The Universidad Politécnica de Madrid (UPM) is an institution firmly committed to respecting the fundamental freedoms and rights of individuals.
The application, since 25 May 2018, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) represents a significant step forward in recognising every individual’s right to the protection of their personal data, and provides us with the opportunity to update our Privacy Policy and inform you of its main aspects through this statement:
Who is responsible for the processing of your personal data?
At the Universidad Politécnica de Madrid, we are responsible for all personal data processing activities carried out by us, and we undertake to make public and keep up to date a Record of Personal Data Processing Activities containing the information set out in Article 30 of the GDPR.
How are your personal data processed at UPM?
At UPM, we endeavour to process your personal data in strict compliance with the obligations arising from the applicable data protection legislation, adopting the principle of accountability set out in the GDPR as a fundamental pillar of our actions. On the basis of this commitment, your personal data shall be:
Processed lawfully, fairly and in a transparent manner.
Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accurate and, where necessary, kept up to date, with all reasonable steps taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
Processed in such a manner as to ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures.
Appropriate technical or organisational security measures shall be applied both at the time of determining the means of processing and at the time of the processing itself, in accordance with the principle of data protection by design. Likewise, such measures shall be applied to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed and, in particular, that personal data are not made accessible, without human intervention, to an indefinite number of natural persons.
For what purpose do we process your personal data?
The ultimate purpose underlying the personal data processing activities we carry out is the fulfilment of one of the functions entrusted to us by Organic Law 6/2001 on Universities, in service to society, in relation to the provision of the fundamental public service of higher education.
For each processing activity we carry out, the specific purpose pursued is established and communicated to the data subject at the time their personal data are collected. Likewise, the purposes of each processing activity are set out in the Record of Personal Data Processing Activities.
Are the processing activities carried out by UPM lawful?
For each personal data processing activity we carry out, at least one of the conditions set out in Article 6 of the GDPR for lawful processing is fulfilled. The legal basis for each processing activity is expressly included in our Record of Personal Data Processing Activities and, in most cases, consists of the necessity of processing for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in UPM. Other lawful bases are also contemplated, such as the data subject’s consent; the necessity of processing for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract; the protection of vital interests; or the pursuit of legitimate interests.
Where processing is based on your consent, and in application of the principle of accountability, UPM must be able to demonstrate that you have consented to such processing. Consent is defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Where consent is to be given in the context of a written declaration that also concerns other matters, our request for consent will be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration that constitutes an infringement of the GDPR shall not be binding.
To whom may we disclose your personal data?
There are cases of processing activities in which UPM must communicate personal data to different institutions, bodies or entities, whether public or private, in compliance with a legal provision or where the recipient acts as a data processor. In certain processing activities, the possibility of international data transfers is also contemplated, with the appropriate safeguards provided for by law.
In any event, such possible disclosures and/or international transfers of personal data (also generally referred to as data transfers) are recorded in our Record of Processing Activities, and the data subject is provided with all relevant information on this matter at the time their personal data are obtained.
Where processing activities foresee possible voluntary disclosure of your personal data, you will be informed accordingly so that you may decide whether or not to grant your consent to the proposed data transfer.
How long will we retain your personal data?
In accordance with Article 5(1)(e) of the GDPR, we shall retain your personal data for no longer than is necessary for the purposes of the processing and for determining any potential liabilities that may arise from those purposes. Data may be retained for longer periods where required by specific legislation or where they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, in which cases we undertake to apply appropriate technical and organisational measures to safeguard your rights and freedoms.
Prior to obtaining your personal data, you will be informed of the period for which your data will be retained or, where this is not possible, of the criteria used to determine that period.
What are your rights in relation to the personal data provided?
Under the terms and within the limits established in Chapter III of the GDPR, you have the right to:
Be informed about the processing of your personal data at the time they are collected.
Obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to access such data.
Obtain without undue delay the rectification of inaccurate personal data or the completion of incomplete data.
Obtain without undue delay the erasure of your personal data.
Obtain restriction of the processing of your data.
Receive your personal data in a portable format, subject to the limitations set out in Article 20 of the GDPR.
Object to the processing of your personal data.
Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where legally permitted.
In accordance with Article 19 of the GDPR, we undertake to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.
How can you exercise your rights in relation to the personal data provided?
You may obtain further information about each processing activity and how to exercise your rights in relation to your personal data through the contact details provided in the information relating to each processing activity.
You may also consult and/or exercise your rights in this area by contacting the Data Protection Officer appointed by UPM at the following email address: proteccion.datos@upm.es.
If you are not satisfied with the exercise of your rights, you may lodge a complaint with the Spanish Data Protection Agency: https://www.aepd.es.
Is the UPM Privacy Policy reviewed and updated?
UPM periodically reviews its data protection policy and whenever necessary in order to adapt it to any changes in the applicable regulatory framework in this area.
This update of the main aspects of our Privacy Policy was approved on 27 September 2018.