Personal data protection

This document explains the the Ramon Llull University Foundation's data protection policy, which is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the General Data Protection Regulation). The fundamental aspects are summarised below.

Who is responsible for processing personal data?

The party responsible for data processing is the Ramon Llull University Foundation, tax number G-59069740, domiciled at Carrer Claravall, 1-3, Barcelona (Post Code 08022), registered in the Registry of Private Foundations of the Generalitat de Catalunya, under number 472 in the Registry.

The Foundation is the owner of the Ramon Llull University and comprises the following federated institutions:

  • Sarrià Chemical Institute CETS Private Foundation
  • Blanquerna Foundation
  • La Salle-FUNITEC University and Technology Foundation
  • Esade Foundation
  • Pere Tarrés Foundation
  • Ebro Observatory Foundation
  • Vidal i Barraquer Foundation
  • Borja Institute of Bioethics

What is the role of the Data Protection Officer?

The Data Protection Officer (DPO) is the person who oversees compliance with our data protection policy, ensuring that individual rights are properly treated and protected. Its functions include dealing with any doubt, suggestion, complaint or claim from subjects whose data are processed. You can contact the Data Protection Officer by writing to our postal address or telephone or directly to the email address dpd@url.edu.

For what purpose do we process the data?

We process personal data primarily to provide academic services, send communications related to our activities and services and develop business relationships with our suppliers. The main purposes are listed below.

  • Academic management. The institutions comprising the Ramon Llull University send us information about students and teaching staff to enable us to perform the procedures established in the university regulations, which include recognition of the studies and the teaching activity performed.
  • Contact. We process data to attend enquiries by people who use the contact forms on our website. They are used for this purpose only.
  • Information on activities and services. We use contact information to send information about our services and activities with the explicit authorisation of each person concerned.
  • Management of our suppliers’ data. We record and process the data of the suppliers from which we obtain services or goods. We obtain the data that are essential for maintaining the business relationship and we use them solely for this purpose.
  • Video surveillance. When applicable, we inform users at the entrance to our facilities whether video surveillance cameras are installed, using the approved signage. The cameras record images only of the points in which this is justified, in order to guarantee the security of property and people, and the images are used solely for this purpose.
  • Other data-collection channels. We also collect data through face-to-face relationships and other channels such as receiving emails. In all cases data are used only for the explicit purposes that justify their collection and processing.

How do we obtain the data?

In the previous section we mentioned some of the sources of the data that we process. In most cases the data come directly from the interested parties, and we obtain them mainly through the forms prepared for that purpose. We also obtain data from the schools and faculties comprising the Ramon Llull University to perform the actions provided for in the management contract signed with the corresponding federated institution. A more limited volume of data may come from public administrations competent in the field of higher education or other academic institutions.

What is legal legitimacy of the data processing?

The data processing operations that we perform are based on various legal foundations, depending on the nature of each operation.

  • For the provision of services at the schools and faculties making up the URL. The legal basis of this processing is Organic Law 6/2001 of 23 December 2001 on universities, Law 1/2003 of 19 February 2003 on universities of Catalonia, and their implementing regulations.
  • In compliance with a contractual or pre-contractual relationship. This is the legal basis on which we process data from service providers.
  • In compliance with legal obligations. The provision of higher education services determines that we must comply with different standards that entail data processing. In this connection, we communicate data to carry out the procedures for the recognition and issuance of the qualifications corresponding to the studies imparted. We communicate data to the tax administration also in compliance with legal obligations (tax regulations).
  • Based on consent. When we send information about our activities or services we use contact details with the explicit consent of the person who will receive such information.
  • In legitimate interest. The images that we obtain via the video surveillance cameras are processed in the legitimate interest of our institution to preserve its property and facilities.

To whom are the data communicated?

As a general rule, we communicate data only in compliance with legal obligations. In the preceding sections we explained the communications regarding data on our students, which are necessary for us to provide educational services, and on our customers and suppliers, as part of the performance of economic and commercial relations. Contact details can be communicated to other institutions provided that the interested party has authorised this.

How long do we keep the data?

Data are essentially kept for as long as they are required to fulfil the purposes for which they were collected, in each case. Consequently, the data must be kept for as long as necessary to preserve their legal or information value and to prove compliance with the legal obligations, but for no longer than necessary for processing purposes. For information accrediting the training received by students, data are held permanently to preserve the rights of these students.

In certain cases, for example in accounting and billing documentation, tax regulations compel these data to be kept until the expiry of liabilities in this area. The rules governing the foundations specify that certain accounting data will be kept for ten years (in compliance with Law 10/2010 of 28 April 2010).

Data processed exclusively on the basis of consent by the data subject are kept until that person revokes their consent.

Finally, images obtained by video surveillance cameras are kept for a maximum of one month, although they may kept for as long as necessary to facilitate the work of the police and security forces or of the judiciary in the event of any incident that  justifies this.

The rules governing the keeping of public documents, and the opinions of the qualifying committees, are a determining factor when deciding on whether to keep or delete data linked to the exercise of public interest services.

What are the rights of subjects whose data we process?

Pursuant to the General Data Protection Regulation, subjects whose data we process have the right:

  • To know whether data are processed. The right to know whether we process their data.
  • To be informed on data collection. At the time they provide their data, subjects must be informed of the purposes for which their data will be used, who will be responsible for processing and the main aspects deriving from this processing.
  • To access their data. The right to know what personal data are processed, for what purpose, communications made to other people, the right to obtain a copy and to know for how long they will be kept.
  • To request rectification. The right to rectify any inaccurate data.
  • To request deletion. In certain circumstances there is also a right to request that data be deleted, for example when data are not required for the purposes for which they were collected.
  • To request limited processing. In certain circumstances, the right to request limited processing of the data is also recognised. In this case they will no longer be processed and will be retained only for the exercise or defence of claims.
  • To portability. The right to obtain their own personal data in a structured format that can be commonly machine-read, and to send these data to another person responsible if the data subject so decides.
  • To oppose processing. Data subjects can put forward reasons related to their particular situation, which will stop their data being processed if such processing is detrimental to them, except for legitimate reasons or the exercise or defence against claims.

How can these rights be exercised or defended?

The rights that we have just listed can be exercised by sending a request to the Ramon Llull University to the postal address or the other contact details listed in the heading.

If data subjects fail to receive a satisfactory response in the exercise of their rights, they may file a complaint with the Catalan Data Protection Authority, using the forms or other channels accessible from its website (www.apd.cat).

In all cases, either by filing complaints, requesting clarification or sending suggestions, the Data Protection Officer can be contacted by sending an e-mail to dpd@url.edu.

Specific policies