EXPLANATORY STATEMENT

The fundamental concern of the Universitat Jaume I is to guarantee the privacy of the personal data of the members of its community and, in general, of all the users of the information systems of the institution, and for this purpose the technical and organizational measures necessary to protect them have been adopted.

The stated goal of preserving privacy and guaranteeing the mechanisms that enable the exercise of the rights and freedoms of users is already present in the previous regulations on data protection at the national level, as seen in Organic Law 15/1999, of 13 December, on the protection of personal data and Royal Decree 1720/2007, of 21 December, approving the Regulations for the implementation of Organic Law 15/1999, of 13 December, on the protection of personal data, as well as at European level with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free circulation of this data.

The entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of these data, and repealing Directive 95/46/EC, is a further step towards improving the aforementioned freedoms and rights of users. It is on the basis of this European directive, plus the foreseeable additions that may be added with the updated national regulations, that the following privacy policy is created to define and regulate the use of personal data within the Universitat Jaume I.

This goal of improving data security cannot be achieved only with a set of technical and operational procedures and measures around the treatments themselves; it must be part of a broader vision in which, in addition to considering the data, the necessary measures at the level of the systems, services and processes involved in the whole process are added. This need is very much in line with the requirements and purposes of other regulations in force, such as Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of e-government, and Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of e-government.

For all these reasons, the privacy policy is closely linked to the information security policy, and it is necessary to define a set of measures that, in a unified way, are aimed at achieving these purposes of common interest.

CHAPTER I
General provisions

Article 1
Purpose

This policy establishes the rules relating to the protection of individuals with regard to the processing of personal data and the rules relating to the free movement of such data. The fundamental rights and freedoms of individuals and, in particular, their right to the protection of personal data are protected.
The personal data collected, whether by electronic means or by any other means, will not be used for any purpose other than that related to the activities carried out by the university.

Article 2
Scope of application

This policy applies to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained in a file or intended to be included in it.

Article 3
Definitions

For the purposes of this Regulation, the following definitions shall apply:

a) Personal data: any information about an identified or identifiable natural person (the interested party). An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

b) Processing: any operation or set of operations carried out on personal data or sets of personal data, whether by automated or non-automated procedures, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, suppression or destruction.

c) Limitation of processing: the marking of personal data retained, in order to limit its processing in the future.

d) File: any structured set of personal data accessible in accordance with certain criteria, whether centralized, decentralized or distributed functionally or geographically.

e) Data controller or controller: the natural or legal person, public authority, service or any other body that, alone or together with others, determines the purposes and means of processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for his appointment may be established by Union or Member State law.

f) Data processor or processor: the natural or legal person, public authority, service or any other body that processes personal data on behalf of the controller.

g) Recipient: the natural or legal person, public authority, service or any other body to which personal data is communicated, whether it is a third party or not. However, public authorities which may receive personal data in the context of a specific investigation should not be considered as recipients, in accordance with the law of the Union or of the Member States. The processing of such data by these public authorities complies with the data protection rules that apply to the purposes of the processing.

h) Third party: natural or legal person, public authority, service or body other than the data subject, the controller, the processor and the persons authorized to process personal data under the direct authority of the controller or of the processor.

i) Consent of the interested party: any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, by means of a declaration or a clear affirmative action, the processing of personal data that affect him.

j) Violation of the security of personal data: any breach of security that causes the destruction, loss or accidental or unlawful alteration of personal data transmitted, stored or otherwise processed, or the communication or unauthorized access to this data.

k) Genetic data: personal data relating to the genetic characteristics inherited or acquired from a natural person, which provide unique information about their physiology or health, obtained from the analysis of a biological sample of that person.

l) Biometric data: personal data obtained from a specific technical treatment, relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of this person, such as facial images or dactyloscopic data.

m) Health-related data: personal data relating to the physical or mental health of a natural person that reveals information about their state of health, including the provision of health care services.

n) Information society service: any service as defined in Article 1 (1) (b) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

o) International organization: an international organization and its subordinate bodies under public international law, or any other body created by an agreement between two or more countries or under that agreement.

CHAPTER II
Principles of data protection

Article 4
Data quality

The personal data collected will be:

a) Treated in a lawful, loyal and transparent manner in relation to the interested party.

b) Collected for specific, explicit and legitimate purposes and subsequently will not be treated in a manner incompatible with these purposes. The subsequent processing of personal data for archival purposes in the public interest, for scientific and historical research purposes or for statistical purposes will not be considered incompatible with the initial purposes.

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated.

d) Exact and, if necessary, will be updated by adopting reasonable measures so that personal data that are inaccurate for the purposes for which they are processed are deleted or rectified without delay.

e) Retained in such a way as to identify the interested parties for a period not exceeding that necessary for the purposes of the processing of personal data. Personal data may be retained for longer periods, provided that it is processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes by applying the appropriate technical and organizational measures in order to protect the rights and the liberties of the interested party.

g) Treated in such a way as to ensure adequate security, including protection against unauthorized or unlawful treatment and against accidental loss, destruction or damage, through the application of appropriate technical or organizational measures.

Article 5
Special categories of personal data

In the case of processing of personal data of a special category, such as personal data revealing ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union affiliation, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data relating to health or data relating to the sexual life or sexual orientations of a natural person, it is guaranteed that one of the following circumstances occurs:

a) The data subject has given his or her explicit consent to the processing of such personal data for one or more of the purposes specified, unless Union or Member State law provides that the data subject may not lift the prohibition mentioned above.

b) The treatment is necessary to fulfill obligations and to exercise the specific rights of the controller or the data subject, in the field of labor law and social security and protection, if authorized by the law of the Union or of the Member States or a collective agreement in accordance with the law of the Member States which establishes adequate guarantees of respect for the fundamental rights and interests of the person concerned.

c) The treatment is necessary to protect the vital interests of the data subject or of another natural person, in the event that the data subject is not physically or legally qualified to give consent.

d) The processing is carried out, within the scope of its legitimate activities and with the appropriate guarantees, by a foundation, an association or any other non-profit organization that has a political, philosophical, religious or trade union purpose. This, provided that the processing refers exclusively to current or former members of these bodies or to persons who maintain regular contacts with them in relation to their purposes, and if personal data are not communicated outside these bodies without the consent of the interested parties.

e) The processing refers to personal data that the interested party has made manifestly public.

f) The treatment is necessary to formulate, exercise or defend claims or when the courts act in the exercise of their judicial function.

g) The processing is necessary for reasons of an essential public interest, in accordance with the law of the Union or of the Member States, which must be proportionate to the aim pursued, respect the right to data protection in essence and establish appropriate and specific measures to protect the interests and fundamental rights of the person concerned.

h) The treatment is necessary for the purposes of preventive or occupational medicine, assessment of the work capacity of the worker, medical diagnosis, provision of assistance or treatment of a health or social nature, or management of systems and health and social care services, on the basis of Union or Member State law or under a contract with a health professional. Personal data may be processed if they are processed by a professional subject to the obligation of professional secrecy or under his responsibility, in accordance with Union or Member State law or in accordance with the rules laid down by the competent national bodies, or by any other person also subject to the obligation of secrecy.

i) Treatment is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of health care and medicinal products or health products, on the basis of the law of the Union or of the Member States which lays down appropriate and specific measures to protect the rights and freedoms of the person concerned, in particular professional secrecy.

j) The processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes, which must be proportionate to the objective pursued, respect the right to data protection in essence and establish appropriate and specific measures to protect the interests and fundamental rights of the person concerned.

Article 6
Communication of data

Universitat Jaume I will only communicate data when it is exercising its powers marked by current laws, as well as in the circumstances set out in the general data protection regulations, as informed to those concerned when collecting their data. Any other communication must be communicated and have the explicit consent of the interested party before making it.

Article 7
International transfers

A transfer of personal data may be made to a third country or to an international organization ensuring an adequate level of protection taking into account, in particular, the following elements:

a) The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including that relating to public security, defense, national security and criminal law; public authorities’ access to personal data, as well as the application of this legislation, data protection rules, professional rules and security measures, including rules on subsequent transfers of personal data to another third country or international organization that are complied with in that country or international organization, the jurisprudence, as well as the recognition to the interested parties from whom the personal data are transferred, of effective and enforceable rights and of administrative resources and judicial actions that are effective.

b) The existence and effective operation of one or more independent control authorities in the third country or to which an international organization is subject, with the responsibility to guarantee and enforce data protection rules, including the powers implementing measures, assisting and advising those concerned in the exercise of their rights and cooperating with the supervisory authorities of the Union and the Member States, and

c) International commitments entered into by the third country or international organization in question, or other obligations arising from legally binding agreements or instruments, as well as from their participation in multilateral or regional systems, in particular in relation to the protection of personal data.

CHAPTER III
Rights of interested parties

Article 8
Information in data collection

When the personal data that refer to the interested party are obtained from the same interested party, the information on the treatment will be provided at the time of collecting them, in a clear and intelligible way: first with a basic level and giving access later to a second level in more detail.
If it is planned to subsequently process personal data for a purpose other than that which motivated the collection, the data subject will be informed before such subsequent processing of any other purpose and any additional relevant information, provided that the interested party does not already have this information.

Article 9
Consents of those affected

In any treatment based on the consent of the interested party there is the possibility of withdrawing it at any time. Withdrawal of consent does not affect the lawfulness of the treatment based on consent prior to its withdrawal.

Article 10
Right of access

The data subject has the right to obtain confirmation from the data controller that personal data affecting him is being processed, and if so, he has the right to access this data and information relating to the purposes, recipients, categories of data processed, their origin and retention period, claims, existence of automated decisions with their consequences and all additional rights of rectification, deletion, limitation, opposition and portability.
When personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate guarantees relating to the transfer.
The controller must provide a copy of the personal data subject to processing. For any other copy requested by the interested party, the person responsible is entitled to receive a reasonable fee based on administrative costs. When the interested party submits the application by electronic means, and unless the latter requests that it be done otherwise, the information must be provided in a commonly used electronic format.

Article 11
Right of rectification and suppression

The data subject has the right to obtain from the data controller the rectification of inaccurate personal data that affect him, without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, even by means of an additional declaration.
The data subject has the right to obtain from the data controller, without undue delay, the deletion of personal data that affect him. The controller must delete them without undue delay, when the data are no longer necessary or have been processed illegally, when the data subject withdraws consent or opposes the processing and there is no legal basis to protect it, when a legal obligation has to be fulfilled or the data are obtained in relation to the offer of information society services.
If the controller has made the personal data public and is obliged to delete it, reasonable measures will be taken to inform the controllers that are processing this data of the data subject's request for deletion.
The exceptions provided for in current legislation must be observed, such as, among others, cases where the treatment is necessary to fulfill a legal obligation, for reasons of public interest or for archival, research or statistical purposes.

Article 12
Right of limitation

The data subject has the right to obtain from the controller the limitation of the processing of the data, in cases of challenge to the accuracy of the data, when the processing is illegal and the data subject opposes the deletion, when the data subject needs to retain the data to make or exercise claims or while verifying whether the legitimate reasons of the controller prevail over those of the data subject in the event that the data subject opposes the processing.
In such situations, with the exception of their retention, such data may only be processed with the consent of the interested party, or to make, exercise or defend claims, or in order to protect the rights of another natural or legal person, or for reasons of important public interest in the Union or in a given Member State. Before removing the limitation, the interested party will be informed of this situation by the person in charge.

Article 13
Right of portability

The interested party has the right to receive, in a structured, commonly used and machine-readable format, the personal data that affect him and that he has provided to a data controller. He has the right to transmit them to another person in charge, without being prevented by the person in charge to whom he had provided them, when the processing is based on consent or a contract and the processing is carried out by automated means. Personal data will be transmitted directly from manager to manager, when technically possible.
This right does not apply to the treatment necessary to fulfill a mission carried out in the public interest or in the exercise of public powers conferred on the controller.

Article 14
Right of opposition

The interested party has the right to object to the personal data affecting him being processed. The controller must stop processing this personal data, unless he proves compelling legitimate reasons for the processing that prevail over the interests, rights and freedoms of the data subject, or for the formulation, exercise or defense of claims.
If personal data are processed for the purposes of scientific or historical research or for statistical purposes, the interested party has the right, for reasons related to their particular situation, to object to the processing of personal data affecting him, unless it is necessary to fulfill a mission performed for reasons of public interest.

Article 15
Procedures for exercising rights

The rights of access, rectification or deletion, limitation, portability and, where appropriate, opposition are of a personal nature, so they can only be exercised by the person concerned. However, their legal representative may act in the cases provided for by current legislation.
You can exercise your rights by contacting the General Secretariat of the UJI through the Electronic Register (https://ujiapps.uji.es/reg/rest/publicacion/solicitud_generica).
You can obtain additional information about your rights or submit a claim, if deemed appropriate, before the Spanish Data Protection Agency (https://www.agpd.es).
Upon receipt at the check-in desk, or by any other valid means, of the interested party’s letter and subsequent referral to the body to which it is addressed, the responsible internal owners of the affected treatments, once the relevance of the application has been verified, must take the measures necessary to satisfy the request and must notify the results to the person concerned.
The controller must communicate to each of the recipients to whom the personal data have been communicated any rectification or deletion of personal data or limitation of the processing, unless it is impossible or requires a disproportionate effort. If the interested party so requests, the person in charge must inform them of these recipients.

CHAPTER IV
Responsible and in charge of treatments

Article 16
Those responsible within the Universitat Jaume I

The person in charge of processing personal data is Universitat Jaume I and, by resolution of the Rector of 30 January 2014, this responsibility will be exercised by the General Secretariat of the University.
The heads of each service or unit who, in order to carry out their administrative tasks, need to process personal data, will be internally responsible for the processing in the field of their function and will have to ensure that the processing is adjusted at all times to what is provided in the law, as well as ensuring the establishment of and compliance with the appropriate security provisions.
In the case of treatments under the responsibility of research groups, the internal responsibility will be exercised by the
The internal managers will be accountable to the General Secretariat, as the person in charge of the University’s treatments, and will be the bodies to which the interested parties will have to turn in order to exercise the rights of access, rectification, suppression, limitation, opposition or portability. The internal managers of the treatments are determined by the Rector in the dispositions of creation or modification of each one of them.

Article 17
The Universitat Jaume I as head of treatments

The treatments for which Universitat Jaume I is responsible can be consulted electronically at the web address:

The creation or modification of treatments where the Universitat Jaume I is responsible for it will be done by resolution of the Rector.

Article 18
The Universitat Jaume I as the person in charge of the treatment

The treatments in which the Universitat Jaume I is in charge can be consulted electronically at the web address:

Article 19
Treatments carried out by research groups

The treatments in which a research group from the Universitat Jaume I is responsible can be consulted electronically at the web address:

The creation or modification of treatments where a research group of the Universitat Jaume I is responsible for it will be done by resolution of the Rector.

Article 20
Data protection by design and by default

The controller shall implement the appropriate technical and organizational measures designed to effectively apply the principles of data protection, both at the time of determining the means of processing and at the time of processing.
It will also ensure that, by default, only the personal data necessary for each of the specific purposes of the processing are processed. This obligation applies to the amount of personal data collected, the scope of processing, the retention period and the accessibility of the data. These measures must ensure in particular that, by default, personal data are not accessible, without the intervention of the person, to an indeterminate number of natural persons.

CHAPTER V
Safety of treatments

Article 21
Applicable security measures

Those responsible make an assessment of the risk of the treatments they do to establish the measures they should apply and how they should do so. The type of analysis may change depending on the types of treatments, the categories of data, the number of stakeholders affected and the number and variety of treatments that the organization performs.
Treatment controllers and processors establish the necessary technical and organizational measures to ensure an adequate level of safety based on the risks detected in the previous analysis. These measures will take into account the cost of the technique and the application, the context, scope and purposes of the treatments and the risks to rights and freedoms.
Data controllers will carry out a Data Protection Impact Assessment prior to the start of processing that is likely to pose a high risk to the rights and freedoms of data subjects.

CHAPTER VI
The Data Protection Officer

Article 22
Appointment of the data protection delegate

The General Data Protection Regulation (RGPD) of the European Union stipulates that data controllers and data processors must appoint a data protection officer (DPD) in the cases established by the RGPD itself, as well as in other cases where the legislation of the Member States also considers it mandatory.
Among the cases in which a DPD must be designated is that “the treatment is carried out by a public authority or body”, both as a processor and as a data controller (art. 37.1.a RGPD).
The position of the Data Protection Officer must include:

a) Participation in an appropriate and timely manner in all matters relating to the protection of personal data.

b) To receive the support of the controller or the processor, who will have to provide him with the resources necessary for the performance of his functions.

c) Not to receive any instruction regarding the performance of these functions and not to be dismissed or sanctioned by the controller or the processor for causes related to this performance of functions.

d) Report directly to the highest hierarchical level of the controller or the processor. This characteristic must be interpreted in the sense that the DPD must be able to relate to hierarchical levels that have the capacity to adopt or promote decisions based on the recommendations, proposals or evaluations made by the DPD.

Article 23
Functions of the data protection delegate

Among the functions of the DPD, the RGPD indicates those of:

a) Informing and advising the controller or processor and the employees dealing with the processing of their obligations under the RGPD and other data protection provisions of the Union or the Member States.

b) Monitoring compliance with the provisions of this Regulation, other data protection provisions of the Union or the Member States and the policies of the controller or processor on personal data protection.

These generic functions of the DPD can be specified in advisory and supervisory tasks in, among others, the following areas:

a) Compliance with principles relating to the processing, such as those of limitation of purpose, minimization or accuracy of the data

b) Identification of the legal bases of the treatments

c) Assessment of compatibility of purposes other than those that originated the initial collection of data

d) Existence of sectorial regulations that may determine specific processing conditions different from those established by the general data protection regulations

e) Design and implementation of information measures for those affected by data processing

f) Establishment of mechanisms for the reception and management of applications for the exercise of rights by interested parties

g) Assessment of applications for the exercise of rights by interested parties

h) Hiring of data processors, including the content of the contracts or legal acts that regulate the controller-processor relationship

g) Identification of international data transfer instruments appropriate to the needs and characteristics of the organization and the reasons justifying the transfer

h) Design and implementation of data protection policies

i) Data protection audit

j) Establishment and management of records of treatment activities

k) Risk analysis of the treatments performed

l) Implementation of measures for data protection by design and by default appropriate to the risks and nature of the treatments

m) Implementation of safety measures appropriate to the risks and nature of the treatments

n) Establishment of procedures for managing data security breaches, including risk assessment for the rights and freedoms of those affected and notification procedures to supervisory authorities and those affected

o) Determining the need to carry out impact assessments on data protection

p) Carrying out impact assessments on data protection

q) Relations with supervisory authorities

r) Implementation of training and awareness programs for personnel on data protection

Article 24
Appointment of the data protection delegate

The appointment of the data protection delegate is made by Resolution of the Rector.
The way to officially contact the data protection delegate is by email: [email protected]
