Personal Data Protection

People first have the right to know if we are processing their data, regardless if a prior relation exists with them.

When we gather personal data from the affected parties, they have to be clearly informed about the purposes for which their data are gathered, who is in charge of their processing and other key issued related to this processing.

This is a very broad right which includes knowing exactly what personal data are being processed, for what purposes, to whom they are ceded (if applicable) and the right to obtain a copy of said data and know how long their data will be stored.

Affected parties have the right to demand we modify any inexact data we are currently processing.

In specific cases, affected parties have the right to request we eliminate their data altogether. Amongst other motives, this can include when said data are no longer needed for the purposes for which they were originally gathered and which justified their processing.

Similarly, in specific cases, affected parties have the right to request limiting the processing of their data. In these cases, we will no longer process their data and we will only store them to process or defend ourselves against complaints, in keeping with the General Data Protection Regulation.

In certain cases, norms recognise the right of affected parties to obtain a copy of their personal data in a machine-readable and commonly used format to then be able to transmit said data to another party for their processing if the affected parties so decide.

The affected parties may refer to motives related to their particular situations so that we no longer process their data insofar as it is harmful to them. This shall not apply if there are legitimate motives or in the case of exercising or defending ourselves against complaints.

We will immediately respect requests from affected parties who no longer want to receive information about our activities and services so long as said information is sent to the recipients based solely on their consent.

Who is the data controller?

Fundación Esade, CIF G-59716761, with registered office at Avinguda Pedralbes, 60-62 (08034) Barcelona; Tel: +(34) 932806162, email: webmaster@esade.edu, www.esade.edu (hereinafter “Esade”). You can contact the data protection officer by writing to dpo@esade.edu.

For what purpose does Esade process your personal data?

Esade processes your data in order to keep a record of your enrolment and, on this basis, to provide the higher education services you have requested. The data provided, as well as any data resulting from the academic activity, will serve as the basis for the evaluation of this activity; the management of your academic record; administrative management; your identification as a user of Esade’s services and the facilitation of access to these services; the sending of information of interest; the processing, issuing and registration of degrees and the promotion and follow-up of job placement.

How long does Esade keep your personal data?

Data are deleted when they are no longer necessary for the purpose for which they were collected. The most important information (such as data accredited courses of study completed) is kept permanently. The criteria for the conservation or deletion of data are based on the regulation in force regarding public documentation or documentation derived from the exercise of public functions.

What are the legal grounds for Esade to process your data?

Your data are processed in order to perform a task carried out in the public interest, namely, the provision of higher education services. Some forms of processing – for example, disclosure to other institutions or public administrations – are carried out in compliance with the laws relating to universities, primarily Organic Law 6/2001, of 23rd December, on universities, Law 1/2003, of 19th February, on Catalan universities, and their implementing regulations.

Who else receives your personal data?

Data are disclosed to different institutions, always with explicit purposes and solely in a proportional manner – that is, only data which are essential to the fulfilment of this purpose are disclosed. For the purpose and recognition of the courses of study followed and the issuing of degrees, data are disclosed to Ramon Llull University. In compliance with the law, data are disclosed to insurers and banks for the purpose of administering payments. For internship purposes, we communicate with host companies and institutions. When part of a course of study takes place at another academic institution, we disclose data to said institution, as well as to quality and ranking institutions. With the student’s consent, data may be provided to professional entities and non-profit organisations.

Do other companies or institutions have access to the data?

Esade obtains services from private companies that contribute their experience and specialisation. In some cases, these external companies must access personal data controlled by Esade. Esade only contracts services with companies that are able to guarantee compliance with data protection regulations. At the time of contracting, such companies sign a confidentiality agreement and their activities are monitored. For example, certain data may be stored on the servers of specialised companies or public institutions that offer services to the university system of Catalonia. Likewise, information and data controlled by Esade is accessed by IT and software support companies, security firms, labour-law consultancies and accounting firms. Precise information about the companies providing these services can be obtained at any time by writing to dpo@esade.edu.

What rights do you have in relation to data processing?

Any person has the right to obtain information about whether Esade processes his or her personal data. If Esade does process the person’s data, the data subject has the right to know how Esade obtained his or her data (if not provided by the data subject), the purpose for which they are processed, any disclosures that have been made, and any disclosures foreseen in the future. The law recognises the data subject’s right to request access to his or her data, rectification of inaccurate data, or erasure of data, provided that said data are no longer necessary for the purposes for which they were collected and the obligation to keep said data no longer exists. In cases in which the processing of data is carried out solely on the grounds of the data subject’s consent, deletion is carried out immediately. In certain circumstances, data subjects may request restriction of the processing of their data; this right gives data subjects control over their data primarily for the purposes of correcting inappropriate processing and presenting claims in defence of the data subject’s rights.

How can you exercise or defend your rights?

By writing to the data protection officer at Avinguda Pedralbes, 60-62 (08034) Barcelona.

If you consider that your rights have not been properly addressed, you may submit a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). You may contact Esade’s data protection officer by email at any time by writing to: dpo@esade.edu .

Who is the data controller?

Fundación Esade, CIF G-59716761, with registered office at Avinguda Pedralbes, 60-62 (08034) Barcelona; Tel: +(34) 932806162, email: webmaster@esade.edu, www.esade.edu (hereinafter “Esade”). You can contact the data protection officer by writing to dpo@esade.edu

For what purpose does Esade process your personal data?

Esade processes your data in order to have a record of the people who, either individually or in their capacity as a representative of a legal entity, receive information about Esade’s activities, services and initiatives. These data allow Esade to manage these communications. This information can be sent by one or more of the communication channels used by Esade – for example, texts sent by email, publications, and notifications sent to mobile devices.

How long does Esade keep your personal data?

Personal data are kept until the data subject expresses a desire to stop receiving information. In the case of people who receive information in their capacity as a representative of a legal entity, the data may be deleted if the person ceases to act in such a capacity.

What are the legal grounds for Esade to process your data?

Data are processed with the consent of the recipient of the information, who may revoke this consent at any time. If you revoke consent, your data will be deleted immediately. The data of people included on the recipient list in their capacity as a representative of a legal entity are processed in order to perform a task carried out in the public interest, namely, guaranteeing Esade’s communication with other institutions.

Who else receives your personal data?

Personal data are not disclosed to third parties without the prior consent of the data subject; this consent must be explicitly expressed.

What rights do you have in relation to data processing?

Any person has the right to obtain information about whether Esade processes his or her personal data. If Esade does process the person’s data, the data subject has the right to know how Esade obtained his or her data (if not provided by the data subject) and for what purpose they are processed. In general, the law recognises the right of data subjects to request access to their personal data, rectification of inaccurate personal data or, if appropriate, erasure of personal data when the data are no longer necessary for the purposes for which they were collected and Esade is not required to store them. In the case of subscription to informational channels or services, erasure of personal data is carried out immediately after the data subject’s request is received. In certain circumstances, data subjects may request restriction of the processing of their data; this right gives data subjects control over their data primarily for the purposes of correcting inappropriate processing and presenting claims in defence of the data subject’s rights.

How can you exercise or defend your rights?

By writing to the DPO at Avinguda Pedralbes, 60-62 (08034) Barcelona.

If you consider that your rights have not been properly addressed, you may submit a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). You may contact Esade’s data protection officer by email at any time by writing to: dpo@esade.edu

Who is responsible for processing personal data?

Fundació Esade, with tax ID number, G-59716761; headquartered at Avinguda Pedralbes, 60-62, (08034) in Barcelona; telephone number, (34) 93 280 6162; e-mail address: webmaster@esade.edu; and website: www.esade.edu (hereafter, “Esade”). Affected parties may also contact the Esade Data Protection Delegate (DPD) by e-mail: dpo@esade.edu.

How and for what purposes does Esade process this data?

Esade gathers the affected parties’ personal data to register their applications for admission to Fundació Esade programmes. Based on the latter, it gathers the necessary data and documentation to assess if the candidates fulfil the requirements needed to be admitted to the programmes as well as determine their suitability. The data provided and those gathered through the admissions process will serve as the basis to evaluate if the candidates are accepted into the programmes. If accepted, said data will then be incorporated into students’ academic transcripts.

How long does Esade maintain this data?

Esade will eliminate the data once they’re no longer necessary to fulfil the purpose for which they were gathered. The most relevant data, such as accreditation for the degrees completed at Esade, will be kept permanently. The criteria used to determine if data should be eliminated or maintained are based on the currently valid norms regarding public documentation and/or those stemming from the exercise of public functions.

How does Esade legitimate this data processing?

Esade processes data based on the express decision of those requesting admission to its programmes. It processes their data prior to formalising a service relation between the parties. Said relation shall be formalised should candidates be admitted to the programme and in fulfilment of a public interest mission such as higher education. Esade carries out some processing, for example, communicating with other institutions or public administrations, in due compliance with the norms governing universities, primarily, Organic Law 6/2001, dated 23rd December, on universities, Law 1/2003, dated 19th February, on the universities in Catalonia, and their respective amendments.

To whom does Esade cede data?

Esade cedes data to different institutions for explicit aims and only proportionally, that is, ceding the data that are fundamental to fulfil said aims. Similarly, it cedes data to banking institutions for payment in due compliance with legal norms.

Do other companies or institutions have access to the data?

Esade contracts services from private companies for their experience and specialisation. On some occasions, some of these external companies have to access personal data under Esade’s care. Esade only contracts services from companies that guarantee their compliance with data protection norms. When contracting these firms, said companies’ confidentiality obligations are duly detailed, and Esade monitors their activity. For example, certain data may reside in servers contracted with specialised companies or public administrations that provide services to the university system in Catalonia. Similarly, some companies access information and data under Esade’s responsibility. These firms include those that provide computer support for the use of software programmes, security companies and labour-related and accounting consulting firms. For additional information on the companies that are currently offering these services, please feel free to send us an e-mail: dpo@esade.edu.

What rights do affected parties have in terms of their data?

Everyone has the right to receive confirmation that Esade is processing their personal data. If affirmative, they have the right to know where Esade obtained said data If the affected parties did not provide said data directly, in addition to the purpose for which the data were gathered and any cession of said data already carried out or foreseen. The Law recognises that the affected parties have the right to access their data as well as request that incorrect data be rectified or, if applicable, request they be eliminated when the data are no longer necessary for the purposes for which they were gathered and there are no legal obligations to maintain said data. Data have to be eliminated immediately when Esade processes the data solely based on the affected parties’ consent. In certain circumstances, the affected parties can also request limiting the processing of their data, a right entitling them to monitor their data, particularly in terms of their inappropriate processing, and to present any complaints in defence of their rights.

How can the affected parties exercise or defend their rights?

They can write to Esade’s Data Protection Delegate (DPD): Avinguda Pedralbes, 60-62, 08034, Barcelona - Spain.

If someone feels that their rights have not been duly respected, they may file a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). Affected parties may also write to Esade’s Data Protection Delegate (DPD) at any given time via e-mail: dpo@esade.edu.

Who is responsible for processing personal data?

The entity responsible for processing data is Fundació Esade (hereafter, “Esade”), with headquarters in Barcelona (Avinguda Pedralbes 60-62, 08034 – Barcelona), fiscal ID G-59716761, telephone number, (34) 932 806 162, and e-mail address, webmaster@esade.edu. Affected parties may contact the Data Protection Delegate (DPD) by sending an e-mail to: dpo@esade.edu.

For what ends does Esade process this data?

Esade registers personal data to manage donations, that is, to register, enter into the books and accredit donations as well as to contact donors to provide them transparent information about how donations to Esade are assigned and managed as well as to invite them to events related to their donations.

Donors’ name and surnames will be published in the Annual Report of Donations, Fundacion Esade Annual Report, the “Wall of Donors” and other material related to donations, with their consent.

How long does Esade store this data?

Esade stores this data for 10 years in keeping with Law 10/2010, dated 28th April, on the prevention of money laundering and the funding of terrorist activity. Esade shall store donors’ personally identifiable data beyond this time solely with their consent.

How does Esade legally justify this data processing?

Esade undertakes this data processing based on the donor’s decision to freely donate any asset or right to Fundació Esade. Esade shall process said data in fulfilment of a public interest mission and in keeping with legal obligations, primarily those detailed in Law 49/2002, dated 23rd December, on the fiscal regime governing not-for-profit organisations and fiscal incentives for patronage and other complementary laws, as well as, if applicable, Law 10/2010, dated 28th April, on the prevention of money laundering and the funding of terrorist activity and other complementary laws.

To whom does Esade cede data?

In due fulfilment of legal norms, Esade communicates said data to banking institutions for payment purposes, the competent tax authorities and, if applicable, SEPBLAC.

Do other companies or institutions have access to the data?

Esade contracts services from private companies for their experience and specialisation. On some occasions, some of these external companies have to access personal data under Esade’s care. Esade only contracts services from companies that guarantee their compliance with data protection norms. When contracting these firms, said companies’ confidentiality obligations are duly detailed, and Esade monitors their activity. For example, certain data may reside in servers contracted with specialised companies or public administrations that provide services to the university system in Catalonia. Similarly, some companies access information and data under Esade’s responsibility. These firms include those that provide computer support for the use of software programmes, security companies and labour-related and accounting consulting firms. For additional information on the companies that are currently offering these services, please feel free to send us an e-mail: dpo@esade.edu.

What rights do people have in terms of data processing?

Everyone has the right to receive confirmation that Esade is processing their personal data. If affirmative, they have the right to know where Esade obtained said data If the affected parties did not provide said data directly, in addition to the purpose for which the data were gathered and any cession of said data already carried out or foreseen. The Law recognises that the affected parties have the right to access their data as well as request that incorrect data be rectified or, if applicable, request they be eliminated when the data are no longer necessary for the purposes for which they were originally gathered and there are no legal obligations to maintain said data. Data have to be eliminated immediately when Esade processes the data solely based on the affected parties’ consent. In certain circumstances, the affected parties can also request limiting the processing of their data, a right entitling them to monitor their data, particularly in terms of their inappropriate processing, and to present any complaints in defence of their rights.

How can the affected parties exercise and defend their rights?

Affected parties can write to Esade’s Data Protection Delegate (DPD): Avinguda Pedralbes, 60-62, 08034, Barcelona - Spain.

If someone feels that their rights have not been duly respected, they may file a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). Affected parties may also write to Esade’s Data Protection Delegate (DPD) at any given time via e-mail: dpo@esade.edu.