Data protection policy

The data protection policy of the Consorci del Museu de Ciències Naturals de Barcelona is described below. The policy refers to data processed in compliance with the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the GDPR). and and Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights.

Who is responsible for processing your personal data?

The entity responsible for the processing of your personal data is the Consorci del Museu de Ciències Naturals of Barcelona (hereinafter, the Museum), CIF Q0801897J, with a registered address at Plaça Leonardo da Vinci, 4-5, Barcelona 08019 (Spain). Telephone: 0034 932 566 002. Email: Website:

Who is the Data Protection Officer?

The Data Protection Officer (DPO) oversees compliance with the Museum’s data protection policy, ensures that your personal data are legitimately processed and that your rights are protected. The DPO’s functions include responding to any questions, suggestions, complaints or claims made by the persons whose date are processed by the Museum. The DPO can be contacted by writing to Plaça Leonardo da Vinci, 4-5, Barcelona 08019, by telephoning 0034 932 566 002, or by sending an email to the electronic address

For what purpose do we process personal data?

The Museum processes personal data for the following purposes:

  • Contact: To deal with inquiries made through our website contact forms or by telephone.
  • Museum services: To register people who book or purchase tickets to visit the Museum or who attend events or activities organized by the Museum. The registration process requires us to ask for essential information such as identification details and, when required for payment purposes, banking information.
  • Activities. In the organization of cultural and training activities we receive data from the people who register, in order to organize the activity. As a general criterion, the data is not communicated to other people without the explicit consent of the person who participates in the activity.
  • Information about our services: When expressly authorized to do so, we use people’s contact details to communicate information about activities and events organized by the Museum.
  • Management of provider data: We register and process the data of providers of goods and services, including the data of freelancers and representatives of legal persons or entities. We only collect the data necessary to maintain the commercial relationship and only use it for this purpose and as appropriate for this kind of relationship.
  • Video surveillance: Visitors to the Museum’s premises are informed by means of approved signs of the existence of video surveillance cameras. The cameras only record in locations where it is necessary ensure the safety of people and property and the images are used only for this same purpose.

What are the lawful bases for data processing?

The data we collect are processed on different legal grounds depending on their nature:

  • To comply with a contractual relationship. This is the case of relationships with our providers and with people who purchase tickets or hire other services from the Museum.
  • To comply with legal obligations. An example is communication of data to the tax authorities, as established in fiscal and regulatory rules governing commercial relationships. 
  • On the basis of consent. We send news about services and schedules of activities and events to people who agree to receive this information.
  • To perform a task in the public interest. We use video surveillance to safeguard the collections for which we are responsible.

Who else has access to your personal data?

As a general rule, we only communicate data to public administrations or authorities and only to comply with legal obligations. Data referring to invoices to customers may be communicated to banking entities. Whenever necessary and justifiable, we communicate data to police and security forces and to competent judicial bodies. Data are not transferred outside the European Union (international transfers).

How long do we keep your personal data?

The length of time we keep your personal data is determined by different factors, but the first and main reason is the need to fulfil the purpose for which they were collected. The data are also kept for as long as necessary to deal with possible claims and the requirements of other public authorities and judicial bodies.

Consequently, the data will be kept for the time necessary to preserve their legal or informative nature or to demonstrate compliance with legal obligations, but for no longer than necessary in accordance with the purposes of collecting the data.

In certain cases, such as accounting documentation and invoices, tax regulations require us to keep the corresponding data until responsibilities have prescribed.

The data that are processed exclusively on the basis of consent are retained until the consent is withdrawn.

Images recorded by video surveillance cameras are kept for a maximum of one month, except in the case of incidents that involve the police, security forces or judicial bodies.

The criteria we apply to the conservation or erasure of data are determined by regulations governing the conservation of public documentation and decisions of the Spanish National Commission on Access, Evaluation and Documentary Selection (Comisión Nacional de Acceso, Evaluación y Selección Documental).

What are your rights regarding the personal data we process?

As stipulated in the GDPR, you have the following rights regarding personal data of yours that we collect:

  • To know that your data is being processed: You have the right to know that we are processing your data, regardless of whether or not a prior relationship exists.
  • To be properly informed when your data is collected: When we collect your personal data, you have the right to receive clear information on the purposes for which they will be used, who will be responsible for processing and any other relevant information.
  • To access: You have the right to know exactly which personal data are being processed and for what purpose and also which data (if any) are communicated to others. You also have the right to obtain a copy of your data and to information on how long they will be kept.
  •  To rectification: You have the right to rectify inaccurate personal data held by the Museum. 
  • To erasure: In certain circumstances you have the right to request the erasure of your data when, among other reasons, they are no longer necessary for the purposes for which they were collected and processed.
  • To restrict processing: In certain circumstances you have the right to request that the processing of your personal data be restricted, in which case they will only be kept in order to exercise or defend possible claims.
  • To data portability: In cases provided for in the GDPR you have the right to obtain your personal data in a commonly used, structured, machine-readable format.
  • To object: You have the right to adduce reasons related to your particular circumstances that will stop the processing of your personal data to the extent that this may cause harm.

How can you exercise or defend your rights?

The rights listed above can be exercised or defended by sending a written request to the Museum addressed to Plaça Leonardo da Vinci, 4-5, Barcelona 08019 (Spain). Alternatively, you can send an email to, using the subject heading “Personal data protection.”

If you do not receive a satisfactory response in the exercise or defence of your rights, you may file a claim with the Catalan Data Protection Authority (Autoridad Catalana de Protección de Datos) using the forms or other channels accessible from its website at

To submit claims, request clarifications or make suggestions, you may also contact the DPO by sending an email to