Having regard to the fact that the right to data protection is a fundamental right, the University of Girona fully assumes the principles of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, which replaces Directive 95/46/CE (General Data Protection Regulations or RGPD, available for consultation from this link) and Framework Act 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights(LOPDGDD, available for viewing from this link), rules that give people guarantees in relation to the processing of their data. The University has approved a general rule for data processing, which will be used as a basis for drafting instructions and protocols on processes and specific processing. The University’s regulations for this matter can be viewed fromthis link.
We summarise below the criteria that the University of Girona applies to the personal data processing.
Under what criteria do we process personal data?
When processing data we fully adopt the principles of the General Data-Protection Regulations.
- We process them lawfully (only when we have a legal basis that authorises us to do so transparently with the person concerned).
- We assign the data for the specific, explicit and legitimate purposes we explain on obtaining them. We do not subsequently process them any way that is incompatible with these purposes.
- We only process data that are suitable, relevant and limited to what is necessary in each case and for each purpose.
- We do our utmost to ensure the data are up to date.
- We store the data for as long as necessary time, complying with the regulations governing the conservation of the public information.
- We apply the appropriate technical or organisational measures to prevent unauthorised or illegal processing, or any loss, destruction or accidental damage to data.
- As a general criterion only individuals over the age of 14 years can communicate data. In the case of minors under the age of 14, the authorisation would be required from their parents or legal representatives.
Who is responsible for personal data handling?
The University of Girona (UdG) is responsible for processing the data of members of the university community and third parties with which it establishes relationships in the undertaking of its functions. For official purposes, the address of the University of Girona (CIF Q6750002E) is Pl. Sant Domènec, number 3, Girona (CP 17004), telephone number +34 972 41 80 00, email address email@example.com
For what purposes do we handle data?
The UdG processes personal data to provide academic and extracurricular services as well as services that are complementary or derived from their academic activities, taking the rights of the parties concerned into account at all times. We process data that is appropriate, pertinent and limited to fulfilling the purposes for which they are obtained. Below is a list of the main purposes.
Academic management. The UdG registers the data of the persons who pre-enrol and subsequently formalise their enrolment in order to record this fact and, on this basis, provide higher education services. The data provided and those that result from the academic activity enable us to undertake monitoring tasks and serve as the basis of the evaluation. In this regard, the UdG understands that the student's academic record is the most important data processing task undertaken. Student data is also used for administrative management purposes, for identifying students as users of the University's services, to enable access to these services, to send them information that is of interest to them, to process and issue qualifications and, lastly, to monitor their labour market insertion.
Research. The research carried out at the University often requires personal data to be processed, whether from individuals who provide them (informants) or pre-existing data obtained previously for other purposes. When work is conceived and performed, the rights of the individuals are guaranteed, by asking for their consent to take part and/or applying techniques to minimise the risks that arise in processing. The Research Ethics and Biosecurity Committee at the University of Girona assesses research projects and provides guidelines to follow regarding security and right data protection. When the research affects individuals who are under age, the criteria that apply are the ones which appear in the University of Girona's Child-Protection Protocol.
Information about activities and services. With each student's explicit authorisation, once they have finished their studies their contact information is used for sending them information about our services and activities. Their authorisation enables us to send them information on activities or services from other institutions created by the UdG. This information is also sent to anyone who has not enrolled at the UdG but who requests said information.
Selecting staff. We collect and keep the CVs sent to us by people interested in working with us send to us and we also handle personal data when developing staff recruitment processes for the purpose of analysing the suitability of the profile of the candidates depending on the vacant or the newly created position. Our criterion is also to store for a maximum of one year the data of anyone who is not contacted in case a new vacancy or a new post arises in the short term. However, in this last case, we immediately delete the data if the interested party asks us to do so.
Management of our suppliers’ data. We record and process the data of suppliers we obtain services or goods from. These may be the data of people acting on an individual basis, for example, as self-employed persons, and also the data of representatives of legal entities. We obtain the essential data for maintaining the contractual relationship, we use them only for this purpose and we make use of them in a way that is appropriate for this type of relationship.
Ex-alumni. We record the data of registered members of the Alumni Community for the purpose of maintaining links with former students of the UdG and to offer services such as the careers service, training and complementary activities.
Contact. We handle data to answer the queries of the people who use the contact forms of our web page. They are used solely for this purpose.
Other services. On its web sites, the UdG publishes and offers numerous services, some of which are open to people who are not part of the university community. The careers service, the sport services or the services offered by the libraries are an example. In each case, the users of the service receive information on the processing of the personal data they have to provide to access these services.
Other channels to obtain data. We also obtain data through other channels such as when receiving emails, comments and subscriptions to blogs, and through our social network profiles. In al cases the data are used only for the explicit purposes for which they are collected and processed.
Video surveillance. Anyone accessing our facilities is informed of the existence of video surveillance cameras, if there are any, through the standard sign-posting. The cameras only record images from the points where there is justification to guarantee the security of the goods and safety of individuals. The images are used solely for this purpose. In justified cases they communicate the data to the security bodies and forces or competent legal bodies.
How do we obtain the data?
The UdG mainly obtains mainly data directly from the interested parties, generally through forms that are specific to each purpose. The main process is enrolment, but they are also obtained through signing up for activities and information sessions in education centres, and through participating in fairs where we present our educational offer. A smaller volume of data can come from the public administrations responsible for higher education or from other academic institutions.
As relationships with students, teaching staff and service providers are developed, other data are generated that are incorporated into the UdG information systems.
When the individuals the data correspond to are under age, the criteria that apply are the ones which appear in the University of Girona's Child-Protection Protocol.
What is the legal justification for handling data?
The data processing carried out by the UdG has various legal bases, depending on the nature of the data treatment.We will list the main data processing activities we carry out, in compliance with the legal rules of the Article 6.1. of the General Data Protection Regulations.
For providing educational services. To provide students with services, the UdG assumes a series of contractual obligations that must be fulfilled, in particular that of providing students with the education they wish to receive. This contract between the UdG and the student means that the University must process numerous data, the most important of which relate to their academic record. This processing of data has its legal basis in Organic law 6/2001, of 23 December, on universities, in Law 1/2003, of 19 February, on Universities of Catalonia and in its development regulations.
In fulfilment of a pre-contractual relationship. This is the case of the data of people interested in the UdG's educational offer who are not yet enrolled. For other reasons but with a similar legitimation, we process the data of potential suppliers with whom we have prior relationships in the formalisation of a contractual relationship. This is also the case in the processing of the data of people who send us their curriculum vitae or those who participate in selection processes.
In fulfilment of legal duties. The provision of higher-education services stipulates that the UdG must meet several rules involving data processing. Here the UdG communicates its students’ data to the competent authorities in this matter, for the procedures for recognising and issuing the degree certificates corresponding to the studies completed. The UdG is also legally obliged (fiscal regulations) to communicate data to the tax authorities. It is also legally obliged to communicate data to judicial bodies and security forces if they require them.
To meet its public-interest mission. Justification of the processing arising from the provision of our services lies in our satisfaction of the public interest. The images we also obtain with video-surveillance cameras are processed to preserve the public interest.
In fulfilment of a contractual relationship. This is the case of relationships with our suppliers and all the actions and uses of the data that these commercial relationships entail.
Consent. When we send information on our activities or services we use contact data with the explicit consent of the recipient. We also obtain the browsing data of people who visit our websites on the basis of consent, which can be withdrawn at any moment by uninstalling the cookies.
To whom are the data communicated?
As a general criteria, we only communicate data in fulfilment of legal obligations or with the explicit authorisation of the interested party. In previous sections we have explained how and to whom student data is communicated as required to enable the provision of educational services, and the data of our suppliers in the undertaking of economic and commercial relationships.
Data transfers outside the European Union (international transfer) are carried out to manage the international mobility of students and to respond to job offers from non-European companies. In both cases the communication is based on the student's consent.
For certain tasks, we obtain the services of companies or people who bring us their experience or specialisation and occasionally require access to personal data that the University is responsible for. Under the General Data Protection Regulations, such access is not considered to be a data transfer but rather a data-processing task. We only contract the services of companies that guarantee compliance with the data protection regulations. At the time the contract is signed, their confidentiality obligations are formalised and their actions are monitored. This may be the case for data hosting services on the servers of specialist companies, IT support services or legal, accounting and tax consultancy services. Detailed information on these suppliers can be obtained from the contractor’s profile from the University or by contacting the UdG's Recruitment Service.
How long do we keep the data for?
The length of time for which the data is stored is determined by a number of factors. Mainly the fact that the data continue to be needed in order to attend to the purposes for which it was collected in each case. Secondly, the data is kept to deal with any possible data processing responsibilities the UdG may have and to deal with any requirements from public authorities or judicial bodies.
Consequently, the data are kept for as long as needed and as evidence of compliance with legal obligations, preserving their legal and informational value ("limit to storage period" as required under the General Data Protection Regulations). In the case of information that accredits the education received by students, the data are conserved permanently to preserve these students’ rights.
In certain cases, such as the data found in accounting and billing documentation, fiscal regulations stipulate that said data must be conserved until all responsibilities in this area have expired.
In the case of data that are processed on the basis of the consent of the interested party, these are conserved until said person withdraw their consent.
Last, in the case of the images obtained by the video surveillance cameras, these are conserved for a maximum period of one month, although in justifiable cases they are kept for as long as needed to facilitate the work of the security forces or judicial bodies.
The regulations governing conserving public documents and the rulings of the rating commissions are a decisive benchmark regarding deciding whether to conserve or delete data linked to carrying out services of public interest. The rulings of the National Access Evaluation and Document Selection Commission are published in the Official Journal of the Government of Catalonia and can be found inthis link .
What rights do people have in relation to the data we handle?
As provided for in the General Data Protection Regulations, the individuals whose data we process us have the following rights:
To know if their data is being processed. First, anybody has the right to know if we handle their data, irrespective of whether or not there was a prior relationship.
To be informed when the data is collected. When the personal data are obtained from the interested parties themselves, at the time they are provided they receive clear information on the purposes for which they will be processed, who will be responsible for processing them, and the main aspects derived from this handling.
To access them. A very extensive right that includes that of knowing the personal data that are subject to processing, the purpose for their processing, their communications to other persons (where applicable) and the right to obtain a copy or know how long the data will be kept for.
To request the rectification of the data. This is the right to rectify any inaccurate data that is being processed by us.
To ask for the data to be removed. In certain circumstances, interested parties have the right to ask for the data to be removed when, among other reasons, they are not needed for the purpose for which they were collected and which justified their processing.
To ask for the restriction on processing. Also, in certain circumstances the right to ask for the restriction on processing the data is recognised. In this case the data will stop being processed and only kept for exercising or defending claims, in accordance with the General Data Protection Regulations.
Portability. The person concerned is entitled to request the Data Controller processing personal data by automated means to given them their own personal data in a structured, common-use, mechanically readable and interoperable format or to transfer the data that way to another Data Controller. This right is recognised where the person concerned has provided their personal data giving their consent or where the processing is necessary for the performance of a contract. It does not have to apply where the treatment has a legal basis other than that of consent or contract, such as the exercise of public duties, to meet a legal obligation, satisfy a mission carried out in the public interest or in the exercise of public powers conferred on the Data Controller.
To object to data processing. A person can put forward motives related to their particular situation, motives that mean their data will stop being handed in the degree or measure that can mean cause them harm, except for legitimate motives or for making or defending against claims.
Not to receive information. We attend immediately to requests to stop receiving information on our activities and services, when such messages are exclusively based on the consent of the receiving person.
How can rights be exercised or defended?
The rights outlined above can be exercised by sending a request to the University of Girona at its postal address or by using any of the other contact details indicated in the header.
If you do not receive a satisfactory response when exercising these rights, a claim can be made to the Catalan Data Protection Authority using the forms or the other channels that can be accessed from its website (www.apdcat.gencat.cat ).
In all cases, be it to make claims, ask for clarifications or make suggestions, you can contact the Data Protection Representative on this email firstname.lastname@example.org .
What is the Data Protection Representative's function?
As provided for in article 37.1 of the RGPD and article 34.1 of the LOPDGDD, the Data Protection Officer (DPD) is the person who oversees compliance with our data-protection policy, ensuring that the data are processed appropriately and people's rights are protected. Their functions include attending to any queries, suggestions, complaints or claims put forward by people whose data is being processed. The Data Protection Officer can be contacted by telephone or in writing at out postal address or at the following email address email@example.com
(Last updated in July 2021)