Record of processing activities
Active health programme
Employed staff
Processing of personal data of employees participating in the health improvement and injury and illness prevention programme.
FIRST AND LAST NAMES
CORPORATE EMAIL ADDRESS
CORPORATE TELEPHONE NUMBER
IDENTIFICATION OF THE POSITION
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Administrative management of clients and suppliers
Legal representatives
Government officials
Processing personal information regarding client government officials and legal representatives of suppliers for managing orders, contracts, and billing.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
BANK ACCOUNT
ECONOMIC, FINANCIAL, AND INSURANCE DATA
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with:
Legislative decree 1/1997 of 11 November by which the revised text of the ordering principles law for the general tax authority of the Basque Country was approved
Legislative decree 2/2007 of 6 November approving the revised text of the heritage law of the Basque Country
The budget law of the Basque Country every year
DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.
Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community was approved, and decree 464/1995 that carries it out:
Documents recorded in accounting: Six years from the end of the economic period they are from.
Accounting books: 15 years
Álava regional government
Account auditors
Basque Court of Public Accounts
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Board of Directors
Members of the EJIE Administrative Board
Former members of the EJIE Administrative Board
Processing personal information regarding people who are members of governing bodies and managing their actions, tenders, and meeting minutes.
FIRST AND LAST NAMES
CORPORATE TELEPHONE NUMBER
CORPORATE EMAIL ADDRESS
MARITAL STATUS
PHOTOCOPY OF ID
SIGNATURE
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with legislative royal decree 1/2010 of 2 July by which the revised text of the law of capital companies was approved.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Notaries
Account auditors
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Client relationship management
Physical contact persons at EJIE clients
Government officials
Support for the service subscription
Complaint management
Satisfaction evaluation
Sending information about EJIE’s activities
IDENTIFIER
FIRST AND LAST NAMES
TITLE - ROLE
TELEPHONE NUMBER
EMAIL
LANGUAGE
COMMERCIAL INFORMATION
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.
DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
SAP Spain S.A for the purpose of customer management and data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Code of Conduct
People filing charges
People charged
Witnesses
Third parties involved in the charges
Processing of personal data concerning the reporting and investigation of abnormal cases or queries regarding possible breaches of the organisation's internal regulations about the code of conduct and code of ethics of the organisation.
FIRST AND LAST NAMES
EMAIL
DATA FOR THE PERSON OR THIRD-PARTIES
DATA NEEDED TO SUSTAIN THE CHARGES
SPECIAL DATA CATEGORIES OF PERSONAL DATA
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
Law 11/2022, of December 1, on Basque Public Employment, in its reference to Law 1/2014, of June 26, Regulating the Code of Conduct and Conflicts of Interest of Public Officials.
Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.
In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person.
Communications that have not been followed up on will only appear anonymously.
Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Commercial activities with potential clients
Physical contact persons at potential EJIE clients
Government officials
Handle the response to the request sent by the person through the channel for contacts and generating potential clients, as well as sending information about EJIE’s business activities.
IDENTIFIER
FIRST AND LAST NAMES
TITLE - ROLE
TELEPHONE NUMBER
EMAIL
LANGUAGE
COMMERCIAL INFORMATION
GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.
DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
SAP Spain S.A for the purpose of lead management and data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Common repository of digital media for external dissemination
Employed staff
Government officials
Third-parties that interact with EJIE
Use of multimedia content for external use and dissemination.
Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may be used for external use, for example the EJIE website, events and presentations, corporate social networks or other analogous uses.
FIRST AND LAST NAMES
IMAGE
VOICE
GDPR: 6.1a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Data shall be kept until the data subject withdraws their consent to such processing.
In certain cases, the data will be published on the EJIE website, at events and on EJIE social networks.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Social networks. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Common repository of digital media for internal dissemination
Employed staff
Government officials
Third-parties that interact with EJIE
Use of multimedia content for internal use and dissemination.
Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may only be used for internal use and dissemination, i.e., the corporate intranet, internal events and presentations, or other analogous uses.
FIRST AND LAST NAMES
IMAGE
VOICE
GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.
The data will be kept until the interested party expresses their opposition to the processing.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Contact agenda
Own and external staff who provide services at EJIE
Staff of the Basque Country autonomous community government and the rest of the entities that make up the public sector
Contact information for people with whom EJIE staff have relationships. Managing the content of communications, and maintaining commercial or contractual relationships.
FIRST AND LAST NAMES
EMAIL
TELEPHONE NUMBER
ROLE / POSITION PERFORMED
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
SAP Spain S.A for the purpose of customer management, leads and data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Electronic signature - Izenbox
Representatives of legal person
People employed by EJIE
Centralised document management that lets users use digital signatures.
National ID/TIN
FIRST AND LAST NAMES
EMAIL
ELECTRONIC SIGNATURE
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Exercising rights associated with data protection
Physical persons who exercise their rights with EJIE
Managing data protection rights exercised in relation to processing for which EJIE was responsible.
FIRST AND LAST NAMES
National ID/TIN
EMAIL
MAILING ADDRESS
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with the General Data Protection Regulations 2016/679, and organic law 3/2018 of 5 December for personal data protection and guaranteeing digital rights.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Basque Data Protection Authority
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
External recruitment processes
Candidates opting for employment roles in selection processes.
Processing of personal data concerning candidates for the purposes of staff recruitment and the filling of vacancies.
National ID/TIN
FIRST AND LAST NAMES
SOCIAL SECURITY NUMBER
MAILING ADDRESS
EMAIL ADDRESS
TELEPHONE NUMBER
SIGNATURE
IMAGE
SOCIAL SECURITY DATA
SKILLS EVALUATION REPORT
WORK HISTORY
SWORN STATEMENT of meeting the obligations of the position
Language skills: Basque and English
CURRICULUM VITAE THAT MAY INCLUDE:
PERSONAL CHARACTERISTICS: sex
ACADEMIC AND PROFESSIONAL ITEMS: professional experience, degrees, training activities
LANGUAGES
GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Government
Employed staff
Handling the personal information needed to process the economic and financial activities of the organisation. Accounting management and budget control. Managing travel for professional purposes.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
BANK ACCOUNT
ECONOMIC DATA
FISCAL DATA
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community was approved.
Documents recorded in accounting: Six years from the end of the economic period they are from.
Accounting books: 15 years
Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community was approved, and decree 464/1995 that carries it out.
General Social Security Treasury, Regional Government of Álava
Financial entities stated for every employee to pay salaries
Itzarri
Account auditors
Basque Court of Public Accounts
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Health care
EJIE personnel
Medical consultation care for EJIE personnel.
FIRST AND LAST NAMES
GDPR: 6.1.b) The processing is necessary for the performance of a contract to which the data subject is a party.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
The following data communications are foreseen:
Awarded company providing the health care service: Medicina de Diagnóstico y Control, Intermediación, S.A. (MEDYCSA).
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
Diagnostic and Control Medicine, Intermediation, S.A. (MEDYCSA)
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Internal recruitment processes
Applicants who are employed by the organisation
Processing of personal data concerning internal calls for in-house staff to apply for vacant posts in the organisation.
National ID/TIN
FIRST AND LAST NAMES
SIGNATURE
IMAGE
WORK HISTORY
SWORN STATEMENT of meeting the obligations of the position
Language skills: Basque and English
CURRICULUM VITAE THAT MAY INCLUDE:
PERSONAL CHARACTERISTICS: sex
ACADEMIC AND PROFESSIONAL ITEMS: professional experience, degrees, training activities
LANGUAGES
GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Legal Advice
People associated with administrative or legal proceedings subject to consulting by the area
Processing personal information associated with legal advice and legal defence tasks. Managing legal or administrative proceedings.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
PLACE AND DATE OF BIRTH
ACADEMIC, PROFESSIONAL, AND EMPLOYMENT DATA
ECONOMIC-FINANCIAL DATA
INFRACTION DATA
HEALTH
PERSONAL DATA CONTAINED IN SENTENCES
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with procedural and substantive laws associated with administrative, labour, administrative or criminal claims.
Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Vice-chancellor of the Legal Regime of the Basque Government
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Management of conflict resolution procedures and harassment protocols
People filing charges
People charged
Witnesses
Third parties involved in the charges
Processing personal information related to the communication and investigation of allegedly irregular activities by employees while performing their functions or possible situations of workplace harassment, sexual harassment or gender-based harassment.
FIRST AND LAST NAMES
SIGNATURE
DATA FOR THE PERSON OR THIRD PARTIES NEEDED TO SUSTAIN THE CHARGES
SPECIAL DATA CATEGORIES OF PERSONAL DATA
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
Organic law 3/2007 of 22 March for the effective equality of women and men
Law 31/1885 of 8 November for workplace risk prevention
Legislative royal decree 2/2015 of 23 October by which the revised text of the workers’ statute is approved
Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.
In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person.
Communications that have not been followed up on will only appear anonymously.
Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPO contact information: dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Management of Human Resources
Employed staff
Employee family members
Processing of personal data required for the management of the employment relationship, preparation of payslips, social security and generation of different data; planning and control of hours worked: specifically the start and end of the work day (time-sheet), working days and tasks to be performed; staff training; linguistic profiles; instruction and training processes; monitoring incompatibilities. Granting of permits, licences and authorisations. Disciplinary proceedings. Management of internal statistics. Relationship with staff representatives. Management of fixed and mobile telephone calls for professional use and costs incurred.
FIRST AND LAST NAMES
USER IDENTIFICATION
PHOTOCOPY OF ID/TIN
SOCIAL SECURITY DATA
HEALTH INSURANCE CARD
MAILING ADDRESS
EMAIL ADDRESS
TELEPHONE NUMBER
SIGNATURE
IMAGE
PERSONAL CHARACTERISTICS: sex, place and date of birth, marital status
ACADEMIC AND PROFESSIONAL ITEMS: professional experience, degrees, training activities, curriculum vitae
LANGUAGES
SCHEDULE CONTROL DATA: date/time of entrance and exit
FAMILY DATA (income tax, collective bargaining agreement)
CURRENT ACCOUNT
ECONOMIC, FINANCIAL, AND INSURANCE DATA: economic salary data, tax deduction data, insurance linked with the organisation
SPECIAL DATA CATEGORY: union representation (if applicable)
GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with legislative decree 2/2015 of 23 October by which the revised text of the workers’ statute was approved.
Legislative royal decree 8/2015 of 30 October by which the revised text of the general social security law was approved.
Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in the sphere of labour law.
The data will be kept while the contractual relationship is in force and, when it ends, for the periods of time prescribed for responsibilities in legislative royal decree 5/2000 of 4 August, and the other legal provisions that are applicable.
Time-sheets will be kept for four years from the date they are collected.
General Social Security Treasury
Job Inspection and Social Security
Álava regional government
Financial entities stated for every employee to pay their salary
Insurance Company
EJIE Company Committee
The following data transfers to third countries are foreseen:
ServiceNow Inc. for the purpose of IT Management and data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Management of incidents and security breaches
Affected parties
Complainants
Legal representatives
Clients
Internal and external staff who perform work activities in companies that are EJIE suppliers
Management, assessment and reporting of data security incidents and breaches.
FIRST AND LAST NAMES
TELEPHONE NUMBER
EMAIL
DATA INVOLVED IN THE SECURITY BREACH
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with the General Data Protection Regulation 2016/679, and organic law 3/2018 of 5 December for personal data protection and guaranteeing digital rights.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Basque Data Protection Authority
Incident response teams of the National Cryptologic Centre (CCN-CERT)
Law enforcement agencies
Cyberzaintza
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Management of language grants
Employed staff
Processing of personal data necessary for financing external language courses for staff in accordance with article 28 of the EJIE collective bargaining agreement.
FIRST AND LAST NAMES
National ID/TIN
CURRENT ACCOUNT
EMAIL
TELEPHONE NUMBER
DATE OF BIRTH
ACADEMIC AND PROFESSIONAL DATA
COURSE DOCUMENTATION
LANGUAGE SKILLS
DEGREE EARNED
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Financial entities stated for every employee to pay the social assistance
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Management of personnel belonging to supplier companies
Staff who perform work activities in companies that are EJIE suppliers
Processing personal data of people working in supplier companies that provide services to EJIE, and processing the creation and deletion of user accounts in the system for them in order to maintain control of physical access to the facilities and digital access to the information systems. Coordinating business activities (CBA) in regards to preventing risk in the workplace. Managing communications for maintaining the contractual relationship.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
IMAGE
WORKPLACE HEALTH AND SAFETY DATA
APTITUDE FOR THE JOB
TC2, ITA
PROFESSIONAL EXPERIENCE AND ACADEMIC HISTORY
Specific training in workplace risk received
Document for accepting EJIE policies
Salary payment receipt
Associated PPI, if applicable
Proof of maternity/paternity
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.
Law 31/1995 of 8 November regarding Workplace Risk Prevention
It will be kept for the duration of the contractual relationship and, when the relationship has ended, it will be kept for the prescriptive period established by the applicable legal provisions.
Personal data processed for CBA purposes will be kept for five years, based on the workplace risk prevention law.
Identifying and contact data may be communicated to the directorate of the department of the Basque government or corresponding dependent public sector body of the Basque Country autonomous community that may be necessary for the purposes of providing the services.
The following data transfers to third countries are foreseen:
ServiceNow Inc. for the purpose of IT Management and data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Managing access to EJIE systems by staff from supplier companies of convergent entities
Representative from the convergent entity
Staff of supplier companies of EJIE clients (convergent entities) who, in order to execute an order, must access EJIE information systems
Processing information to manage user creation and deletion in order to maintain logical access control for EJIE information systems and acceptance of the security policies.
Staff of companies that are suppliers of EJIE clients
FIRST AND LAST NAMES
TITLE / CATEGORY
ID NUMBER
SIGNATURE
On a ServiceNow request, the following is also collected:
EMAIL
TELEPHONE NUMBER
GDPR: 6.1.b) Processing is necessary for executing the order between the department of the Basque government and the dependent public sector body of the Basque Country Autonomous Community and EJIE
GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
ServiceNow Inc. for the purpose of IT Management and data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Managing EU Next Generation projects
Internal staff (procurement table and technical managers)
Members of the EJIE Steering Committee
Members of the EJIE Administrative Board
Legal representatives of tendering and awarded companies
External staff who provide services at EJIE
Processing personal information regarding the collective of interested parties who participate in drafting specifications and fill out and sign the corresponding appendices in the framework of EU Next Generation project management.
FIRST AND LAST NAMES
ID NUMBER
TELEPHONE NUMBER
MAILING ADDRESS
EMAIL
SIGNATURE
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with:
EU regulation 2021/241 of the European Parliament and Council of 12 February, which establishes the RRM.
Royal decree-law 36/2020 of 30 December, by which urgent measures for modernising the public administration are approved and to execute the recovery, transformation and resilience plan.
Order HFP/1030/2021 of 29 September, by which the management system of the recovery, transformation and resilience plan is configured.
Order HFP/1031/2021 of 29 September, by which the procedure and format for the information to be provided by national, autonomous community and local public sector entities is established for monitoring achievement of milestones and goals for the parts of the recovery, transformation and resilience plan.
Order HFP/55/2023 of 24 January, regarding the systemic analysis of the risk of conflicts of interest in the procedures executed by the recovery, transformation and resilience plan.
Governing Council agreement of 8 February 2022, regarding the budgetary and accounting execution, management and monitoring the activities and projects associated with the recovery, transformation and resilience plan.
Governing Council agreement of 29 March 2022, by which the “plan for measures to meet anti-fraud requirements, conflict of interest, double financing and state assistance and non-significant environmental damage for initiatives required under the recovery, transformation and resilience plan” is approved.
Chapter V of law 15/2022 of 23 December, by which the general budget of the Basque Country autonomous community is approved.
Documents are kept for five years after the payment of the salary or of the transaction if there was no payment, or for three years in accordance with article 132 of the financial regulations.
Ministry of Taxes and Public Functions, through the MINERVA and CoFFEE-MRR platform
Ministry of Economy, Commerce and Business, through the HRS platform
Bodies of the European Union for the purposes of audits and monitoring government and European funds, when applicable
Personal data regarding internal staff may be communicated to the directorate of services of the department of public governance and self-governance for auditing purposes
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Managing social benefits and personal loans
Employed staff
Employee family members
Processing of personal data relating to the registration and management of social benefits and personal loans applied for and granted to employees to acquire a home or vehicle, or for their own or their children’s studies, medical assistance and to care for disabled or dependent family members, in conformance with articles 24 and 27 of the EJIE collective bargaining agreement.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
CORPORATE EMAIL ADDRESS
Personal data vary depending on the document the employee submits, which may include:
PERSONAL CHARACTERISTICS DATA: marital status, date of birth, sex, place of birth, age, nationality
EMPLOYMENT STATEMENT: profession, non-economic salary data, worker history, role, category/level
FINANCIAL ECONOMIC DATA: income, loans, bank guarantees, pension plans, retirement, tax data, bank details, loan history
Special Education: SPECIAL DATA CATEGORIES: degree of disability, invoices for medical expenses
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in the sphere of labour law.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Álava regional government
Financial entities stated for every employee to pay the loan
EJIE Company Committee
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Performance review
Employed staff
Processing of personal data necessary for staff performance reviews needed for internal promotions and the training plan.
FIRST AND LAST NAMES
EMAIL ADDRESS
TELEPHONE NUMBER
EMPLOYMENT STATEMENT: profession, non-economic salary data, worker history, role, category/level
SKILLS EVALUATION REPORT
TRAINING
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
It will be kept for as long as necessary to execute and carry out the labour relationship until it ends and to determine potential liabilities that may arise from that purpose and processing the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Prevention of occupational hazards
Employed staff
Witnesses or people familiar with the events
Processing of personal data concerning the prevention of occupational hazards and other protocols related to the workplace, the investigation of accidents and incidents, activation of prevention mechanisms and measures, preparation of assessments, preventive measures and elimination of risks. Occupational health and safety risk assessment reports. Records of regular checks on the working conditions of staff. Records of the implementation of staff health checks (Health Surveillance). Records of information and training provided to staff on OHS. Implementation of the occupational risk prevention plan: risk assessment and planning of preventive activities, information and training for workers. Adoption of health and safety measures. Permanent monitoring of risk prevention.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
IMAGE
SOCIAL SECURITY NUMBER
IDENTIFICATION OF THE POSITION AND ACTIVITIES
EMPLOYEE APTITUDE
SENIORITY IN THE POSITION
RISK PREVENTION TRAINING GIVEN
ACADEMIC AND PROFESSIONAL DATA
INSURANCE
THIRD PARTY DATA (witnesses or people familiar with the events)
HEALTH DATA: sick leave, workplace accidents and degree of disability (without including diagnosis)
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with law 31/1995 of 8 November for workplace risk prevention
Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in the sphere of labour law.
Data shall be kept for a period of 5 years in accordance with the Law on the Prevention of Occupational Risks.
Health data will be stored for the period established by the applicable regulations.
Awarded company that provides workplace risk prevention services in regards to health monitoring
Mutual insurance companies that collaborate with social security
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Recording and controlling physical access to the buildings
Own and external staff who provide services at EJIE
Physical persons or representatives of legal persons who visit the EJIE offices (e.g. clients or members of the administrative council)
(i) Access control for own and external staff
(ii) Access control for visitors
(iii) Managing the evacuation of the building and internal safety to ensure the protection of company property
(iv) For visitors only: signing the safety directives and confidentiality agreement for visitors and the rules on the behaviour of visitors in the facilities during emergency situations
EJIE's own staff:
NAME AND SURNAME
DNI/NIF
IMAGE
EMPLOYEE NUMBER
If applicable, VEHICLE REGISTRATION NUMBER
External personnel providing services at EJIE:
NAME AND SURNAME
DNI/NIF
COMPANY DETAILS
TEMPORARY CARD CODE
Visits:
NAME AND SURNAME
DNI/NIF
COMPANY DATA
If applicable, E-MAIL ADDRESS
(i) and (iv) GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
(ii) and (iii) GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.
The data collected in the access register, from own and external staff, will be kept for one month from the date of collection, except when they have to be kept to accredit the commission of acts that threaten the integrity of persons, goods or installations.
The visit data collected in the pre-registration form will be kept for 5 years from the date of collection in order to determine the possible responsibilities that may arise from the purposes of data processing. In the event that the visit does not take place, it will be kept for one month from the date of collection.
Where appropriate, law enforcement agencies, courts and tribunals will be notified.
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Recording and controlling keys to EJIE locations
Own and external staff who provide services at EJIE
Monitoring staff who have keys to EJIE locations.
FIRST AND LAST NAMES
COMPANY DATA
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Recording and controlling physical access to warehouses and the DPC
Own and external staff who provide services at EJIE
Physical persons or representatives of legal persons who visit protected areas at EJIE
Monitoring staff who enter internal protected and restricted areas to ensure the protection of company property.
FIRST AND LAST NAMES
National ID/TIN
COMPANY DATA
TEMPORARY CARD CODE
In certain cases, a photocopy of the national ID
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.
One month from the date of their capture, except when they have to be kept to prove the commission of acts against the integrity of persons, property or installations.
Where appropriate, a photocopy of the ID will be sent to the Basque government department to control access to the DPC.
Where appropriate, law enforcement agencies, courts and tribunals will be notified.
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Sending communications
Own and external staff who provide services at EJIE
Ministers, Vice-Ministers, Directors and staff of the Basque Country Autonomous Community government and the rest of the entities that make up the public sector
Sending non-commercial communications such as Christmas greetings or bank holiday greetings, among other things. Managing the sending of invitations and registration for events organised by EJIE, or by third parties, in which EJIE participates.
FIRST AND LAST NAMES
EMAIL
GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.
The data will be kept until the interested party expresses their opposition to the processing.
In certain cases, personal data belonging to entities that promote events EJIE participates in may be communicated.
No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Supplier contracting process
Legal representatives
Staff who perform work activities in companies that are candidates for being EJIE suppliers
Interlocutors in pre-market consultations
Processing of personal data concerning employees of companies applying to become suppliers in accordance with the internal procurement procedures and tendering process. Communication, notifications, and incidents associated with the process above and regarding pre-market consultations.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
TELEPHONE NUMBER
EMAIL
SIGNATURE
CURRICULUM VITAE of workers at the company tendering for or contracted by EJIE
ROLE AND CHARACTERISTICS of the role performed
SINGLE EUROPEAN DOCUMENT
TC2, ITA
Contact data collected from preliminary market consultations:
FIRST AND LAST NAMES
TITLE
TELEPHONE NUMBER
EMAIL
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with:
Law 9/2017 of 8 November for public sector contracts
Law 3/2016 of 7 April for including certain social clauses in public procurement
Decree 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.
Decree 116/2016 of 27 July regarding the public sector procurement regime for the Basque Country Autonomous Community
Legislative decree 1/1997 of 11 November by which the revised text of the ordering principles law for the general tax authority of the Basque Country
Legislative decree 2/2007 of 6 November approving the revised text of the heritage law of the Basque Country
The budget law of the Basque Country every year
Data will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data, in accordance with law 9/2017 of 8 November for public sector contracts.
Basque Court of Public Accounts
Administrative Body of Contractual Resources
General Tax Office of the Basque Country
Courts
Anti-fraud Agency
Management of the department of the Basque government or dependent public sector body of the Basque Country autonomous community that is in charge of services or provisioning for EJIE
Management of Basque government services
Management of heritage and procurement for the Basque government
Basque authority for competition - CNMC
Public prosecutor’s office
State law enforcement bodies and forces, anti-fraud control unit
Control auditors (account, quality, public function auditors, among others)
REVASCON - Basque registry of contracts
For persons seeking tenders and who have signed contracts with EJIE, the data is published in:
Procurement platform of the Basque Country - Public sector procurement platform
In regards to contact data for interlocutors collected in the preliminary market consultations, they will not be communicated to recipients.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Training plan management
Employed staff
Teaching staff from external company
Processing of personal data necessary for voluntary training and commitment to learning in the Basque language training plan and the development of linguistic profiles.
Management of training plans offered by the entity for staff.
Registration, management, control and monitoring of participation in training activities organised by EJIE.
Recording of training sessions for internal use and dissemination.
FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
ACADEMIC AND PROFESSIONAL DATA
COURSE DOCUMENTATION
LANGUAGE SKILLS
SIGNATURE
IMAGE
VOICE
GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
Recordings of training sessions will be kept for a maximum time of 3 years from the collection date.
Personal identification data will be communicated, where appropriate, to entities that manage training grants:
Internal personnel data:
FUNDAE
LANBIDE
HABE
Data of teachers from external companies:
FUNDAE
LANBIDE
The following data transfers to third countries are foreseen:
Zoom Inc., for the purpose of videoconference service. The guarantee for this transfer has been established through: Standard contractual data protection clauses.
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Transparency
High ranking staff and management
Members of the EJIE Administrative Board
Members of the Company Committee
People requesting public information
Processing of personal data relating to public relations concerning transparency in the application of regulations on access to public information.
PERSONAL DATA REGARDING HIGH RANKING STAFF AND MANAGEMENT
First and last names
Title
Salary and remuneration only for the general manager
PERSONAL DATA REGARDING MEMBERS OF THE ADMINISTRATIVE BOARD
First and last names
Title
PERSONAL DATA REGARDING MEMBERS OF THE COMPANY COMMITTEE
First and last names
PERSONAL DATA THAT APPEARS ON DOCUMENTS WITH A DIGITAL SIGNATURE
First and last names
GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with law 19/2013 of 9 December for transparency, access to public information and good governance.
It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.
The personal data will be published on the transparency section of the EJIE website.
No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.
The following data transfers to third countries are foreseen:
Microsoft Corporation/Office 365, for the purpose of data hosting. The guarantee for this transfer has been established through: Standard contractual clauses for data protection.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.
Video surveillance management
Own and external staff who provide services at EJIE
Physical persons or representatives of legal persons who visit the EJIE offices
Processing of personal data obtained by video surveillance systems to guarantee the security of EJIE's personnel, assets and facilities.
IMAGE
GDPR: 6.1.e) Processing is necessary for the controller to perform a task carried out in the public interest.
Organic law 3/2018 of 5 December for protecting personal data and guaranteeing digital rights
The images obtained will be kept for a period of one month from the date they are collected, except when they must be saved to accredit acts committed against the integrity of people, property or facilities.
Where appropriate, law enforcement agencies, courts and tribunals will be notified.
No data transfers are expected.
Eusko Jaurlaritzaren Informatika Elkartea (EJIE)
Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava
DPD contact information dpo@ejie.eus
The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.