Personal Data Protection

Personal Data Protection

This document describes Fundació Esade’s data protection policy. The latter is based on the principles detailed in Regulation (EU) 2016/679 of the European Parliament and Council of 27th April, 2016 (General Data Protection Regulation). We fully assume the spirit of this European Regulation because it reinforces the rights of individuals and offers additional guarantees regarding the processing of their data. This objective coincides completely with our aim to continuously improve the services we provide. Below is a summary of the fundamental elements included in this data protection policy:

How do we obtain personal data?

In the previous section we refer to some of the origins of the data we process. In most cases, the affected parties expressly provide us with their data, and we obtain them primarily through forms designed for this purpose. We also obtain data through open-door events, information sessions given on our campuses and fairs in which we inform about our programmes.

In terms of our relation with students, faculty and service providers, we gather other data which we incorporate into Esade systems.

A smaller amount of data may also originate from the competent public administrations in the higher-education area or from other academic institutions.

6. How long do we store data?

The time we store data depends on different factors. The primary criterion is if the data are still necessary to fulfil the purposes for which they were originally gathered. The second criterion is to duly respond to any legal responsibility regarding Esade’s data processing and to comply with any legal requirements from public administrations and judicial bodies.

Consequently, we have to store data the time necessary to preserve their legal or informational value and to accredit our fulfilment of legal obligations. However, this time shall not exceed the time required for the purposes for which they are processed (“storage period” limitation in the General Data Protection Regulation). With respect to data accrediting the educational programmes students complete, we store said data permanently to preserve these students’ rights.

In specific cases, such as data included in accounting records and billing documents, fiscal norms require we store them until no longer legally required. The norms governing foundations require that we store some accounting-related data for ten years (in keeping with Law 10/2010, dated 28th April).

In the case of data processed solely based on the affected parties’ consent, we store said data until the affected parties revoke their consent.

Lastly, in the case of images obtained through our video-surveillance cameras, we store said images a maximum of one month. However, in case of incidents requiring they be stored longer, we shall preserve them the time necessary to facilitate the work of safety and security forces and judicial bodies.

The norms regulating the storage of public documents and the decisions issued by qualifying committees are a reference when deciding to store or eliminate data linked to providing public interest services.

7. What rights do people have in terms of the personal data we process?

As stipulated in the General Data Protection Regulation, people whose data we process have the following rights:

Know if their data are being processed

People first have the right to know if we are processing their data, regardless if a prior relation exists with them.

Be informed when data are gathered

When we gather personal data from the affected parties, they have to be clearly informed about the purposes for which their data are gathered, who is in charge of their processing and other key issued related to this processing.

Access their data

This is a very broad right which includes knowing exactly what personal data are being processed, for what purposes, to whom they are ceded (if applicable) and the right to obtain a copy of said data and know how long their data will be stored.

Rectify incorrect data

Affected parties have the right to demand we modify any inexact data we are currently processing.

Request their elimination

In specific cases, affected parties have the right to request we eliminate their data altogether. Amongst other motives, this can include when said data are no longer needed for the purposes for which they were originally gathered and which justified their processing.

Limit their processing

Similarly, in specific cases, affected parties have the right to request limiting the processing of their data. In these cases, we will no longer process their data and we will only store them to process or defend ourselves against complaints, in keeping with the General Data Protection Regulation.

Portability

In certain cases, norms recognise the right of affected parties to obtain a copy of their personal data in a machine-readable and commonly used format to then be able to transmit said data to another party for their processing if the affected parties so decide.

Oppose their processing

The affected parties may refer to motives related to their particular situations so that we no longer process their data insofar as it is harmful to them. This shall not apply if there are legitimate motives or in the case of exercising or defending ourselves against complaints.

Not receive information

We will immediately respect requests from affected parties who no longer want to receive information about our activities and services so long as said information is sent to the recipients based solely on their consent.

8. How can the affected parties exercise and defend their rights?

The affected parties can exercise the above-mentioned rights fast and easily through the following application form ARCO rights or writing to Esade at the address above or using any of the other means to contact us as indicated.

If the affected parties are not satisfied with this exercise of their rights, they may file a complaint with the Catalan Data Protection Authority by means of the forms or other channels available via its website (https://apdcat.gencat.cat/).

In all cases, whether to present complaints, clarify doubts or make suggestions, the affected parties may send an e-mail to the Data Protection Delegate via the following address: dpo@esade.edu

Specific data protection policies

Enrolment Process

Who is the data controller?

Fundación Esade, CIF G-59716761, with registered office at Avinguda Pedralbes, 60-62 (08034) Barcelona; Tel: +(34) 932806162, email: webmaster@esade.edu, www.esade.edu (hereinafter “Esade”). You can contact the data protection officer by writing to dpo@esade.edu.

For what purpose does Esade process your personal data?

Esade processes your data in order to keep a record of your enrolment and, on this basis, to provide the higher education services you have requested. The data provided, as well as any data resulting from the academic activity, will serve as the basis for the evaluation of this activity; the management of your academic record; administrative management; your identification as a user of Esade’s services and the facilitation of access to these services; the sending of information of interest; the processing, issuing and registration of degrees and the promotion and follow-up of job placement.

How long does Esade keep your personal data?

Data are deleted when they are no longer necessary for the purpose for which they were collected. The most important information (such as data accredited courses of study completed) is kept permanently. The criteria for the conservation or deletion of data are based on the regulation in force regarding public documentation or documentation derived from the exercise of public functions.

What are the legal grounds for Esade to process your data?

Your data are processed in order to perform a task carried out in the public interest, namely, the provision of higher education services. Some forms of processing – for example, disclosure to other institutions or public administrations – are carried out in compliance with the laws relating to universities, primarily Organic Law 6/2001, of 23rd December, on universities, Law 1/2003, of 19th February, on Catalan universities, and their implementing regulations.

Who else receives your personal data?

Data are disclosed to different institutions, always with explicit purposes and solely in a proportional manner – that is, only data which are essential to the fulfilment of this purpose are disclosed. For the purpose and recognition of the courses of study followed and the issuing of degrees, data are disclosed to Ramon Llull University. In compliance with the law, data are disclosed to insurers and banks for the purpose of administering payments. For internship purposes, we communicate with host companies and institutions. When part of a course of study takes place at another academic institution, we disclose data to said institution, as well as to quality and ranking institutions. With the student’s consent, data may be provided to professional entities and non-profit organisations.

Do other companies or institutions have access to the data?

Esade obtains services from private companies that contribute their experience and specialisation. In some cases, these external companies must access personal data controlled by Esade. Esade only contracts services with companies that are able to guarantee compliance with data protection regulations. At the time of contracting, such companies sign a confidentiality agreement and their activities are monitored. For example, certain data may be stored on the servers of specialised companies or public institutions that offer services to the university system of Catalonia. Likewise, information and data controlled by Esade is accessed by IT and software support companies, security firms, labour-law consultancies and accounting firms. Precise information about the companies providing these services can be obtained at any time by writing to dpo@esade.edu.

What rights do you have in relation to data processing?

Any person has the right to obtain information about whether Esade processes his or her personal data. If Esade does process the person’s data, the data subject has the right to know how Esade obtained his or her data (if not provided by the data subject), the purpose for which they are processed, any disclosures that have been made, and any disclosures foreseen in the future. The law recognises the data subject’s right to request access to his or her data, rectification of inaccurate data, or erasure of data, provided that said data are no longer necessary for the purposes for which they were collected and the obligation to keep said data no longer exists. In cases in which the processing of data is carried out solely on the grounds of the data subject’s consent, deletion is carried out immediately. In certain circumstances, data subjects may request restriction of the processing of their data; this right gives data subjects control over their data primarily for the purposes of correcting inappropriate processing and presenting claims in defence of the data subject’s rights.

How can you exercise or defend your rights?

By writing to the data protection officer at Avinguda Pedralbes, 60-62 (08034) Barcelona.

If you consider that your rights have not been properly addressed, you may submit a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). You may contact Esade’s data protection officer by email at any time by writing to: dpo@esade.edu .

Information Requests

Who is the data controller?

Fundación Esade, CIF G-59716761, with registered office at Avinguda Pedralbes, 60-62 (08034) Barcelona; Tel: +(34) 932806162, email: webmaster@esade.edu, www.esade.edu (hereinafter “Esade”). You can contact the data protection officer by writing to dpo@esade.edu

For what purpose does Esade process your personal data?

Esade processes your data in order to have a record of the people who, either individually or in their capacity as a representative of a legal entity, receive information about Esade’s activities, services and initiatives. These data allow Esade to manage these communications. This information can be sent by one or more of the communication channels used by Esade – for example, texts sent by email, publications, and notifications sent to mobile devices.

How long does Esade keep your personal data?

Personal data are kept until the data subject expresses a desire to stop receiving information. In the case of people who receive information in their capacity as a representative of a legal entity, the data may be deleted if the person ceases to act in such a capacity.

What are the legal grounds for Esade to process your data?

Data are processed with the consent of the recipient of the information, who may revoke this consent at any time. If you revoke consent, your data will be deleted immediately. The data of people included on the recipient list in their capacity as a representative of a legal entity are processed in order to perform a task carried out in the public interest, namely, guaranteeing Esade’s communication with other institutions.

Who else receives your personal data?

Personal data are not disclosed to third parties without the prior consent of the data subject; this consent must be explicitly expressed.

What rights do you have in relation to data processing?

Any person has the right to obtain information about whether Esade processes his or her personal data. If Esade does process the person’s data, the data subject has the right to know how Esade obtained his or her data (if not provided by the data subject) and for what purpose they are processed. In general, the law recognises the right of data subjects to request access to their personal data, rectification of inaccurate personal data or, if appropriate, erasure of personal data when the data are no longer necessary for the purposes for which they were collected and Esade is not required to store them. In the case of subscription to informational channels or services, erasure of personal data is carried out immediately after the data subject’s request is received. In certain circumstances, data subjects may request restriction of the processing of their data; this right gives data subjects control over their data primarily for the purposes of correcting inappropriate processing and presenting claims in defence of the data subject’s rights.

How can you exercise or defend your rights?

By writing to the DPO at Avinguda Pedralbes, 60-62 (08034) Barcelona.

If you consider that your rights have not been properly addressed, you may submit a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). You may contact Esade’s data protection officer by email at any time by writing to: dpo@esade.edu

Admissions Forms

Who is responsible for processing personal data?

Fundació Esade, with tax ID number, G-59716761; headquartered at Avinguda Pedralbes, 60-62, (08034) in Barcelona; telephone number, (34) 93 280 6162; e-mail address: webmaster@esade.edu; and website: www.esade.edu (hereafter, “Esade”). Affected parties may also contact the Esade Data Protection Delegate (DPD) by e-mail: dpo@esade.edu.

How and for what purposes does Esade process this data?

Esade gathers the affected parties’ personal data to register their applications for admission to Fundació Esade programmes. Based on the latter, it gathers the necessary data and documentation to assess if the candidates fulfil the requirements needed to be admitted to the programmes as well as determine their suitability. The data provided and those gathered through the admissions process will serve as the basis to evaluate if the candidates are accepted into the programmes. If accepted, said data will then be incorporated into students’ academic transcripts.

How long does Esade maintain this data?

Esade will eliminate the data once they’re no longer necessary to fulfil the purpose for which they were gathered. The most relevant data, such as accreditation for the degrees completed at Esade, will be kept permanently. The criteria used to determine if data should be eliminated or maintained are based on the currently valid norms regarding public documentation and/or those stemming from the exercise of public functions.

How does Esade legitimate this data processing?

Esade processes data based on the express decision of those requesting admission to its programmes. It processes their data prior to formalising a service relation between the parties. Said relation shall be formalised should candidates be admitted to the programme and in fulfilment of a public interest mission such as higher education. Esade carries out some processing, for example, communicating with other institutions or public administrations, in due compliance with the norms governing universities, primarily, Organic Law 6/2001, dated 23rd December, on universities, Law 1/2003, dated 19th February, on the universities in Catalonia, and their respective amendments.

To whom does Esade cede data?

Esade cedes data to different institutions for explicit aims and only proportionally, that is, ceding the data that are fundamental to fulfil said aims. Similarly, it cedes data to banking institutions for payment in due compliance with legal norms.

Do other companies or institutions have access to the data?

Esade contracts services from private companies for their experience and specialisation. On some occasions, some of these external companies have to access personal data under Esade’s care. Esade only contracts services from companies that guarantee their compliance with data protection norms. When contracting these firms, said companies’ confidentiality obligations are duly detailed, and Esade monitors their activity. For example, certain data may reside in servers contracted with specialised companies or public administrations that provide services to the university system in Catalonia. Similarly, some companies access information and data under Esade’s responsibility. These firms include those that provide computer support for the use of software programmes, security companies and labour-related and accounting consulting firms. For additional information on the companies that are currently offering these services, please feel free to send us an e-mail: dpo@esade.edu.

What rights do affected parties have in terms of their data?

Everyone has the right to receive confirmation that Esade is processing their personal data. If affirmative, they have the right to know where Esade obtained said data If the affected parties did not provide said data directly, in addition to the purpose for which the data were gathered and any cession of said data already carried out or foreseen. The Law recognises that the affected parties have the right to access their data as well as request that incorrect data be rectified or, if applicable, request they be eliminated when the data are no longer necessary for the purposes for which they were gathered and there are no legal obligations to maintain said data. Data have to be eliminated immediately when Esade processes the data solely based on the affected parties’ consent. In certain circumstances, the affected parties can also request limiting the processing of their data, a right entitling them to monitor their data, particularly in terms of their inappropriate processing, and to present any complaints in defence of their rights.

How can the affected parties exercise or defend their rights?

They can write to Esade’s Data Protection Delegate (DPD): Avinguda Pedralbes, 60-62, 08034, Barcelona - Spain.

If someone feels that their rights have not been duly respected, they may file a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). Affected parties may also write to Esade’s Data Protection Delegate (DPD) at any given time via e-mail: dpo@esade.edu.

Donations Forms

Who is responsible for processing personal data?

The entity responsible for processing data is Fundació Esade (hereafter, “Esade”), with headquarters in Barcelona (Avinguda Pedralbes 60-62, 08034 – Barcelona), fiscal ID G-59716761, telephone number, (34) 932 806 162, and e-mail address, webmaster@esade.edu. Affected parties may contact the Data Protection Delegate (DPD) by sending an e-mail to: dpo@esade.edu.

For what ends does Esade process this data?

Esade registers personal data to manage donations, that is, to register, enter into the books and accredit donations as well as to contact donors to provide them transparent information about how donations to Esade are assigned and managed as well as to invite them to events related to their donations.

Donors’ name and surnames will be published in the Annual Report of Donations, Fundacion Esade Annual Report, the “Wall of Donors” and other material related to donations, with their consent.

How long does Esade store this data?

Esade stores this data for 10 years in keeping with Law 10/2010, dated 28th April, on the prevention of money laundering and the funding of terrorist activity. Esade shall store donors’ personally identifiable data beyond this time solely with their consent.

How does Esade legally justify this data processing?

Esade undertakes this data processing based on the donor’s decision to freely donate any asset or right to Fundació Esade. Esade shall process said data in fulfilment of a public interest mission and in keeping with legal obligations, primarily those detailed in Law 49/2002, dated 23rd December, on the fiscal regime governing not-for-profit organisations and fiscal incentives for patronage and other complementary laws, as well as, if applicable, Law 10/2010, dated 28th April, on the prevention of money laundering and the funding of terrorist activity and other complementary laws.

To whom does Esade cede data?

In due fulfilment of legal norms, Esade communicates said data to banking institutions for payment purposes, the competent tax authorities and, if applicable, SEPBLAC.

Do other companies or institutions have access to the data?

Esade contracts services from private companies for their experience and specialisation. On some occasions, some of these external companies have to access personal data under Esade’s care. Esade only contracts services from companies that guarantee their compliance with data protection norms. When contracting these firms, said companies’ confidentiality obligations are duly detailed, and Esade monitors their activity. For example, certain data may reside in servers contracted with specialised companies or public administrations that provide services to the university system in Catalonia. Similarly, some companies access information and data under Esade’s responsibility. These firms include those that provide computer support for the use of software programmes, security companies and labour-related and accounting consulting firms. For additional information on the companies that are currently offering these services, please feel free to send us an e-mail: dpo@esade.edu.

What rights do people have in terms of data processing?

Everyone has the right to receive confirmation that Esade is processing their personal data. If affirmative, they have the right to know where Esade obtained said data If the affected parties did not provide said data directly, in addition to the purpose for which the data were gathered and any cession of said data already carried out or foreseen. The Law recognises that the affected parties have the right to access their data as well as request that incorrect data be rectified or, if applicable, request they be eliminated when the data are no longer necessary for the purposes for which they were originally gathered and there are no legal obligations to maintain said data. Data have to be eliminated immediately when Esade processes the data solely based on the affected parties’ consent. In certain circumstances, the affected parties can also request limiting the processing of their data, a right entitling them to monitor their data, particularly in terms of their inappropriate processing, and to present any complaints in defence of their rights.

How can the affected parties exercise and defend their rights?

Affected parties can write to Esade’s Data Protection Delegate (DPD): Avinguda Pedralbes, 60-62, 08034, Barcelona - Spain.

If someone feels that their rights have not been duly respected, they may file a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). Affected parties may also write to Esade’s Data Protection Delegate (DPD) at any given time via e-mail: dpo@esade.edu