PERSONAL DATA PROTECTION

Your data, your rights, our obligations

This document explains the data protection policy of FUNDACIÓ PRIVADA UNIVERSITAT I TECNOLOGIA (here in after FUNITEC), which incorporates the principles of Regulation (EU) 2016/679 of the European Parliament and the Council, of 27 April 2016 (here in after the General Data Protection Regulation).

At FUNITEC, we fully assume the spirit of this European Regulation, since it reinforces your rights and offers greater guarantees concerning the processing of your data. This regulation makes the processing of your data homogeneous across Europe and establishes a framework for information and protection that we want you to be aware of.

For this reason, we have summarised the fundamental aspects of our data protection policy:

  • Who is responsible for the processing of personal data?
  • What is the function of the Data Protection Officer?
  • What is the purpose of the data processing?
  • How do we obtain data?
  • What is the legal ground for the data processing?
  • Who is the data communicated to?
  • How long is data kept?
  • What rights do people have about the data we process?
  • How can you exercise or defend your rights?
  • Specific data protection policies                                                                                                                                     

Who is responsible for the processing of personal data?

The Data Controller is FUNDACIÓ PRIVADA UNIVERSITAT I TECNOLOGIA (FUNITEC), with registered address at C/ Sant Joan de la Salle, 42, Barcelona (CP – 08022), Tax ID: G60643558, tel: 93 290 24 00, email: info@salle.url.edu, www.salleurl.edu, registered in the Foundations Registry of the Catalan Government with number 744.

The email address for making requests regarding personal data protection is protecciodades@salle.url.edu .

The services and functions offered by FUNITEC are complemented by those carried out by the following institutions:

La Salle is a member of the Higher Education Centre of Ramon Llull University.

What is the function of the Data Protection Officer?

The Data Protection Officer (DPO) is the person who oversees compliance with our data protection policy, ensuring that data is processed properly and protecting people’s rights. Their functions include handling any doubts, suggestions, complaints, or claims by the people whose data is processed. You can contact the Data Protection Officer either by post at our physical address, by telephone, or by email at dpd@salle.url.edu.

What is the purpose of the data processing?

We process personal data with all due regard to people’s rights and always in a proportional way. This means that in all cases, we process only the appropriate, pertinent data required to fulfill the explicit purposes for which it was obtained; in short, we process only the necessary data to make it possible to provide Campus services.

In the case of opinions or assessments of our services, more data than usual may be required. On these occasions, the answers will be processed as statistics separate from any data identifying the person answering.

FUNITEC processes personal data mainly to provide academic and extra-academic services, to send communications related to Campus activities and services, to develop commercial relations, and ultimately, for internal management. Here are some specific cases related to various existing profiles (list not exhaustive):

  • Candidates, students, and alumni:
    • To register potential students, assess their profiles, and offer them information about the Campus products, services, and events that are best suited to them and which they are interested in.
    • Academic management and student oversight (analysis of progress and performance, assessment and support) throughout the student’s life cycle.
    • Administrative procedures (insurance, enrolments, financial processes, issuance of certificates and titles, etc.).
    • Counseling and support in finding work.
    • Management of alumni and organisation of events to help maintain relationships.
  • Organisation staff (Teaching and Research Staff/Admin. and Services Staff, external teaching staff and interns):
    • Internal management of the organisation's staff and monitoring of their work-related activity.
    • Assessment of their training needs for their professional development and ensuring the internal training that is offered to them is appropriate.
    • Administrative procedures (creating wage slips, processes related to Social Security, etc.).
    • Management and resolution of incidents or suggestions.
    • Detection of weaknesses related to occupational health and safety, planning improvements, and providing training activities in this area.
  • Users of campus services (including La Salle website):
    • Recording and controlling access.
    • Security of people and assets.
    • Administrative management of services.
    • Information about the services offered and activities related to them.
  • Commercial suppliers:
    • Administration of contacts with whom there is a financial relationship.
    • Accounting and other financial activities.

FUNITEC may carry out additional processing where so obliged by law and/or judicial orders.

How do we obtain data?

The data we collect is provided mainly by you in your relationship with the organisation. This can be done through specific tools or methods for this purpose, for example, through digital or physical forms, interviews, surveys, and recording of images through video cameras, e-mails, etc.

It should also be noted that a smaller amount of the data collected may come from other academic institutions.

What is the legal ground for the data processing?

The legal ground for the various data processing we carry out may vary depending on the type of relationship or connection you have with us. We classify the main data processing carried out by us according to the legal grounds from Article 6.1 of the General Data Protection Regulation.

Below you will find further details about these legal grounds:

  • For the performance of a pre-contractual relationship:
    • This is the case of the data of people interested in the educational programs offered by FUNITEC.
    • For other reasons but with similar legal grounds, we process the data of future workers, users of services, and suppliers with whom we have relationships before formalising a contractual relationship.
  • For the performance of a contractual relationship:
    • This is the case of the relationships with our employees, suppliers, and users of campus services, and all the actions and uses of data that these contractual relationships entail.
  • For compliance with legal obligations:
    • The provision of higher education services means we are forced to comply with various laws and regulations that entail data processing. In this regard, FUNITEC communicates the data of its students to Universitat Ramon Llull Fundació for procedures involving the recognition and issuance of certificates corresponding to the studies taken.
    • Data is also reported, in compliance with legal obligations (tax regulations), to the tax administration, judicial bodies, and law enforcement agencies if so required.
  • Based on the consent of the interested party:
    • When we send information about our activities or services we use contact information with the explicit consent of the person who will receive it.
    • This is also the case of data sent to us by people who have sent us their CVs or who participate in hiring processes.
    • Monitoring the return on investment in FUNITEC promotion.
  • For purposes of legitimate interest:
    • The images we obtain with video surveillance cameras are processed in the legitimate interest of our institution in preserving our property and facilities.
    • Our legitimate interest also justifies the processing of data we get from contact forms, as well as the data of people who register to comment on our blogs or install our app.
  • For the performance of a task carried out in the public interest:
    • When we disseminate research work and awards obtained, among others.

Who is the data communicated to?

In general, the personal data, which is processed by FUNITEC to achieve the purposes and on the grounds described above, is only communicated in compliance with legal obligations. However, they may also be communicated to specific recipients depending on the legal grounds of communication between both organisations, and where consent of the interested party is given when required.

In terms of the General Data Protection Regulation, it is not a transfer of the data itself but an order to process. Services are only procured from businesses that guarantee compliance with this regulation. Upon procurement of these services, these companies formalise their confidentiality obligations, and their conduct is overseen. Such cases include data hosting services on servers, IT support services, legal services, and accounting and tax consultants.

Based on this, the following cases of data communication are to ensure contractual relationships can be carried out effectively, as well as to comply with legal obligations that require us to carry out such communication:

  • Other institutions of the Network.
  • Regional, state, European and international organisms and public administrations (the Spanish Tax Agency, Social Security, law enforcement bodies, etc.).
  • Financial entities, to manage payments and/or collections.
  • Healthcare organisations and insurance providers so that users can use the services.
  • Domestic or international companies and institutions that host students as interns, or with whom we run projects based on collaboration agreements.
  • Professional associations.
  • Associations and non-profit organisations.
  • Public bodies with competencies in the field of workplace health and safety.
  • Google. Inc, to measure the return on investment in the promotion of FUNITEC, which adopts appropriate security measures according to ISO 27001 (information encryption using the secure and unidirectional SHA256 hash algorithm), under the explicit consent of the interested party.

How long is data kept?

The time data is kept depends on various factors. The first deciding factor is whether the data is still necessary to fulfill the purposes for which it was collected. Secondly, they are kept as long as required to cover any possible data processing responsibilities on the part of FUNITEC, as well as to comply with any orders from public administrations or judicial bodies.

As such, the data must be kept for as long as necessary to preserve its legal or informational value and to prove compliance with legal obligations, but not for a while longer than necessary for the processing (requirement of “limitation of preservation of data” as described in the General Data Protection Regulation). In the case of information that certifies studies taken by students with us, the data is permanently preserved to preserve the rights of these students.

In certain cases, such as the data contained in accounting documentation and billing, tax regulations oblige us to preserve data until legal responsibilities in this field have been prescribed. Regulations on foundations specify that certain accounting data must be preserved for at least ten years (compliance with Law 10/2010, of 28 April).

In the case of data that is processed exclusively on the basis of the consent of the interested party, such data is kept until the person in question revokes this consent.

Finally, in the case of images obtained by video surveillance cameras, these are kept for a maximum of one month, although in the case of incidents that justify it, they may be kept for as long as is required to facilitate the actions of law enforcement agencies and judicial bodies.

What rights do people have in relation to the data we process?

Following the provisions of the General Data Protection Regulation, the people whose data we process have the following rights:

  • To know if their data is being processed:
    • Everyone has the right firstly to know if we are processing their data, regardless of whether there has been a previous relationship.
  • To be informed upon collection:
    • When personal data is obtained from the interested party, upon providing them, they must have clear information about the purposes for which the data will be used, who will be responsible for processing it, and the main aspects derived from such processing.
  • Access:
    • A very wide-reaching right that includes knowing precisely what personal data is being processed, the purpose for which it is processed, whether the data will be communicated to other parties, the right to obtain a copy of the data, and to know the expected time it will be kept for.
  • Rectification:
    • This is the right to request modification of inaccurate data being processed by us.
  • Revocation:
    • In certain circumstances, you have the right to request deletion of the data when, among other reasons, it is no longer necessary for the purposes for which it was collected.
  • To request limitation of processing:
    • In certain cases, the right to require limitation of data processing is also recognised. In this case, data will no longer be processed and will only be retained for the exercise or defense of claims, following the General Data Protection Regulation.
  • Portability:
    • In the cases provided for in the regulations, you have the right to obtain personal data in a commonly-used, structured format that can be read by a machine, and to transfer them to another data processing officer if the interested party so decides.
  • To object to processing:
    • A person can cite reasons related to their particular situation that mean we will stop processing their data to the extent that such processing may be detrimental to them, except for legitimate reasons, in the exercise of or defense against claims.
  • Not to receive information:
    • We immediately handle requests to stop receiving information about our activities and services, when this was sent based solely on the consent of the recipient.

How can you exercise or defend your rights?

The rights listed above can be exercised by sending a request in writing to FUNITEC to the postal address (C/Sant Joan de La Salle 42, 08022, Barcelona) or by email at protecciodades@salle.url.edu.

In any case, whether you wish to file a claim, make a request for clarification or send suggestions, it is possible to contact the Data Protection Officer by email at dpd@salle.url.edu.

If a satisfactory response has not been obtained in the exercise of your rights, it is possible to file a complaint with the Catalan Data Protection Authority, either via forms or other channels accessible from their website www.apd.cat.