Legal Terms

PRIVACY AND DATA PROTECTION POLICY

The University of Santiago de Compostela (USC) protects and guarantees the fundamental right to data protection and is particularly sensitive to safeguarding the privacy of individuals. Data processing is done in accordance with the Regulation (EU) 2016/679, of 27 April, on the protection of natural persons with regard to the processing of personal data and the free movement of such data and the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights. As such, this processing complies with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, limitation of the storage period, integrity, confidentiality and accountability.

The record of processing activities carried out by the USC can be consulted at:

http://www.usc.es/gl/normativa/protecciondatos/index.html

In any case, the USC will maintain a dynamic understanding of this issue in order to adapt it to new developments that arise, whether in regulations, case law, decisions of the supervisory authorities or practices in this field. This may make it advisable to modify the present privacy and data protection policy, which will be announced in due time.

Controller

The generic responsibility for data processing lies with the University of Santiago de Compostela, with address for these purposes at the Rectorado de la USC, Praza do Obradoiro s/n, 15782 Santiago de Compostela (Spain). The telephone number is 881811000. Informal online contact can be established through www.usc.es/gl/web/contacto.html. Specific requests should be made through the USC Electronic Headquarters.

https://sede.usc.es/sede/publica/index.htm

DPO

The Data Protection Officer is José Julio Fernández Rodríguez, and his e-mail address is dpd@usc.es.

Basis of legitimacy

The primary basis of legitimacy for the processing carried out by the USC is the provision of the public service of higher education. Processing can also be based on the consent given by the persons concerned, in those cases that so authorize.

In other processing operations, the basis of legitimacy is the need for the execution of contracts, the fulfillment of specific legal provisions, or the fulfillment of a mission carried out in the public interest or in the exercise of the official authority. All these conditions are in line with article 6.1 of the European Regulation.

Processing purposes

The purpose of the processing of personal data by the USC is to fulfill its obligations and responsibilities in the field of teaching, study and research, which includes the management of administrative services typical of a university public administration and the management of requests for information and of academic and institutional outreach activities. Each specific processing operation specifies these purposes.

Data origin, use and conservation

The origin of the personal data is in the interested parties themselves, obtained by various means, such as applications, forms and digital or analog questionnaires. For these purposes, the manifestation of consent will be free, specific, informed and unequivocal. In some cases, the data are obtained from other educational administrations.

The processing of special categories of data will be made taking into account the specific protective measures of Article 9 of the European Regulation.

Exceptional assignments and transfers of personal data may be made under university exchange and academic collaboration programs, and also with public administrations with educational powers. In any case, the transfers will comply with the provisions of articles 44 and following of the European Regulation. Also, in accordance with the regulations, data will be transferred to data processors and in cases of legal duties.

Data may also be used for statistical purposes or for incident management and, preferably pseudonymized, for research purposes.

The personal data provided will be kept for the period during which the purpose for which they were collected is carried out, or for the time necessary to comply with legal obligations. Once the purpose has been fulfilled, the data will be blocked until the applicable statute of limitations expires.

Rights

Data subjects have the rights of transparency of information, access to their personal data, rectification of inaccurate data, erasure of data where possible, limitation of processing, portability, opposition, the right not to be subject to a decision based solely on automated processing that significantly affects them, the right to withdraw consent at any time and the right to lodge a complaint with the Spanish Data Protection Agency. These rights may be exercised before the data controller, after identification of the applicant through the Electronic Headquarters of the USC.

The USC will facilitate the exercise of these rights by means of an electronic form at

https://sede.usc.es/sede/publica/catalogo/procedimiento/55/ver.htm

In addition, the interested parties also have the rights that give access to administrative and judicial channels of guarantee, provided for in the legal system for this purpose.

Security

USC, from a proactive position, adopts all the necessary technical and organizational measures to ensure the processing of data and the privacy of individuals. Thus, it assumes a total commitment to the guarantee of fundamental rights, which includes data protection by design and by default.

Thus, in accordance with Article 32 of the European Regulation, these security measures include the pseudonymization and encryption of personal data; the ability to ensure the confidentiality, integrity, availability and permanent resilience of processing systems and services; the ability to restore availability and access to personal data quickly in the event of an incident; and a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures.

These measures respond to the legally established duties, depending on the state of the art, the costs of implementation, and the nature, context and purposes of processing. Likewise, it is necessary to take into account the specific risks of severity and probability that each type of processing entails for the rights and freedoms of individuals.

Security breaches and breaches of personal data shall be reported to the supervisory authority and, where appropriate, to the persons concerned on the basis of Article 34 of the European Regulation. The USC provides a channel for reporting data protection incidents at:

http://www3.usc.es/uscincidencias/informeincidencialopd.asp
