EN 
ES 
DE 
FR 
PT 
NL 
RECORD OF TREATMENT ACTIVITIES
COMPLIANCE WITH THE PROVISIONS OF ARTICLE 30 OF REGULATION (EU) 2016/679
In accordance with recital 82 of the General Data Protection Regulation, to demonstrate compliance with the Regulation, the controller must maintain records of the processing activities under its responsibility. All controllers are obliged to cooperate with the supervisory authority and make these records available to it upon request, so that they can be used to monitor processing operations.
Therefore, the entity/professional Mancomunidad de Islantilla, with Tax Identification Number (CIF/NIF) P2100013H, and with registered address for notification purposes at Avenida de Islantilla, s/n, 21410 – ISLA CRISTINA (Huelva), has prepared this “Record of processing activities”, in order to comply with the provisions of Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
If the data controller is one of the entities required to do so under current data protection regulations, the data controller must make public and accessible by electronic means an inventory of its processing activities.
Likewise, the record of processing activities must be kept up to date, recording any additions, modifications, or deletions to its content. Therefore, this record will have a maximum validity period of one calendar year from the following date:
31/03/2026
IDENTIFICATION OF THE DATA CONTROLLER
a) Name and contact details of the data controller:
– Company name / Name and surname: Islantilla Association of Municipalities
– CIF/NIF: P2100013H
– Activity: Public Administration and defense; Compulsory Social Security
– Contact phone number: 959486319
– Registered office: Avenida de Islantilla, s/n, 21410 – ISLA CRISTINA (Huelva)
– Address for notification purposes: Avenida de Islantilla, s/n, 21410 – ISLA CRISTINA (Huelva)
– Contact email address: informatica@islantilla.es
– Website (URL): https://www.islantilla.es/
b) Name and contact details of the joint controller:
– There is no figure of the joint controller of the processing
c) Name and contact details of the representative of the responsible party:
– The data controller is established in the territory of the European Union
d) Name and contact details of the data protection officer:
– Company name / Name and surname: AUDIDAT 3.0, SL.
– Contact email address: DPD@AUDIDAT.COM
e) Group companies:
–
SUMMARY TABLE OF TREATMENT ACTIVITIES
Treatment Activity No. 1
a) Name of the processing activity:
Attention to the rights of individuals
b) Geographical extent of the treatment activity:
National
c) Number of affected parties:
– Specific number of affected parties (the closest possible figure if the exact figure is not available): It is not possible to quantify it, not even approximately.
– Approximate proportion of the corresponding population (assuming a relevant percentage of people in a given context or area): QUANTIFICATION, EVEN APPROXIMATELY, IS NOT POSSIBLE
d) Description of the purposes of processing:
– Processing of the data of interested parties necessary to address requests for rights addressed to the entity, in accordance with the provisions of articles 15 to 22 of the General Data Protection Regulation.
e) Means used for collecting the information:
– Paper form
– Electronic means, if applicable.
f) Specific operations to be carried out on personal data:
– Collection
- Record
- Organization
– Preservation or storage
- Consultation
g) Legal basis for processing / legitimacy criterion:
– The processing is based on compliance with an obligation required of the controller under a legally binding regulation (specify if possible):
• Articles 15 to 22 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
h) If the consent of the data subjects is required, identify possible means of obtaining it:
i) Description of the categories of interested parties:
-Natural persons who own the data.
j) Typification of groups or categories of interested parties:
-Interested parties
k) Description of the origin of the data:
-Personal data has been obtained through the request to exercise the rights set out in articles 15 to 22 of the General Data Protection Regulation.
l) Typification of the origin of the data:
-The interested party himself
m) Description of the categories of personal data:
-Set of data of interested parties necessary to address requests for rights addressed to the entity, in accordance with the provisions of articles 15 to 22 of the General Data Protection Regulation.
n) Classification of personal data subject to processing:
-Mailing address
-Email address
-Signature / Fingerprint
-NIF / DNI
-Name and surname
-Reason for the request
o) Areas with access to data and type of access:
-Administration
-Address
p) Description of the categories of recipients / transfers or communications of data:
-No production occurs
q) Classification of data transfers or communications:
r) Description of the categories of recipients in third countries or international organizations:
-No production occurs
s) Description of the planned timeframes for the deletion of the different categories of personal data / retention periods:
-Personal data will be kept for the limitation periods of actions derived from the legal relationship that bases the processing, as well as for the periods and under the terms provided for in the specific sectoral legislation that is applicable. Case provided for clients and users of regulated activities, members, etc.
t) Data processors:
Treatment Manager No. 1
-Name of the data processor: Audidat 3.0 SL.
-CIF/NIF: B02482545
-Address for notification purposes: Paseo de la Castellana, nº 182 6th Floor, 28046 – Madrid (Madrid)
-Services to be provided:
•Services related to data protection regulations
u) Details of high-risk treatment activities:
Risk Block A – Significant economic, moral or social damages or losses
-In principle, no specific risks are apparent from this section.
Risk Block B – Deprivation of rights and/or control mechanisms
-The processing may deprive the data subjects of their rights and freedoms or may prevent them from exercising control over their personal data
Risk Block C – Processing of special categories of personal data
-In principle, no specific risks are apparent from this section.
Risk Block D – Creation or use of personal user profiles
-In principle, no specific risks are apparent from this section.
Risk block E – Data of especially vulnerable people
-In principle, no specific risks are apparent from this section.
Risk block F – Data volume
-In principle, no specific risks are apparent from this section.
Risk Block G – Transfers to Third States
-In principle, no specific risks are apparent from this section.
Risk Block H – Other risk assumptions
-In principle, no specific risks are apparent from this section.
v) Risk level:
-High risk
Treatment Activity No. 2
a) Name of the processing activity:
Notification and communication of personal data security breaches to the supervisory authority and interested parties
b) Geographical extent of the treatment activity:
National
c) Number of affected parties:
– Specific number of affected parties (the closest possible figure if the exact figure is not available): It is not possible to quantify it, not even approximately.
– Approximate proportion of the corresponding population (assuming a relevant percentage of people in a given context or area): QUANTIFICATION, EVEN APPROXIMATELY, IS NOT POSSIBLE
d) Description of the purposes of processing:
– Processing of the data necessary for the notification and communication of personal data security breaches to the supervisory authority and the interested parties, in accordance with the provisions of Articles 33 and 34 of the General Data Protection Regulation.
e) Means used for collecting the information:
– Paper form
– Web form
– Electronic means, if applicable.
f) Specific operations to be carried out on personal data:
– Collection
- Record
- Organization
– Preservation or storage
- Consultation
– Communication by transmission
g) Legal basis for processing / legitimacy criterion:
– The processing is based on compliance with an obligation required of the controller under a legally binding regulation (specify if possible):
• Articles 33 and 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
h) If the consent of the data subjects is required, identify possible means of obtaining it:
i) Description of the categories of interested parties:
– Natural persons who are the data subjects affected by the personal data security breach.
j) Typification of groups or categories of interested parties:
-Affected parties
k) Description of the origin of the data:
-Personal data has been obtained through the security breach notification and management mechanisms established by the entity.
l) Typification of the origin of the data:
-The interested party himself
m) Description of the categories of personal data:
-Set of data necessary for the notification and communication of personal data security breaches to the supervisory authority and interested parties, in accordance with the provisions of Articles 33 and 34 of the General Data Protection Regulation.
n) Classification of personal data subject to processing:
-Mailing address
-Email address
-NIF / DNI
-Name and surname
-Phone
-Characteristics and possible consequences of a data security breach.
o) Areas with access to data and type of access:
-Address
-Administration
p) Description of the categories of recipients / transfers or communications of data:
Data Communication No. 1
-Identity of the recipient: Spanish Data Protection Agency or the corresponding regional supervisory authority
-Type of recipient activity: Data protection supervisory authority
-Purpose of the communication: Notification of the personal data security breach
q) Classification of data transfers or communications:
-Data protection supervisory authorities
r) Description of the categories of recipients in third countries or international organizations:
-No production occurs
s) Description of the planned timeframes for the deletion of the different categories of personal data / retention periods:
-Personal data will be kept for the limitation periods of actions derived from the legal relationship that bases the processing, as well as for the periods and under the terms provided for in the specific sectoral legislation that is applicable. Case provided for clients and users of regulated activities, members, etc.
t) Data processors:
Treatment Manager No. 1
-Name of the data processor: Audidat 3.0 SL.
-CIF/NIF: B02482545
-Address for notification purposes: Paseo de la Castellana, nº 182 6th Floor, 28046 – Madrid (Madrid)
-Services to be provided:
•Services related to data protection regulations
u) Details of high-risk treatment activities:
Risk Block A – Significant economic, moral or social damages or losses
-In principle, no specific risks are apparent from this section.
Risk Block B – Deprivation of rights and/or control mechanisms
-The processing may deprive the data subjects of their rights and freedoms or may prevent them from exercising control over their personal data
Risk Block C – Processing of special categories of personal data
-In principle, no specific risks are apparent from this section.
Risk Block D – Creation or use of personal user profiles
-In principle, no specific risks are apparent from this section.
Risk block E – Data of especially vulnerable people
-In principle, no specific risks are apparent from this section.
Risk block F – Data volume
-In principle, no specific risks are apparent from this section.
Risk Block G – Transfers to Third States
-In principle, no specific risks are apparent from this section.
Risk Block H – Other risk assumptions
-In principle, no specific risks are apparent from this section.
v) Risk level:
-High risk
PROCESSING OF PERSONAL DATA ON BEHALF OF THE CONTROLLER
Based on the provisions of Article 28.3 of the General Data Protection Regulation, the processing by the processor shall be governed by a contract or other legal act under Union or Member State law, which binds the processor to the controller and sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller.
Likewise, based on the provisions of Article 5.1 f) of the General Data Protection Regulation, personal data must be processed in such a manner as to ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures.
This requires signing either a personal data processing agreement or a confidentiality and secrecy agreement, depending on the case.
This section contains the list of contracts that the entity responsible for processing must sign in order to comply with the provisions of the aforementioned articles 28.3 and 5.1 f) of the General Data Protection Regulation.
Those in charge of the treatment
