and centres of origin.

Collectives

  • Students in curricular internships.

Data categories

  • Name and surnames, national ID, address, telephone number, email address, signature.
  • Academic details and training courses.

Recipient categories

  • Transfer of assessment of internship to the training centre with which the internship agreement has been signed.

International transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to comply with the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing; in all cases, they will be kept for a period of three years from completion of the internship.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Participation of in-house or external researchers and collaborators in projects and research networks

Legal basis

  • GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

Purpose of processing

  • Management of the data required for the signing of agreements for creation of research groups and concession of grants and funding from official bodies.

Collectives

  • In-house researchers and associates.

Data categories

  • Name and surnames, national ID, signature, photo.

  • Academic details and training courses.

  • Previous professional experience.

Recipient categories

  • General Directorate of Research and Innovation of the Ministry of Education and Research of the Community of Madrid.

  • National and EU bodies subsidising IMDEA WATER activities.

  • Cámara de Cuentas [Chamber of Accounts] and Consejería de Hacienda [Treasury Department] of the Community of Madrid.

  • Spanish Patent and Trademark Office and/or European Patent Office.

  • Publication of professional contact details, including photo, on IMDEA WATER website.

International transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing.

  • The data related to projects will be kept under the provisions of the General Subsidies Law 38/2003, of 17 November.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Supplier management

Legal basis

  • GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Article 6.1.f) of the GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller.

  • The legitimate interest of the Foundation in maintaining the relationship with its suppliers through contact persons or representatives, of whom only professional or identifying contact details are processed.

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.

Purpose of processing

  • Commercial management of suppliers, offers, orders, invoices, payments, tax information for Inland Revenue and statistics.

Collectives

  • Businessmen and professionals, company contact persons and legal representatives.

Data categories

  • Name and surnames, national ID, address, telephone number, email address, signature.

  • Bank current account details for the payment of the products and services contracted.

  • Data related to the position held by the contact person of a company.

  • Information related to business.

  • Data related to goods and services transactions (contracts, proposals, orders, invoices).

Recipient categories

  • Agencia Estatal de Administración Tributaria [National Tax Administration Agency].

  • Bank entities.

  • General Directorate of Research and Innovation of the Ministry of Education and Research of the Community of Madrid.

  • Public entities financing national and European projects.

  • Publication of contracting data in the Public Contracting Portal of the Community of Madrid.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing.

  • Financial data will be kept under the provisions of the General Tax Law 58/2003, of 17 December, and General Subsidies Law 38/2003, of 17 November.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Customer management

Legal basis

  • GDPR: 6.1.b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Article 6.1.f) of the GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller.

  • The legitimate interest of the Foundation in maintaining the relationship with its clients through contact persons or representatives, of whom only professional or identifying contact details are processed.

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.

Purpose of processing

  • Commercial management of clients, offers, proposals, issuance of invoices, management of collections, tax information for Inland Revenue and statistics.

Collectives

  • Businessmen and professionals, company contact persons and legal representatives.

Data categories

  • Name and surnames, national ID, address, telephone number, email address, signature.

  • Bank current account details for collection in the event of issuance of receipts.

  • Data related to the position held by the contact person of a company.

  • Information related to business.

  • Data related to goods and services transactions (contracts, proposals, offers, invoices).

Recipient categories

  • Agencia Estatal de Administración Tributaria [National Tax Administration Agency].

  • Bank entities.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing.

  • Financial data will be kept under the provisions of the General Tax Law 58/2003, of 17 December.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Management of participation of the board members and scientific council in the governing and representative bodies of the Foundation

Legal basis

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Ley de Fundaciones de la Comunidad de Madrid 1/1998, of 2 March [Community of Madrid Law on Foundations].

  • Article 6.1.f) of the GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller.

  • The legitimate interest of the Foundation in encouraging the participation of the members of the Foundation's bodies and ensuring transparency following the acceptance of the position.

Purpose of processing

  • Managing the data of Foundation members regarding the functions associated with their position and payments arising from their exercise or collaborations.

Collectives

  • Members of the Foundation governing and representative bodies.

Data categories

  • Name and surname, national ID, passport number, signature, photo.

  • Personal details: sex, age.

  • Job position and professional career details.

  • Bank current account details.

Recipient categories

  • Agencia Estatal de Administración Tributaria [National Tax Administration Agency].

  • Mercantile Registry.

  • Notary's office to record in public deed the adopted resolutions.

  • Registry of Foundations.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing. Once the relationship with the Foundation has ended, the data relating to the position will be removed from the website.

  • Data related to the activity of the Foundation will be kept in accordance with the requirements of Ley de Fundaciones de la Comunidad de Madrid 1/1998, of March 2 [Community of Madrid Law on Foundations].

  • Financial data will be kept under the provisions of the General Tax Law 58/2003, of 17 December, and General Subsidies Law 38/2003, of 17 November.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Video surveillance

Legal basis

  • GDPR: 6.1.e) Processing is necessary for the performance of a task carried out in the public interest.

  • Security maintenance at the facility.

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights.

Purpose of processing

  • Management of images captured by video cameras in order to guarantee security and to control access to the building.

Collectives

  • People who access the facility.

Data categories

  • Image.

Recipient categories

  • Law enforcement agencies or Judges and Courts in cases of reported incidents or legal requirement.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing. As a general rule, they will be kept for one month from the date of collection.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Control of access to the facility

Legal basis

  • GDPR: 6.1.e) Processing is necessary for the performance of a task carried out in the public interest.

  • Security maintenance at the facility.

Purpose of processing

  • To keep a record identifying persons present on the premises of the Institute for security reasons.

Collectives

  • People who access the facility, visitors, messengers, suppliers or contract personnel. Staff and researchers to control access to the building and laboratories.

Data categories

  • National ID/Tax ID number, signature, photo.

  • Data of the company or entity to which the visitor belongs.

Recipient categories

  • No disclosure of data is anticipated.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing. As a general rule, they will be kept for one month from the date of collection.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Contacts and requests

Legal basis

  • GDPR: 6.1.f) Processing is necessary for the purposes of the legitimate interests pursued by the controller. Maintaining institutional contact and request support.

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Law 19/2013, of December 9, on transparency, access to public information and good governance.

Purpose of processing

  • Management of data derived from requests via email or from exercising the right of access to public information on the website.

Collectives

  • Individuals who contact the institute or exercise their right of access to public information.

Data categories

  • Name, surnames and email address.

  • Data related to the request.

Recipient categories

  • No disclosure of data is anticipated.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing.

  • Institutional contact data will be kept while the person remains in their position. Any data received via email will be deleted once the request has been dealt with, except when other relations or interests are derived thereof.

  • Those that refer to requests for the exercise of the right of access to public information shall be kept, in accordance with the provisions of Law 19/2013 of 9 December on transparency, access to public information and good governance.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Exercise of rights by interested parties

Legal basis

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of such data.

Purpose of processing

  • To process requests to exercise rights established in the General Data Protection Regulation and replies to these requests.

Collectives

  • Individuals exercising their rights before the Institute.

Data categories

  • National ID/Tax ID number, name and surnames, address, telephone number, email address, signature.

  • Data related to the request.

Recipient categories

  • Agencia Española de Protección de Datos [Spanish Data Protection Agency].

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing and, in all cases, a maximum of three years from the completion of the procedure.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.

 

Notification of security breaches

Legal basis

  • GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of such data.

Purpose of processing

  • To file incident reports that are considered security breaches and assess the need for notification to the AEPD [Spanish Data Protection Agency]. To record the process, whether or not confirmation is required.

Collectives

  • Notifying party.

Data categories

  • Name, surnames and email address.

Recipient categories

  • Agencia Española de Protección de Datos [Spanish Data Protection Agency].

  • State security forces and bodies.

International data transfers

  • No international data transfers are anticipated.

Deletion period

  • Data will be kept for the time necessary to fulfil the purpose for which they were collected and to determine any liabilities that may arise from that purpose and from their processing, and in all cases three years from the closure of the incident report.

Security measures

  • The security measures implemented correspond, as far as applicable to public sector foundations, to those provided for in Annex II (Security measures) of Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the area of e-administration, and in accordance with the risk analysis conducted.