The CBM, as data controller, guarantees an adequate and comprehensive level of protection for individuals with regard to their personal data being processed by the company, in accordance with General Data Protection Regulation 679/2016.

The CBM only processes personal data in a highly responsible manner and lawfully, and in accordance with the legal grounds that result in the legality of the processing. It has also adopted the relevant and appropriate security measures given the objectively identified and assessed risks to the rights and freedoms of the data subjects which may derive from the processing carried out by our company.

Offered below is additional and extended information regarding the specific processing activities:

Responsible: Centro de Biología Molecular Severo Ochoa

• Contact details: Agencia Estatal Consejo Superior de Investigaciones Científicas. Calle Serrano 117 Madrid (lopd@csic.es) -Data Protection Delegate: José López Calvo (1-7-2016) – delegadoprotecciondatos@csic.es Javier Rodríguez Aparicio – javier.rodriguez@csic.es
• Purposes of processing: video surveillance, security and access control to the buildings of the Centro de Biología Molecular Severo Ochoa.
• Description of the categories of data subjects employees and visitors accessing the Severo Ochoa Molecular Biology Center and of the categories of personal data non-special personal data: image.
• Categories of recipients to whom personal data were or will be communicated: to Security Forces and Corps.
• Where applicable, transfers of personal data to a third country or international organization, including the identification of such third country or international organization and, in the case of transfers referred to in Article 49(1), second subparagraph, the documentation of appropriate safeguards: no processing is carried out or envisaged outside the territory of the European Economic Area.
• Deadlines foreseen for the deletion of the different categories of data: in accordance with article 6 of Instruction 1/2006 on video surveillance, the data will be deleted within a maximum period of 1 month from its collection.
• General description of the technical and organizational security measures referred to in article 32, paragraph 1. In accordance with the first additional provision of the LOPDGDD, the security measures provided for in the National Security Scheme will be applied to prevent its loss, alteration or unauthorized access.
• Legal basis. (RGPD: 6.1.e) Processing necessary for the performance of a task carried out in the public interest or in the exercise of public powers vested in the controller.

• Party responsible: Centro de Biología Molecular Severo Ochoa
• Contact details: Agencia Estatal Consejo Superior de Investigaciones Científicas. Calle Serrano 117 Madrid (lopd@csic.es) – Data Protection Officer: José López Calvo (1-7-2016) – delegadoprotecciondatos@csic.es Javier Rodríguez Aparicio – javier.rodriguez@csic.es
• Purposes of processing: Management and administrative procedures of the Human Resources of the CBM, publication of the staff directory on the Centre’s website and staff access control. Nominal control of visitors.
• Description of the categories of data subjects employees, students and other staff with some kind of involvement and employment relationship with the Centro de Biología Molecular Severo Ochoa. Visitors and personal data categories employee data: name, address, telephone, e-mail, date of birth, sex, nationality, DNI, NSS, academic qualifications, job title, identification photo. Visitor data: Name
• Categories of recipients to whom personal data were or will be communicated: to central services of the CSIC or the Autonomous University of Madrid within the framework of their competences.
• Where applicable, transfers of personal data to a third country or international organisation, including the identification of such third country or international organisation and, in the case of the transfers referred to in the second subparagraph of Article 49(1), documentation of adequate safeguards: no processing is carried out or envisaged outside the territory of the European Economic Area.
• Timeframes foreseen for the erasure of the different categories of data: it is not possible to make a forecast of the timeframes for erasure.
• General description of the technical and organisational security measures referred to in Article 32(1). In accordance with the first additional provision of the LOPDGDD, the security measures provided for in the National Security Scheme shall be applied to prevent their loss, alteration or unauthorised access.
• Legal basis. GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures. GDPR: 6.1.c)

Processing necessary for compliance with a legal obligation applicable to the controller. Law 30/1984, of 2 August 1984, on measures for the reform of the Civil Service.

Royal Legislative Decree 5/2015, of 30 October, approving the Law on the Basic Statute of the Public Employee.

Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Workers’ Statute Law.