RAT-Personas Encargadas de Tratamiento Lantik

DATA PROCESSORS
OF LANTIK S.A.M.P.

Art. 4 of the General Data Protection Regulation (GDPR) defines a data processor as “a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller”. In accordance with Art. 28 of the GDPR, when a data processor processes personal data on behalf of Lantik, the company ensures that relationships are only established with data processors that offer sufficient guarantees for the implementation of technical and organisational security measures. This ensures that the processing of personal data complies with the instructions and guidelines that are defined, established, and updated by Lantik for its employees and, furthermore, that their implementation complies with current legislation on data protection.

HOW DO WE ESTABLISH AND REGULATE OUR RELATIONSHIP WITH DATA PROCESSORS?

Lantik is a company exclusively owned by the Bizkaia Provincial Council, which provides the Provincial Institution, the bodies and institutions that report to it, and City Councils with information systems, as well as providing their operation and related services.

The company has the status of being an agency affiliated with Bizkaiko Foru Aldundia/Bizkaia Provincial Council (BFA/DFB), which may, either directly or through other contracting authorities or legal entities controlled in the same way by the BFA/DFB, entrust it with tasks that must be carried out.

Its legal relationship with the data processors is regulated and established through instructions and guidelines which give rise to legal acts binding on both parties and that establish the purpose, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of both parties, as well as the other aspects specified in Article 28 of the GDPR.

The main and end goal of the instructions and guidelines is to ensure that entities that process personal data on behalf of data controllers in Lantik's environment, only have legitimate access to data, ensuring:

  1. That the personal data are used to provide the service entrusted and are not used for other purposes that are contrary to those expressly authorised
  2. That personal data is not disclosed to third parties or entities without a legitimate legal basis, in accordance with Art. 6 of the GDPR.
  3. That the confidentiality and integrity of personal data are guaranteed through the implementation of security measures.

Only entities that provide the established guarantees and that comply with the instructions and data protection regulations in force may be data processors for Lantik.

WHAT PARTIES ARE INVOLVED IN PROCESSING ORDERS AT LANTIK?

In relation to Lantik, given its status as an agency affiliated with the Bizkaia Provincial Council (BFA/DFB), different situations may arise in its relations with other intervening entities. Firstly, and principally, Lantik can commission private companies to process personal data, which in most cases will assist Lantik in providing services for the Bizkaia Provincial Council and the rest of the Provincial Entities. In addition, although to a lesser extent, Lantik can carry out orders for other agencies affiliated with the Bizkaia Provincial Council, such as Izenpe, for example.

In general terms, in relation to Lantik, we can identify the following parties as being involved in the bilateral relationship between the data controller and data processor:

  1. Firstly, Lantik's general departments are, for the most part, data controllers, within their material scope of competence and, specifically, with regard to the processing of personal data that occurs within the scope of this legal responsibilities.
  2. In addition, data processors are the natural persons or legal entities with whom Lantik enters into a legal relationship which, in most cases, as mentioned above, is aimed at supporting the provision of services carried out for the Bizkaia Provincial Council and the rest of the Provincial Entities, and which has the following characteristics:
    • A contract is entered into
    • These legal transactions give rise to and trigger the processing of personal data

HOW ARE PROCESSING ORDERS FORMALISED BETWEEN THE DATA CONTROLLER AND THE DATA PROCESSOR AT LANTIK?

The data processors are linked to Lantik's data controllers, mostly General Management, by means of various administrative, private, or hybrid contracts that are formalised by Lantik's contracting bodies with private sector individuals or entities in accordance with Law 9/2017, of 8 November, on Public Sector Contracts.

You can view the entities with which Lantik has entered into contracts and the services they provide through the following link: Contractor profile

These contracts, in addition to regulating the specific material scope that is specific to them, must contain legal clauses that regulate the processing of personal data that occurs when providing the main service of each business. These data protection clauses organise and regulate both the legal relationship that arises between the General Management of Lantik, in their capacity as data controllers, and the data processors, as well as the rest of the aspects required and stipulated by data protection regulations.