Record of Processing Activities (ROPA) | ESIC
Updated 20/05/2024
This record complements and completes the Legal Notice, Privacy and Cookies, through which information is provided about the identity of the data controllers and the rights of the interested parties and how to exercise them: https://www.esic.edu/en/legal-notice
The data Controller analysing browsing and behavioural habits of visitors in order to identify the use they make of the tools and to adapt them to their needs, and also to improve communication, marketing and service activities.
Controller | Controller Independent controllers in the virtual classroom and communications for Teaching and Research Staff (PDI) and Administration and Services Staff (PAS) in view of needs related to fulfilling contracts, and other communication requirements that they manage independently. ESIC and FESIC. Independent responsibilities for the analysis of data taken from opening and action through e-mail. Joint controllers in own common communication channels (same website): ESIC (main) and FESIC. |
Legal Grounds | In the case of PDI and PAS, and only to the extent that performance of a contract justifies such, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6.1.b of the GDPR). In all other cases, including ESIC Play, data subjects gave their consent for the processing of their personal details for one or several of the specific purposes (Article 6.1.a of GDPR). In order to obtain consent, data subjects must be individually informed about any sale and purchase contract, general conditions or service contract. This processing will be carried out on the browsing data obtained on the website, Apps, etc. |
Purposes of processing | In the case of analytics processing being based on the performance of a contract, the necessary analytics will be carried out to perform the contract: in the case of PDI for example, the number of times each one accesses the virtual classroom documents or if such are downloaded, will be analysed to know and encourage learning activity. In the case of PAS, the Controller may obtain acknowledgement of receipt from whoever has received the secure communication regarding the information the Controller has sent, without this entailing additional processing. In all other cases, whenever prior acceptance by a data subject is required, the purpose of analytics processing of personal details will be as follows:
|
Collective | Users who access websites, Apps or social media profiles managed by the Controller, and those who open and reply to communication sent by the Controller. |
Data categories | Analytics service provides aggregate the data they obtain to provide the Controller with quantitative information about browsing and behaviour by people, without it being possible to identify any individuals. The processed data are as follows:
|
Addressee category | Data communication are not planned. Data processor:
|
International Transfer | The data processor is Google Ireland and sub-processor is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA USA. Security measures: data protection agreement with standard clauses via Google Workspace (formerly, GSuite). https://privacy.google.com/businesses/processorterms/
|
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Labelling of users according to their website activity at the centres and through creative publicity in order to show them adverts and promotional content in line with their preferences.
Controller | Independent controllers: ESIC and FESIC. |
Legal Grounds | The data subject has given consent to the processing of his or her personal data for one or more specific purposes; Including ESIC Play. In order to obtain consent, data subjects must be individually informed about any sale and purchase contract, general conditions or service contract and it shall be obtained in the same way. |
Purposes of processing | Labelling of users according to their website activity at the centres and through creative publicity in order to show them adverts and promotional content in line with their preferences. |
Collective |
|
Data categories |
|
Addressee category | No data transfers are planned. Data Processor:
|
International Transfer | No international transfers are planned |
Erasure period | Until the data subject requests cancellation or erasure of his/her data. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Sending personalised messages with advertising and promotional content.
Controller | Independent controllers: ESIC and FESIC. |
Legal Grounds |
|
Purposes of processing | Sending advertising or promotional communication via electronic channels, post or by telephone. |
Collective | Customers and persons interested in the activities and information about activities, products and services provided by the Controller or the contents that it creates, publishes or drives:
|
Data categories |
|
Addressee category | No personal data transfers are planned. Data processor:
|
International Transfer | International transfers to data processors are planned. |
Erasure period |
|
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller carries out surveys and consultations to prepare reports about different scopes and subjects; to know the performance of teaching staff and the programmes; and to find out about student satisfaction and other persons who take part in the Controller's activities and programmes. For this purpose, it is sometimes necessary to know the details about the person who replies to the questionnaire so that they can be linked to the information, without prejudice to make this information anonymous in most cases through technical procedures to aggregate data.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Data compilation and management:
|
Purposes of processing | Data compilation and management for:
|
Collective |
|
Data categories |
|
Addressee category |
|
Data Processors | Survey management companies |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. Assessments about teaching staff will be attached to their employee file. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. Despite it not being necessary, an DPIA has been prepared. The anonymisation processes will be documented before they begin in order to guarantee irreversibility. |
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). More specifically, regarding the retail sale and purchase of products or services. |
Purposes of processing | For the sale of products and services, both via the on-line store and in-person processes, data will be compiled for the following purposes:
|
Collective |
|
Data categories | Identification details: name and surname, ID No., e-mail address, postal address, telephone number. |
Addressee category | Banks. Tax Administration. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | The data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing, in accordance with Law 58/2003 of 17th December on General Taxation, in addition to the periods of time established in regulations on archives and documentation. 5 years in view of the Civil Code (Article 1964) for personal actions without special periods, and when processed, 10 years in view of the Law on the Prevention of Money Laundering and the Financing of Terrorism (Article 25). |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller promotes its activities (teaching staff, research and others) through draws, raffles and other games of random combinations for publicity or promotional purposes, and also through other actions such as direct gifts and contests with a panel of judges.
As described in the rules, the processing related to these activities involves taking and using photographs and videos, and sending advertising and promotional communications.
Controller | Separate controllers: ESIC and FESIC |
Legal Grounds |
|
Purposes of processing |
|
Collective |
|
Data categories |
|
Addressee category |
|
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. Other related processing activities (access to data to obtain further information):
|
Taking photographs and recording image and/or voice for (1) teaching activities and creation of student files or worker files; (2) publication thereof in promotional books, class photographs and virtual classroom; and (3) for advertising or promotion by the Controller.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | In the case of Teaching and Research Staff (PDI) and Administration and Services Staff (PAS) in regard to the management of their cards, accreditations and other specific cases, and for the case of speakers at events and conferences, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of the General Data Protection Regulation). In the case of recordings and broadcasting of speakers at specific events, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6.1.f of the General Data Protection Regulation). Enabling the camera during on-line classes can be considered lawful processing in general terms, given the obligation of educational centres to ensure and guarantee their educational functions in regard to the students and in fulfilment of public interests (ex. Article 6.1.e) GDPR) and the provisions established by the health and education authorities within the context of the pandemic, without consent by data subjects being necessary. In any event, the principle of proportionality must be taken into account. The above is all in accordance with the Ruling CNS 11/2021 of the Catalonian Data Protection Authority. Specific consent, both for capture and other purposes, as established in:
|
Purposes of processing | Taking photographs and recording images and voice for:
|
Collective |
|
Data categories |
|
Addressee category | The data will be published on the Controller’s website pages and transferred to the media when consent has been granted by the data subject for this processing, or where applicable, whenever necessary to perform a contract to which the data subject is party or to fulfil the Controller’s aforementioned legitimate interests. No other personal data transfers are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data compiled for teaching activities or through a contract will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. In all other cases processing of personal data shall continue until data subjects withdraw their consent. If data has been published on third party websites or in the press, outside the control of the Controller, it may be impossible to exercise the data subject right to effective erasure of the data. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Extracurricular activities such as visits to museums and third party companies or registration in amateur races (ESIC Companies Virtual Race). The activities may be restricted to specific groups.
Controller | Separate controllers: ESIC and FESIC |
Legal Grounds | The Controller will process the data in accordance with the following legitimate grounds:
|
Purposes of processing | Controlling attendance at activities. Transfer of the data to the collaborating controller and third parties when necessary for performing the contract. Transfer of data to other controllers under authorisation by data subjects. |
Collective |
|
Data categories | Main identification details: Name and surname, user name, other data: ID or other identity document, postal or electronic address, signature, telephone number and activity sector. |
Addressee category | Collaborating companies, depending on activity. Data processor:
|
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. Prior consent by registered persons, data may be kept for future actions. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). |
Purposes of processing | To guarantee equal conditions in learning activities dealing with special educational needs.
|
Collective | Alumnos Students, contact person (when legally required): father, mother or legal guardians. |
Data categories | Identification details
|
Addressee category | No personal data transfers are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | The data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | A DPIA is required. |
Study, assessment and management of grants and benefits offered and awarded to ESIC students.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Article 6.1.e of GDPR). |
Purposes of processing | Study, assessment and management of grants and benefits for studies arranged by ESIC or other entities that have been offered and awarded to ESIC students. |
Collective |
|
Data categories | Identification details Name and surname, ID Card / Passport / Social Security No. / Health Card, Address (postal or e-mail), telephone number (land line or mobile). Personal details: marital status, age, family details, sex, date of birth, nationality, place of birth, mother tongue. Data related to social circumstances: accommodation, home, properties, possessions, hobbies and lifestyle, membership in clubs, associations, licences, permits, authorisations. Academic and professional details: Education, Qualifications, Student's Case File, Professional Experience, Membership in Professional Societies or Associations. Economic details of the student and the family unit (Income Tax), financial data and insurance data, income, earnings, credit, loans, guarantees, bank details, tax deductions data, subsidies, allowances, etc. Data on asset and services transactions. |
Addressee category | State Administration, Autonomous Community Administration, Tax Administration, Banks. Data will be transferred to third parties explicitly indicated in the first layer notice, according to the purpose required in each case. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Management of students’ profiles to monitor their attendance at different teaching activities and through tests, the quality of their learning.
This processing is carried out on all types of students: degree, postgraduate, with and without special needs, languages and therefore if only a student or a teacher as well (professor or associate professor) or worker of any category, whether employee or external.
This processing activity is linked to some of the Controller's other activities, such as analytics, commercial activity, extracurricular activities, etc.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds |
|
Purposes of processing |
|
Collective |
|
Data categories |
|
Addressee category | No data transfers are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required. |
Management and control of access to the library and lending library journals and books.
Controller | ESIC |
Legal Grounds | For access to the library and lending of books, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). For functional analysis of the use of the library, processing is necessary to meet this legitimate interest pursued by the data controller (Article 6.1.f of GDPR). |
Purposes of processing | Management and control of access to the Controller's library and lending library journals and books. Functional analysis of the use of the library by each of the users in order to know if the facilities and related resources are used or not, and where applicable which ones should be maintained and which should be improved or changed. The Controller may withdraw permission to access the library for any persons who request it or do not use it within the established period under the conditions of use, providing that there is no contractual link with ESIC or FESIC. |
Collective |
|
Data categories |
|
Addressee category | Pozuelo de Alarcón Town Hall, Madrid |
International Transfer | There will be no international data transfers |
Erasure period | The data of users of this service shall be kept in the system indefinitely unless the data subject requests erasure. Lending data will be cancelled once books are returned. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
One of the services provided by the Professional Development Department (PDD) for former students is “advice and coaching”.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). This service is offered under a contract of training services which students formalise with ESIC or FESIC. |
Purposes of processing | Mentoring and advisory services for students and former students to further their professional development. |
Collective | Students, Former students |
Data categories |
|
Addressee category | External professionals Mentors and coaches |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Entrepreneurialism Speed-up Bootcamp is an advisory programme to give a boost to projects by entrepreneurs.
Controller | ESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). This service is provided under an agreement that is formalised to take part in the On-line Entrepreneurialism Speed-up Bootcamp. |
Purposes of processing | Mentoring and advisory services for students and former students to further their professional development. Mentoring, advice and professional boost for entrepreneurs. |
Collective | Entrepreneurs |
Data categories |
|
Addressee category | Mentors and coaches Companies interested in the profiles and projects of the data subjects. |
International Transfer | Companies who interested in finding out about or investing in the projects may be in third party countries. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The job portal (for candidates) is one of the services offered by the Professional Development Department (PDD).
Controller | Separate controllers: ESIC and FESIC |
Legal Grounds | Creating and maintaining candidate profiles: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Verification by the Controller about the truthfulness of the academic data related to the studies the data subject claims to have taken at ESIC or FESIC. Processing is necessary to meet the legitimate interests pursued by the Data Controller or by a third party. Communicating data to registered companies, data subjects give their consent for the processing of their personal details for one or several of the specific purposes (Article 6.1.a of GDPR). |
Purposes of processing | Management of candidate profiles. Verifying the truthfulness of academic data related to studies at ESIC and FESIC. Communication of personal data to registered companies. |
Collective | Students, Former students |
Data categories |
|
Addressee category | Publication in portal with access by interested companies. Data Processor: DOUBLE-DOT. In charge of managing the portal. |
International Transfer | Data may be viewed by companies registered in the portal, who may be located in third party countries. |
Erasure period | Data will be kept until data subjects request cancellation or erasure of his/her data, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The job portal (for companies) is one of the services offered by the Professional Development Department (PDD).
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Obtaining initial data Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Updating of the registered companies’ data: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the interests and fundamental rights and freedoms shall not prevail (Article 6.1.f of GDPR and Article 19 of Organic law 3/2018 of 5th December, on Personal Data Protection and Guarantee of Digital Rights). |
Purposes of processing | Updating of the contact details of the managers at the registered companies. |
Collective | Company managers and contact persons. |
Data categories |
|
Addressee category | No data transfers to third parties are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
To ensure respect for the rights and freedoms of professors, students, administration and services staff in view of different actions by university bodies and services, FESIC has established the structural figure of the University Ombudsman as provided for in the fourteenth additional provision of Organic Law 6/2001, of 21st December on Universities ( https://www.boe.es/eli/es/lo/2001/12/21/6/con ). The Ombudsman’s actions shall always focus on improving university quality in all fields that, not being subject to imperative mandate of any university body and governed by the principles of independence and autonomy.
Controller | FESIC |
Legal Grounds | Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Article 6.1.e of GDPR). |
Purposes of processing | Attention and processing of complaints, queries and claims in order to ensure the respect for the rights and freedoms of professors, students, administration and services staff. |
Collective |
|
Data categories |
|
Addressee category | ESIC ESIC, State Security Forces |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled and for 2 years at the most from the date of the resolution, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | Is additional information required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required. |
Belonging to the former students group and enjoying different activities that are proposed, from debate forums to country retreats.
Controller | Joint controllers ESIC and FESIC. |
Legal Grounds | Formalising adhesion: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Requesting transfer of data (from ESIC or FESIC to ESIC + FESIC): The data subject has given consent to the processing of his or her personal data for one or more specific purposes; |
Purposes of processing | To manage registrations on the list of Former Students. Checking the data to accredit links to ESIC or FESIC. To manage matters related to experience by the members of the Group of Former Students. To send own information to the group of Former Students. To send information about other activities: training, extracurricular experience, sport... |
Collective | Former ESIC and FESIC students |
Data categories |
|
Addressee category | No personal data transfers are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Until data subjects request cancellation or erasure of his/her data, after which the data will be blocked as described previously. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller manages payments, payment collection, repayments and refunds, where applicable, and also financial management of grants.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | GDPR: Article 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; GDPR: Article 6.1.c). Processing necessary for compliance with the legal obligation applicable to the data controller. GDPR: Article 6.1.e). Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Law 9/2017 of 8th November, on Public Sector Contracts. Law 47/2003, of 26th November, on General Budgets. Law 58/2003, of 17th December, on General Taxation. Law 38/2003, of 17th November, on General Subsidies. Law 35/2006 of 28th November, on Income Tax and Partial Amendment of the Corporation Tax Laws, Income by Non-Residents and Equity. Law 37/1992 of 28th December, on Value Added Tax. |
Purposes of processing | Necessary management of personal details to manage payments, payment collection, repayments and refunds, where applicable, and also financial management of grants. Recording and checking VAT, Income Tax, Registration in Tax Agency and Social Security, bank certificates, etc. |
Collective |
|
Data categories | Name, surname, telephone number, postal and e-mail addresses, ID Card, electronic signature. Economic, financial and insurance details. Bank and business details. Certificates issued by the Public Administration for data subjects. |
Addressee category |
Banks, State Tax Agency. Upon prior request and express acceptance by the interested party, their personal contact data and data related to the registration they have requested will be communicated to SABADELL CONSUMER FINANCE, S.A.U, with registered office at Pl. Cataluña, 1, 08201 Sabadell, for the purpose of this entity analyzing and evaluating their financing application, in accordance with the information on this data processing activity detailed at www.sabadellconsumer.com, under “Information for customers” “Annex detailed information on personal data protection”. For the same purpose, personal data could be transferred to other recipients different from the aforementioned, provided that the interested party is previously aware of the identity of the assignee and expressly accepts this communication. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | The data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. Depending on each case, the following periods shall apply:
|
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Defence and representation of ESIC in any administrative procedures and resolution of conflicts.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | The data subject has given consent to the processing of his or her personal data for one or more specific purposes; Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). |
Purposes of processing | Registration and management for the Controller in regard to legal matters, and internal provisions, legal services or consultancy in its different modalities. |
Collective | Persons who are directly or indirectly party to procedures or other legal matters. |
Data categories | Name and surname, ID Card or identity document, postal address, e-mail, signature, position in the represented company and information about the company, telephone number, personal circumstances, business circumstances, commercial information, economic, financial data and insurance data, and information on asset and services transactions. Other data: Any other data that may be included in the query or that require processing in view of the provided service, which may include special category data and information on criminal sentences. |
Addressee category | ESIC or FESIC, depending on each case. Security Forces, State Tax Agency, Social Security, Public Prosecution Ministry, Judges and Courts. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller offers an e-mail hosting service for PDI, PAS and former students.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). |
Purposes of processing | Managing registration in the service |
Collective |
|
Data categories | Name and surname, postal address, e-mail, telephone number, personal file regarding relations with the Controller. |
Addressee category | Microsoft Google (Blogger) Automattic (WordPress) |
International Transfer | International data transfers are planned to data processors (state at least those that could make international transfers and the country) or addressees of transfers that are stated. |
Erasure period | E-mail:
|
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required. |
Covering job vacancies and personnel selection, both internal and external staff.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Checking the background of the data subject is based on fulfilment of a legal obligation applicable to the data controller (Article 6.1.c of the General Data Protection Regulation). Proactive searches for candidates and details about them in third party databases are based on the grounds of legitimate interest to identify candidates to cover positions, or to find out more if their profile fits the vacancy (Article 6.1.f of the General Data Protection Regulation). Workers’ Statute, Royal Legislative Decree 1/2013 of 29th November, approving the Amended Text of the General Law on the Rights of Disabled Persons and Social Inclusion. Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education. |
Purposes of processing | Analysis and verification of the professional backgrounds of candidates. Analysis of the candidate’s personality when this is a determining factor for the envisaged job (e.g. teaching). The Controller will analyse documents submitted by candidates, all content directly accessible through search engines (Bing, Yandex, Google, Baidu, DuckDuckGo, etc.), professional social media profiles (LinkedIn, Xing, Viadeo, etc.), data obtained in access tests and the information disclosed at job interviews, in order to assess the candidate and make a job offer, where applicable. This analysis may be carried out to identify and assess candidates required for certain vacancies or assignments. |
Collective | Participants in selection processes. Professionals with public profiles. |
Data categories |
|
Addressee category | Companies where they have been employed in order to check data and verify truthfulness. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. The Controller may keep the unsuccessful candidates’ CVs for a maximum of two years for any future recruitment processes, unless the candidate states otherwise or wishes the CV to be kept for longer or until consent is withdrawn. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Processing activity related to the management of labour contracts for teaching, administration and services staff, including the management of their training and other activities inherent to labour relations.
Controller | Independent controllers: ESIC and FESIC, Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education. |
Legal Grounds | The management of labour or business relations is based on the following grounds of legitimation:
|
Purposes of processing | Labour relations with contracted staff:
|
Collective | Teaching and Research Staff (PDI), Administration and Services Staff (PAS) |
Data categories |
|
Addressee category | Transferees:
|
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. At the end of the contract, depending on the type of personnel, the periods are as follows:
|
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller contracts professional collaborators for different tasks, and external teaching staff and associate professors to deliver master classes, talks at conferences or for general teaching of courses, master’s programmes or other training programmes.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education. |
Purposes of processing | Business relations with contracted external teaching staff and associate professors:
|
Collective | External teaching staff and contracted associate professors |
Data categories |
|
Addressee category | Transferees:
|
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Under registration, only students and professors may access information charts with professional contact details of the people who on the programme they are registered in, or in which they deliver classes or carry out teaching management or coordination actions.
Without registering, through the Controller's website, anybody may access professional information about the teaching staff meetings for each programme.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). |
Purposes of processing | Publication of identification and professional details:
|
Collective | Teaching and Research Staff (PDI), both internal and external, Administration and Services Staff (PAS) |
Data categories | Name and surname, Image, Professional details: Company and position, E-mail and Social profiles |
Addressee category | The data will be accessible via the Internet of Virtual Classroom. No data transfers to third parties are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Management of the ESIC Editorial in regard to the authors and collaborators and exploitation of their work.
Controller | ESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). |
Purposes of processing | Management of work and publication assessments regarding editorial projects offered to ESIC as authors, management, invoicing and publishing thereof. |
Collective | Authors, Interested parties |
Data categories | Identification details
|
Addressee category | Tax Agency, Banks |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller contracts professionals, suppliers and trade and business partners for different actions. To do so, the Controller needs to contact the professionals or individuals who represent those companies who sell their products or provide their services.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the fundamental rights and freedoms of ................ do not prevail (Article 6.1.f of GDPR). |
Purposes of processing | Registration and management of supplier and business and trade partners contact details. |
Collective | Service suppliers or vendors, and if these are businesses, the contact details of physical individuals. |
Data categories | Identification details:
|
Addressee category | Banks, State Tax Agency |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Management of the inbound and outbound documents register.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Organic Law 6/2001, of 21st December on Universities. |
Purposes of processing | Management of the inbound and outbound documents register. Verification of identity and details of data subjects. |
Collective |
|
Data categories | Identification details Name and surname, ID Card No., address, telephone number, type of relationship with the Controller and signature. Data related to the received or delivered document. |
Addressee category | No personal data transfers are planned. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, for the legally established period, and to determine any possible liabilities that could stem from the said purpose and data processing. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required. |
Attending to applications for the exercising of the rights established in the GDPR.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Specifically, to receive, manage and reply to applications for the exercising of data subject rights (Chapter III of the GDPR). |
Purposes of processing | To receive, manage and reply to applications for the exercising of data subject rights (Chapter III of the GDPR). |
Collective | Any persons |
Data categories | Identification details Name and surname, ID Card No., address, telephone number, type of relationship with the Controller and signature. Data on applications for exercising the relevant rights. |
Addressee category | From ESIC to FESIC and vice versa. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Data will be kept for as long as necessary to resolve any claims. |
Additional data | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Recording and managing queries submitted to ESIC about its activities.
Controller | Personal data collection: Joint controllers ESIC and FESIC. Attention and management of complaints and suggestions. Independent controllers at ESIC and FESIC. |
Legal Grounds | The data subject has given consent to the processing of his or her personal data for one or more specific purposes; |
Purposes of processing | Recording and managing queries about the Controller's activities. |
Collective | Any persons |
Data categories | Identification details:
|
Addressee category | From FESIC to ESIC and vice versa, depending on each case. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | The data will be kept for the time necessary to process and reply to the query. |
Additional data | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Controller | Personal data collection: Joint controllers ESIC and FESIC. Attention and management of complaints and suggestions. Independent controllers at ESIC and FESIC. |
Legal Grounds | Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR)., Organic Law 6/2001, of 21st December on Universities, Royal Decree 1791/2010 of 30th December approving the University Students’ Statutes. |
Purposes of processing | To know the opinion of users and improve the quality of the services provided by ESIC and FESIC. In the case of FESIC, processing includes the management of complaints or suggestions by the University Ombudsman. |
Collective | Students, Other persons |
Data categories | Identification, academic, professional or other data the data subject wishes to import. |
Addressee category | From the joint controller ESIC-FESIC to ESIC or to FESIC, depending on each case. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | The data will be kept for the period of time necessary to deal with the complaint or suggestion, ensuring this is carried out within the maximum period of 3 months. |
Additional data | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
To guarantee the security and safety of persons, assets and facilities in physical and electronic spaces.
Register and control of visits with the only purpose of guaranteeing security.
Controller | Joint controllers: ESIC and FESIC |
Legal Grounds | Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Article 6.1.e of GDPR). Processing necessary for reasons of essential public interest as determined by Law. Article 9.2.g) GDPR. |
Purposes of processing | The purpose of processing is physical security, register and control of access to guarantee the security of persons, assets and facilities in physical and virtual spaces. |
Collective | All individuals who access the Controller's facilities or activities:
|
Data categories | Identification details:
|
Addressee category | State Security Forces From the joint controller ESIC-FESIC to ESIC or to FESIC, depending on each case. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Thirty days at the most, computed from the collection date. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
The Controller analyses the behaviour of users when browsing its website and the different social media profiles in order to prevent and block logical attacks.
Controller | Joint controllers ESIC and FESIC. |
Legal Grounds | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the fundamental rights and freedoms of ................ do not prevail (Article 6.1.f of GDPR). In particular, these legitimate interests consist of avoiding unauthorised access to or destruction or alteration of data and systems, and also to block access to such or to prevent third parties from carrying out any unauthorised processing. |
Purposes of processing | To analyse:
|
Collective | Users who access the websites and social media profiles managed by the Controller, by ESIC or by FESIC. |
Data categories | IP Addresses User's browser agent chain. |
Addressee category | From the joint controller ESIC-FESIC to ESIC or to FESIC, depending on each case. |
International Transfer | International data transfers are planned to data processors (state at least those that could make international transfers and the country) or addressees of transfers that are stated: Google LLC (United States of America). |
Erasure period | reCaptcha, by Google LLC: approximately 26 months (privacy policy). |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. Comments:
|
Video-surveillance of the perimeter and accesses to the facilities or rooms in order to guarantee the security of persons, assets and facilities inside the buildings.
Controller | Independent controllers: ESIC and FESIC |
Legal Grounds | Processing necessary for the performance of a task carried out in the public interest or in the exercise of public powers. Article 6.1.e) GDPR. Processing necessary for reasons of essential public interest as determined by Law. Article 9.2.g) GDPR. Organic Law 6/2001, of 21st December on Universities. Law 5/2014, of 4th April, on Private Security. |
Purposes of processing | To guarantee the security of persons, assets and facilities. |
Collective | Physical persons who enter ESIC. |
Data categories | Images |
Addressee category | State Security Forces, Public Prosecutor Judicial Bodies. |
International Transfer | No international transfers of personal data are foreseen. |
Erasure period | Before 30 days after recording. |
Additional information | No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. |
Implementation of and access to a Whistleblower Channel for reporting alleged infractions, in accordance with applicable regulations.
Manager | Independent managers: ESIC and FESIC |
Legal basis | Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f) GDPR) and, where applicable, for compliance with a legal obligation applicable to the controller (art. 6.1.c) GDPR) |
Purposes of data processing | Management of a whistleblower channel, in accordance with the provisions of the Internal Policy and Manuals on Regulatory Compliance and Criminal Risk Avoidance for ESIC and FESIC. |
Group | Students, Employees, Collaborators, People affected in Suppliers/Customers and Managers of the entities. |
Data categories | Identification data: ID card number, name and surname, postal address, e-mail and telephone number (in case of anonymous complaint, this data may be collected during the internal investigation). Academic and professional data: center and group of studies or work, if relevant.Other data: the content of the complaint and any other data that may be collected during the investigation. |
Target Category | Spanish Data Protection Agency in inspection processes in application of Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights. State Security Forces and Corps, with prior judicial authorization and in the exercise of their judicial police functions. Judges and courts in the terms defined by the procedural legislation. In these cases, ESIC/FESIC before making the data available to third parties ensures that these authorities request and access the data in accordance with the Laws. |
Data Processing | Not foreseen. |
International Transf. | Internationally transferring data is not foreseen. |
Deadline for deletion |
The data will be kept for the time necessary to deal with and manage the complaints and to carry out the necessary investigations. It is also kept for the purpose of carrying out or taking the necessary decisions in relation to each complaint, in compliance with the corresponding legal obligations. The information will be kept duly blocked for the additional periods necessary for the prescription of possible legal responsibilities. |
Additional information | A risk analysis and, where appropriate, a Data Protection Impact Assessment (DPA) will be carried out periodically to assess the impact and risk of this processing, according to its evolution. |
In the event that ESIC or FESIC organizes events, congresses, seminars and similar activities, it is possible that personal data of different categories of groups may be collected.
Manager | Independent managers: ESIC and FESIC |
Legal basis |
Processing necessary for the performance of a contract (art. 6.1.b) RGPD): Consent to processing (art. 6.1.a) RGPD): Where appropriate, for the management of grants and subsidies: |
Purposes of data processing | Purposes of data processing Management of events developed, organized or executed by any of the responsible parties. It includes, in any case, the advertising of the event in social networks, communication of content and dates, registration of participants and speakers. Management of grants and subsidies. |
Group | Event attendees, organizers and speakers. |
Data categories | - Identification data: NIF, name and surname, postal/electronic address and telephone number. - Personal data: date and place of birth, age, sex and nationality. - nationality. - Academic and professional data: education and degrees, academic history, professional experience and languages. - Economic-financial data: bank details. |
Target Category | - Publication of events on the website and in the media. - Banking institutions for the making of payments. - Travel agencies or hotels for the management of your accommodation and travel. - To public entities when the event has been the subject of aid or subsidy for verification and control of expenditure. |
Data Processing | Entities collaborating or providing services for the events such as registration, hotel management, attendee verification, video recording, catering services, etc. |
International Transf. | Internationally transferring data is not foreseen. |
Deadline for deletion | The data will be kept for the duration of the event organized. Data subject to disclosure or publication (recordings, press releases, programs, etc.) may be kept indefinitely. Otherwise, the information will be duly blocked for the additional periods necessary for the prescription of possible legal liabilities. |
Additional information | Aditional Information No EIPD is required for this processing, because of the data processed and the way it is carried out by the data controller, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
Processing carried out in the case of teachers and/or collaborators of the Entities, as well as students who are going to carry out exchanges or courses abroad or attend courses, seminars and similar in Schools, Universities and Organizations outside Spain.
Manager | Independent managers: ESIC and FESIC |
Legal basis | he processing is necessary for the performance of a contract to which the data subject is party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b GDPR). In specific cases, the data subject gave his consent to the processing of his personal data for one or more specific purposes (art. 6.1.a GDPR). |
Purposes of data processing | Purposes of data processing Management, administration and control of students and teachers participating in international programs that include courses, stays, seminars and similar in other countries, whether in the EU or other countries, as well as in other international organizations. It also includes administration and control of language courses. u otros diferentes, así como en otros organismos internacionales. Incluye, asimismo, administración y control de cursos de idiomas. |
Group | - ESIC/FESIC students and professors who stay or take courses, seminars, etc. scholarships abroad. - Foreign students and professors at ESIC/FESIC. - Students participating in language courses. |
Data categories | - Identifying data: name, surname, postal address and email. - Academic and professional data: education, degrees and professional experience. - Detailed employment data: professional category of the PDI. - Economic-financial data: bank details. - Personal data related to the socio-economic situation. |
Target Category | - Where appropriate, the National Agency for Erasmus, the National Agency for Quality Assessment and affected regional agencies, in the quality assessment processes provided for by Organic Law 6/2001, of December 21, 2001, on Universities. - Ministry of Education and Science and affected autonomic Regional Ministries and dependent bodies with competences in university matters and Ministry of Science, Innovation and Universities and dependent bodies with competences in university matters, for the exercise of the competences of these administrations in academic and research matters in accordance with the respective legislation. - Other university institutions in compliance with the missions of public interest defined by the Organic Law 6/2001, of December 21, 2001, on Universities, or for the deployment of legal relationships established by - Entities, Organizations, Universities, etc., that receive or host students and/or professors. |
Data Processing | Data Proccesors Travel agencies and companies that organize transfers and obtain visas. |
International Transf. |
International data transfers are foreseen in the cases provided for by Article 49.1 of the GDPR: |
Deadline for deletion |
|
Additional information | No EIPD is required for this processing, due to the data processed and the way it is carried out by the data controller, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |