Privacy Policy
Actualizada el 08/03/2021
1. Web analytics for statistical, functional and educational purposes
The manager analyzes people's browsing and behavior in order to understand how its tools are used and adapt them to their needs, as well as to improve its communication, marketing and customer service activities.
Responsible | Independent managers in the virtual classroom and in the communications made to PDI (Teaching and Research Staff) and PAS (Administration and Services Staff) for needs related to the fulfillment of the contract, as well as in other means of communication that they manage independently: ESIC and FESIC. Independent responsible for the analysis of data extracted by the opening and actions through e-mails. Co-responsible for their own common communication channels (same web): ESIC (main) and FESIC. |
Legal basis | In the case of PDI and PAS and only to the extent justified by the performance of the contract, the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). In all other cases, including ESIC Play, the data subject consented to the processing of his or her personal data for one or more specific purposes (art. 6.1.a of the GDPR). In order to obtain these consents, the data subject will be informed separately from any purchase-sale contract, general terms and conditions or service contract. This processing is carried out on navigation data extracted from the website, apps, etc. |
Treatment purposes | In the event that the analytical processing is based on the execution of a contract, the analytics necessary for the execution of the contract will be carried out: in the case of the PDI, it will be analyzed, for example, the number of times that each one has accessed the documentation of the virtual classroom or if they download it, to know and promote their learning activity; and in the case of the PAS, the responsible may obtain, for example, the acknowledgment of receipt that they have accessed the information security communications that the responsible sends them, without any additional processing being carried out for this reason. In all other cases, where prior acceptance by the data subject is required, the purpose of the analytical processing of personal data will be:
|
Collective | Users who access websites, applications, or social profiles managed by the controller, as well as those who open or respond to communications sent by the controller. |
Data categories | The analytics service providers aggregate the data they obtain to provide the data controller with quantitative information on the browsing and behavior of individuals, without being able to identify the specific individual. The data processed are:
|
Target Category | No data communications are foreseen. Data processors:
|
International Transf. | The data controller is Google Ireland and subcontractor Google LLC, 1600 Amphitheatre Parkway Mountain View, CA USA. Security measure: data protection agreement with standard clauses through Google Workspace (formerly GSuite). https://privacy.google.com/businesses/processorterms/
|
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as the person responsible for it executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
2. Basic profiling by the person responsible for advertising purposes.
Tagging of users based on their activity on the website, on the sites and through advertising creatives in order to send them advertising and promotional content tailored to their preferences.
Responsible | Independent directors: ESIC and FESIC. |
Legal basis | The data subject consented to the processing of his or her personal data for one or more specific purposes (art. 6.1.a of the GDPR). ESIC Play included. In order to obtain these consents, the data subject will be informed separately to any purchase-sale contract, general terms and conditions or service contract and in the same way will be obtained. |
Treatment purposes | Tagging of users based on their activity on the website, on the sites and through advertising creatives in order to send them advertising and promotional content tailored to their preferences. |
Collective |
|
Data categories |
|
Target Category | No transfer of data is foreseen. Data Processor:
|
International Transf. | No international transfers are planned |
Deadline for deletion | Until the data subject requests the cancellation or deletion of his or her data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
3. Commercial activity and sending of advertising and promotional communications.
Sending personalized messages with advertising and promotional content.
Responsible | Independent managers: ESIC AND FESIC |
Legal basis |
|
Treatment purposes | Sending of advertising or promotional communications by electronic, postal and telephone means. |
Collective | Clients and persons interested in the activities and information about the activities, products and services of the responsible party or the contents it creates, publishes or promotes:
|
Data categories |
|
Target Category | No transfer of personal data is foreseen. Data processors:
|
International Transf. | International transfers to data processors are foreseen. |
Deadline for deletion |
|
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
4. Educational or sectorial valuation surveys and market studies.
The manager carries out surveys and consultations to prepare reports on different areas and subjects; to learn about the performance of teaching professionals and programs; and to learn about the satisfaction of students and participants in the manager's programs and activities. For this purpose, it sometimes needs to know the data of the participant in the survey, so that it can link the information to the person, without prejudice to the fact that in most cases it can anonymize the information by means, among other techniques, of data aggregation.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | Data collection and management:
|
Treatment purposes | Data collection and management for:
|
Collective |
|
Data categories |
|
Target Category | No transfer of personal data is foreseen |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from this purpose and the processing of the data. Assessments on teachers will be attached to their employee file. |
Additional information | No se requiere para este tratamiento, por los datos tratados y tal y como su responsable lo ejecuta, conforme a lo dispuesto en el artículo 35 del RGPD y en el artículo 28 de la LOPD. A pesar de no ser necesaria se ha elaborado una EIPD. Los procesos de anonimización quedarán documentados antes de iniciarse, con el objetivo de garantizar la irreversibilidad. |
5. Management of the contractual relationship for physical and electronic commerce (among others, books, backpacks, courses, degrees and postgraduate studies).
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). Specifically, that relating to the purchase and sale of products or services at retail. |
Treatment purposes | For the sale of products and services, both in the online store and through face-to-face transactions, data is collected for the following purposes:
|
Collective |
|
Data categories | Identification data: name and surname, ID card number, e-mail address, physical address, telephone number. |
Target Category | Financial entities. Tax Administration. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | The data will be kept for the time necessary to fulfill the purpose for which they were collected and to determine any possible liabilities that may arise from said purpose and the processing of the data, in accordance with Law 58/2003, of December 17, General Tax Law, in addition to the periods established in the archives and documentation regulations. 5 years under the Civil Code (art. 1964) for personal actions without special term and, when processing, 10 years under the Law for the Prevention of Money Laundering and Financing of Terrorism (art. 25). |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
6. Promotions: contests and sweepstakes
The person in charge promotes its activities (teaching, research and others) through raffles, sweepstakes and other random combination games for advertising or promotional purposes, as well as through other non-random actions such as direct gifts and juried contests.
This processing activity is related, as indicated in the bases, to the activities of taking and using photographs and videos, as well as sending advertising and promotional commercial communications.
Responsible | Separate responsible parties: ESIC and FESIC |
Legal basis |
|
Treatment purposes |
|
Collective |
|
Data categories |
|
Target Category |
|
International Transf. | No international transfers of personal data are foreseen |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. Other related processing activities (access them for more information):
|
7. Photography, video and voice recording for teaching, personal brand enhancement or commercial purposes.
Photography and image and/or voice recording for (1) teaching activities and the creation of student or employee records; (2) publication in promotional books, lectures and virtual classroom; and for (3) advertising or promotional purposes of the person in charge.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | In the case of PDI (Teaching and Research Staff) and PAS (Administration and Services Staff), in relation to the management of their file, accreditations or other specific cases, and in the case of speakers at events and congresses, the processing is necessary for the performance of a contract to which the data subject is a party or for the application of pre-contractual measures at the request of the data subject (art. 6.1.b of the General Data Protection Regulation). For the case of recordings and broadcasts of attendees' speeches at specific events, the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child (art. 6.1.f of the General Data Protection Regulation). The activation of the camera during online classes can generally be considered a lawful processing, given the obligation of educational institutions to ensure and guarantee the educational function in relation to the students concerned and the fulfillment of a mission in the public interest (ex. art. 6.1.e) RGPD), and the provisions established by the health and educational authorities in the context of pandemic, without requiring the consent of the data subjects. In any case, the principle of proportionality must be taken into account. All this also in accordance with the CNS Opinion 11/2021 of the Catalan Data Protection Authority. Express consent, both for the collection and for other purposes, as set forth in:
|
Treatment purposes | Taking photographs and recording images and voice for:
|
Collective |
|
Data categories |
|
Target Category | The data will be published on the pages and websites of the data controller and disclosed to the media, when consent has been obtained from the data subject for such processing or, where appropriate, when it is necessary for the performance of a contract to which the data subject is a party or when it is necessary to satisfy the above-mentioned legitimate interest of the data controller. No other transfers of personal data are foreseen. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | Data collected for teaching activities or for contractual purposes will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from this purpose and from the processing of the data. In all other cases, the processing of personal data will be maintained until the user withdraws his consent. In the event that the data have been published on third party websites or in media outside the controller, the exercise of the rights may result in the impossibility of effectively deleting the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
8. Extracurricular experience and sports
Extracurricular activities, such as visits to museums and third-party companies or registration in popular races (Carrera Empresas ESIC Virtual). Activities may be restricted to a specific group.
Responsible | Separate responsible parties: ESIC and FESIC |
Legal basis | The data controller processes personal data on the following bases of legitimacy:
|
Treatment purposes | Control of attendance to the activities. Transfer of data to the collaborating manager and third parties, when necessary for the execution of the contract. Transfer of data to other data controllers, with the authorization of the interested party. |
Collective |
|
Data categories | Main identification data: Name and surname; user's name Other data: DNI, NIF or identification document; physical or electronic address; signature; telephone and sector of activity. |
Target Category | Collaborating company, depending on the activity. Data processors:
|
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. Subject to the consent of the person registering, the data may be kept for future actions. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
9. Management of Students with Special Education Needs
This treatment is additional and complementary to that of student management, as well as to the rest applicable to students, and aims to provide a learning environment based on equal opportunities and equity, closer and more adapted to all needs.Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). |
Treatment purposes | To guarantee equality of conditions in learning activities, taking into account special educational needs.
|
Collective | Students Contact person (when legally applicable): father, mother or legal guardian |
Data categories | Identifying data:
|
Target Category | No transfer of personal data is foreseen. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | The data will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | An EIPD is required. |
10. Scholarship management
Study, evaluation and management of scholarships and grants offered and awarded to ESIC students.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for compliance with a legal obligation applicable to the controller (art. 6.1.c of the GDPR). The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. 6.1.e of the GDPR). |
Treatment purposes | Study, evaluation and management of scholarships and study grants announced by ESIC or other entities, which have been offered and granted to ESIC students. |
Collective |
|
Data categories | Identification data: Name and Surname, DNI/NIF/NIE/Passport, S.S. No., Health Card, Address (postal or electronic), Telephone (landline or mobile), Personal data: marital status, age, family data, sex, date of birth, nationality, place of birth, mother tongue. Data relating to social circumstances: accommodation, housing, property, possessions; hobbies and lifestyle, membership of clubs, associations, licenses, permits, authorizations. Academic and professional data: education, qualifications, student record, professional experience, membership of professional bodies or associations. Economic data of both the student and his/her family unit (IRPF), financial data and insurance data - income, income, credits, loans, guarantees, bank data, data on tax deductions, subsidies, benefits, etc. Data related to transactions of goods and services |
Target Category | Administration of the State Administration of the Autonomous Community Administration Tax Administration Financial entities. Data will be transferred to third parties expressly indicated in the first layer notice, as required by the purpose in each case. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
11. Student Academic Management - Student Profile
Management of the student's profile to monitor their attendance to the different teaching activities and, through tests, the quality of their learning.
This treatment is carried out on all types of students: undergraduate, graduate, with and without special needs, language students, and whether they are only students or also teachers (professors or associate professors) or workers in any category, whether employed or external.
This processing activity is linked to other activities of the data controller, such as analytical, commercial, extracurricular, etc. activities.
Responsible | Independent managers: ESIC and FESIC |
Legal basis |
|
Treatment purposes |
|
Collective |
|
Data categories |
|
Target Category | No transfer of data is foreseen |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | ? It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. ? It is required to perform an EIPD. |
12. Library management
Management and control of access to the library and lending of publications and books deposited in the library.
Responsible | ESIC |
Legal basis | For access to the library and the lending of books, the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). For the functional analysis of the use of the library, the processing is necessary for the satisfaction of this legitimate interest pursued by the controller (art. 6.1.f of the GDPR). |
Treatment purposes | Management and control of access to the library and loans of books or publications deposited in the library of the person in charge. Functional analysis of the use of the library by each of its users, in order to know whether or not use is made of the facilities and related resources and, if so, which ones should be maintained and which ones should be improved or changed. The person in charge may withdraw permission to access the library from any person who requests it or who does not use it during the period established in the conditions of use, provided that he/she does not have a contractual relationship with ESIC or FESIC. |
Collective |
|
Data categories |
|
Target Category | Pozuelo de Alarcón City Council, Madrid |
International Transf. | No international transfer of data is foreseen. |
Deadline for deletion | Service user data will be kept in the system indefinitely as long as the interested party does not request its deletion. Loan data will be cancelled once the loan has been completed. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
13. Counseling and Coaching - Professional Development Unit (UDP)
One of the services offered by the Professional Development Unit (PDU) to students and alumni is "counseling and coaching".
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). This service is offered under the training services contract that the student has formalized with ESIC or FESIC. |
Treatment purposes | Mentoring and advising students and alumni for their professional development. |
Collective | Alumni Alumni |
Data categories |
|
Target Category | External professionals: Mentors and coaches. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
14. Advice to entrepreneurs - Entrepreneurship Acceleration Bootcamp online
Bootcamp online Entrepreneurship Acceleration is a program of advice and promotion of projects for entrepreneurs.
Responsible | ESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). This service is offered under the agreement to be formalized to participate in the Entrepreneurship Acceleration Online Bootcamp. |
Treatment purposes | Mentoring and advice to students and alumni for their professional development. Mentoring, advice and professional development for entrepreneurs. |
Collective | Entrepreneurs |
Data categories |
|
Target Category | Mentors and coaches. Companies interested in the profiles and projects of those interested. |
International Transf. | Companies interested in learning about or investing in the projects may be located in third countries. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
15. Job Portal, for candidates - Professional Development Unit (UDP)
The job portal (for candidates) is one of the services offered by the Professional Development Unit (UDP).
Responsible | Separate responsible: ESIC and FESIC |
Legal basis | Creation of the candidate profile and its maintenance: the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). Verification by the controller of the veracity of the academic data linked to the studies that the data subject claims to have studied at ESIC or FESIC, the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party. Communication of data to registered companies, the data subject consents to the processing of his or her personal data for one or more specific purposes (art. 6.1.a of the GDPR). |
Treatment purposes | Candidate profile management. Verification of the veracity of academic data related to studies at ESIC and FESIC. Communication of personal data to registered companies. |
Collective | Alumni Alumni |
Data categories |
|
Target Category | Publication on the portal with access for interested companies. Person in charge of the treatment: DOUBLE -DOT. Responsible for the management of the portal |
International Transf. | The data may be viewed by companies registered in the portal, which may be located in third countries. |
Deadline for deletion | They will be kept until the interested party requests the cancellation or deletion of their data and to determine the possible responsibilities that may arise from this purpose and the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
16. Employment Portal, for companies - Professional Development Unit (UDP)
The job portal (for companies) is one of the services offered by the Professional Development Unit (UDP).
Responsible | Independent managers: ESIC and FESIC |
Legal basis | Initial collection of data: The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). Up-to-date maintenance of the data of the signatories: The processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party and the interests and fundamental rights and freedoms of the (art. 6.1.f of the GDPR and art. 19 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights). |
Treatment purposes | Maintenance of updated contact information for the heads of the registered companies. |
Collective | Company officers and contact persons |
Data categories |
|
Target Category | No assignments to certeros are foreseen |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
17. University Ombudsman
In order to ensure respect for the rights and freedoms of professors, students and administrative and service personnel, FESIC has established in its organizational structure the figure of the University Ombudsman, in accordance with the fourteenth additional provision of the Organic Law 6/2001, of December 21, 2001, on Universities ( https://www.boe.es/eli/es/lo/2001/12/21/6/con ). Its actions, always aimed at improving university quality in all areas, are not subject to the imperative mandate of any university body and are governed by the principles of independence and autonomy.
Responsible | FESIC |
Legal basis | The processing is necessary for compliance with a legal obligation applicable to the controller (art. 6.1.c of the GDPR). The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. 6.1.e of the GDPR). |
Treatment purposes | Attention and processing of complaints, queries and claims in order to ensure respect for the rights and freedoms of teachers, students and administrative and service personnel. |
Collective |
|
Data categories |
|
Target Category | ESIC State Security Forces and Corps |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and a maximum of 2 years from the resolution of the case, as well as the time necessary to determine the possible responsibilities that may arise from that purpose and the processing of the data. |
Additional information | ? It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. ? It is required to perform an EIPD. |
18. Alumni Group Management
Belonging to the alumni group and enjoying the different activities proposed, from discussion forums to rural getaways.
Responsible | Co-responsibility ESIC and FESIC |
Legal basis | Formalize their adherence: The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). Request the transfer of your data (from ESIC or FESIC to ESIC+FESIC): The data subject consented to the processing of his or her personal data for one or more specific purposes (art. 6.1.a of the GDPR). |
Treatment purposes | Manage registrations on the alumni list Checking data to certify your link with ESIC or FESIC Manage issues related to the experience of Alumni Group members Submitting information about the Alumni Group itself Send information about other activities: training, extracurricular experience, sports... |
Collective | ESIC and FESIC Alumni |
Data categories |
|
Target Category | No transfer of personal data is foreseen |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | Until the interested party requests the cancellation or deletion of their data, remaining blocked from that moment on in the aforementioned manner. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
Financial Management. Collection and recovery
The person in charge manages payments, collections, recoveries and, if applicable, refunds, as well as the financial management of scholarships.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | GDPR: art. 6.1.b) Processing necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures. GDPR: art. 6.1.c). Processing necessary for compliance with a legal obligation applicable to the controller. GDPR: art.6.1.e). Processing necessary for the performance of a task carried out in the public interest or in the exercise of public powers vested in the controller. Law 9/2017, of November 8, on Public Sector Contracts. Law 47/2003, of November 26, 2003, on the General Budget. Law 58/2003, of December 17, 2003, General Tax Law. Law 38/2003, of November 17, 2003, General Law on Subsidies. Law 35/2006, of November 28, 2006, on Personal Income Tax and partial amendment of the Corporate Income Tax, Non-Resident Income Tax and Wealth Tax Laws. Law 37/1992, of December 28, 1992, on Value Added Tax. |
Treatment purposes | Necessary management of personal data to carry out payments, collections, recoveries and, where appropriate, refunds, as well as the economic management of grants. Registration and verification of data related to VAT, income tax, registration with the tax authorities and Social Security, bank certificates, etc. |
Collective |
|
Data categories | Name, surname, telephone, postal and e-mail address, DNI/NIF, signature, electronic signature. Economic, financial and insurance data. Banking and business data. Certificates issued by the Public Administration for interested parties. |
Target Category | Financial Entities State Agency of Tax Administration |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | The data will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. Depending on the case, the following may be retained during these time periods
|
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
Legal Management. In-house counsel and representation
Defense and representation of ESIC in administrative and dispute resolution proceedings.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The data subject consented to the processing of his or her personal data for one or more specified purposes (art. 6.1.a of the GDPR). The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). |
Treatment purposes | Registration and management for the person in charge of legal matters, as well as the internal provision, also to the latter, of legal services or legal consultancy in its different modalities. |
Collective | Persons who are parties, directly or indirectly, to legal proceedings or other legal matters. |
Data categories | Name and surname; DNI, NIF or identification document; physical address; e-mail address; signature; position of the entity you represent and data about it; telephone; personal characteristics; social circumstances; commercial information; economic, financial and insurance data; and data on transactions of goods and services. Other data: Those that may be included in the consultation or that have to be processed because of the provision of the service, which may include special category data and data relating to criminal convictions and offenses. |
Category of recipients | ESIC or FESIC, as the case may be. State Security Forces and Corps Tax Agency Social Security Public Prosecutor's Office Judges and Courts |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
21. E-mail service and M365
The manager offers e-mail, collaborative tools and web hosting for PDI, PAS, students and alumni.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). |
Treatment purposes | Manage service subscription |
Collective |
|
Data categories | Name and surname Mailing address Email Telephone number Personal data regarding your relationship with the person in charge |
Target Category | Microsoft Google (Blogger) Automattic (WordPress) |
International Transf. | International transfers are foreseen to the Processors (please indicate, at least, those that could carry out international transfers, together with the country) or recipients of transfers indicated. |
Deadline for deletion | E-mails:
|
additional information | ? It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. ? It is required to perform an EIPD. |
22. Provision of positions to work at ESIC
Provision of jobs and selection of personnel, both labor and external.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the data subject's request of pre-contractual measures (art. 6.1.b GDPR). Background checks on the data subject shall be based on the fulfillment of a legal obligation applicable to the controller (art. 6.1.c of the GDPR). The proactive search for candidates and details about them in third-party databases is based on the legitimate interest of discovering them to fill positions or getting to know them better in order to know if the position fits their profile (art. 6.1.f of the General Data Protection Regulation). Workers' Statute Royal Legislative Decree 1/2013, of November 29, 2013, approving the Consolidated Text of the General Law on the Rights of Persons with Disabilities and their Social Inclusion. Organic Law 6/2001, of December 21, 2001, on Universities. Organic Law 2/2006, of May 3, on Education. |
Treatment purposes | Analysis and comparison of the professional background of the candidates. Analysis of the candidate's personality when this is a determining factor for the planned work (e.g. teaching). The manager will analyze the documents submitted by the candidate, all content directly accessible through search engines (Bing, Yandex, Google, Baidu, DuckDuckGo, etc.), the profiles maintained on professional social networks (LinkedIn, Xing, Viadeo, etc.), the data obtained in the entrance tests and the information revealed in the job interview, in order to assess their candidacy and be able, if necessary, to offer them a position. This analysis can be used to identify and evaluate candidates you need for specific positions or assignments. |
Collective | Participants in selection processes. Professionals with public profiles. |
Data categories |
|
Target Category | Companies in or with which the employee has worked, in order to cross-check the data and verify its veracity. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible liabilities that may arise from that purpose and the processing of the data. In the event that the candidate is not selected, the person responsible may keep his/her curriculum vitae stored for a maximum of two years in order to incorporate it in future calls, unless the candidate expresses otherwise or wishes to keep it for a longer period of time, until he/she withdraws his/her consent. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
23. Labor contracts. Human Resources Department (HR) - Labor personnel.
Processing activity related to the management of employment contracts for teachers and administrative and service personnel, including the management of training for them and other activities related to the employment relationship.
Responsible | Independent managers: ESIC and FESIC Organic Law 6/2001, of December 21, 2001, on Universities. Organic Law 2/2006, of May 3, 2006, on Education. |
Legal basis | The management of the labor or commercial relationship has the following bases of legitimacy:
|
Treatment purposes | Management of the labor relationship with contracted personnel:
|
Collective | PDI (Teaching and Research Staff) PAS (Administration and Services Staff) |
Data categories |
|
Target Category | Assignees:
|
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. At the end of the contract, the retention periods will be, depending on the type of personal data, as follows:
|
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
24. People Department (HR) - Collaborators, external teaching staff and faculty-associates
The manager hires professional collaborators for different tasks, as well as external teaching staff and associate professors to give master classes, lectures at conferences or for regular teaching in courses, master's degrees and other training programs.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). Organic Law 6/2001, of December 21, 2001, on Universities. Organic Law 2/2006, of May 3, 2006, on Education. |
Treatment purposes | Management of the business relationship with external teaching staff and contracted associate teachers:
|
Collective | External teaching staff and contracted teaching-associate personnel |
Data categories |
|
Target Category | Assignees:
|
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
25. Directory of teaching and research staff, administrative and service staff and students - Virtual classroom and online faculty.
Under registration, only students and professors will be able to access information tables with the professional contact information of the people who are part of the program in which they are enrolled or in which they will teach or perform teaching management or coordination actions.
Without registration, anyone can access professional information about the faculty of each program through the manager's websites.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). |
Treatment purposes | Publication of identification and professional data:
|
Collective | PDI (Teaching and Research Staff), both permanent and external. PAS (Administration and Services Staff) Students |
Data categories | Name and surname Image Professional data: Company and position Email and social profiles |
Target Category | The data will be accessible through the Internet or the virtual classroom. No transfer to third parties is foreseen. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
26. Editorial - Editorial, administrative and financial management of authors and contributors.
Management of the ESIC Publishing House in relation to authors and collaborators and the exploitation of their works.
Responsible | ESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). |
Treatment purposes | Management of the evaluation of works and publications of the editorial projects offered as author to ESIC, their management, invoicing and editorial promotion. |
Collective | Authors Interested persons |
Data categories | Identifying Data
|
Category of recipients | Tax Agency Banking entities |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
27. Suppliers and commercial and business partners
The person in charge hires professionals, suppliers and commercial and business partners for different actions. To do so, he/she must contact the professionals or individuals who represent the companies that sell products or provide services to him/her.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). The processing is necessary for the fulfilment of legitimate interests pursued by the controller or by a third party and the interests and fundamental rights and freedoms of the data subject do not override (art. 6.1.f of the GDPR). |
Treatment purposes | Registration and management of contact data of suppliers and commercial and business partners. |
Collective | Service providers or vendors and, if they are legal entities, the physical contact persons. |
Data categories | Identifying data:
|
Target Category | Financial Entities State Agency of Tax Administration |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected and to determine the possible responsibilities that may arise from that purpose and from the processing of the data. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
28. Documentary input and output register
Management of the general register of incoming and outgoing documents.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b of the GDPR). The processing is necessary for compliance with a legal obligation applicable to the controller (art. 6.1.c of the GDPR). Organic Law 6/2001, of December 21, 2001, on Universities. |
Treatment purposes | Management of the general incoming and outgoing document registry. Verification of identity and data of the interested party. |
Collective |
|
Data categories | Identification data: Name and surname, ID number, address, telephone number, type of relationship with the person in charge and signature. Data related to the document being received or delivered. |
Category of recipients | No transfer of personal data is foreseen |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to fulfill the purpose for which they were collected, for the legally established time and to determine the possible responsibilities that may arise from that purpose and the processing of the data. |
Additional information | ? It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. ? It is required to perform an EIPD. |
29. Attention to people's rights
To respond to requests to exercise the rights established in the RGPD.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | The processing is necessary for compliance with a legal obligation applicable to the controller (art. 6.1.c of the GDPR). In particular, to receive, manage and respond to requests for data subject's rights (Chapter III of the GDPR). |
Treatment purposes | Receive, manage and respond to requests for data subjects' rights (Chapter III of the GDPR). |
Collective | Any person |
Data categories | Identification data: Name and surname, ID number, address, telephone number, type of relationship with the person in charge and signature. Data related to the corresponding exercise request |
Target Category | From ESIC to FESIC, and vice versa. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to resolve the claims. |
Additional data | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
30. Face-to-face, telephone or electronic consultations.
Registration and management of queries made to ESIC about the entity's activities.
Responsible | Act of collecting personal data: Co-responsibility of ESIC and FESIC. Attention and management of complaints and suggestions. Independent persons responsible ESIC and FESIC. |
Legal basis | The data subject consented to the processing of his or her personal data for one or more specific purposes (art. 6.1.a of the GDPR). |
Treatment purposes | Registration and management of queries about the activities of the person in charge. |
Collective | Any person |
Data categories | Identifying data:
|
Target Category | From FESIC to ESIC and vice versa, as appropriate. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to process and respond to the inquiry. |
Additional data | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
31. Complaints and suggestions - Quality Unit
Responsible | Act of collecting personal data: Co-responsibility of ESIC and FESIC. Attention and management of complaints and suggestions. Independent persons responsible ESIC and FESIC. |
Legal basis | The processing is necessary for compliance with a legal obligation applicable to the controller (art. 6.1.c of the GDPR). Organic Law 6/2001, of December 21, 2001, on Universities. Royal Decree 1791/2010, of December 30, approving the University Student Statute. |
Treatment purposes | To know the opinion of users and improve the quality of the services offered by ESIC and FESIC. In the case of FESIC, the treatment includes the management of the complaint or suggestion by the University Ombudsman. |
Collective | Alumni Others |
Data categories | Identification, academic, professional or other data that the interested party wishes to import. |
Target Category | From the correspondent "ESIC- FESIC" to ESIC or FESIC, as the case may be. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | They will be kept for the time necessary to process and respond to the complaint or suggestion, trying to comply with a maximum response time of 3 months. |
Additional data | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
32. Physical security in the facilities. Registration and access control
Ensure the security of people, goods and facilities on physical and electronic spaces.
Registration and control of visits for the sole purpose of ensuring security.
Responsible | Co-responsibility: ESIC and FESIC |
Legal basis | The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. 6.1.e of the GDPR). The processing necessary for reasons of essential public interest determined by law. Art. 9.2.g) RGPD. |
Treatment purposes | The purpose of both physical security and access control and registration is to ensure the security of people, goods and facilities on physical and electronic spaces. |
Collective | Any natural person who attends the facilities or activities of the person in charge:
|
Data categories | Identifying data:
|
Target Category | State security forces and corps. From the correspondent "ESIC- FESIC" to ESIC or FESIC, as the case may be. |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | Thirty days maximum, counting from the date of collection. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |
33. Logical security
The responsible analyzes the behavior of users in their navigation through the website and the different social profiles in order to prevent and block logical attacks.
Responsible | Co-responsibility ESIC and FESIC |
Legal basis | The processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party and the interests and fundamental rights and freedoms of the (art. 6.1.f of the GDPR) do not prevail. In particular, these legitimate interests consist of preventing non-consensual access to or destruction or alteration of the data and systems, as well as preventing access to them from being blocked or other unauthorized processing by third parties. |
Treatment purposes | Analyze:
|
Collective | Users accessing websites or social profiles managed by the responsible party, by ESIC or by FESIC. |
Data categories | IP addresses. Browser user agent string. |
Target Category | From the correspondent "ESIC- FESIC" to ESIC or FESIC, as the case may be. |
International Transf. | Están previstas transferencias internacionales a los Encargados del tratamiento (indicar, al menos, los que podrían realizar transferencias internacionales, junto con el país) o destinatarios de cesiones que se indican: Google LLC (Estados Unidos). |
Deadline for deletion | reCaptcha, by Google LLC: approximately 26 months (privacy policy). |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. Remarks:
|
34. Video surveillance
Video surveillance of the perimeter and accesses to the facilities or premises in order to ensure the security of people, goods and installations in the buildings.
Responsible | Independent managers: ESIC and FESIC |
Legal basis | Processing necessary for the performance of a task carried out in the public interest or in the exercise of public authority. Art. 6.1.e) GDPR. Processing necessary for reasons of essential public interest as determined by law. Art. 9.2.g) RGPD. Organic Law 6/2001, of December 21, 2001, on Universities. Law 5/2014, of April 4, on Private Security. |
Treatment purposes | Ensure the safety of people, goods and facilities. |
Collective | Individuals attending ESIC. |
Data categories | Image |
Target Category | State Security Forces and Corps Judicial bodies Public Prosecutor's Office |
International Transf. | No international transfers of personal data are foreseen. |
Deadline for deletion | Within 30 days from the date of collection. |
Additional information | It is not required for this treatment, for the data processed and as its responsible executes it, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD. |