Museu Picasso de Barcelona

Barcelona City Council

Site Menu



Data Protection Policy

This is the Data Protection Policy of the Fundació Museu Picasso de Barcelona. It refers to the data processed in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016).

Who is responsible for the processing of personal data?

The Fundació Museu Picasso of Barcelona (hereinafter, Museu Picasso), is responsible for the processing of personal data, with the CIF (Tax Identification Code) CIF G66008897, whose registered address is carrer Montcada, 15-23, Barcelona (Postal Code 08003), tel. 93 256 3000,,

Who is the Data Protection Officer?

The Data Protection Officer (DPO) supervises the fulfilment of the Data Protection Policy of the Museu Picasso, ensuring that the personal data is suitably processed and that the rights of the people are protected. Among the functions of this figure are those of attending any doubt, suggestion, complaint or claim of the people who data is processed. The Data Protection Officer can be contacted in writing to carrer Montcada, 15-23, Barcelona (Postal Code 08003), by telephone, 93 256 3000 or by email to

What is our aim in processing the data?

In the Museu Picasso we process personal data with the following aims:

To attend the queries of the people who contact us through contact forms on our website or by phone.

Museum Services.
Registration of users who purchase or book admission tickets to visit the rooms of the Museum and carry out training courses or educational projects. The possibility is offered of having the "Picasso Card" which results from the processing of the data of the people who request it, in order to provide personalised services and advantages. In the process of registering users of the services, essential information is requested for identification purposes, or bank details (in case it is necessary to manage a payment process).

Information about our services
With the explicit authorization of each person, we use contact details to communicate information about activities or events.Con la autorización explícita del usuario utilizamos los datos de contacto para informar sobre actividades, actos o acontecimientos.

Management of the data of our providers and suppliers
We record and process the data of the providers and suppliers from whom we obtain services or goods. It can be the data of people who act as freelancers and also data of representatives of legal persons or entities. We obtain essential data for maintaining business relationships, we use it solely for this purpose and we use it for this kind of relation.

Video surveillance
In the entrances of our facilities, the visitors are informed of the existence of video surveillance cameras by means of the approved signage. The cameras record images only of the points in which it is justified to guarantee the security of the goods and the people, and the images are only used for this purpose.

What is the legal legitimisation for the data processing?

The data processing that we carry out has different legal grounds, depending on the nature of each processing:

In fulfilment of a contractual relation: if the relation is with our providers and suppliers and with those who purchase admission tickets or contract other services of the Museum.

In compliance with legal obligations: For example, data communications to the tax administration, established in fiscal and regulatory rules for commercial relations.

Based on consent: We do mailings of information about the services, activities, or events that we programme.

In fulfilment of the public interest mission: We record images with the video surveillance cameras, to preserve the heritage that is held by us.

To whom do we communicate?

As a general criteria, we only communicate data to public administrations or authorities and always in compliance with legal obligations. In the issuing of invoices to customers and clients the data can be communicated to banking entities. In justified cases, we will communicate the data to the security forces and bodies or to the competent judicial bodies. No transfers of data will be carried out, outside the scope of the European Union (international transfer).

How long do we keep the data for?

The period of the data storage is determined by different factors, mainly the fact that the data is still necessary to meet the purposes for which it has been collected in each case. Secondly, it is kept to deal with possible responsibilities for the processing of data by the Museum, and to meet any requirements from other public administrations or judicial bodies.

Consequently, the data must be kept for as long as necessary to preserve its legal or informative value or to prove compliance with the legal obligations, but not for a period exceeding that which is required in accordance with the purposes of its processing.

In certain cases, such as the data contained in the accounting documentation and the invoicing, the tax regulations oblige us to keep it until they prescribe the responsibilities in this matter.

If the data that is processed exclusively on the basis of the consent of the interested party, it will be kept until this person revokes this consent.

Finally, in the case of the images being obtained by video surveillance cameras, these are kept for a maximum of one month, although in the case of incidents that justify it, for the period necessary to facilitate the actions of the security forces and bodies or of the judicial organs.

The rules regulating the conservation of public documentation, and the decisions of the National Commission for the Access, Evaluation and Documentary Choice are a benchmark that determines the criteria that we follow in the conservation or elimination of the data.

What rights do the people have in relation to the data that we process?

As foreseen in the General Regulations on Data Protection, the persons for whom we process data have the following rights:

To know if it is processed
Anyone has the right to know if we are processing their data, regardless of whether there has been a prior relationship.

To be informed of its collection
When personal data is obtained from the interested party, at the time of providing it, they must have clear information regarding the purposes for which it will be assigned, who will be responsible for the processing, and any other aspects derived from this processing.

To gain access to it
The right that includes knowing precisely what personal information is being processed, what is the purpose for which it is being processed, any communications to other people (if applicable) or the right to obtain a copy or to know the expected time frame of its conservation.

To request its rectification
It is the right to have any inaccurate data rectified, that is the object of processing by us.

To request its deletion
In certain circumstances there exists the right to request the deletion of the data when, among other reasons, it is no longer necessary for the purposes for which it was collected and for which its processing is justified.

To request a limitation of the processing
Also in certain circumstances, the right to request the limitation of the processing of the data is also recognized. In this case it will no longer be processes with and will only be kept for the exercising or defense of claims.

To the portability
In the cases foreseen in the regulations, the right to obtain personal data is recognized in a structured format that is commonly readable by machines.

To oppose the processing
A person can adduce reasons related to his or her particular situation, reasons that will imply their data should no longer be processed, to the extent that may be detrimental to them.

How can you exercise or defend your rights?

The rights that we have just mentioned may be exercised by sending a written request to the Museu Picasso at its registered postal address of carrer Montcada, 15-23, Barcelona (Postal Code 08003) or by sending an email to, indicating in all cases "Protection of Personal Data”.

If you haven't received a satisfactory response in exercising your rights, you can present a claim to the Spanish Data Protection Agency, by means of the forms or other accessible channels, from its website (In Spanish):

In all cases, either to present claims, request clarifications or send suggestions, it is possible to do so, by sending a mail to the Data Protection Officer, at the following email address