Transparency portal

Record of processing activities

Commercial activities with potential clients

Category of data subjects

Physical contact persons at potential EJIE clients

Government officials

Purposes

Handle the response to the request sent by the person through the channel for contacts and generating potential clients, as well as sending information about EJIE’s business activities.

Personal data subject to processing

IDENTIFIER
FIRST AND LAST NAMES
TITLE - ROLE
TELEPHONE NUMBER
EMAIL
LANGUAGE
COMMERCIAL INFORMATION

Legal basis

GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.

DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Client relationship management

Category of data subjects

Physical contact persons at EJIE clients

Government officials

Purposes

Support for the service subscription
Complaint management
Satisfaction evaluation
Sending information about EJIE’s activities

Personal data subject to processing

IDENTIFIER
FIRST AND LAST NAMES
TITLE - ROLE
TELEPHONE NUMBER
EMAIL
LANGUAGE
COMMERCIAL INFORMATION

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1e) To perform a task carried out in the public interest or in the exercise of an official authority vested in the controller.

DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Supplier contracting process

Category of data subjects

Legal representatives

Staff who perform work activities in companies that are candidates for being EJIE suppliers

Interlocutors in pre-market consultations

Purposes

Processing of personal data concerning employees of companies applying to become suppliers in accordance with the internal procurement procedures and tendering process. Communication, notifications, and incidents associated with the process above and regarding pre-market consultations.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
TELEPHONE NUMBER
EMAIL
SIGNATURE
CURRICULUM VITAE of workers at the company tendering for or contracted by EJIE
ROLE AND CHARACTERISTICS of the role performed
SINGLE EUROPEAN DOCUMENT
TC2, ITA

Contact data collected from preliminary market consultations:
FIRST AND LAST NAMES
TITLE
TELEPHONE NUMBER
EMAIL

Legal basis

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with:

Law 9/2017 of 8 November for public sector contracts

Law 3/2016 of 7 April for including certain social clauses in public procurement

Decree 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.

Decree 116/2016 of 27 July regarding the public sector procurement regime for the Basque Country Autonomous Community

Legislative decree 1/1997 of 11 November by which the revised text of the ordering principles law for the general tax authority of the Basque Country

Legislative decree 2/2007 of 6 November approving the revised text of the heritage law of the Basque Country

The budget law of the Basque Country every year

Data storage period

Data will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data, in accordance with law 9/2017 of 8 November for public sector contracts.

Recipients

Basque Court of Public Accounts

Administrative Body of Contractual Resources

General Tax Office of the Basque Country

Courts

Anti-fraud Agency

Management of the department of the Basque government or dependent public sector body of the Basque Country autonomous community that is in charge of services or provisioning for EJIE

Management of Basque government services

Management of heritage and procurement for the Basque government

Basque authority for competition - CNMC

Public prosecutor’s office

State law enforcement bodies and forces, anti-fraud control unit

Control auditors (account, quality, public function auditors, among others)

REVASCON - Basque registry of contracts

For persons seeking tenders and who have signed contracts with EJIE, the data is published in:

Procurement platform of the Basque Country - Public sector procurement platform

In regards to contact data for interlocutors collected in the preliminary market consultations, they will not be communicated to recipients.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Management of personnel belonging to supplier companies

Category of data subjects

Staff who perform work activities in companies that are EJIE suppliers

Purposes

Processing personal data of people working in supplier companies that provide services to EJIE, and to process the creation and deletion of user accounts in the system for them in order to maintain control of physical access to the facilities and digital access to the information systems. Coordinating business activities (CBA) in regards to preventing risk in the workplace Managing communications for maintaining the contractual relationship.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
IMAGE
WORKPLACE HEALTH AND SAFETY DATA
APTITUDE FOR THE JOB
TC2, ITA
PROFESSIONAL EXPERIENCE AND ACADEMIC HISTORY
Specific training in workplace risk received
Document for accepting Ejie policies
Salary payment receipt
Associated PPI, if applicable
Proof of maternity/paternity

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Law 31/1995 of 8 November regarding Workplace Risk Prevention

Data storage period

It will be kept for the duration of the contractual relationship and, when the relationship has ended, it will be kept for the prescriptive period established by the applicable legal provisions.

Personal data processed for CBA purposes will be kept for five years, based on the workplace risk prevention law.

Recipients

Identifying and contact data may be communicated to the directorate of the department of the Basque government or corresponding dependent public sector body of the Basque Country autonomous community that may be necessary for the purposes of providing the services.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

 
Administrative management of clients and suppliers

Category of data subjects

Legal representatives
Government officials

Purposes

Processing personal information regarding client government officials and legal representatives of suppliers for managing orders, contracts, and billing.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
BANK ACCOUNT
ECONOMIC, FINANCIAL, AND INSURANCE DATA

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with:

Legislative decree 1/1997 of 11 November by which the revised text of the ordering principles law for the general tax authority of the Basque Country

Legislative decree 2/2007 of 6 November approving the revised text of the heritage law of the Basque Country

The budget law of the Basque Country every year

DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.

Data storage period

Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved, and decree 464/1995 that carries it out:

Documents recorded in accounting: Six years from the end of the economic period they are from.

Accounting books: 15 years 

Recipients

Álava regional government
Account auditors
Basque Court of Public Accounts

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Government

Category of data subjects

Employed staff

Purposes

Handling the personal information needed to process the economic and financial activities of the organisation  Accounting management and budget control Managing travel for professional purposes.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
BANK ACCOUNT
ECONOMIC DATA
FISCAL DATA

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved.

Data storage period

Documents recorded in accounting: Six years from the end of the economic period they are from.

Accounting books: 15 years Periods in accordance with legislative decree 2/2017 of 19 October by which the revised text of the economic control and accounting law of the Basque Country autonomous community law was approved, and decree 464/1995 that carries it out.

Recipients

General Social Security Treasury, Regional Government of Álava
Financial entities stated for every employee to pay salaries
Itzarri,
Account auditors
Basque Court of Public Accounts

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

External recruitment processes

Category of data subjects

Candidates opting for employment roles in selection processes.

Purposes

Processing of personal data concerning candidates for the purposes of staff recruitment and the filling of vacancies.

Personal data subject to processing

National ID/TIN
FIRST AND LAST NAMES
SOCIAL SECURITY NUMBER
MAILING ADDRESS
EMAIL ADDRESS
TELEPHONE NUMBER
SIGNATURE
IMAGE
SOCIAL SECURITY DATA
SKILLS EVALUATION REPORT
WORK HISTORY
SWORN STATEMENT of meeting the obligations of the position
Language skills: Basque and English

CURRICULUM VITAE THAT MAY INCLUDE:
PERSONAL CHARACTERISTICS: sex
ACADEMIC AND PROFESSIONAL ITEMS: professional experience, degrees, training activities
LANGUAGES

Legal basis

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Internal recruitment processes

Category of data subjects

Applicants who are employed by the organisation

Purposes

Processing of personal data concerning internal calls for in-house staff to apply for vacant posts in the organisation.

Personal data subject to processing

National ID/TIN
FIRST AND LAST NAMES
SIGNATURE
IMAGE
WORK HISTORY
SWORN STATEMENT of meeting the obligations of the position
Language skills: Basque and English

CURRICULUM VITAE THAT MAY INCLUDE:
PERSONAL CHARACTERISTICS: sex
ACADEMIC AND PROFESSIONAL ITEMS: professional experience, degrees, training activities
LANGUAGES

Legal basis

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Management of Human Resources

Category of data subjects

Employed staff
Employee family members

Purposes

Processing of personal data required for the management of the employment relationship, preparation of payslips, social security and generation of different data; planning and control of hours worked: specifically the start and end of the work day (time-sheet), working days and tasks to be performed; staff training; linguistic profiles; instruction and training processes: monitoring incompatibilities Granting of permits, licences and authorisations. Disciplinary proceedings. Management of internal statistics. Relationship with staff representatives. Management of fixed and mobile telephone calls for professional use and costs incurred.

Personal data subject to processing

FIRST AND LAST NAMES
USER IDENTIFICATION
PHOTOCOPY OF ID/TIN
SOCIAL SECURITY DATA
HEALTH INSURANCE CARD
MAILING ADDRESS
EMAIL ADDRESS
TELEPHONE NUMBER
SIGNATURE
IMAGE

PERSONAL CHARACTERISTICS: sex, place and date of birth, marital status
ACADEMIC AND PROFESSIONAL ITEMS: professional experience, degrees, training activities, curriculum vitae
LANGUAGES
SCHEDULE CONTROL DATA: date/time of entrance and exit

FAMILY DATA (income tax, collective bargaining agreement)

CURRENT ACCOUNT
ECONOMIC, FINANCIAL, AND INSURANCE DATA: economic salary data, tax deduction data, insurance linked with the organisation

SPECIAL DATA CATEGORY: union representation (if applicable)

Legal basis

GDPR: 6.1.b) Processing necessary for the fulfilment of a contract to which the data subject is a party or for use at their request for pre-contractual purposes.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with legislative decree 2/2015 of 23 October by which the revised text of the workers’ statute was approved.

Legislative royal decree 8/2015 of 30 October by which the revised text of the general social security law was approved.

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law.

Data storage period

The data will be kept while the contractual relationship is in force and, when it ends, for the periods of time prescribed for responsibilities in legislative royal decree 5/2000 of 4 august, and the other legal provisions that are applicable.

Time-sheets will be kept for four years from the date they are collected.

Recipients

General Social Security Treasury

Job Inspection and Social Security

Álava regional government

Financial entities stated for every employee to pay their salary

Insurance Company

EJIE Company Committee

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Managing social benefits and personal loans

Category of data subjects

Employed staff
Employee family members

Purposes

Processing of personal data relating to the registration and management of social benefits and personal loans applied for and granted to employees to acquire a home or vehicle, or for their own or their children’s studies, medical assistance and to care for disabled or dependent family members, in conformance with article 24 and 27 of the EJIE collective bargaining agreement.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
CORPORATE EMAIL ADDRESS

Personal data vary depending on the document the employee submits, which may include:

PERSONAL CHARACTERISTICS DATA: marital status, date of birth, sex, place of birth, age, nationality
EMPLOYMENT STATEMENT: profession, non-economic salary data, worker history, role, category/level
FINANCIAL ECONOMIC DATA: income, loans, bank guarantees, pension plans, retirement, tax data, bank details, loan history
Special Education: SPECIAL DATA CATEGORIES: degree of disability, invoices for medical expenses

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

Álava regional government

Financial entities stated for every employee to pay the loan

EJIE Company Committee 

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Management of language grants

Category of data subjects

Employed staff

Purposes

Processing of personal data necessary for financing external language courses for staff in accordance with article 28 of the EJIE collective bargaining agreement.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
CURRENT ACCOUNT
EMAIL
TELEPHONE NUMBER
DATE OF BIRTH

ACADEMIC AND PROFESSIONAL DATA
COURSE DOCUMENTATION
LANGUAGE SKILLS
DEGREE EARNED

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

Financial entities stated for every employee to pay the social assistance

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Training plan management

Category of data subjects

Employed staff

Teaching staff from external company

Purposes

Processing of personal data necessary for voluntary training and commitment to learning in the Basque language training plan and the development of linguistic profiles.
Management of training plans offered by the entity for staff.
Registration, management, control and monitoring of participation in training activities organised by EJIE.
Recording of training sessions for internal use and dissemination.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL

ACADEMIC AND PROFESSIONAL DATA
COURSE DOCUMENTATION
LANGUAGE SKILLS
SIGNATURE
IMAGE
VOICE

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recordings of training sessions will be kept for a maximum time of 3 years from the collection date.

Recipients

Personal identification data will be communicated, where appropriate, to entities that manage training grants:

Internal personnel data:
FUNDAE
LANBIDE
HABE

Data of teachers from external companies:
FUNDAE
LANDIBE

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Performance review

Category of data subjects

Employed staff

Purposes

Processing of personal data necessary for staff performance reviews needed for internal promotions and the training plan.

Personal data subject to processing

FIRST AND LAST NAMES
EMAIL ADDRESS
TELEPHONE NUMBER

EMPLOYMENT STATEMENT: profession, non-economic salary data, worker history, role, category/level
SKILLS EVALUATION REPORT
TRAINING

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Data storage period

It will be kept for as long as necessary to execute and carry out the labour relationship until it ends and to determine potential liabilities that may arise from that purpose and processing the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Prevention of occupational hazards

Category of data subjects

Employed staff

Witnesses or people familiar with the events

Purposes

Processing of personal data concerning the prevention of occupational hazards and other protocols related to the workplace, the investigation of accidents and incidents, activation of prevention mechanisms and measures, preparation of assessments, preventive measures and elimination of risks. Occupational health and safety risk assessment reports. Records of regular checks on the working conditions of staff. Records of the implementation of staff health checks (Health Surveillance). Records of information and training provided to staff on OHS. Implementation of the occupational risk prevention plan: risk assessment and planning of preventive activities, information and training for workers. Adoption of health and safety measures. Permanent monitoring of risk prevention.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
IMAGE

SOCIAL SECURITY NUMBER
IDENTIFICATION OF THE POSITION AND ACTIVITIES
EMPLOYEE APTITUDE
SENIORITY IN THE POSITION
RISK PREVENTION TRAINING GIVEN
ACADEMIC AND PROFESSIONAL DATA
INSURANCE
THIRD PARTY DATA (witnesses or people familiar with the events)
HEALTH DATA: sick leave, workplace accidents and degree of disability (without including diagnosis)

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with law 31/1995 of 8 November for workplace risk prevention

Special data categories: GDPR: 9.2.b) Processing is necessary to fulfil obligations and exercise specific rights of the controller or interested party in sphere of labour law.

Data storage period

Data shall be kept for a period of 5 years in accordance with the Law on the Prevention of Occupational Risks.

Health data storage period in accordance with the terms established by regulations.

Recipients

Awarded company that provides workplace risk prevention services in regards to health monitoring

Mutual insurance companies that collaborate with social security

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Active health programme

Category of data subjects

Employed staff

Purposes

Processing of personal data of employees participating in the health improvement and injury and illness prevention programme.

Personal data subject to processing

FIRST AND LAST NAMES
CORPORATE EMAIL ADDRESS
CORPORATE TELEPHONE NUMBER
IDENTIFICATION OF THE POSITION

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Management of conflict resolution procedures and harassment protocols

Category of data subjects

People filing charges
People charged
Witnesses
Third parties involved in the charges

Purposes

Processing personal information related with the communication and investigation of allegedly irregular activities by employees while performing their functions or possible situations of workplace harassment, sexual harassment or gender based harassment.

Personal data subject to processing

FIRST AND LAST NAMES
SIGNATURE
DATA FOR THE PERSON OR THIRD PARTIES NEEDED TO SUSTAIN THE CHARGES
SPECIAL DATA CATEGORIES OF PERSONAL DATA

Legal basis

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Organic law 3/2007 of 22 March for the effective equality of women and men

Law 31/1885 of 8 November for workplace risk prevention

Legislative royal decree 2/2015 of 23 October by which the revised text of the workers’ statute is approved

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Data storage period

Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.

In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person.

Communications that have not been followed up on will only appear anonymously.

Recipients

Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Recording and controlling physical access to the buildings

Category of data subjects

Own and external staff who provide services at EJIE

Physical persons or representatives of legal persons who visit the EJIE offices (e.g. clients or members of the administrative council)

Purposes

(i) Access control for own and external staff
(ii) Access control for visitors
(iii) Managing the evacuation of the building and internal safety to ensure the protection of company property
(iv) Subscribe the safety directives and confidentiality agreement for visitors and behaviour of visitors in the facilities during emergency situations

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
COMPANY DATA
IMAGE
SIGNATURE
TEMPORARY CARD CODE
Where appropriate, VEHICLE REGISTRATION NUMBER

Legal basis

(i) and (iv) GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

(ii) and (iii) GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Data storage period

The data collected in the access register, from own and external staff, will be kept for one month from the date of collection, except when they have to be kept to accredit the commission of acts that threaten the integrity of persons, goods or installations.

The visit data collected in the prior access registration form will be kept for the time necessary to fulfil the purpose for which they were collected and to determine the possible responsibilities that may arise from this purpose and from the processing of the data. In the event that the visit does not take place, they will be kept for one month from the date on which they were collected.

Recipients

Where appropriate, law enforcement agencies, courts and tribunals will be notified.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Recording and controlling physical access to warehouses and the DPC

Category of data subjects

Own and external staff who provide services at EJIE

Physical persons or representatives of legal persons who visit protected areas at EJIE

Purposes

Monitoring staff who enter internal protected and restricted areas to ensure the protection of company property.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
COMPANY DATA
TEMPORARY CARD CODE
In certain cases, a photocopy of the national ID

Lawfulness of processing Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1.f) Processing is necessary to meet legitimate interests sought by the controller.

Data storage period

One month from the date of their capture, except when they have to be kept to prove the commission of acts against the integrity of persons, property or installations.

Recipients

Where appropriate, a photocopy of the ID will be sent to the Basque government department to control access to the DPC.

Where appropriate, law enforcement agencies, courts and tribunals will be notified.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Video surveillance management

Category of data subjects

Own and external staff who provide services at EJIE

Physical persons or representatives of legal persons who visit the EJIE offices

Purposes

Processing of personal data obtained by video surveillance systems to guarantee the security of EJIE's personnel, assets and facilities.

Personal data subject to processing

IMAGE

Legal basis

GDPR: 6.1e) Processing is necessary for the controller to perform a task carried out in the public interest.

Organic law 3/2018 of 5 December for protecting personal data and guaranteeing digital rights

Data storage period

The images obtained will be kept for a period of one month from the date they are collected, except when they must be saved to accredit acts committed against the integrity of people, property or facilities.

Recipients

Where appropriate, law enforcement agencies, courts and tribunals will be notified.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Recording and controlling keys to EJIE locations

Category of data subjects

Own and external staff who provide services at EJIE

Purposes

Monitoring staff who have keys to EJIE locations.

Personal data subject to processing

FIRST AND LAST NAMES
COMPANY DATA

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Transparency

Category of data subjects

High ranking staff and management

Members of the EJIE Administrative Board

Members of the Company Committee

People requesting public information

Purposes

Processing of personal data relating to public relations concerning transparency in the application of regulations on access to public information.

Personal data subject to processing

PERSONAL DATA REGARDING HIGH RANKING STAFF AND MANAGEMENT
First and last names
Title
Salary and remuneration only for the general manager

PERSONAL DATA REGARDING MEMBERS OF THE ADMINISTRATIVE BOARD
First and last names
Title

PERSONAL DATA REGARDING MEMBERS OF THE COMPANY COMMITTEE
First and last names

PERSONAL DATA THAT APPEARS ON DOCUMENTS WITH A DIGITAL SIGNATURE
First and last names

Legal basis

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with law 19/2013 of 9 December for transparency, access to public information and good governance.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

The personal data will be published on the transparency section of the EJIE website.

No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Board of Directors

Category of data subjects

Members of the EJIE Administrative Board

Former members of the EJIE Administrative Board

Purposes

Processing personal information regarding people who are members of governing bodies and managing their actions, tenders, and meeting minutes.

Personal data subject to processing

FIRST AND LAST NAMES
CORPORATE TELEPHONE NUMBER
CORPORATE EMAIL ADDRESS
MARITAL STATUS
PHOTOCOPY OF ID
SIGNATURE

Legal basis

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with legislative royal decree 1/2010 of 2 July by which the revised text of the law of capital companies was approved.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

Notaries
Account auditors

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Legal Advice

Category of data subjects

People associated with administrative or legal proceedings subject to consulting by the area

Purposes

Processing personal information associated with legal advice and legal defence tasks Managing legal or administrative proceedings

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
MAILING ADDRESS
EMAIL
TELEPHONE NUMBER
PLACE AND DATE OF BIRTH
ACADEMIC, PROFESSIONAL, AND EMPLOYMENT DATA
ECONOMIC-FINANCIAL DATA
INFRACTION DATA
HEALTH
PERSONAL DATA CONTAINED IN SENTENCES

Legal basis

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with procedural and substantive laws associated with administrative, labour, administrative or criminal claims.

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

Vice-chancellor of the Legal Regime of the Basque Government

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Exercising rights associated with data protection

Category of data subjects

Physical persons who exercise their rights with EJIE

Purposes

Managing rights regarding data protection exercised regarding processing EJIE was responsible for.

Personal data subject to processing

FIRST AND LAST NAMES
National ID/TIN
EMAIL
MAILING ADDRESS

Legal basis

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with the General Data Protection Regulations 2016/679, and organic law 3/2018 of 5 December for personal data protection and guaranteeing digital rights.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

Basque Data Protection Authority

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Management of incidents and security breaches

Category of data subjects

Affected parties
Complainants
Legal representatives
Clients
Internal and external staff who perform work activities in companies that are EJIE suppliers

Purposes

Management, assessment and reporting of data security incidents and breaches.

Personal data subject to processing

FIRST AND LAST NAMES
TELEPHONE NUMBER
EMAIL
DATA INVOLVED IN THE SECURITY BREACH

Legal basis

GDPR: 6.1.c)  Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with the General Data Protection Regulations 2016/679, and organic law 3/2018 of 5 December for personal data protection and guaranteeing digital rights.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

Basque Data Protection Authority
The Centre’s incident response teams National Cryptography (CCN-CERT)
Law enforcement agencies
Cyberzaintza

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Contact agenda

Category of data subjects

Own and external staff who provide services at EJIE

Staff of the Basque Country autonomous community government and the rest of the entities that make up the public sector

Purposes

Contact information for people who EJIE staff have relationships with Managing the content of communications, and maintaining commercial or contractual relationships.

Personal data subject to processing

FIRST AND LAST NAMES
EMAIL
TELEPHONE NUMBER
ROLE / POSITION PERFORMED

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

GDPR: 6.1e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

DECREE 36/2020 of 10 March, by which the model for managing information and communications technology in the public sector of the Basque Country Autonomous Community is regulated.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Common repository of digital media for internal dissemination

Category of data subjects

Employed staff

Government officials

Third-parties that interact with EJIE

Purposes

Use of multimedia content for internal use and dissemination.

Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may only be used for internal use and dissemination, i.e., the corporate intranet, internal events and presentations, or other analogous uses.

Personal data subject to processing

FIRST AND LAST NAMES
IMAGE
VOICE

Legal basis

GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Data storage period

The data will be kept until the interested party expresses their opposition to the processing.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Common repository of digital media for external dissemination

Category of data subjects

Employed staff

Government officials

Third-parties that interact with EJIE

Purposes

Use of multimedia content for external use and dissemination.

Images and videos that may contain the name, surname, face (image) and/or voice of employees and third-parties may be used for external use, for example the EJIE website, events and presentations, corporate social networks or other analogous uses.

Personal data subject to processing

FIRST AND LAST NAMES
IMAGE
VOICE

Lawfulness of processing Legal basis

GDPR: 6.1a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Data storage period

Data shall be kept until the data subject withdraws their consent to such processing.

Recipients

In certain cases, the data will be published on the EJIE website, at events and on EJIE social networks.

International data transfer

Social networks, international transfers based on adequacy decision foreseen in art. 45 of the GDPR or through suitable guarantees foreseen in art. 46 GDPR.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Electronic signature - Izenbox

Category of data subjects

Representatives of legal person

People employed by EJIE

Purposes

Centralised document management that let users use digital signatures.

Personal data subject to processing

National ID/TIN
FIRST AND LAST NAMES
EMAIL
ELECTRONIC SIGNATURE

Legal basis

GDPR: 6.1.b) Processing is necessary for the fulfilment of a contract to which the data subject is a party.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Sending communications

Category of data subjects

Own and external staff who provide services at EJIE

Minsters, Vice-Ministers, Directors and staff of the Basque Country Autonomous Community government and the rest of the entities that make up the public sector

Purposes

Sending non-commercial communications like, for example, Christmas greetings or bank holiday greetings, among other things. Managing sending invitations and registration for events organised by EJIE, or third-parties, in which EJIE participates.

Personal data subject to processing

FIRST AND LAST NAMES
EMAIL

Legal basis

GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Data storage period

The data will be kept until the interested party expresses their opposition to the processing.

Recipients

In certain cases, personal data belonging to entities that promote events EJIE participates in may be communicated.

No other communication of data is foreseen, unless it is required to comply with legal obligations that EJIE S.A. must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Managing EU Next Generation projects

Category of data subjects

Internal staff (procurement table and technical managers)

Members of the EJIE Steering Committee

Members of the EJIE Administrative Board

Legal representatives of tendering and awarded companies

External staff who provide services at EJIE

Purposes

Processing personal information regarding the collective of interested parties who participate in drafting specifications and fill out and sign the corresponding appendices in the framework of EU Next Generation project management.

Personal data subject to processing

FIRST AND LAST NAMES
ID NUMBER
TELEPHONE NUMBER
MAILING ADDRESS
EMAIL
SIGNATURE

Legal basis

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject, in accordance with:

EU regulation 2021/241 of the European Parliament and Council of 12 February, which establishes the RRM.

Royal decree-law 36/2020 of 30 December, by which urgent measures for modernising the public administration are approved and to execute the recovery, transformation and resilience plan.

Order HFP/1030/2021 of 29 September, by which the management system of the recovery, transformation and resilience plan is configured.

Order HFP/1031/2021of 29 September, by which the procedure and format for the information to provide by national, autonomous community and local public sector entities is established for monitoring achievement of milestones and goals for the parts of the recovery, transformation and resilience plan.

Order HFP/55/2023 of 24 January, regarding the systemic analysis of the risk of conflicts of interest in the procedures executed by the recovery, transformation and resilience plan.

Governing Council agreement of 8 February 2022, regarding the budgetary and accounting execution, management and monitoring the activities and projects associated with the recovery, transformation and resilience plan.

Governing Council agreement of 29 March 2022, by which the “plan for measures to meet anti-fraud requirements, conflict of interest, double financing and state assistance and non-significant environmental damage for initiatives required under the recovery, transformation and resilience plan” is approved.

Chapter V of law 15/2022 of 23 December, by which the general budget of the Basque Country autonomous community are approved.

Data storage period

Documents are kept for five years after the payment of the salary or of the transaction if there was no payment, or for three years in accordance with article 132 of the financial regulations.

Recipients

Ministry of Taxes and Public Functions, through the MINERVA and CoFFEE-MRR platform

Ministry of Economy, Commerce and Business, through the HRS platform

Bodies of the European Union for the purposes of audits and monitoring government and European funds, when applicable

Personal data regarding internal staff may be communicated to the directorate of services of the department of public governance and self-governance for auditing purposes

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Code of Conduct

Category of data subjects

People filing charges
People charged
Witnesses
Third parties involved in the charges

Purposes

Processing of personal data concerning the reporting and investigation of abnormal cases or queries regarding possible breaches of the organisation's internal regulations about the code of conduct and code of ethics of the organisation.

Personal data subject to processing

FIRST AND LAST NAMES
EMAIL
DATA FOR THE PERSON OR THIRD-PARTIES
DATA NEEDED TO SUSTAIN THE CHARGES
SPECIAL DATA CATEGORIES OF PERSONAL DATA

Legal basis

GDPR: 6.1.c) Processing necessary for compliance with a legal obligation to which the controller is subject.

Law 2/2023 of 20 February, which regulates protection of whistleblowers about regulatory infractions and the fight against corruption.

Special categories of data: GDPR: 9.2g) Processing is necessary for reasons of substantial public interest, on the legal basis of the Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Data storage period

Personal data of the person informing of the situation and of the employees or third parties shall only be kept for the time necessary to process the complaint.

In any case, three months after having informed of the situation and/or concluding the investigation thereof, all data shall be deleted unless disciplinary proceedings against an employee are pending or the purpose of keeping the data is to leave evidence as to the functioning of the method for the prevention of the commission of offences on the part of the legal person.

Communications that have not been followed up on will only appear anonymously.

Recipients

Where appropriate, data shall be disclosed to the Courts and Tribunals, Law Enforcement Agencies or other public administrations authorised to deal with the type of complaint lodged.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Managing access to EJIE systems by staff from supplier companies of convergent entities

Category of data subjects

Representative from the convergent entity

Staff of supplier companies of EJIE clients (convergent entities) who, in order to execute an order, must access EJIE information systems

Purposes

Processing information to manage user creation and deletion in order to maintain logical access control for EJIE information systems and acceptance of the security policies.

Personal data subject to processing

Staff of companies that are suppliers of EJIE clients
FIRST AND LAST NAMES
TITLE / CATEGORY
ID NUMBER
SIGNATURE
On a Servicenow request, the following is also collected:
EMAIL
TELEPHONE NUMBER

Legal basis

GDPR: 6.1.b) Processing is necessary for executing the order between the department of the Basque government and the dependent public sector body of the Basque Country Autonomous Community and EJIE

GDPR: 6.1f) Processing is necessary to meet legitimate interests sought by the controller.

Data storage period

It will be kept for as long as necessary to fulfil the purposes for which it was collected and to determine any potential liabilities that may arise from those purposes and handling the data.

Recipients

No data communication is expected except in cases where it is required to fulfil legal obligations that EJIE S.A must fulfil.

International data transfer

No data transfers are expected.

Data controller

Eusko Jaurlaritzaren Informatika Elkartea (EJIE)

Avda. de El Mediterráneo, 14, 01010 Vitoria-Gasteiz Araba/Álava

DPD contact information dpo@ejie.eus

Security measures

The security measures implemented are the ones described in ISO 27001 for managing information security systems and the ones described in royal decree 311/2022 of 3 May, with which the national security scheme is regulated.

Last modified date: