Understanding that the right to data protection is a basic right, the University of Girona fully assumes the principles of Regulations (EU) 2016/679 of the European Parliament and the Board, of 27 April 2016, related to the protection of physical persons regarding the handling of personal data and the free circulation of these data and by which Directive 95/46/CE (General Data Protection Regulations or RGPD) is repealed, available for consultation inthis link ), and of Organic law 3/2018, of 5 December, on Personal Data Protection and guaranteeing digital rights (LOPDGDD, available for consultation in this link ), rules that give guarantees in relation to handling data. Below is a summary of the criteria applied by the University of Girona to the processing of data, which is carried out in relation to the services offered via its web sites and other digital channels.
Who is responsible for personal data handling?
The University of Girona (UdG) is responsible for processing the data of members of the university community and third parties with which it establishes relationships in the undertaking of its functions. For official purposes, the address of the University of Girona (CIF Q6750002E) is Pl. Sant Domènec, number 3, Girona (CP 17004), telephone number +34 972 41 80 00, email address email@example.com
For what purposes do we handle data?
The UdG processes personal data in order to provide academic services, and complementary services or those derived from its academic activity, taking into account at all times the rights of the interested parties. We process data that is appropriate, pertinent and limited to fulfilling the purposes for which they are obtained. Below is a list of the main purposes.
Academic management. The UdG registers the data of the persons who pre-enrol and subsequently formalise their enrolment in order to record this fact and, on this basis, provide higher education services. The data provided and those that result from the academic activity enable us to undertake monitoring tasks and serve as the basis of the evaluation. In this regard, the UdG understands that the student's academic record is the most important data processing task undertaken. Student data is also used for administrative management purposes, for identifying students as users of the University's services, to enable access to these services, to send them information that is of interest to them, to process and issue qualifications and, lastly, to monitor their labour market insertion.
Information about activities and services. With each student's explicit authorisation, once they have finished their studies their contact information is used for sending them information about our services and activities. Also with their authorisation, we send them information about the activities and services of other institutions within our group. This information is also sent to anyone who has not enrolled at the UdG but who requests said information.
Selecting staff. We collect and keep the CVs sent to us by people interested in working with us send to us and we also handle personal data when developing staff recruitment processes for the purpose of analysing the suitability of the profile of the candidates depending on the vacant or the newly created position. Our criterion is also to store for a maximum of one year the data of anyone who is not contacted in case a new vacancy or a new post arises in the short term. However, in this last case, we immediately delete the data if the interested party asks us to do so.
Managing our suppliers data.
We record and process the data of suppliers from whom we obtain services or goods. These may be the data of people acting on an individual basis, for example, as self-employed persons, and also the data of representatives of legal entities. We obtain the essential data for maintaining the contractual relationship, we use them only for this purpose and we make use of them in a way that is appropriate for this type of relationship.
Ex-alumni. We record the data of registered members of the Alumni Community for the purpose of maintaining links with former students of the UdG and to offer services such as the careers service, training and complementary activities.
Contact. We handle data to answer the queries of the people who use the contact forms of our web page. They are used solely for this purpose.
Other services. On its web sites, the UdG publishes and offers numerous services, some of which are open to people who are not part of the university community. The careers service, the sport services or the services offered by the libraries are an example. In each case, the users of the service receive information on the processing of the personal data they have to provide to access these services.
Other channels to obtain data. We also obtain data through other channels such as when receiving emails, comments and subscriptions to blogs, and through our social network profiles. In al cases the data are used only for the explicit purposes for which they are collected and processed.
How do we obtain the data?
The UdG mainly obtains mainly data directly from the interested parties, generally through forms that are specific to each purpose. The main process is enrolment, but they are also obtained through signing up for activities and information sessions in education centres, and through participating in fairs where we present our educational offer. A smaller volume of data can come from the public administrations responsible for higher education or from other academic institutions.
As relationships with students, teaching staff and service providers are developed, other data are generated that are incorporated into the UdG information systems.
What is the legal justification for handling data?
The data processing carried out by the UdG has various legal bases, depending on the nature of the data treatment.
For providing educational services. To provide students with services, the UdG assumes a series of contractual obligations that must be fulfilled, in particular that of providing students with the education they wish to receive. This contract between the UdG and the student means that the University must process numerous data, the most important of which relate to their academic record. This processing of data has its legal basis in Organic law 6/2001, of 23 December, on universities, in Law 1/2003, of 19 February, on Universities of Catalonia and in its development regulations.
In fulfilment of a pre-contractual relationship. This is the case of the data of people interested in the UdG's educational offer who are not yet enrolled. For other reasons but with a similar legitimation, we process the data of potential suppliers with whom we have prior relationships in the formalisation of a contractual relationship. This is also the case in the processing of the data of people who send us their curriculum vitae or those who participate in selection processes.
In fulfilment of a contractual relationship. This is the case of relationships with our suppliers and all the actions and uses of the data that these commercial relationships entail.
In fulfilment of legal duties. In providing higher education services the UdG communicates its students’ data to the competent administrations in this subject area for the procedures of recognising and issuing the degree certificates corresponding to the studies completed. The UdG is also legally obliged (fiscal regulations) to communicate data to the tax authorities. It is also legally obliged to communicate data to judicial bodies and security forces if they require them.
Consent. When we send information on our activities or services we use contact data with the explicit consent of the recipient. We also obtain the browsing data of people who visit our websites on the basis of consent, which can be withdrawn at any moment by uninstalling the cookies.
For legitimate interests. The images we obtain with video surveillance cameras are used for the justifiable interest our institution has in preserving its assets and installations. The interests of our institution also justify the processing of the contact data of people that represent public bodies and other institutions, when this is necessary for duly undertaking functions pertaining to our purpose.
To whom are the data communicated?
As a general criteria, we only communicate data in fulfilment of legal obligations or with the explicit authorisation of the interested party. In previous sections we have explained how and to whom student data is communicated as required to enable the provision of educational services, and the data of our suppliers in the undertaking of economic and commercial relationships.
Data transfers outside the European Union (international transfer) are carried out to manage the international mobility of students and to respond to job offers from non-European companies. In both cases the communication is based on the student's consent.
For certain tasks, we obtain the services of companies or people who bring us their experience or specialisation and who, on occasion, must access personal data for which the University is responsible. In the terms of the General Regulation on Data Protection, this access is not considered to be a transfer of data but rather a data processing task. We only contract the services of companies that guarantee compliance with the data protection regulations. At the time the contract is signed, their confidentiality obligations are formalised and their actions are monitored. This may be the case for data hosting services on the servers of specialist companies, IT support services or legal, accounting and tax consultancy services. Detailed information about these suppliers can be obtained from the profile of the contracting party from the University or by contacting the UdG's Recruitment Service.
How long do we keep the data for?
The length of time for which the data is stored is determined by a number of factors. Mainly the fact that the data continue to be needed in order to attend to the purposes for which it was collected in each case. Secondly, the data is kept to deal with any possible data processing responsibilities the UdG may have and to deal with any requirements from public authorities or judicial bodies.
Consequently, the data are kept for the time needed and to provide evidence of fulfilment of legal duties, preserving their legal and informative value ("limitation on conservation period" as required under the General Regulation on Data Protection). In the case of information that accredits the education received by students, the data are conserved permanently to preserve these students’ rights.
In certain cases, such as the data found in accounting and billing documentation, fiscal regulations stipulate that said data must be conserved until all responsibilities in this area have expired.
In the case of data that are processed on the basis of the consent of the interested party, these are conserved until said person withdraw their consent.
Last, in the case of the images obtained by the video surveillance cameras, these are conserved for a maximum period of one month, although in justifiable cases they are kept for as long as needed to facilitate the work of the security forces or judicial bodies.
The regulations governing conserving public documents and the rulings of the rating commissions are a decisive benchmark regarding deciding whether to conserve or delete data linked to carrying out services of public interest. The rulings of the National Access Evaluation and Document Selection Commission are published in the Official Journal of the Government of Catalonia and can be found inthis link .
What rights do people have in relation to the data we handle?
As provided for in the General Regulation on Data Protection, people whose data is processed by us have the following rights:
To know if their data is being processed. First, anybody has the right to know if we handle their data, irrespective of whether or not there was a prior relationship.
To be informed when the data is collected. When the personal data are obtained from the interested parties themselves, at the time they are provided they receive clear information on the purposes for which they will be processed, who will be responsible for processing them, and the main aspects derived from this handling.
To access them. This right includes the right to know which personal data are being processed, for what purpose they are being processed, who else they will be communicated to (where applicable) and the right to obtain a copy or to know how long the data will be kept for.
To request the rectification of the data. This is the right to rectify any inaccurate data that is being processed by us.
To ask for the data to be removed. In certain circumstances, interested parties have the right to ask for the data to be removed when, among other reasons, they are not needed for the purpose for which they were collected and which justified their processing.
To ask for the restriction on processing. Also, in certain circumstances the right to ask for the restriction on processing the data is recognised. In this case the data will stop being processed and they will only be kept to make or defend against claims, in accordance with the General Data Protection Regulations.
Portability. The right to obtain one’s own personal data in a machine-readable structured format for common use is recognised.
To object to data processing. A person can put forward motives related to their particular situation, motives that mean their data will stop being handed in the degree or measure that can mean cause them harm, except for legitimate motives or for making or defending against claims.
How can rights be exercised or defended?
The rights outlined above can be exercised by sending a request to the University of Girona at its postal address or by using any of the other contact details indicated in the header.
If you do not receive a satisfactory response when exercising these rights, a claim can be made to the Catalan Data Protection Authority using the forms or the other channels that can be accessed from its website (www.apdcat.gencat.cat ).
In all cases, be it to make claims, ask for clarifications or make suggestions, you can contact the Data Protection Representative on this email firstname.lastname@example.org .
What is the Data Protection Representative's function?
As provided for in article 37.1 of the RGPD and article 34.1 of the LOPDGDD the Data Protection Representative (DPD) is the person who oversees the fulfilment of our data protection policy, ensuring that the data are processed appropriately and people's rights are protected. Their functions include attending to any queries, suggestions, complaints or claims put forward by people whose data is being processed. The Data Protection Representative can be contacted by telephone or in writing at out postal address or at the following email address email@example.com
(last updated February 2019)