The CSIC is a public body that generally acts as a controller of personal data, so it is responsible, following the principle of proactive responsibility, for meeting the obligations established by the General Data Protection Regulation and Law 3/2018 of 5 December, on the Protection of Personal Data and guaranteeing digital rights. 
These obligations include the duty to appoint a Data Protection Officer and communicate this to the AEPD. The CSIC Data Protection Officer is José López Calvo. 

The regulation also requires that the inventory of processing activities be made public electronically. Through the following links you can access those corresponding to the central organization of the CSIC and those corresponding to the CSIC Centres and Institutes.  

The CSIC has fulfilled the other requirements existing in the area of data protection. These include the creation of internal mechanisms for the communication of any security breach, and the corresponding risk analysis, with the adoption of the appropriate security measures depending on the detected breach, as well as studies into the “evaluation of impact on privacy” in the cases where there are risks, mainly those detected linked to data processing within the framework of certain research projects. 

The privacy policy of the CSIC is accessible through this link: