This document explains the data protection policy of the Institut Químic de Sarrià CETS Fundació Privada and its associated entities (IQS Tech Transfer SA and Fundació Privada Empreses IQS). It is based upon the principles of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). We fully embrace the spirit of this European Regulation in strengthening rights and giving greater guarantees to individuals regarding the processing of their data. This objective fully coincides with our aim to constantly improve our educational services.
This document summarises the fundamental aspects of our data protection policy.
The Data Controller is the Institut Químic de Sarrià CETS Fundació Privada (IQS), with registered office at Via Augusta, 390, 08017 – Barcelona, TIN G58022849, tel: (+34) 93 267 20 00, email firstname.lastname@example.org, registered in the Government of Catalonia Foundations Registry under number 88.
IQS has created the following institutions that complement its services and operations. These institutions include:
IQS is a higher education institution and a founding member of the Universitat Ramon Llull.
The Data Protection Officer (DPO) is the person who oversees compliance with our data protection policy, ensuring that data are processed properly and protecting the rights of data subjects. The DPO’s duties include responding to questions, suggestions, complaints, or claims from data subjects. All three institutions share the same Data Protection Officer, who can be contacted by writing to our mailing address, by telephone, or by emailing email@example.com.
We process personal data proportionally, always taking the rights of data subjects into consideration. In all cases, this means that we process the data that are adequate, relevant, and limited in relation to the purposes for which they are processed. We solely process the data necessary to enable us to provide the educational services that are part of our mission. In some cases, further data may be requested, such as when we seek opinions or ratings of our services.
IQS processes personal data primarily for the following purposes:
The data received will not be used for any purpose that is inconsistent with the purposes listed above.
Academic management. IQS stores the data of individuals who pre-register and subsequently formalise their enrolment to make a record of this and to provide higher education academic services on that basis. The data provided and data from academic records enable us to review and evaluate applications. The most relevant data processing is our handling of a student’s academic record. Students’ data are also used for administrative purposes, to identify them as users of the services, to enable them to access these services, to send them relevant information, to process and issue degrees, and to track workforce participation.
Contact. We process data to respond to inquiries from people who use the contact forms on our website. Data are only used to send information related to this purpose.
Personnel selection. We collect and store the curricula vitae sent to us by individuals interested in working with us. We also process personal data during the personnel selection processes in order to analyse the suitability of a candidate’s profile based on job openings or newly created positions. Our policy is to store the data of individuals who we do not end up hiring for a maximum period of one year in case a new job opening or a new position matching their profile is created in the short term. However, in the latter case, we immediately delete the data if a data subject requests that we do so.
Information about activities and services. With explicit authorisation from each student, we use their contact data to send information about our services and activities once they have graduated. We also send students information, with their authorisation, about activities or services of other institutions in our group. Such information is also sent to individuals who request it, even if they have not enrolled at IQS.
Customer service. We register new clients who pay for our services and process the additional data that may be generated as a result of the business relationship with these clients. In the contracting process, essential data are requested, which must include bank details (checking account or credit card number) that will be disclosed to banking entities that handle payments (the data can only be used for this purpose). This relationship involves other processing, such as incorporating data into accounting, invoicing, or sending information to the tax authorities.
Information for our clients. As long as there is a contractual relationship with our clients, we use their contact information to share information related to this relationship. Such information may also be sent once the contractual relationship has ended, if the client has agreed to receive it.
Data processing of our suppliers. We store and process the data of the suppliers from whom we obtain services or goods. This can include data on individuals who are self-employed as well as data on representatives of legal entities. We obtain the essential data to maintain the commercial relationship. We use the data solely for the purposes inherent to this type of relationship.
Video surveillance. When accessing our facilities, individuals are informed, where appropriate, of the existence of video surveillance cameras through approved signs. The cameras record images only at points where doing so is justified to ensure the safety of property and persons, and the images are used only for this purpose.
Other data collection channels. We also obtain data through face-to-face relationships and other channels such as receiving emails, participation on our blogs with comments, signing up to the blog, or through our profiles on social networks. In all cases, the data are intended only for the purposes related to those justifying their collection and processing.
The previous section refers to some of the origins of the data that we process. In most cases, data come directly from the data subjects, and we obtain them mainly through the forms provided for this purpose. We also obtain data during open houses, in the information sessions that we hold at educational centres, and through participation in fairs where we present the services we offer.
To support our relationship with students, teachers, and service providers, other data are generated that are incorporated into IQS’s systems. A more limited volume of data may come from public higher education authorities or from other academic institutions.
The data processing we carry out has different legal grounds, depending on the nature of the processing. We classify the main data processing that we carry out pursuant to the lawfulness of processing established in Article 6.1 of the General Data Protection Regulation.
To provide educational services. Once admitted, our students obtain educational services from IQS. Providing services to students constitutes a contractual relationship, with each party being bound to certain obligations, the student’s right to receive a good education, and the right and obligation of IQS to process their data. The legal grounds for this processing are established in Organic Law 6/2001, of 23 December, on Universities, and in Law 1/2003 and its implementing regulations, of 19 February, on universities in Catalonia.
To fulfil a pre-contractual relationship. This is the case of the data from data subjects interested in the educational offer at IQS. For other reasons but with similar legal grounds, we process the data of potential clients or suppliers with whom we have a relationship prior to the formalisation of a contractual relationship. This is also the case for the data processing of individuals who have sent us their curriculum vitae or who participate in selection processes.
To fulfil a contractual relationship. This involves relationships with our clients and suppliers and any processing and use of the data that these business relationships entail.
To comply with legal obligations. Providing higher education services means that we must comply with various standards that involve data processing. In this sense, IQS discloses the data of its students to the Universitat Ramon Llull Foundation for the degree recognition and issuance procedures corresponding to the studies taken. To comply with legal obligations (tax regulations), we also disclose data to the tax authorities. Disclosing data to judicial bodies or security forces and bodies, if we were required to do so, would also fall under compliance with legal obligations.
Based on consent. We use contact information with explicit consent from the party who will receive it when we send information about our activities or services. We also obtain consent for obtaining data from individuals who browse our website, which may be withdrawn at any time by uninstalling cookies.
Legitimate interest. The images we obtain with video surveillance cameras are processed in the legitimate interest of our institution to safeguard our assets and facilities. Our legitimate interest also justifies the processing of data we obtain from contact forms, as well as data from individuals who register to comment on the blog.
As a general standard we only transfer data to comply with legal obligations. In the above sections, we have explained the disclosure of data in communications with our students, necessary to enable the provision of educational services, and with our clients and suppliers in supporting economic and commercial relationships. Student contact data may be disclosed to other institutions in our group provided that the student has authorised it.
Data transfers are made beyond the European Union (international transfers) to handle international student mobility and to respond to job offers from non-European companies. In both cases, the processing is based upon the student’s consent. Likewise, we contract the services of companies or individuals who provide us with experience and specialisation for certain tasks, for which personal data must be accessed at times. Pursuant to the terms in the General Data Protection Regulation, this is not a data transfer, but a processing of data.
Services are only contracted with companies that guarantee compliance with these regulations. Their confidentiality obligations are formalised when the contract is drawn up and their performance is monitored. This may apply to data hosting services on servers, computer support services, or legal, accounting, or tax consultancies. You can get detailed information on the identity of these companies by writing to firstname.lastname@example.org.
The data storage time is determined by different factors. Data storage times are primarily affected by the fact that the data are still necessary to meet the purposes for which they have been collected in each case. Secondly, they are stored in view of IQS’s potential data processing responsibilities and to comply with any demand from public authorities or judicial bodies.
Consequently, the data will be stored for the time necessary to preserve its legal or informative value and to prove compliance with legal obligations, but not for a period longer than necessary for the purposes of the processing (“storage limitation” requirement in the General Data Protection Regulation).
Regarding information that accredits the education received by students, the data are stored permanently to preserve their rights.
In certain cases, such as data contained in accounting and invoicing documentation, tax regulations require the data to be stored until the statute of limitations for these responsibilities expires. The regulations governing foundations specify that certain accounting data will be stored for ten years (pursuant to Law 10/2010, of 28 April).
Regarding data that are processed exclusively based on the consent of the data subject, they are stored until the data subject withdraws consent.
Finally, images obtained by video surveillance cameras are stored for a maximum of one month. However, where an incident justifies it, data will be stored for the time necessary to facilitate action by security forces and bodies or judicial bodies.
The regulations governing the storage of public documentation, and the rulings of examination boards, are a determining factor when deciding to store or erase data.
Pursuant to the General Data Protection Regulation, the data subjects whose data we process have the following rights:
To be informed if their data are being processed. Everyone is entitled to know if we are processing their data, regardless of whether a relationship has been established beforehand.
To be informed when data are collected. When personal data are collected from data subjects, they must be given, at the time they provide the data, clear information about the purposes for which the data will be used, who will be the controller of the processing, and the main aspects derived from this processing.
To access. The right to access is understood in a broad sense, including knowing precisely what personal data are subject to processing, the purpose for which they are processed, disclosures to other parties that will be made (if any), the right to obtain a copy, or the right to know the envisaged storage period.
To request rectification. This is the right to rectify inaccurate data that may be processed by us.
To request erasure. In certain circumstances, data subjects can request the erasure of their data when, among other reasons, the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
To request the restriction of processing. In certain circumstances, the right to request the restriction of data processing is also recognised. In this case, data will no longer be processed and shall only be stored for the exercise or defence of claims, in accordance with the General Data Protection Regulation.
Portability. In the cases established in the General Data Protection Regulation, data subjects have the right to obtain the data concerning them in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller should the data subject so decide.
To object. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her to the extent or degree to which they may be harmful, except for the exercise or defence of legal claims.
To not receive information. We immediately respond to requests from data subjects no longer wishing to continue receiving information about our activities and services when sending such information was based solely on the consent of the data subject who is the recipient.
The rights listed above can be exercised by sending a request to IQS at our mailing address or through the other contact information indicated above.
If a data subject has not obtained a satisfactory response in exercising their rights, they may lodge a complaint with the Catalan Data Protection Authority through the forms or other channels accessible on its website (www.apd.cat).
In all cases, whether to lodge complaints, request clarifications, or make suggestions, our Data Protection Officer can be contacted by email at email@example.com.