PERSONAL DATA PROTECTION POLICY

This document explains the data protection policy of the Bages University Foundation, as a federated member of the higher education centres of the University of Vic - Central University of Catalonia. It is based on the principles of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 (General Regulation on Data Protection). We fully concur with the spirit of this European Regulation because it reinforces individuals’ rights and gives them more guarantees regarding how their data is processed, an objective that fully coincides with our objective for the permanent improvement of our educational services. Below, a summary of the fundamental aspects of our data protection policy can be found.

 

Who is responsible for processing personal data?

What is the function of the Data Protection Officer?

What is the purpose of processing personal data?

How is data obtained?

What is the legal legitimacy for processing data?

Who is the data communicated to?

How long is data kept for?

What rights do people have regarding the processing of their data?

How can one’s rights be exercised or defended?

Specific data protection policies                                                                                                                                                  

 

Who is responsible for processing personal data?

 

The Bages University Foundation is responsible for processing personal data. Its legal address is Avinguda Universitària, 4 – 6, Manresa (CP – 08242), CIF G-59330795, telephone number, 938 774 179, email contact, umanresa@umanresa.cat, and it is registered under the number 286 in the Registry of Private Foundations of the Government of Catalonia.

 

The Foundation provides its teaching services by identifying them under the brand of UManresa.

 

The Bages University Foundation is the owner of the University Clinic, a teaching and healthcare centre used by students of the different degrees of the Healthcare Sciences Faculty of UManresa, as well as for lifelong learning, postgraduate and master's degree students.

 

 

What is the function of the Data Protection Officer?

 

The Data Protection Officer (DPD) is the person who oversees compliance with our data protection policy, ensuring that individuals’ data is processed appropriately and their rights are protected at all times. Their functions include dealing with any questions, suggestions, complaints or claims which may arise by people whose data is processed. The Data Protection Officer can be contacted by writing to our postal address or by telephone or directly at dpd@umanersa.cat.

 

 

What is the purpose of processing personal data?

 

Personal data is always processed bearing in mind the rights of the individual and always in a proportional way. This means that in each case only the appropriate, pertinent and limited data is processed in order to fulfil the explicit purposes that lie behind obtaining it; this means that only the necessary data is processed which allows us to provide the educational services that are our mission. In some cases, more data may be requested, for example to learn about the opinions or evaluations of our services. In these cases, the answers are treated statistically and in a dissociated way concerning the identification data of the person who answers.

 

The Bages University Foundation processes personal data mainly with the aim of providing academic and extra-academic services, for sending communications related to our activities and services and for carrying out business relationships with our suppliers. The main purposes are listed in the following section:

 

Academic management. The Bages University Foundation registers the data of the pre-enrolled persons who subsequently formalise their enrolment, in order to have a record of these people and, based on that, to provide higher education educational services. The data contributed, as well as the information resulting from the academic activity, allow students to be tracked academically, and this data is used as a basis for assessment. The management of student academic records is the most relevant case of data processing. Student data is also used for administrative management purposes, to identify them as users of the University services, to make these services accessible, to send them information of their interest, to process and to issue university graduation titles and, finally, to keep track of their entry in the labour market.

 

Contact. Data is processed to answer the queries of the people who use the contact forms on our website. Data is only used for this purpose.

 

Staff recruitment. We collect and custody the CVs sent by people who are interested in working with us, and we also process personal data when carrying out personnel selection processes, in order to analyse the suitability of candidate profiles according to vacancies or new positions. Our policy is to keep the data of people who are not hired for a maximum period of one year, in case there is a new vacancy or a new position in the short term. However, in the latter case, the data is immediately eliminated if the interested party requests us to do so.

 

Information on activities and services. With the explicit authorisation of each student, once their studies have finished, we use their contact details to send information about our services and activities. Again, with their authorisation, we also send them information about activities or services from other institutions in our group. This information is also sent to anyone who requests it, despite not having enrolled in the Bages University Foundation.

 

Management of supplier data. We record and process the data of the providers from whom we obtain goods or services. The data may refer to people who work as freelancers or who are legal representatives of other people or entities. The data obtained is only that which is essential to maintain the business relationship. Moreover, it is only used for this purpose and is only used internally for this specific relationship.

 

Video Surveillance. When applicable, the existence of video surveillance cameras is notified on accessing our facilities by means of the accredited signs. The cameras only record those images which are justified to guarantee the safety and security of the FUB’s buildings, assets, staff and visitors and the images are only used for this purpose.

 

Users of our website. The browsing system and software which enables the operation of our website collects data which is normally generated in the use of Internet protocols. This category of data includes the IP address or domain name of the computer used by the person who connects to the website. This information is not associated to specific users and is used for the sole purpose of obtaining statistical information about the use of the website. Our website uses cookies which facilitate browsing and provide us with information about our users and their interests (more information about our cookie policy).

 

Other channels for obtaining data. We also obtain data through face-to-face contacts and other channels such as receipt of emails, the registration of users who download our app, participation in our blogs with comments, the subscription to our blog, or through Social Network profiles. In all cases, the data is used only for the explicit purposes that justify its collection and processing.

 

 

How is data obtained?

 

In the previous section we have referred to some of the origins of the data which is processed. In most cases the data comes directly from interested parties and is obtained mainly from the forms which are prepared for that purpose. We also obtain data from Open Days, from the informative sessions that we carry out in educational centres and from participation in educational fairs where we provide information about our services.

 

In the course of the daily contact with students, teachers and service providers, other data is also generated which is incorporated into the Bages University Foundation's systems.

 

A more limited volume of data may also come from competent public administrations in the field of higher education or other academic institutions.

 

What is the legal legitimacy for processing data?

 

Data processing which is carried out has different legal foundations, depending on the nature of each situation. The main processing of data carried out is classified according to the legal bases of article 6.1 of the General Regulation on Data Protection.

 

For the provision of educational services. Once our students are admitted, they obtain educational services from the Bages University Foundation. The provision of services to the student constitutes a contractual relationship, with obligations from each part: the right of the student to receive a good education and the right and obligation of the Bages University Foundation to process their data. This processing has its legal base in the Organic Law 6/2001, of December 23rd, of universities, and in Law 1/2003, of February 19th, concerning universities of Catalonia and regulations concerning how they function.

 

In compliance with a pre-contractual relationship. This is the case of the data belonging to people who are interested in courses offered by the Bages University Foundation. For other reasons but with a similar legal framework, we process the data of possible clients or suppliers with whom we have previous relationships before a contractual relationship is formalised. It is also the case regarding processing data of people who have sent us their CV or who are participating in recruitment processes.

 

In compliance with a contractual relationship. The case of the relationships with our customers and suppliers and all the actions and uses of the data that these commercial relationships entail.

 

In compliance with legal obligations. The provision of higher education services determines that we must comply with different standards that entail data processing. In this sense, the Bages University Foundation communicates data from its students to the Balmes University Foundation for the procedures for the recognition and issuance of the degree titles corresponding to the studies which are taught. It is also in compliance with legal obligations (tax regulations) that we communicate data to the tax administration. It would also be in compliance with legal obligations that we would communicate data to judicial organs or bodies and security forces if required.

 

Based on consent. When we send information about our activities or services, we use contact information with the explicit consent of the person who will receive it. It is also based on consent that we obtain browsing data from the person who visits our website. This consent can be revoked at any time by disabling the cookies.

 

For legitimate interest. The images obtained with the video surveillance cameras are processed due to the legitimate interest of our institution in ensuring the safety and security of its assets and facilities. Our legitimate interest also justifies processing the data that we obtain from the contact forms, as well as the data belonging to people who register to comment on blogs or install our app.

 

 

Who is the data communicated to?

 

As a general rule, we only communicate data in compliance with legal obligations. In the preceding sections we have explained how data concerning our students is communicated when necessary in order to provide educational services. Data regarding our clients and suppliers is also processed within the normal procedures of economic and commercial relationships. Student contact details can be communicated to other institutions of our group whenever the student has authorised it.

 

Data transfers are carried out outside the scope of the European Union (international transfer) for the management of international student mobility and to respond to job offers from non-European companies. In both cases, data processing is based on the consent of the student.

 

In another sense, for certain tasks we obtain the services of companies or people who provide us with their experience and specialisation, and who sometimes need to have access to personal data. In the terms of the General Regulation of Data Protection it is not a data transfer itself but a processing order. Only company services are contracted that guarantee compliance with these regulations. At the time of contracting, their confidentiality obligations are formalised and their actions are monitored. This may be the case of data hosting services on servers, computer support services or legal, accounting or tax advisers. More detailed information concerning the identity of these companies can be found by going to cgti@umanresa.cat.

 

How long is data kept for?

 

The time of data storage is determined by different factors. Principally, the most important fact concerns whether data is still necessary to meet the purposes for which it was collected in each case. Secondly, it is conserved to deal with any possible responsibilities for data processing by the Bages University Foundation, and to attend to any requirement of the public administrations or judicial organs.

 

Consequently, data must be kept for as long as necessary to preserve its legal or informative value and to ensure compliance with legal obligations, but not for a period exceeding that necessary for the purposes of processing ("limitation of the term of conservation", which is a requirement of the General Regulation of Data Protection). In the case of information which certifies the academic training received by the students, data is permanently preserved in order to preserve the rights of these students.

 

In certain cases, such as the data contained in financial documentation and billing, tax regulations compel us to conserve the data until the responsibilities in this matter prescribe. The regulations governing foundations specify that some accounting data will be kept for ten years (compliance with Law 10/2010, of April 28th).

 

In the case of data that is processed exclusively on the basis of the consent of the interested party, it is kept until such person should revoke their consent.

 

Finally, in the case of images obtained by video surveillance cameras, these are kept for a maximum of one month. Nonetheless, in the case of incidents that justify it, the images may be kept for the time deemed necessary to facilitate the actions of the security forces and bodies or of judicial organs.

 

The regulations governing the conservation of public documentation, and the opinions of the qualifying committees, are a determining factor when deciding on the conservation or elimination of the data linked to the exercise of services of public interest.

 

 

What rights do people have regarding the processing of their data?

 

As provided in the General Regulation on Data Protection, individuals whose data is processed have the following rights:

 

To know if their data has been processed. In the first place, everyone has the right to know if their data is processed, regardless of whether there has been a previous relationship or not.

 

To be informed about the collection. When personal data is obtained from the interested party, at the time of doing so, individuals must have clear information about the purposes for which the data will be assigned, who will be responsible for the processing and the main aspects derived from this processing.

 

To access it. A very broad law that includes knowing precisely which personal information is being processed, what is the purpose for which it is processed, communications to other people who will process it (if applicable) or the right to obtain a copy or to know the expected period of conservation.

 

To ask for its rectification. It is the individual’s right to rectify any inaccurate data that is subject to processing on our part.

 

To ask for its deletion. In certain circumstances there is the right to request the deletion of data when, among other reasons, it is no longer necessary for the purposes for which it was collected and its processing justified.

 

To request the limitation of processing. In certain circumstances, the right to request the limitation of data processing is also recognised. In this case it will no longer be processed and it will only be retained for the exercise or defence of claims, in accordance with the General Regulation for Data Protection.

 

For portability. In the cases provided for in the regulations, the right to obtain personal data in a structured format that is commonly readable by machine is recognised, as well as the right to transmit it to another person responsible for its processing if the interested party so decides.

 

To oppose processing. A person can adduce reasons related to their particular situation. These reasons can imply that their data cannot be processed to the extent that can be detrimental to them, except for legitimate reasons or for the exercise or defence against claims.

 

To not receive information. Requests to stop receiving information about our activities and services are immediately actioned, when these communications were based solely on the consent of the recipient.

 

 

How can ones rights be exercised or defended?

 

The rights that we have just listed can be exercised by sending a request to the Bages University Foundation either to its postal address or to the other contact details included in the document heading.

 

If a satisfactory response has not been obtained concerning the exercising of your rights, a claim may be filed with the Catalan Data Protection Authority, either by filling in a form or using one of the other channels accessible on its website (www.apd.cat).

 

In all cases, either for filing complaints, asking for clarification or sending suggestions, it is possible to contact the Data Protection Officer by e-mail at dpd@umanresa.cat.

 

 

Specific data protection policies

 

- Enrolment process
- Sending information
- Cookie Policy
- Management of the University Clinic