Privacy policy
1. PURPOSE OF THE POLICY
Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data (hereinafter the GDPR), and Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights (hereinafter the LOPDGDD), Rovira i Virgili University (hereinafter the URV or the University) hereby establishes this privacy policy to provide concise, transparent, intelligible and easily accessible information on how it collects, uses and safeguards the data of individuals who have a relationship with the University (hereinafter Data Subjects).
The purpose of this privacy policy is to define how Rovira i Virgili University protects the personal data it processes in the course of its activities and how it complies with applicable regulations on this matter.
This policy does not regulate security measures applicable to personal data processed by the University. Security measures are covered in the University's security policy in accordance with the guidelines set out in Royal Decree 3/2010 on the national security system, which, as stipulated in the LOPDGDD, is also the regulatory framework for security measures to be applied by the University for the processing of personal data.
2. RECORD OF PROCESSING ACTIVITIES
The URV maintains a record of personal data processing activity. The record of processing activity and this privacy policy are available on the URV website (https://seuelectronica.urv.cat/rgpd/).
In order to inform Data Subjects and personal data holders about the processing of their data as a result of their relationship with the URV, in accordance with Articles 13 and 14 of the GDPR and Article 11 of the LOPDGDD, the URV has adopted a system to provide the following information:
- Identity of the data controller, i.e. the URV
- Type of data processed, source of information, and how the data was collected in the event that it does not come directly from the Data Subject
- Purpose of processing
- Legal basis for processing
- Creation of profiles and the purpose of these, if applicable
- Where applicable, recipients of data transfers, including possible international data transfers, as well as the specific purpose of each transfer
- How long the URV will keep the data and the grounds for this
- Information on the rights of the Data Subject regarding the processing of personal data by the URV and the methods and channels to exercise these rights
- Information on the right to file a complaint with the Catalan Data Protection Authority and how to exercise this right
- Security measures applied by the URV to ensure the confidentiality, integrity, availability, authenticity and traceability of personal data that is processed
- The email address of the data protection officer to provide a convenient contact method for any queries
All information on the processing of personal data by the URV is available at the URV's electronic office in its record of processing activities, which includes the following information on each activity, in accordance with Article 30 of the GDPR:
- Name of the activity, also listed in the main clause
- Purpose of the activity
- Legal basis for the activity
- Categories of Data Subjects
- Categories of personal data processed
- Transfers of personal data to other entities
- Purpose of data transfers
- International transfers outside the European Economic Area
- Data retention period
The record of processing activities also lists data processing activities related to URV activities carried out on behalf of third parties using the University's resources and applying its directives, i.e. acting as a data processor.
Lastly, the record of processing activities provides access to the information clause for each processing operation.
3. COMMON CHARACTERISTICS OF PERSONAL DATA PROCESSING AT ROVIRA I VIRGILI UNIVERSITY
The section below identifies the general approach to personal data processing and the specifics of each processing operation. You will find information on these specifics in the record of processing activities as well as in the information clause for each processing operation, as indicated in the previous section.
3.1. Data controller
Any person who provides the URV with personal details online or in person must be informed that the URV (with national tax identification number Q9350003A; address Carrer del Escorxador, s/n, 43003, Tarragona, Spain; and email address info@urv.cat) will process their data.
3.2. Data protection officer
The role of the data protection officer (DPO) is to ensure that personal data is secure at the URV, in order to safeguard the basic rights and freedoms of natural persons.
The DPO's contact information is: email dpd@urv.cat; address Carrer Escorxador, s/n, 43003 Tarragona, Spain; and telephone +34 977 559 761 or +34 977 558 255.
The DPO's updated details are indicated in the data protection officer register published by the Catalan Data Protection Authority on its website https://apdcat.gencat.cat/, in the section "Consulta de delegats de protecció de dades" (View data protection officers).
3.3. Legal basis for processing personal data
The URV generally processes personal data in accordance with one of the following lawful purposes:
- Compliance with a legal obligation, in accordance with Article 6.1.c) of the GDPR
- Performance of a task carried out in the public interest or in the exercise of official authority, in accordance with Article 6.1.e) of the GDPR
- Performance of a contract, in accordance with Article 6.1.b) of the GDPR
- Consent to the processing has been given by the Data Subject, in accordance with Article 6.1.f) of the GDPR
Since the URV is a public university, personal data processing may be necessary to comply with the legal obligation to provide public higher education services, to conduct research, for university extension activities, etc. As such, the URV is generally entitled to process personal data in accordance with the provisions of Article 6.1.c) of the General Data Protection Regulation, i.e. processing necessary to comply with a legal obligation.
Specifically, but not exclusively, the legal basis for processing personal data according to a legal obligation is established in Organic Law 6/2001, of 21 December, on universities; Law 1/2003, of 19 February, on universities in Catalonia; Law 39/2015, of 1 October, on common administrative procedure; Law 40/2015, of 1 October, on the public sector legal system; Law 14/2011, of 1 June, on science, technology and innovation; Royal Legislative Decree 8/2015, of 30 October, approving the consolidated text of the General Law on Social Security; Law 58/2003, of 17 December, on general taxation; and Law 38/2003, of 17 November, on general subsidies.
The processing of personal data by the University also has a legal basis in the exercise of public authority as expressly stipulated in Article 6.1.e) of the GDPR, conferred on the URV by the provisions of Organic Law 6/2001 on universities; the URV's Statutes approved by Agreement GOV/23/2012, of 27 March; and other applicable regulations.
In this context, the URV is entitled to process personal data for the purpose of carrying out tasks of public interest and exercising public authority, for example, maintaining relations with members of the university community in the academic arena and other areas, and, for example, promoting research activities or cultural and sporting activities in its sphere of influence.
Personal data may also be used for educational and promotional purposes related to the URV's academic and research activities when carrying out tasks in the public interest and/or exercising public authority. Pursuant to the 21st Additional Provision of Organic Law 4/2007, amending Organic Law 6/2001 on universities, the consent of university staff is not required to publish the results of assessment processes related to teaching, research and administrative activities on the part of the University or public assessment agencies or institutions.
The processing of data by the University is generally justified by Article 6.1.b) of the GDPR, i.e. processing necessary for the performance of a contract to which the Data Subject is a party and for pre-contractual provisions.
However, pursuant to Article 6.1.f) of the GDPR, the Data Subject's consent is required when the processing of personal data is not covered by one of the aforementioned justifications. In this case, the Data Subject may withdraw consent at any time.
Lastly, the URV reserves the option of applying the legal basis of processing in accordance with the legitimate interest of the University, provided that it is sufficiently justified and these interests are not overridden by the Data Subject's interests or fundamental rights related to the protection of personal data.
The legal basis for data processing should be stipulated in the record of processing activities for each activity.
3.4. Purpose of data processing
As indicated in the previous section, personal information is collected because it is required to provide the higher education services provided by the University in accordance with Organic Law 6/2001, of 21 December, on universities, and other applicable regulations.
The personal data of University personnel must also be processed to maintain labour relations and comply with applicable legal regulations.
Data on the research activities of teaching and research staff may also be used to fulfil the University's purpose, pursuant to Organic Law 6/2001 on universities, i.e. disseminating, applying and transferring knowledge to promote culture, quality of life and economic development. This data may also be disseminated in accordance with Law 19/2014, on transparency, access to public information and good governance.
The purpose of the collection and automated processing of personal data provided by users of the URV website and portals is to manage, provide, expand and improve the services requested by users at any given time, and to address user queries. The URV website does not request personal data from users without their knowledge, nor is this data transferred to third parties, unless required by law. Data Subjects are also shown the terms and conditions for personal data protection as well as an information clause.
The specific purpose of each data processing operation can be viewed in the record of processing activities.
3.5. Source of personal data
In general, personal data processed by the University comes directly from the Data Subject. When the data comes from sources other than the Data Subject, the source of the data must be indicated in the record of processing activities and in the information clause.
3.6. Security measures
The URV is responsible for applying security measures and other required measures in accordance with personal data protection law and the National Security Framework, regulated by Royal Decree 3/2010.
The URV accordingly has a data security policy, approved by the Governing Council, which can be viewed on the URV website in the section 'Normativa pròpia' (URV regulations).
Where appropriate, the information clause will indicate any additional measures that may be applied for specific processing beyond those provided for as part of the National Security Framework.
3.7. Provision of personal data
Personal data will not be transferred to third parties except where required by law or with the consent of the Data Subject.
In the event that the URV transfers data to third parties when processing personal data, information defining the purpose of the transfer and the recipients must be included in the record of processing activities and in the information clause.
International transfers of data are governed by the provisions of the GDPR, the LOPDGDD and implementing regulations approved by the Government, and in the regulations and guidelines of the Catalan and Spanish Data Protection Authorities within the scope of their respective competences. Appropriate security measures will be implemented to ensure a level of data security commensurate with European security standards.
3.8. Data retention period
The personal data in the custody of the University will be kept for the period required to fulfil legal obligations, and in accordance with admissions and documentary assessment tables, or, if processing requires the Data Subject's consent, until the Data Subject exercises the right to withdraw consent.
Information on each instance of personal data processing can be found in the record of processing activities and in the processing information clause.
3.9. Data subject rights
Data Subjects may exercise any of the rights provided by law pertaining to their personal data:
- Right of access, i.e. to consult personal data being processed and obtain a copy of it, provided that the data is stored in the University's computer systems.
- Right to rectify personal data if it is inaccurate and both the error and the corrected data are duly justified.
- Right to erasure, i.e. to have certain data deleted, except when a legal obligation prevents this.
- Right to restrict automated processing, i.e. to not allow the processing of personal data for certain purposes.
- Right to be forgotten, i.e. to have all personal data held by the University deleted, except when a legal obligation prevents this.
- Right to restrict data processing, i.e. the Data Subject may request that their personal data not be processed in specific cases. This right can only be requested in certain situations:
  - When the accuracy of personal data is being verified
  - When processing is unlawful, but the Data Subject objects to erasure of their data
  - When the University does not need to process the data, but the Data Subject needs the data to be stored to exercise or defend claims
  - When the Data Subject objects to processing of their data to perform a task carried out in the public interest or to fulfil a legitimate interest, while determining whether the grounds for processing override the Data Subject's objection
- Right to data portability, i.e. a more advanced form of the right of access in which the copy provided to the Data Subject must be in a common structured machine-readable format so the Data Subject can transfer it to another data controller and add it to computerised systems.
- Right to object to profiling, i.e. the Data Subject can refuse to allow the University to create profiles to manually or automatically send information which may be of interest to the Data Subject, using the personal data provided to the University.
- Right to lodge a complaint with the nearest data protection supervisory authority if the Data Subject considers there has been abuse in the processing of their personal data. In Catalonia, for public and private universities in the Catalan university system, such as the URV, the Catalan Data Protection Authority is responsible for functions governed by Law 32/2010, of 1 October, on the Catalan Data Protection Authority.
3.10. Exercise of the rights of Data Subjects
Data Subjects may exercise their rights in person, by written communication with an enclosed photocopy of their National Identity Document, at URV's General Registry, or by electronic means, as indicated in the URV electronic office at https://seuelectronica.urv.
Data Subjects can also request information related to personal data protection by sending an email to the data protection officer at dpd@urv.cat.
4. PUBLICATION OF THE PRIVACY POLICY AND ENTRY INTO FORCE
This privacy policy will come into force the day after it is published in the Official Gazette of the URV. It will also be published on the University's website at https://seuelectronica.urv.cat/rgpd/.
5. ANNEX: GLOSSARY
Terms related to the protection of personal data are defined below to help readers interpret the content of this document:
- Processing activity: any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination, erasure or destruction.
- Authenticity: the property or characteristic whereby an entity guarantees or claims to be the source of the information or service.
- Data transfer: any transfer of data by the person who processes data or the data controller to a party other than the Data Subject.
- Consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the Data Subject's wishes, by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her.
- Confidentiality: the property or characteristic whereby information is not made available or disclosed to unauthorised individuals, entities or processes which do not require knowledge of the data in question.
- Personal data: any information which is related to an identified or identifiable natural person (compare with the term 'Data Subject'). For example, a person's full name, ID card number or photograph are considered personal data, as well as other information that can be used to identify a person, such as the IP address used to access a computer system.
- Data Protection Officer (DPO): the person in charge of coordinating and ensuring compliance with data protection regulations. The DPO's duties are as follows:
  - Informing and advising the data controller, the data processor and staff on data protection obligations
  - Overseeing compliance with data protection regulations
  - Working with the Data Protection Authority
- Data recipient: a natural or legal person, public authority, agency or another body, to which the data controller provides personal data.
- Availability: the property or characteristic that ensures that authorised entities and processes have access to the data when they need it.
- Profiling: any form of automated processing of personal data in which personal data is used to assess certain aspects of a natural person.
- Data processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
- Integrity: the property or characteristic whereby information is not altered in an unauthorised manner.
- Data Subject: an identified or identifiable natural person. An identifiable natural person is any person whose identity can be ascertained directly or indirectly with certain information.
- Legal basis of processing: the grounds for processing personal data in accordance with personal data protection regulations.
- Security measures: actions to protect data against accidental or deliberate damage that could affect the confidentiality, availability, integrity, authenticity and traceability of the data being processed or the activities the data is used for.
- Security policy: a document defining guidelines for data security.
- Record of processing activities: a register of all actions carried out within the scope of the University's activities involving the processing of personal data.
- Data controller: a natural or legal person, public authority, agency or other body which determines the purposes and means of processing alone or jointly. In the context of this privacy policy, the data controller is Rovira i Virgili University.
- Traceability: the property or characteristic whereby the actions of an entity can be uniquely attributed to it, and actions carried out in connection with the information or service can be duly identified or reconstructed.
- International data transfer: data processing that involves the transmission of data outside the European Economic Area. This can take the form of a transfer or disclosure of data, or may entail data processing on behalf of the data controller in Spain.