Data protection

This is Tossa de Mar Town Council’s data protection policy. It refers to the data of natural persons with whom it interacts in the performance of its functions and responsibilities. Given the nature of Tossa de Mar Town Council’s functions, some of the processing is done to render services to other public administrations that have delegated functions to it. The processing is carried out in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and the Spanish regulations on this matter.

Who is the personal data controller?

The personal data controller is the Tossa de Mar Town Council (hereinafter, “the Town Council”), with Tax Identification Code P1721500E, and registered address at Avinguda del Pelegrí 25, 17320 Tossa de Mar, Tel. +34 972 34 01 00,,

What criteria are applied in processing personal data?

We abide fully by the principles of the General Data Protection Regulation in our data processing.

a) We process them licitly (only when we have a legal basis that allows us to do this and in a manner that is transparent to the data subject).

b) We use them for legitimate, explicit and determined purposes that we explain at the time of collecting the personal data. No subsequent processing is made that is incompatible with these purposes.

c) We only process the adequate, relevant and limited data that are necessary in each case and for each purpose.

d) We take steps to ensure that the data are up to date.

e) We keep them for the time required, in compliance with the regulations that regulate the storage of public information.

f) We use appropriate technical or organisational measures to avoid unauthorised or illicit processing, or the data’s accidental loss, destruction or damage.

Who is the Data Protection Officer?

The Data Protection Officer (DPO) is the person who supervises compliance with the Town Council’s data protection policy, ensuring that the personal data are processed appropriately and people’s rights are protected. This person’s functions include attending to any query, suggestion, complaint or claim made by people whose data are processed. The Data Protection Officer can be contacted by writing to Carrer de l’Església, 4, 17320 Tossa de Mar, Tel. +34 972 34 01 00 or at the email

With what purpose and legitimate interest do we process your data and who do we disclose them to?

Contact. We answer the queries made by the people who contact us via email, the contact forms on our website or by telephone. We process these data with the consent of the person who has contacted us. The data are not disclosed to other people.

Information about activities and services. With the user’s authorisation, his or her contact details are used to send advertising related with our services or activities. We process these data with the consent of the person who receives the messages. The data are not disclosed to other people.

Video surveillance. When entering our facilities, visitors are informed of the existence of video surveillance cameras by means of officially approved signs. The images we obtain with video surveillance cameras are processed to preserve public interest. In justified cases, we disclose the data to the law enforcement forces or the appropriate judicial authorities.

For how long do we store the data?

We comply with the legal obligation to limit the data storage period to the minimum necessary. Accordingly, data are only kept for the time required and justified by the purpose for which they were collected. The images obtained by the video surveillance cameras are kept for no longer than one month. However, should incidents occur that justify this, they will be kept for the time required to assist the law enforcement forces or the judicial authorities in their inquiries.

What are people’s rights with respect to the data we process?

As provided in the General Data Protection Regulation, the people whose data we process have the following rights:

To know whether they are processed. First of all, everyone has the right to know whether we process their data, irrespective of whether or not there has been a prior relationship.

To be informed during collection. When the personal data are obtained from the data subject himself or herself, the data subject must receive clear information, at the time of providing the data, about the purposes they will be used for, who will be the controller and the main aspects derived from this processing.

To access them. This is a very broad right that includes knowing exactly which personal data are being processed, what is the purpose for which they are being processed, the disclosures that will be made to other people (if applicable) or the right to obtain a copy or to know the planned storage time.

To request rectification. This is the right to rectify inaccurate data that are being processed by us.

To request erasure. In certain circumstances, there exists the right to request erasure of the data when, among other reasons, they are no longer necessary for the purpose for which they were collected and which justified their processing.

To request restriction of processing. Also, in certain circumstances, the right to request restriction of the data processing is acknowledged. In this case, they will cease to be processed and will only be kept for the exercise or defence of legal claims, pursuant to the General Data Protection Regulation.

To portability. In the cases defined in the Regulation, the right to obtain one’s own personal data in a structured, commonly used and machine-readable format, and to transmit those data to another controller if the data subject so chooses, is acknowledged.

To object to processing. A data subject may cite reasons related with his or her particular situation. These reasons will mean that his or her data will cease to be processed to any extent or measure that may cause harm, except for compelling legitimate grounds or for the exercise or defence of legal claims.

To not receive information. We immediately comply with requests to not continue receiving information about our activities and services, when sending such information is based solely on the consent of the person who receives it.

How can the rights be exercised or defended?

The rights listed above can be exercised by sending a request to the Town Council or to the postal address or other contact details stated at the beginning of this policy.

If no satisfactory answer is obtained about the exercise of rights, a complaint can be sent to the Catalan Data Protection Authority using the forms or other channels that can be accessed from its website (

In all cases, whether it is to submit claims, ask for clarifications or send suggestions, users can write to the Data Protection Officer by email at the address