Through this personal data processing document, the processing is regulated of personal data provided by users (the "User " or the "Users") of the website:
- and their subdomains, including, https://fundacio.tmb.cat, http://tickets.tmb.cat, http://transparencia.tmb.cat, http://developer.tmb.cat, http://perfilcontractant.tmb.cat and https://noticies.tmb.cat.
All these web pages form the "Website".
What is the purpose of this Personal Data Protection Policy?
The purpose of this personal data protection policy ("Personal Data Protection") is to announce how we obtain, process and protect the personal data you provide, or which we obtain through forms on our Website, so you can freely and voluntarily decide if you wish us to process them.
The Website is the property of TMB. We would also like to remind you that through this document, we inform you on the processing of personal data, which TMB does through the Website. However this does not apply to third parties, which obtain them from other web pages, even those that are linked to this Website.
It is important to read this Personal Data Protection Policy, whenever you use the Website, as there may be modifications.
Who is the Data Controller of your personal data?
The data controllers of User data are Transports de Barcelona, SA holding CIF number A-08016081, Ferrocarril Metropolità de Barcelona, SA holding CIF number A-08005795, Projectes i Serveis de Mobilitat, SA holding CIF number A-63645220 and Transports Metropolitans de Barcelona, SL holding CIF number B-63645253 (jointly "co-data processing controllers" or "TMB").
Contact details for the Data Controllers are as follows:
- Postal address: Carrer 60, No. 21-23, Sector A, Polígon Industrial de la Zona Franca, 08040, Barcelona.
- email address: firstname.lastname@example.org
You can request information regarding the responsibility of each entity by using the following email address: email@example.com.
How can you contact the TMB Data Protection Officer?
The User is hereby informed that TMB has appointed a Data Protection Officer ("DPO"), whom you can address for any question regarding processing of your personal details. The User can contact the Data Protection Officer by using the following email address: firstname.lastname@example.org.
For what purpose is your personal data processed?
TMB will process your personal data for the purposes and with the legitimacy indicated in each personal data collection form of the Website.
As a general rule, the purposes and legitimacy for processing, as set out in the forms, are:
- Uses based on your consent: we can collect and process your personal data when you have specifically given your consent. For example, when you give your consent to receive the TMB newsletter.
- Uses of a contractual purpose: TMB will have to use your personal data to complete any purchase made through the Website. For example, we need to use data such as your contact data and information on payment, in order to provide the transport tickets or services contracted.
- Uses with a legal or regulatory purpose: there are situations in which TMB is subject to certain legal obligations and needs to use your personal data, in order meet these obligations. For example: processing your data in order to arrange information access requests by citizens, under Law 19/2013 of 9 December, on transparency, information access and good governance.
- Uses based on public interest: on other occasions, we may process your data on the legitimate basis of public interest, such as processing administrative records and the presentation of the corresponding allegations by the User.
- Uses of a commercial purpose, based on legitimate interest: as a transport service company, TMB has a legitimate business interest in processing personal data collected, in order to offer an efficient service and to develop our business. For example, the Company has a legitimate interest in carrying out satisfaction surveys to Users of its services.
How do we protect your data?
TMB processes your personal data in strict confidentiality. We undertake to keep them secret and guarantee to adopt all measures required, to avoid their alteration, loss, non-authorized processing or access, following legal obligations applied as the party responsible for your personal data.
TMB undertakes to maintain and implement the required levels of security, bearing in mind the status of technology, the nature of stored data and risks, in order to protect your personal data against incidental losses and accesses, non-authorized processing or disclosure, all in accordance with current law regarding data protection.
What type of personal data do we process regarding you?
TMB guarantees that your information is only used in an appropriate manner. Hence, we basically process information indicated below:
- Identity data: name, surname, signature, date and place of birth, nationality, passport/identity document details.
- Contact details: address, phone and email address.
How long is your data kept?
We process your data while the consents you have given us remain in force, or unless you cancel the contractual or business relation with us.
Notwithstanding the above, we will no longer process your data once your consent has been withdrawn or once your contractual or business relation with TMB is over, as long as your data are not required for purposes for which they were collected or processed.
Without prejudice to regulations and certain legal requirements, your personal data will be preserved in order to meet archive and documentation regulations, and also: to make and pursue claims, during the limitation term of actions arising from signed contractual or business relations, etc.
To which recipients may we communicate your personal data?
Apart from the exchange of personal data between companies which are Co-responsible for Processing, on some occasions we need to share certain information with third parties, including personal data, in order to offer our services:
- Financial entities
- Fraud control service providers, to process payments (when necessary), carry out fraud controls, as required by law.
- Public administrations, courts and tribunals.
- Service providers, which incorporate specific requirements (such as service providers to undertake marketing initiatives or carry out User surveys.
- Law firms, to call for compliance or application of a contract with you.
- Third parties to which we provide web use data (but not your personal data), so that they know who has visited our websites (see section "Cookies policy").
The types of services with which we may share your data are given below:
- Administrative support services
- Consultancy and auditing services
- Legal services
- Payment services
- Marketing and advertising services
- Survey services
- Call centre services
- Physical safety services
- Computer services
- Telecommunications services
- Printing, placing in envelopes, mailing and messaging services
- Information custody and destruction services
- Maintenance services of buildings, facilities and equipment
Are my data transferred outside the European economic area?
The User is hereby informed that in general your persona data are processed by service providers located within the European Economic Area ("EEA") or in countries that have been declared with a suitable level of protection.
Nevertheless, in other cases they may be transferred to third party entities located outside the EEA, including countries that cannot offer the same level of protection of personal data as Spain or the EEA. In this case, TMB will ensure that these third countries offer the following guarantees:
- A legally binding and enforceable instrument between the authorities or public bodies.
- Corporate binding regulations.
- Contractual clauses, approved by the European Commission (Decision 2001/497/CE, of 15 June 2001, regarding standard contractual clauses for the transfer of personal data between processing controllers to a third country / Decision 2004/915/CE, of 27 December 2004, through which Decision 2001/497/CE is modified, regarding the introduction of an alternative set of standard contractual clauses, for the transfer of personal data to third countries / Decision 2010/87/UE of the Commission, dated 5 February 2010, regarding standard contractual clauses for the transfer of personal data to data controllers located in third countries, in compliance with Directive 95/46/CE of the European Parliament and Council).
- Standard data protection clauses adopted by a control authority and approved by the Commission.
- Conduct codes, along with binding and enforceable commitments of the party responsible for processing in the third country, to apply suitable guarantees, including those regarding the rights of the parties concerned.
- Certification mechanisms, plus binding and enforceable commitments of the party responsible for processing in the third country, to apply suitable guarantees, including those regarding the rights of the parties concerned.
Lastly, in view of the lack of an adequacy decision and suitable guarantees, TMB will only make international transfers, if any of the following conditions are met:
- The party concerned has explicitly given his/her consent.
- The transfer is necessary for the performance of a contract between the party concerned and the party responsible for processing or the implementation of pre-contractual measures adopted at the request of the party concerned.
- The transfer is necessary to perform a contract, in the interest of the party concerned, between the party responsible for processing and another natural person or legal entity.
- The transfer is necessary for significant reasons of public interest.
- The transfer is necessary for filing, implementing or defending claims.
- The transfer is necessary to protect the vital interests of the party concerned or other people, when the party concerned is physically or legally unable to give his/her consent.
- The transfer is done from a public register, which, in accordance with the Law of the Union or member States, aims to facilitate information to the public, and is open to consultation of the general public or any person who can prove legitimate interest. However, this is only to the extent that the terms established in the Law of the Union or member States are met for the consultation.
What are your rights regarding the data you provide? How can you exercise them?
In accordance with European data protection regulation, you have the following rights:
Right of access: you have the right to know which of your data we are processing, and the right to access these data and obtain the following information:
- The purposes of processing, the categories of personal data being processed and the recipients or categories of recipients, which have been or will be informed of your data.
- The planned preservation term of personal data or the criteria used to determine it.
- The right to ask the party responsible for processing, to rectify or eliminate data, limit processing or the right to oppose it.
- The right to present a claim before the corresponding control authorities.
- The origin of the data, when they have not been obtained from the party concerned.
- The existence of automated decisions, even in drawing up profiles, the logic applied and the consequences of this processing.
- In the case of international transfers of data, the appropriate guarantees offered.
Right to withdraw consent: right to withdraw consent at any time, when you have given us authorization to process your data.
Right of rectification: right to rectify your data if they are inaccurate and to complete them if they are incomplete.
Right to object: right to object to processing of your personal data, based on a mission performed in public interest or the exercise of public powers conferred to the party responsible, or in legitimate interest pursued by the party responsible for processing or by a third party. In this case, opposition should be based on reasons related to the personal situation. The party responsible for processing should refrain from processing them, except in the case of compelling, legitimate reasons for processing that prevail over the interests, rights and freedom of the party concerned, or to file, implement or defend claims.
Right of elimination: right to eliminate your data, when:
- The data are no longer required for the purpose for which they were collected.
- Consent, on which processing was based, is withdrawn.
- The party concerned opposes processing.
- Data have been processed illegally.
- Data have to be eliminated in order to meet a legal obligation.
- Data have been obtained regarding services of the information society addressed to minors.
Right of limitation: right to limit processing of your data (in certain cases, explicitly indicated in regulations).
Right of portability: right to release your data (data processed to implement products and services, and data we process with your consent), so you can transfer them to another party responsible for processing. In any event, if technically possible, data are transferred directly by TMB to another responsible party.
Right to not be subject to automated individual decisions: right to not be subject to a decision based only on automated processing of your data, including the drawing-up of profiles, which lead to legal implications or which have a negative effect, unless the decision:
- Is necessary to enter into or execute a contract between the party concerned and a party responsible for processing.
- Is based on the explicit consent of the party concerned.
- Is authorized by law of the Union or of a member state.
The aforementioned rights can be exercised by sending an email to the following address: email@example.com indicating in the subject: "Exercising GPDR rights".
If it is not possible to exercise your rights through the previous option, send a written and signed request to a "TMB data": carrer 60. núm. 21-23. sector A, Zona Franca, 08040 Barcelona, indicating in the subject: "Exercising GPDR rights".
Finally, the User is informed that he/she has the right to present a claim to the Catalan Data Protection Agency and to the Spanish Data Protection Agency regarding the processing of your personal data at all times.