Personal Data Protection
PROTECTION OF PERSONAL DATA
Here follows the Fundació Universitat de Girona: Innovació i Formació data protection policy. It is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (General Data Protection Regulation).
Who is responsible for handling personal data?
The Fundació Universitat de Girona: Innovació i Formació (FUdGIF), CIF G17318080, located at Parque de Investigación e Innovación de la Universidad de Girona (Centro de Empresas Giroemprèn), Pic de Peguera, 11, Girona (postcode 17003), tel. 972 210 299, email address info.fundacioif@udg.edu; registered in the Registry of Foundations of the Catalan Government, Generalitat de Catalonia, number 630.
The FUdGIF was founded by the University of Girona (UdG) with the aim of offering new educational services. It is also member of the Centre for Postgraduate Studies, as well as being an affiliated centre to the University of Girona, providing university master’s degrees, FUdGIF-specific master’s degrees, postgraduate diplomas and postgraduate courses in compliance with university regulations.
What is the function of the Data Protection Delegate?
The Data Protection Delegate (DPD) is the person who supervises adherence to the data protection policy, monitoring that data is handled appropriately and protecting the rights of the persons affected. Their responsibilities include handling concerns, suggestions, complaints or claims from interested parties. The Data Protection Delegate (DPD) may be contacted via the FUdGIF’s postal address, telephone or by sending an email to the following address: dpdfundacioif@udg.edu
For what purpose is the data handled?
The FUdGIF handles personal data for different purposes, mainly to provide educational services, send information about activities and services and to maintain business relationships with suppliers. For more details, see below.
Academic administration: The FUdGIF handles the data of those people enrolled in courses, to be able to offer them educational services. The data provided, and that which results from the academic activity, permits assessment and evaluation. Student data is also used for administrative purposes, to send information of interest and to process and issue qualifications or certificates.
Contact: Data is handled when answering the enquiries resulting from the contact tab from the web page. This data is handled only for this purpose.
Information about activities and services: With the explicit consent of each student, once their course of studies has finalised, their contact data is used to send them information about FUdGIF services and activities.
Handling the data of our suppliers: The FUdGIF handles the data of suppliers from whom they obtain services and goods. The data handled is essential to maintain business relationships, and is only handled for this purpose and for internal use.
Users of the FUdGIF website: The browsing data and software necessary for the operation of the website collects the standard data generated in the use of such Internet protocols. This type of data includes the IP address or domain name of the computer used by the person connected to the website. The website uses cookies to facilitate browsing and to provide information about users and their interests (more information on the policy on the use of cookies).
Other data acquisition channels: Data is also collected through direct personal contact and other channels such as emails received or via social media profiles. In all cases, the data is used only for explicit purposes which justify the collection of said data.
How is data collected?
The above sections have outlined some of the sources from which data originates. In the majority of cases the data is provided directly by the interested party and is collected mainly through forms designed for that purpose. In educational activities organised by agreement with other institutions, data may be provided by the co-organising institution.
Throughout the development of the student relationship, as well as that of teachers and service suppliers, other data is generated which is added to the FUdGIF’s systems.
What is the basis in law legal for data handling?
The data handled by the FUdGIF has different legal bases, depending on the nature of the processing.
To provide educational services: Once enrolled, students will receive educational services from the FUdGIF. The provision of services to the student constitutes a contractual relationship which starts with enrolment.
In compliance with a pre-contractual relationship: This is the case of persons interested in the FUdGIF’s educational provision. Another case in point, but on different grounds, may be the handling of data of possible clients or suppliers with whom a relationship prior to the formalising of a contractual agreement is held.
In compliance with a contractual relationship: This is the case of the relationship with clients and suppliers and with the courses of action and uses of data that such commercial relationships involve.
In compliance with legal obligations: Part of the FUdGIF’s educational provision involves having to provide student data to the University of Girona for the recognition and issuing of the relevant certificates. In compliance with legal obligations (tax regulations) data is shared with the tax administration. It would also be in compliance with legal obligations to communicate data to judicial bodies or to the police or law enforcement agencies should that be requested.
On the basis of informed consent: When information about educational activities or services is sent then the contact data used is done with the explicit, informed consent of the interested party.
With whom is data shared?
As a general rule, data is shared in compliance with the legal obligation to do so. The sharing of student data, necessary for the provision of educational services, and that of clients and suppliers in the development of economic and commercial relationships, has been outlined in previous sections.
In certain educational activities, teacher identification data will be communicated to the State Foundation for Training in Employment (Fundación Estatal para la Formación en el Empleo (Fundae)) in order to accredit the training provided and facilitate the securing of grants or subsidies provided for under employment legislation.
Data transfers outside of the European Union (international data transfer) are effected for the managing of international student mobility. This is done with the student’s full consent.
For how long is data stored?
The length of time of data storage is determined by the specific purpose of each case. It is also kept in order to address any possible requests from public administrations or judicial bodies. Data is therefore stored while it retains legal and informational value and to accredit the compliance of legal obligations; but not for longer than necessary to fulfil the purpose for which it was collected. In the case of data necessary for the verification of the studies undertaken, it is stored permanently in order to protect the rights of those students.
In certain cases, such as when data appears in accounting documentation and billing, tax regulations require such data to be held until the legal requirements of that documentation are no longer applicable. The regulations governing Foundations specifies that some accounting data must be kept for ten years (in compliance with Law 10/2010, of 28th April).
When data is handled based solely on the consent of the interested party, it is stored until that person withdraws their consent.
The regulations governing the storage of public documentation, and the resolutions of examining boards, are a determining reference when deciding on the preservation or deletion of data linked to the exercise of services in the public interest.
What are the people’s rights in relation to data handling?
In accordance with the General Regulation of Data Protection, people whose data is being handled have the following rights:
To know if their data is being handled: First of all, any person has the right to know if the FUdGIF is handling their data, irrespective of whether there is a pre-existing relationship between the two parties.
To be informed about data collection: At the moment of collecting personal data from an interested person, they must be clearly informed on the purpose behind this data collection, who will be responsible for handling the data and the main points to be derived from the data handling.
To access the data: This is a wide-ranging right which includes knowing precisely which personal data is being handled, for what purpose the data is being handled, the communication of said data to third parties (if applicable) or the right to obtain a copy or know the intended period of storage.
To request rectification: Is the right to request the correction of inexact data that is being handled by the FUdGIF.
To request deletion: Under certain circumstances, the interested party has the right to request deletion when, amongst other reasons, the data is no longer required for the purpose for which it was collected and for which the collection was justified.
To request a limitation in data management: Also under certain circumstances, the right to request a limitation in the management of data is recognised. In such cases the data will cease to be handled and only be stored for the defence of claims, in accordance with the General Regulation of Data Protection.
To obtain data in a portable format: The cases provided for in the rules recognise the right to obtain personal data in a structured, common use, machine-readable format, and for the data to be transmitted to another controller if the interested party so decides.
To oppose handling: A person may cite personal reasons which may lead to the cessation of data handling as to continue to do so would be prejudicial in some way; with the exception of legitimate cases in the defence of a claim.
To not receive information: Requests to cease receiving information about FUdGIF activities and services will be addressed immediately when such messages were based solely on the personal consent of the interested party.
How can these rights be exercised or defended?
The rights detailed in the above sections can be exercised by submitting an application to the FUdGIF to the addresses included in the opening paragraph.
If a person considers that they have not received a satisfactory response in the exercise of their rights then they may lodge a complaint before the Catalan Data Protection Authority, via the forms or other channels on their website (www.apd.cat).
In all instances, whether it is to lodge a claim, request clarification or send suggestions, the Data Protection Delegate (DPD) may be contacted by sending an email to the following address: dpdfundacioif@udg.edu