Data Protection Policy

This document explains the data protection policy of the Fundació Universitària del Bages, owner of higher education centres affiliated with the Universitat de Vic – Universitat Central de Catalunya. It is based on the principles of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (General Data Protection Regulation). We fully embrace the spirit of this European Regulation as it strengthens rights and provides greater guarantees to individuals with regard to the processing of their data, an objective that fully aligns with our commitment to the continuous improvement of our educational services. Below we summarise the key aspects of our data protection policy.

Who is responsible for the processing of personal data?

What is the role of the Data Protection Officer?

For what purposes do we process data?

How do we obtain the data?

What is the legal basis for processing the data?

To whom are the data disclosed?

How long do we retain the data?

What rights do individuals have in relation to the data we process?

How can these rights be exercised or defended?

Specific data protection policies

                                                                                                                                                  

Who is the Data Controller of your data?

The Fundació Universitària del Bages (FUB), with Tax ID number G59862719, is the controller responsible for processing your personal data.

Postal address: Avinguda Universitària, 4-6, 08242 Manresa (Barcelona)

Telephone: +34 938 77 41 79

Email: umanresa@umanresa.cat

For any matter related to the protection of your data, you may contact our Data Protection Officer (DPO) via the following email address: dpd@umanresa.cat

1. For what purpose do we process your data and what is the legal basis?

At FUB, we process your personal data with the utmost care and always for legitimate, explicit and specific purposes. Below we detail the main processing activities, their purposes and the legal bases that enable us to carry them out:

1. Academic and Educational Area

• Purposes: Comprehensive management of academic records (admission, pre-enrolment, enrolment, assessment, issuance of degrees), organisation of external internships, management of mobility programmes, organisation of continuing education courses and language services, processing of grants and financial aid, and maintaining contact with alumni.
• Legal bases:
  Compliance with a legal obligation (Art. 6(1)(c) GDPR) arising from university regulations (Organic Law 2/2023 on Universities)
  Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR), as a higher education service. Performance of a contract or pre-contractual relationship (Art. 6(1)(b) GDPR) in the provision of educational services.
  Consent of the data subject (Art. 6(1)(a) GDPR) for specific purposes such as disclosure to professional associations or management of graduation photographs.

2. Human Resources and Staff Area

• Purposes: Management of the employment relationship (payroll, recruitment, training), organisation of selection processes, attendance and working time control, and management of occupational risk prevention and workplace health.
• Legal bases:
  Performance of an employment contract (Art. 6(1)(b) GDPR).
  Compliance with legal obligations (Art. 6(1)(c) GDPR) in labour, Social Security and occupational risk prevention matters (Workers’ Statute, Occupational Risk Prevention Act).
  Consent of the data subject (Art. 6(1)(a) GDPR) for participation in recruitment processes.

3. Clinical and Health Area

• Purposes: Management of patient data at the University Clinic and Dental Clinic, management of medical records, provision of healthcare services, service billing, and management of the psychological care service for students.
• Legal bases:
  Processing necessary for preventive medicine purposes, medical diagnosis and the provision of healthcare (Art. 9(2)(h) GDPR).
  Compliance with a legal obligation (Art. 6(1)(c) GDPR), such as Law 21/2000 on patients’ rights to health information.
  Performance of a contract for the provision of healthcare services (Art. 6(1)(b) GDPR).
  Consent of the data subject (Art. 6(1)(a) GDPR)

4. Security and General Administrative Area

• Purposes: Ensuring the safety of individuals and facilities through video surveillance, access control, management of document entry and exit registers, accounting and supplier management, and handling complaints and suggestions.
• Legal bases:
  Legitimate interest of FUB in ensuring security and the proper functioning of its activities (Art. 6(1)(f) GDPR).
  Performance of a task carried out in the public interest (Art. 6(1)(e) GDPR)
  Compliance with legal obligations (Art. 6(1)(c) GDPR) in accounting and tax matters

2. What categories of personal data do we process?

We process only the data necessary for each purpose. The main categories of data are:

• Identification data: name, surname, national ID number, image, voice, address, telephone number, email address.
• Personal characteristics data: sex, date of birth, nationality.
• Social circumstances data: family data, accommodation characteristics.
• Academic and professional data: academic records, qualifications, professional experience.
• Economic and financial data: bank details, scholarship information, payroll data.
• Special category data: health data (disabilities, medical records, allergies, etc.). These data receive enhanced protection.

3. To which recipients will your data be disclosed?

Your personal data will only be disclosed to third parties when strictly necessary to fulfil the purposes described or as required by law. The main recipients are:

• Public Authorities: Ministry and Department of Universities, Tax Agency, Social Security, Labour Inspectorate, Courts and Tribunals.
• Collaborating entities: universities in mobility programmes, companies where internships are carried out (with your consent), organisations hosting sporting events.
• Service providers: banking institutions for payment and collection management, insurance companies, payroll management companies or occupational risk prevention providers acting as data processors.
• Law enforcement authorities: in the event of security incidents captured by video surveillance systems.

4. Are there international data transfers?

As a general rule, your data are not transferred to countries outside the European Economic Area. The only foreseen exception is within the framework of student mobility and exchange programmes, where, with your explicit consent, the necessary academic and identification data are communicated to host universities.

5. How long will we retain your data?

Your personal data will be retained for the period strictly necessary to fulfil the purposes for which they were collected, as well as to comply with applicable legal obligations in each case. Below are the main retention periods according to the processing area:

• Academic Management and Student Records: Data forming part of the academic record (grades, degrees, certificates) will be retained permanently, in accordance with educational and university archive regulations, to ensure future issuance of certificates and verification of qualifications. Other documentation related to enrolment management will be retained for the legally applicable periods.
• Human Resources Management: Staff data will be retained for the duration of the employment relationship. Once terminated, they will be blocked and retained for the statutory limitation periods to address potential liabilities in labour, Social Security and tax matters (generally between 4 and 6 years).
• Clinical and Health Data: Medical records and healthcare documentation will be retained for a minimum period of fifteen years from the date of discharge of each care process or the last visit, in compliance with specific healthcare regulations and to ensure quality and continuity of care.
• Recruitment Processes: Data of unsuccessful candidates will be retained for a maximum period of two years after completion of the process, in order to consider them for future vacancies, unless the candidate objects or withdraws consent.
• Video Surveillance: Images captured by video surveillance systems will be retained for a maximum period of one month from capture, unless required for the investigation of a criminal offence or administrative infringement, in which case they will be made available to the competent authorities.
• Billing and Administrative Management Data: Data required for accounting and tax management (invoices, contracts, etc.) will be retained for the periods established by commercial and tax regulations (for example, six years under the Commercial Code).

Once the applicable retention periods have elapsed, the data will be securely deleted or, where appropriate, duly blocked for the duration of the statutory limitation periods of any legal actions that may arise.

6. What are your rights and how can you exercise them?

You have the right to maintain control over your personal data. You may exercise the following rights:

• Right of access: to request information on what personal data we hold and how we process it.
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure (right to be forgotten): to request deletion of your data when, among other reasons, they are no longer necessary for the purposes for which they were collected.
• Right to object: to object to processing based on legitimate interest or for direct marketing purposes.
• Right to restriction of processing: to request suspension of the processing of your data under certain circumstances.
• Right to data portability: to receive your data in a structured, commonly used and machine-readable format and to transmit them to another controller.

You may exercise these rights free of charge by sending a written request, together with a copy of your ID document, to:

• DPO email: dpd@umanresa.cat
• Postal address: Avinguda Universitària, 4-6, 08242 Manresa (Barcelona), for the attention of the Data Protection Officer.

If you believe that your rights have not been properly addressed, you may lodge a complaint with the Catalan Data Protection Authority (APDCAT).

7. What security measures do we apply?

The FUB is committed to protecting your personal data by applying appropriate technical and organisational measures to ensure a level of security appropriate to the risk, guaranteeing the confidentiality, integrity and availability of the information. These measures are reviewed and updated periodically.

8. Update of this policy

   This Data Protection Policy may be modified to adapt to regulatory changes or new processing activities. Any updates will be duly published on our website.

   Specific Data Protection Policies

   • University Clinic Patient Management
   • Academic and Enrollment Management