html

Record of Processing Activities (ROPA) | ESIC

Updated 20/05/2024

This record complements and completes the Legal Notice, Privacy and Cookies, through which information is provided about the identity of the data controllers and the rights of the interested parties and how to exercise them: https://www.esic.edu/en/legal-notice

1. Web analytics for statistical, functional and teaching purposes

The data Controller analysing browsing and behavioural habits of visitors in order to identify the use they make of the tools and to adapt them to their needs, and also to improve communication, marketing and service activities.

Controller	Controller Independent controllers in the virtual classroom and communications for Teaching and Research Staff (PDI) and Administration and Services Staff (PAS) in view of needs related to fulfilling contracts, and other communication requirements that they manage independently. ESIC and FESIC. Independent responsibilities for the analysis of data taken from opening and action through e-mail. Joint controllers in own common communication channels (same website): ESIC (main) and FESIC.
Legal Grounds	In the case of PDI and PAS, and only to the extent that performance of a contract justifies such, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6.1.b of the GDPR). In all other cases, including ESIC Play, data subjects gave their consent for the processing of their personal details for one or several of the specific purposes (Article 6.1.a of GDPR). In order to obtain consent, data subjects must be individually informed about any sale and purchase contract, general conditions or service contract. This processing will be carried out on the browsing data obtained on the website, Apps, etc.
Purposes of processing	In the case of analytics processing being based on the performance of a contract, the necessary analytics will be carried out to perform the contract: in the case of PDI for example, the number of times each one accesses the virtual classroom documents or if such are downloaded, will be analysed to know and encourage learning activity. In the case of PAS, the Controller may obtain acknowledgement of receipt from whoever has received the secure communication regarding the information the Controller has sent, without this entailing additional processing. In all other cases, whenever prior acceptance by a data subject is required, the purpose of analytics processing of personal details will be as follows: Analysis of opening communication sent by ESIC. Analysis of browsing of the Controller's websites, mobile Apps and social media profiles by users. Analysis of behaviour during commercial telephone calls.
Collective	Users who access websites, Apps or social media profiles managed by the Controller, and those who open and reply to communication sent by the Controller.
Data categories	Analytics service provides aggregate the data they obtain to provide the Controller with quantitative information about browsing and behaviour by people, without it being possible to identify any individuals. The processed data are as follows: For website analytics: The chain of user agents of the browser and list of IP addresses, along with the graphs and total values regarding browsing by all users for each of the website pages. E-mail analytics: The chain of user agents of the browser and list of IP addresses, along with the graphs and total values regarding browsing by all users for each of the website pages. Telephone analytics: Behaviour and reactions to commercial messages. In the specific case of e-mail analytics, and in addition to the above, the number of openings, opening time, opening day, forwards, conversation (if forms are included in e-mail), users clicks on the internal mail links (with outputs to: landing, website, direct mailto to contact personnel...), devices that opens it, hard, block and soft e-mail bounces, and subscription cancellations will be obtained and analysed.
Addressee category	Data communication are not planned. Data processor: Google LLC - Google Analytics - https://analytics.google.com/analytics/web/
International Transfer	The data processor is Google Ireland and sub-processor is Google LLC, 1600 Amphitheatre Parkway Mountain View, CA USA. Security measures: data protection agreement with standard clauses via Google Workspace (formerly, GSuite). https://privacy.google.com/businesses/processorterms/ Twitter Inc LinkedIn Facebook.com
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

2. Basic profiling by the data controller for publicity purposes

Labelling of users according to their website activity at the centres and through creative publicity in order to show them adverts and promotional content in line with their preferences.

Controller	Independent controllers: ESIC and FESIC.
Legal Grounds	The data subject has given consent to the processing of his or her personal data for one or more specific purposes; Including ESIC Play. In order to obtain consent, data subjects must be individually informed about any sale and purchase contract, general conditions or service contract and it shall be obtained in the same way.
Purposes of processing	Labelling of users according to their website activity at the centres and through creative publicity in order to show them adverts and promotional content in line with their preferences.
Collective	Lead (people on the way to becoming customers) Users Any other person
Data categories	Location Professional interests Studies taken and résumé, Age
Addressee category	No data transfers are planned. Data Processor: ESIC provides the service to FESIC.
International Transfer	No international transfers are planned
Erasure period	Until the data subject requests cancellation or erasure of his/her data.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

3. Commercial activity and sending advertising and promotion communication

Sending personalised messages with advertising and promotional content.

Controller	Independent controllers: ESIC and FESIC.
Legal Grounds	The data subject gave consent to the processing of his/her personal data for one or several of the specified purposes (Article 6.1.a of GDPR); Article 21.1 of Law 34/2002 of 11th July on the Information Society and E-Commerce. Law 3/1991, of 10th January, on Antitrust. Law 34/1988, of 11th November, on General Publicity. For persons who have entered into contracts with the Controller: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6.1.f of GDPR).
Purposes of processing	Sending advertising or promotional communication via electronic channels, post or by telephone.
Collective	Customers and persons interested in the activities and information about activities, products and services provided by the Controller or the contents that it creates, publishes or drives: Leads Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students
Data categories	Name and Surname E-mail Mobile number
Addressee category	No personal data transfers are planned. Data processor: Marketing cloud Salesforce Sales agents: When the commercial purposes advise for such because of the location of the data subject and the opportunities that the Controller can offer the data subject in his/her area, data may be transferred to sales agents in Latin America with whom the Controller has established and maintains appropriate security measures for the risk level in regard to the personal data through data processing contracts in regard to which audits and periodical inspections are conducted. Related audience platforms (Facebook Audience Insights; LinkedIn Lookalike Audience for Ad Targeting; and Google Custom Affinity Audiences) which the Controller permits access to data with the sole purpose of displaying segmented adverts to other related users.
International Transfer	International transfers to data processors are planned.
Erasure period	Sending communications to customers: the data will be kept for this purpose while there is reasonable expectation by the recipient of the messages to continue receiving advertising or promotional communication. Sending communication after requests or specific authorisation: the data will be kept for this purpose until the user withdraws consent.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

4. Teaching or sectoral assessment questionnaires and market surveys

The Controller carries out surveys and consultations to prepare reports about different scopes and subjects; to know the performance of teaching staff and the programmes; and to find out about student satisfaction and other persons who take part in the Controller's activities and programmes. For this purpose, it is sometimes necessary to know the details about the person who replies to the questionnaire so that they can be linked to the information, without prejudice to make this information anonymous in most cases through technical procedures to aggregate data.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Data compilation and management: In the case of teacher assessments by students, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6.1.b of the GDPR). In all other cases, data subjects gave their consent for the processing of their personal details for one or several of the specific purposes (Article 6.1.a of GDPR). Anonymisation data processing in regard to participants in the Controller’s activities: The data subject has given consent to the processing of his or her personal data for one or more specific purposes; Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the fundamental rights and freedoms do not prevail (Article 6.1.f of GDPR). In particular, interest is based on obtaining statistical data about the progress of the company and its activities in relation to which people post comments in different media.
Purposes of processing	Data compilation and management for: Queries and studies by the Controller on different scopes and subjects. To know the performance of teaching staff and the Controller's programmes. For example, by means of questionnaires, students anonymously qualify professors, and can even add constructive criticism about their lectures. To know student satisfaction and the satisfaction of people who participate in the Controller's programmes and activities. To boost positioning of ESIC’S programmes in different rankings.
Collective	Faculty that teaches in the different subjects provided by the Person in Charge Administration and Services Staff (PAS) Students Former students Other persons
Data categories	Identification data: identity card number, name and surname, e-mail address. Academic data: degree, registration number (students) and faculty. Comments and opinions on the contents of the surveys.
Addressee category	National Agency for Quality Assessment. The Quality Assurance Agency of the University System of Madrid (as provided for by the Organic Law 6/2001, of December 21, 2001, on Universities). Survey management companies Web publication of personal data and PDI CVs in accordance with the applicable legislation. No other personal data transfers are foreseen.
Data Processors	Survey management companies
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. Assessments about teaching staff will be attached to their employee file.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. Despite it not being necessary, an DPIA has been prepared. The anonymisation processes will be documented before they begin in order to guarantee irreversibility.

5. Gestión de la relación contractual para comercio físico y electrónico (entre otros, libros, mochilas, cursos, grados y posgrados)

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). More specifically, regarding the retail sale and purchase of products or services.
Purposes of processing	For the sale of products and services, both via the on-line store and in-person processes, data will be compiled for the following purposes: To receive and manage products and services purchase requests. To withhold products and services in the on-line shopping cart and, where applicable, to send reminders. To issue full or simplified invoices. To collect payment of the price of the products and services that the Controller sells. To provide the relevant after sales service.
Collective	Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students Collaborators Any persons
Data categories	Identification details: name and surname, ID No., e-mail address, postal address, telephone number.
Addressee category	Banks. Tax Administration.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	The data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing, in accordance with Law 58/2003 of 17th December on General Taxation, in addition to the periods of time established in regulations on archives and documentation. 5 years in view of the Civil Code (Article 1964) for personal actions without special periods, and when processed, 10 years in view of the Law on the Prevention of Money Laundering and the Financing of Terrorism (Article 25).
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

6. Promotions: contests and draws

The Controller promotes its activities (teaching staff, research and others) through draws, raffles and other games of random combinations for publicity or promotional purposes, and also through other actions such as direct gifts and contests with a panel of judges.

As described in the rules, the processing related to these activities involves taking and using photographs and videos, and sending advertising and promotional communications.

Controller	Separate controllers: ESIC and FESIC
Legal Grounds	The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Purposes of processing	Assessment of participants to accredit that they meet the requirements established in the rules. Winner selection Prize giving
Collective	Participants in promotions, contests and draws
Data categories	Name and Surname ID No.: Postal address E-mail Telephone number Content shared to take part in the promotional activity
Addressee category	Tax Administration Banks
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. Other related processing activities (access to data to obtain further information): Photographs and videos: in cases when this has been established, some personal details of the winners may be published, including their name and surname, city/town, relation with the Controller, shared content and their image (photograph or video). • Sending commercial communications: in cases when this is established, to take part in the promotional activity the data subject must receive the advertising or promotional communications from the Controller. Consent for this processing will be obtained separately from the promotional activity consent.

7. Photograph, video and voice recording for teaching purposes to improve the personal or commercial brand image

Taking photographs and recording image and/or voice for (1) teaching activities and creation of student files or worker files; (2) publication thereof in promotional books, class photographs and virtual classroom; and (3) for advertising or promotion by the Controller.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	In the case of Teaching and Research Staff (PDI) and Administration and Services Staff (PAS) in regard to the management of their cards, accreditations and other specific cases, and for the case of speakers at events and conferences, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of the General Data Protection Regulation). In the case of recordings and broadcasting of speakers at specific events, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6.1.f of the General Data Protection Regulation). Enabling the camera during on-line classes can be considered lawful processing in general terms, given the obligation of educational centres to ensure and guarantee their educational functions in regard to the students and in fulfilment of public interests (ex. Article 6.1.e) GDPR) and the provisions established by the health and education authorities within the context of the pandemic, without consent by data subjects being necessary. In any event, the principle of proportionality must be taken into account. The above is all in accordance with the Ruling CNS 11/2021 of the Catalonian Data Protection Authority. Specific consent, both for capture and other purposes, as established in: The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article l6.1.a of the General Data Protection Regulation) Organic Law 1/1982 of 5th May on Civil Protection of the Right to Honour, Personal and Family Privacy and Image, especially Articles 2, 7 and 8. Organic Law 3/2018 of 5th December pursuant to Protection of Personal Data and Guarantees of Digital Rights.
Purposes of processing	Taking photographs and recording images and voice for: Teaching activities and creating students’ or workers files. Publication in the Virtual Classroom. Publication in promotional books, class photographs and Virtual Classroom. Controller's advertising and promotional purposes. Publication in the Controller's pages and website and transferred to the media.
Collective	Teaching and Research Staff (PDI), employees and external Administration and Services Staff (PAS) Students Former students Participants in contests and draws organised by the Controller. Other persons
Data categories	Picture Voice Name and surname Postal address E-mail Telephone Relation with the Controller Specific reason for accepted processing
Addressee category	The data will be published on the Controller’s website pages and transferred to the media when consent has been granted by the data subject for this processing, or where applicable, whenever necessary to perform a contract to which the data subject is party or to fulfil the Controller’s aforementioned legitimate interests. No other personal data transfers are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data compiled for teaching activities or through a contract will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. In all other cases processing of personal data shall continue until data subjects withdraw their consent. If data has been published on third party websites or in the press, outside the control of the Controller, it may be impossible to exercise the data subject right to effective erasure of the data.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

8. Extracurricular experience and sport

Extracurricular activities such as visits to museums and third party companies or registration in amateur races (ESIC Companies Virtual Race). The activities may be restricted to specific groups.

Controller	Separate controllers: ESIC and FESIC
Legal Grounds	The Controller will process the data in accordance with the following legitimate grounds: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). For any data transfers that are not necessary for performing the contract: The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Purposes of processing	Controlling attendance at activities. Transfer of the data to the collaborating controller and third parties when necessary for performing the contract. Transfer of data to other controllers under authorisation by data subjects.
Collective	Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students Interested parties Contact person (when legally required): father, mother or legal guardians.
Data categories	Main identification details: Name and surname, user name, other data: ID or other identity document, postal or electronic address, signature, telephone number and activity sector.
Addressee category	Collaborating companies, depending on activity. Data processor: • AvaiBook on-line S.L. (B99279622) - avaibooksports.com: manager of registrations in sporting events.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. Prior consent by registered persons, data may be kept for future actions.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

9. Management of Special Needs Students

This processing is additional and complementary to student management, and the rest applicable to students. The objective is to ensure a learning environment based on equal opportunities and equity, one that is closer and better adapted to all needs.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR).
Purposes of processing	To guarantee equal conditions in learning activities dealing with special educational needs. Specialised file management. Suitable advice on students’ needs. Monitoring of the correct progress of students, encouraging such through specific activities to boost their capabilities.
Collective	Alumnos Students, contact person (when legally required): father, mother or legal guardians.
Data categories	Identification details Given name and surname ID Card No. / Passport / Social Security No. / Health Card Address (Postal or e-mail) Telephone number (land line or mobile) Other details: marital status, age, family details, sex, date of birth, nationality, place of birth, mother tongue. Data related to social circumstances: accommodation, home, properties, possessions, hobbies and lifestyle, membership in clubs, associations, licences, permits, authorisations. Academic and professional details: Education, Qualifications, Student's Case File, Professional Experience, Membership in Professional Societies or Associations. Special category data: Health in relation to functional diversity or special needs.
Addressee category	No personal data transfers are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	The data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	A DPIA is required.

10. Grant management

Study, assessment and management of grants and benefits offered and awarded to ESIC students.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Article 6.1.e of GDPR).
Purposes of processing	Study, assessment and management of grants and benefits for studies arranged by ESIC or other entities that have been offered and awarded to ESIC students.
Collective	Students Contact person (when legally required): father, mother or legal guardians.
Data categories	Identification details Name and surname, ID Card / Passport / Social Security No. / Health Card, Address (postal or e-mail), telephone number (land line or mobile). Personal details: marital status, age, family details, sex, date of birth, nationality, place of birth, mother tongue. Data related to social circumstances: accommodation, home, properties, possessions, hobbies and lifestyle, membership in clubs, associations, licences, permits, authorisations. Academic and professional details: Education, Qualifications, Student's Case File, Professional Experience, Membership in Professional Societies or Associations. Economic details of the student and the family unit (Income Tax), financial data and insurance data, income, earnings, credit, loans, guarantees, bank details, tax deductions data, subsidies, allowances, etc. Data on asset and services transactions.
Addressee category	State Administration, Autonomous Community Administration, Tax Administration, Banks. Data will be transferred to third parties explicitly indicated in the first layer notice, according to the purpose required in each case.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

11. Academic management of students - Student’s profile

Management of students’ profiles to monitor their attendance at different teaching activities and through tests, the quality of their learning.

This processing is carried out on all types of students: degree, postgraduate, with and without special needs, languages and therefore if only a student or a teacher as well (professor or associate professor) or worker of any category, whether employee or external.

This processing activity is linked to some of the Controller's other activities, such as analytics, commercial activity, extracurricular activities, etc.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	• GDPR: 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Purposes of processing	To interview students to assess their profile, and where applicable to suggest or grant access to specific training programmes. Management of students’ profiles to monitor their attendance at different teaching activities and through tests, the quality of their learning. Academic and administrative follow-up on students in their different stages related to the Controller’s activities. Organisation of electoral processes for student representatives.
Collective	Students Contact person: father, mother or legal guardians.
Data categories	Name and surname, ID Card No., address, telephone number, picture, signature. Employment details: company or organisation and position. Contact person (when legally required): father, mother or legal guardians.
Addressee category	No data transfers are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required.

12. Library management

Management and control of access to the library and lending library journals and books.

Controller	ESIC
Legal Grounds	For access to the library and lending of books, processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). For functional analysis of the use of the library, processing is necessary to meet this legitimate interest pursued by the data controller (Article 6.1.f of GDPR).
Purposes of processing	Management and control of access to the Controller's library and lending library journals and books. Functional analysis of the use of the library by each of the users in order to know if the facilities and related resources are used or not, and where applicable which ones should be maintained and which should be improved or changed. The Controller may withdraw permission to access the library for any persons who request it or do not use it within the established period under the conditions of use, providing that there is no contractual link with ESIC or FESIC.
Collective	Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students Workers Collaborators Other persons who are granted access to the library or to its services, according to the conditions of use of the library.
Data categories	Name and Surname Postal address E-mail Signature Telephone Academic and professional details
Addressee category	Pozuelo de Alarcón Town Hall, Madrid
International Transfer	There will be no international data transfers
Erasure period	The data of users of this service shall be kept in the system indefinitely unless the data subject requests erasure. Lending data will be cancelled once books are returned.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

13. Advice and coaching - Unidad de Desarrollo Profesional (UDP) (Professional Development Centre - PDC)

One of the services provided by the Professional Development Department (PDD) for former students is “advice and coaching”.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). This service is offered under a contract of training services which students formalise with ESIC or FESIC.
Purposes of processing	Mentoring and advisory services for students and former students to further their professional development.
Collective	Students, Former students
Data categories	Name and Surname ID No.: Postal address E-mail Telephone Picture (photograph and video) Signature Details of previous and current employment: company or organisation and positions. Academic transcript Details of expectations and social and economic interests
Addressee category	External professionals Mentors and coaches
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

14. Advice for entrepreneurs - On-line Entrepreneurialism Speed-up Bootcamp

Entrepreneurialism Speed-up Bootcamp is an advisory programme to give a boost to projects by entrepreneurs.

Controller	ESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). This service is provided under an agreement that is formalised to take part in the On-line Entrepreneurialism Speed-up Bootcamp.
Purposes of processing	Mentoring and advisory services for students and former students to further their professional development. Mentoring, advice and professional boost for entrepreneurs.
Collective	Entrepreneurs
Data categories	Name and Surname ID No.: Postal address E-mail Telephone Picture (photograph and video) Signature Details of previous and current employment: company or organisation and positions. Academic transcript Details of expectations and social and economic interests
Addressee category	Mentors and coaches Companies interested in the profiles and projects of the data subjects.
International Transfer	Companies who interested in finding out about or investing in the projects may be in third party countries.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

15. Job portal for candidates - Unidad de Desarrollo Profesional (UDP) - (Professional Development Centre - PDC)

The job portal (for candidates) is one of the services offered by the Professional Development Department (PDD).

Controller	Separate controllers: ESIC and FESIC
Legal Grounds	Creating and maintaining candidate profiles: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Verification by the Controller about the truthfulness of the academic data related to the studies the data subject claims to have taken at ESIC or FESIC. Processing is necessary to meet the legitimate interests pursued by the Data Controller or by a third party. Communicating data to registered companies, data subjects give their consent for the processing of their personal details for one or several of the specific purposes (Article 6.1.a of GDPR).
Purposes of processing	Management of candidate profiles. Verifying the truthfulness of academic data related to studies at ESIC and FESIC. Communication of personal data to registered companies.
Collective	Students, Former students
Data categories	Name and Surname ID No.: Postal address E-mail Telephone Picture (photograph or ) Signature Details of previous and current employment: company or organisation and positions. Academic transcript Details of expectations and social and economic interests
Addressee category	Publication in portal with access by interested companies. Data Processor: DOUBLE-DOT. In charge of managing the portal.
International Transfer	Data may be viewed by companies registered in the portal, who may be located in third party countries.
Erasure period	Data will be kept until data subjects request cancellation or erasure of his/her data, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

16. Job portal for companies - Unidad de Desarrollo Profesional (UDP) (Professional Development Department - PDD)

The job portal (for companies) is one of the services offered by the Professional Development Department (PDD).

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Obtaining initial data Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Updating of the registered companies’ data: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the interests and fundamental rights and freedoms shall not prevail (Article 6.1.f of GDPR and Article 19 of Organic law 3/2018 of 5th December, on Personal Data Protection and Guarantee of Digital Rights).
Purposes of processing	Updating of the contact details of the managers at the registered companies.
Collective	Company managers and contact persons.
Data categories	Name and Surname ID No.: Postal address E-mail Telephone Professional details (company and position)
Addressee category	No data transfers to third parties are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

17. University Ombudsman

To ensure respect for the rights and freedoms of professors, students, administration and services staff in view of different actions by university bodies and services, FESIC has established the structural figure of the University Ombudsman as provided for in the fourteenth additional provision of Organic Law 6/2001, of 21st December on Universities ( https://www.boe.es/eli/es/lo/2001/12/21/6/con ). The Ombudsman’s actions shall always focus on improving university quality in all fields that, not being subject to imperative mandate of any university body and governed by the principles of independence and autonomy.

Controller	FESIC
Legal Grounds	Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Article 6.1.e of GDPR).
Purposes of processing	Attention and processing of complaints, queries and claims in order to ensure the respect for the rights and freedoms of professors, students, administration and services staff.
Collective	Students Former students Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Collaborators Other interested parties
Data categories	Name and Surname ID No.: Postal address E-mail Telephone Signature Personal, family and working circumstances Academic details Professional details: previous and current jobs and positions. Special category data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Personal data on sanctions in regard to public functions. Information on any relevant subject.
Addressee category	ESIC ESIC, State Security Forces
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled and for 2 years at the most from the date of the resolution, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	Is additional information required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required.

18. Management of Former Students

Belonging to the former students group and enjoying different activities that are proposed, from debate forums to country retreats.

Controller	Joint controllers ESIC and FESIC.
Legal Grounds	Formalising adhesion: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Requesting transfer of data (from ESIC or FESIC to ESIC + FESIC): The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Purposes of processing	To manage registrations on the list of Former Students. Checking the data to accredit links to ESIC or FESIC. To manage matters related to experience by the members of the Group of Former Students. To send own information to the group of Former Students. To send information about other activities: training, extracurricular experience, sport...
Collective	Former ESIC and FESIC students
Data categories	Name and Surname Postal Address E-mail Telephone number Information about their link to ESIC or FESIC
Addressee category	No personal data transfers are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Until data subjects request cancellation or erasure of his/her data, after which the data will be blocked as described previously.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

19. Financial Management Payment and Repayment

The Controller manages payments, payment collection, repayments and refunds, where applicable, and also financial management of grants.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	GDPR: Article 6.1.b) Processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; GDPR: Article 6.1.c). Processing necessary for compliance with the legal obligation applicable to the data controller. GDPR: Article 6.1.e). Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Law 9/2017 of 8th November, on Public Sector Contracts. Law 47/2003, of 26th November, on General Budgets. Law 58/2003, of 17th December, on General Taxation. Law 38/2003, of 17th November, on General Subsidies. Law 35/2006 of 28th November, on Income Tax and Partial Amendment of the Corporation Tax Laws, Income by Non-Residents and Equity. Law 37/1992 of 28th December, on Value Added Tax.
Purposes of processing	Necessary management of personal details to manage payments, payment collection, repayments and refunds, where applicable, and also financial management of grants. Recording and checking VAT, Income Tax, Registration in Tax Agency and Social Security, bank certificates, etc.
Collective	Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students Other persons with whom the Controller holds debts or credit. Subscribers to ESIC Play
Data categories	Name, surname, telephone number, postal and e-mail addresses, ID Card, electronic signature. Economic, financial and insurance details. Bank and business details. Certificates issued by the Public Administration for data subjects.
Addressee category	Banks, State Tax Agency. Upon prior request and express acceptance by the interested party, their personal contact data and data related to the registration they have requested will be communicated to SABADELL CONSUMER FINANCE, S.A.U, with registered office at Pl. Cataluña, 1, 08201 Sabadell, for the purpose of this entity analyzing and evaluating their financing application, in accordance with the information on this data processing activity detailed at www.sabadellconsumer.com, under “Information for customers” “Annex detailed information on personal data protection”. For the same purpose, personal data could be transferred to other recipients different from the aforementioned, provided that the interested party is previously aware of the identity of the assignee and expressly accepts this communication.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	The data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. Depending on each case, the following periods shall apply: 4 years in accordance with the Law on Breaches and Sanctions of Public Order for obligations in regard to social security registration / cancellation, contributions, payment of salaries (Article 66); and in view of the General Taxation Law for Accounting Books. 5 years in view of the Civil Code (Article 1964) for personal actions with no special period. 6 years in view of the Code of Commerce (Article 30) for Accounting Books, Invoices, etc. 10 years in view of the Law on the Prevention of Money Laundering and the Financing of Terrorism (Article 25).
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

20. Legal Management Internal Advice and Appearances

Defence and representation of ESIC in any administrative procedures and resolution of conflicts.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	The data subject has given consent to the processing of his or her personal data for one or more specific purposes; Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR).
Purposes of processing	Registration and management for the Controller in regard to legal matters, and internal provisions, legal services or consultancy in its different modalities.
Collective	Persons who are directly or indirectly party to procedures or other legal matters.
Data categories	Name and surname, ID Card or identity document, postal address, e-mail, signature, position in the represented company and information about the company, telephone number, personal circumstances, business circumstances, commercial information, economic, financial data and insurance data, and information on asset and services transactions. Other data: Any other data that may be included in the query or that require processing in view of the provided service, which may include special category data and information on criminal sentences.
Addressee category	ESIC or FESIC, depending on each case. Security Forces, State Tax Agency, Social Security, Public Prosecution Ministry, Judges and Courts.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

21. E-mail service

The Controller offers an e-mail hosting service for PDI, PAS and former students.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR).
Purposes of processing	Managing registration in the service
Collective	Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students
Data categories	Name and surname, postal address, e-mail, telephone number, personal file regarding relations with the Controller.
Addressee category	Microsoft Google (Blogger) Automattic (WordPress)
International Transfer	International data transfers are planned to data processors (state at least those that could make international transfers and the country) or addressees of transfers that are stated.
Erasure period	E-mail: Providing that students do not withdraw their consent for use of the service. While relations with the provider persist. Blogs: Until the end of the qualification that the student is taking.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required.

22. Covering job vacancies at ESIC

Covering job vacancies and personnel selection, both internal and external staff.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Checking the background of the data subject is based on fulfilment of a legal obligation applicable to the data controller (Article 6.1.c of the General Data Protection Regulation). Proactive searches for candidates and details about them in third party databases are based on the grounds of legitimate interest to identify candidates to cover positions, or to find out more if their profile fits the vacancy (Article 6.1.f of the General Data Protection Regulation). Workers’ Statute, Royal Legislative Decree 1/2013 of 29th November, approving the Amended Text of the General Law on the Rights of Disabled Persons and Social Inclusion. Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education.
Purposes of processing	Analysis and verification of the professional backgrounds of candidates. Analysis of the candidate’s personality when this is a determining factor for the envisaged job (e.g. teaching). The Controller will analyse documents submitted by candidates, all content directly accessible through search engines (Bing, Yandex, Google, Baidu, DuckDuckGo, etc.), professional social media profiles (LinkedIn, Xing, Viadeo, etc.), data obtained in access tests and the information disclosed at job interviews, in order to assess the candidate and make a job offer, where applicable. This analysis may be carried out to identify and assess candidates required for certain vacancies or assignments.
Collective	Participants in selection processes. Professionals with public profiles.
Data categories	Identification details Name and surname, ID Card No. or other identity document, social security number, address, signature and telephone number. Personal data: Gender, nationality, age, date and place of birth. Academic and professional details: Qualifications, training and work experience. Special data categories: disabilities
Addressee category	Companies where they have been employed in order to check data and verify truthfulness.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. The Controller may keep the unsuccessful candidates’ CVs for a maximum of two years for any future recruitment processes, unless the candidate states otherwise or wishes the CV to be kept for longer or until consent is withdrawn.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

23. Labour contracts. Human Resources Department (HR) - Employees

Processing activity related to the management of labour contracts for teaching, administration and services staff, including the management of their training and other activities inherent to labour relations.

Controller	Independent controllers: ESIC and FESIC, Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education.
Legal Grounds	The management of labour or business relations is based on the following grounds of legitimation: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Workers’ Statute. Royal Legislative Decree 1/2013 of 29th November, approving the Amended Text of the General Law on the Rights of Disabled Persons and Social Inclusion. Related processing, either through the custody of data for issuing certificates, transfer of data to the Public Administration or other purposes described in the section on processing purposes, are based on the legitimate grounds of necessary processing for fulfilment of the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education.
Purposes of processing	Labour relations with contracted staff: Management of personnel files. Timetable control. Control of incompatibilities. Driving the training of contracted personnel and monitoring their development. Management of pension plans via a third party. Driving social action. Prevention of occupational hazards. Disciplinary Regime. Management of actions to raise awareness and fight against sexual and gender harassment in any of its forms. Analysis of productivity and performance through assessment questionnaires by students in the case of teaching staff. Management of trade union activity. Encouraging activity on forums, at conferences and round tables. Issue of payslips and payment of salaries, and all products stemming from such.
Collective	Teaching and Research Staff (PDI), Administration and Services Staff (PAS)
Data categories	E-mail Address ID Card No. Name and surname Telephone No. Academics and Professionals Social Security / Mutual No. Criminal Record Certificate Personal Characteristics Personal details: disability Bank details for payment of fees Family details (contact details of friends or families in case of emergency) Details about their professional development working for the Controller: training, courses delivered, assessments by students, national and international teaching experience, conferences, publications, etc.
Addressee category	Transferees: Competent Public Administration Tax Agency Social Security Banks Companies performing surveys for training in studies or rankings Insurance companies FUNDAE (State Occupational Training Foundation) Other universities or educational organisations Controller’s territorial partners. From ESIC to FESIC and vice versa, depending on each case. Data processors: ASTER ASESORÍA Y CONSULTORÍA, SL (B82508847) - https://www.asterasesoria.es/ ESIC or FESIC, depending on each case.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing. At the end of the contract, depending on the type of personnel, the periods are as follows: 4 years in accordance with the Law on Breaches and Sanctions of Public Order for obligations in regard to social security registration / cancellation, contributions, payment of salaries (Article 66); and in view of the General Taxation Law for Accounting Books. 5 years in view of the Civil Code (Article 1964) for personal actions with no special period. 6 years in view of the Code of Commerce (Article 30) for Accounting Books, Invoices. A record of the teaching staff will be kept for issue of the relevant certificates, unless there is objection to this processing, and possible liabilities that could stem from the undertaking of their functions as contracted staff.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

24. Human Resources Department (HR) - Collaborators, external teaching staff and associate professors

The Controller contracts professional collaborators for different tasks, and external teaching staff and associate professors to deliver master classes, talks at conferences or for general teaching of courses, master’s programmes or other training programmes.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Organic Law 6/2001, of 21st December on Universities. Organic Law 2/2006, of 3rd May on Education.
Purposes of processing	Business relations with contracted external teaching staff and associate professors: Management of files. Timetable control. Control of incompatibilities. Prevention of occupational hazards. Disciplinary Regime. Management of actions to raise awareness and fight against sexual and gender harassment in any of its forms. Record of training received and delivered and management of their activities at forums, conferences and round tables, in order to keep track of their professional development and their compatibilities. Analysis of productivity and performance through assessment questionnaires by students in the case of teaching staff. Payment of invoices issued by external personnel, and all products stemming from such.
Collective	External teaching staff and contracted associate professors
Data categories	E-mail Address Signature (manual, digitalised or electronic) Image / Voice ID No.: Name and surname Social Security / Mutual No. Telephone No. Academics and Professionals Personal Characteristics Employment details Bank account number for processing payments Applicable Civil Liability Insurance. Data on the status of payment to the Tax Agency and Social Security. Criminal Record Certificate
Addressee category	Transferees: Tax Agency Social Security organisations Banks Data processors: ASTER ASESORÍA Y CONSULTORÍA, SL (B82508847) - https://www.asterasesoria.es/ ESIC or FESIC, depending on each case.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

25. PDI, PAS and student Directory - Virtual Classroom and On-line Teaching Staff Meetings

Under registration, only students and professors may access information charts with professional contact details of the people who on the programme they are registered in, or in which they deliver classes or carry out teaching management or coordination actions.

Without registering, through the Controller's website, anybody may access professional information about the teaching staff meetings for each programme.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR).
Purposes of processing	Publication of identification and professional details: Virtual Classroom: The Virtual Classroom, of restricted access, will display a chart with the professional identification details and contact details of the teaching staff and management of the relevant programme, and the students. Controller’s website and pages: In conjunction with the information published about the Controller's training programmes, the professional identification details of the persons comprising the teaching staff meetings will be included.
Collective	Teaching and Research Staff (PDI), both internal and external, Administration and Services Staff (PAS)
Data categories	Name and surname, Image, Professional details: Company and position, E-mail and Social profiles
Addressee category	The data will be accessible via the Internet of Virtual Classroom. No data transfers to third parties are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

26. Editorial - Editorial, administrative and financial management of authors and collaborators

Management of the ESIC Editorial in regard to the authors and collaborators and exploitation of their work.

Controller	ESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR).
Purposes of processing	Management of work and publication assessments regarding editorial projects offered to ESIC as authors, management, invoicing and publishing thereof.
Collective	Authors, Interested parties
Data categories	Identification details Name and surname ID No.: Postal Address E-mail Employment details Picture Data required for processing payments
Addressee category	Tax Agency, Banks
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

27. Suppliers and trade and business partners

The Controller contracts professionals, suppliers and trade and business partners for different actions. To do so, the Controller needs to contact the professionals or individuals who represent those companies who sell their products or provide their services.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the fundamental rights and freedoms of ................ do not prevail (Article 6.1.f of GDPR).
Purposes of processing	Registration and management of supplier and business and trade partners contact details.
Collective	Service suppliers or vendors, and if these are businesses, the contact details of physical individuals.
Data categories	Identification details: Name and surname, ID Card No., address, telephone number, picture and signature. Employment details: company or organisation and position. Financial / Economic Information: Bank details.
Addressee category	Banks, State Tax Agency
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

28. Registration of inbound and outbound documents

Management of the inbound and outbound documents register.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6.1.b of GDPR). Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Organic Law 6/2001, of 21st December on Universities.
Purposes of processing	Management of the inbound and outbound documents register. Verification of identity and details of data subjects.
Collective	Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Students Former students Individuals and company representatives who can be addressed or from communication can be received.
Data categories	Identification details Name and surname, ID Card No., address, telephone number, type of relationship with the Controller and signature. Data related to the received or delivered document.
Addressee category	No personal data transfers are planned.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for the period of time necessary to fulfil the purpose for which it is compiled, for the legally established period, and to determine any possible liabilities that could stem from the said purpose and data processing.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. A DPIA is required.

29. Attending to the rights of persons

Attending to applications for the exercising of the rights established in the GDPR.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR). Specifically, to receive, manage and reply to applications for the exercising of data subject rights (Chapter III of the GDPR).
Purposes of processing	To receive, manage and reply to applications for the exercising of data subject rights (Chapter III of the GDPR).
Collective	Any persons
Data categories	Identification details Name and surname, ID Card No., address, telephone number, type of relationship with the Controller and signature. Data on applications for exercising the relevant rights.
Addressee category	From ESIC to FESIC and vice versa.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Data will be kept for as long as necessary to resolve any claims.
Additional data	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

30. In-person, telephone or e-mail queries

Recording and managing queries submitted to ESIC about its activities.

Controller	Personal data collection: Joint controllers ESIC and FESIC. Attention and management of complaints and suggestions. Independent controllers at ESIC and FESIC.
Legal Grounds	The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Purposes of processing	Recording and managing queries about the Controller's activities.
Collective	Any persons
Data categories	Identification details: Name Surname E-mail Telephone No. Data that may be included in the query.
Addressee category	From FESIC to ESIC and vice versa, depending on each case.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	The data will be kept for the time necessary to process and reply to the query.
Additional data	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

31. Complaints and suggestions - Quality Department

Controller	Personal data collection: Joint controllers ESIC and FESIC. Attention and management of complaints and suggestions. Independent controllers at ESIC and FESIC.
Legal Grounds	Processing is necessary for compliance with the legal obligation applicable to the data controller (Article 6.1.c of GDPR)., Organic Law 6/2001, of 21st December on Universities, Royal Decree 1791/2010 of 30th December approving the University Students’ Statutes.
Purposes of processing	To know the opinion of users and improve the quality of the services provided by ESIC and FESIC. In the case of FESIC, processing includes the management of complaints or suggestions by the University Ombudsman.
Collective	Students, Other persons
Data categories	Identification, academic, professional or other data the data subject wishes to import.
Addressee category	From the joint controller ESIC-FESIC to ESIC or to FESIC, depending on each case.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	The data will be kept for the period of time necessary to deal with the complaint or suggestion, ensuring this is carried out within the maximum period of 3 months.
Additional data	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

32. Physical security on the facilities. Access registration and control

To guarantee the security and safety of persons, assets and facilities in physical and electronic spaces.

Controller	Joint controllers: ESIC and FESIC
Legal Grounds	Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (Article 6.1.e of GDPR). Processing necessary for reasons of essential public interest as determined by Law. Article 9.2.g) GDPR.
Purposes of processing	The purpose of processing is physical security, register and control of access to guarantee the security of persons, assets and facilities in physical and virtual spaces.
Collective	All individuals who access the Controller's facilities or activities: Students Former students Teaching and Research Staff (PDI) Administration and Services Staff (PAS) Accompanying persons Guests Persons occupying High Posts Speakers Suppliers
Data categories	Identification details: Name and Surname ID No.: Postal address Telephone No. Professional data: company and position Reason for visit
Addressee category	State Security Forces From the joint controller ESIC-FESIC to ESIC or to FESIC, depending on each case.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Thirty days at the most, computed from the collection date.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

33. Logical security

The Controller analyses the behaviour of users when browsing its website and the different social media profiles in order to prevent and block logical attacks.

Controller	Joint controllers ESIC and FESIC.
Legal Grounds	Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the fundamental rights and freedoms of ................ do not prevail (Article 6.1.f of GDPR). In particular, these legitimate interests consist of avoiding unauthorised access to or destruction or alteration of data and systems, and also to block access to such or to prevent third parties from carrying out any unauthorised processing.
Purposes of processing	To analyse: the behaviour of users when browsing its website and the different social media profiles in order to prevent and block logical attacks. • the content and attachments, both of content hosting services and e-mail. In both cases, part of the processing is carried out directly by the Controller or through outsourcing. Nevertheless, most of the processing is carried out by third parties whose services have been contracted and who carry out processing for this purpose, but according to their own criteria regarding the purposes and resources.
Collective	Users who access the websites and social media profiles managed by the Controller, by ESIC or by FESIC.
Data categories	IP Addresses User's browser agent chain.
Addressee category	From the joint controller ESIC-FESIC to ESIC or to FESIC, depending on each case.
International Transfer	International data transfers are planned to data processors (state at least those that could make international transfers and the country) or addressees of transfers that are stated: Google LLC (United States of America).
Erasure period	reCaptcha, by Google LLC: approximately 26 months (privacy policy).
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD. Comments: Implementation of reCaptcha requires a specific warning for users about this processing on the website. The reCaptcha website states exactly what must be included in the warning.

34. Video-surveillance

Video-surveillance of the perimeter and accesses to the facilities or rooms in order to guarantee the security of persons, assets and facilities inside the buildings.

Controller	Independent controllers: ESIC and FESIC
Legal Grounds	Processing necessary for the performance of a task carried out in the public interest or in the exercise of public powers. Article 6.1.e) GDPR. Processing necessary for reasons of essential public interest as determined by Law. Article 9.2.g) GDPR. Organic Law 6/2001, of 21st December on Universities. Law 5/2014, of 4th April, on Private Security.
Purposes of processing	To guarantee the security of persons, assets and facilities.
Collective	Physical persons who enter ESIC.
Data categories	Images
Addressee category	State Security Forces, Public Prosecutor Judicial Bodies.
International Transfer	No international transfers of personal data are foreseen.
Erasure period	Before 30 days after recording.
Additional information	No additional information is required for this type of processing because of the processed data and since the Controller performs it, in accordance with Article 35 of the GDPR, and Article 28 of LOPD.

35. Infringement Communication Channel

Implementation of and access to a Whistleblower Channel for reporting alleged infractions, in accordance with applicable regulations.

Manager	Independent managers: ESIC and FESIC
Legal basis	Processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party (art. 6.1.f) GDPR) and, where applicable, for compliance with a legal obligation applicable to the controller (art. 6.1.c) GDPR)
Purposes of data processing	Management of a whistleblower channel, in accordance with the provisions of the Internal Policy and Manuals on Regulatory Compliance and Criminal Risk Avoidance for ESIC and FESIC.
Group	Students, Employees, Collaborators, People affected in Suppliers/Customers and Managers of the entities.
Data categories	Identification data: ID card number, name and surname, postal address, e-mail and telephone number (in case of anonymous complaint, this data may be collected during the internal investigation). Academic and professional data: center and group of studies or work, if relevant.Other data: the content of the complaint and any other data that may be collected during the investigation.
Target Category	Spanish Data Protection Agency in inspection processes in application of Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights. State Security Forces and Corps, with prior judicial authorization and in the exercise of their judicial police functions. Judges and courts in the terms defined by the procedural legislation. In these cases, ESIC/FESIC before making the data available to third parties ensures that these authorities request and access the data in accordance with the Laws.
Data Processing	Not foreseen.
International Transf.	Internationally transferring data is not foreseen.
Deadline for deletion	The data will be kept for the time necessary to deal with and manage the complaints and to carry out the necessary investigations. It is also kept for the purpose of carrying out or taking the necessary decisions in relation to each complaint, in compliance with the corresponding legal obligations. The information will be kept duly blocked for the additional periods necessary for the prescription of possible legal responsibilities.
Additional information	A risk analysis and, where appropriate, a Data Protection Impact Assessment (DPA) will be carried out periodically to assess the impact and risk of this processing, according to its evolution.

36. Eventos

In the event that ESIC or FESIC organizes events, congresses, seminars and similar activities, it is possible that personal data of different categories of groups may be collected.

Manager	Independent managers: ESIC and FESIC
Legal basis	Processing necessary for the performance of a contract (art. 6.1.b) RGPD): Legal relationship with speakers and communicators. Acceptance of the registration conditions by conference attendees. Consent to processing (art. 6.1.a) RGPD): Where provided for, consent of the attendee to data collection and recordings to be made or other acts that so require. Where appropriate, for the management of grants and subsidies: Law 19/2013, of December 9, on transparency, access to information and good governance and Law 38/2003, of November 17, General Subsidies.
Purposes of data processing	Purposes of data processing Management of events developed, organized or executed by any of the responsible parties. It includes, in any case, the advertising of the event in social networks, communication of content and dates, registration of participants and speakers. Management of grants and subsidies.
Group	Event attendees, organizers and speakers.
Data categories	- Identification data: NIF, name and surname, postal/electronic address and telephone number. - Personal data: date and place of birth, age, sex and nationality. - nationality. - Academic and professional data: education and degrees, academic history, professional experience and languages. - Economic-financial data: bank details.
Target Category	- Publication of events on the website and in the media. - Banking institutions for the making of payments. - Travel agencies or hotels for the management of your accommodation and travel. - To public entities when the event has been the subject of aid or subsidy for verification and control of expenditure.
Data Processing	Entities collaborating or providing services for the events such as registration, hotel management, attendee verification, video recording, catering services, etc.
International Transf.	Internationally transferring data is not foreseen.
Deadline for deletion	The data will be kept for the duration of the event organized. Data subject to disclosure or publication (recordings, press releases, programs, etc.) may be kept indefinitely. Otherwise, the information will be duly blocked for the additional periods necessary for the prescription of possible legal liabilities.
Additional information	Aditional Information No EIPD is required for this processing, because of the data processed and the way it is carried out by the data controller, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD.

37. Relaciones Internacionales

Processing carried out in the case of teachers and/or collaborators of the Entities, as well as students who are going to carry out exchanges or courses abroad or attend courses, seminars and similar in Schools, Universities and Organizations outside Spain.

Manager	Independent managers: ESIC and FESIC
Legal basis	he processing is necessary for the performance of a contract to which the data subject is party or for the implementation at the request of the data subject of pre-contractual measures (art. 6.1.b GDPR). In specific cases, the data subject gave his consent to the processing of his personal data for one or more specific purposes (art. 6.1.a GDPR).
Purposes of data processing	Purposes of data processing Management, administration and control of students and teachers participating in international programs that include courses, stays, seminars and similar in other countries, whether in the EU or other countries, as well as in other international organizations. It also includes administration and control of language courses. u otros diferentes, así como en otros organismos internacionales. Incluye, asimismo, administración y control de cursos de idiomas.
Group	- ESIC/FESIC students and professors who stay or take courses, seminars, etc. scholarships abroad. - Foreign students and professors at ESIC/FESIC. - Students participating in language courses.
Data categories	- Identifying data: name, surname, postal address and email. - Academic and professional data: education, degrees and professional experience. - Detailed employment data: professional category of the PDI. - Economic-financial data: bank details. - Personal data related to the socio-economic situation.
Target Category	- Where appropriate, the National Agency for Erasmus, the National Agency for Quality Assessment and affected regional agencies, in the quality assessment processes provided for by Organic Law 6/2001, of December 21, 2001, on Universities. - Ministry of Education and Science and affected autonomic Regional Ministries and dependent bodies with competences in university matters and Ministry of Science, Innovation and Universities and dependent bodies with competences in university matters, for the exercise of the competences of these administrations in academic and research matters in accordance with the respective legislation. - Other university institutions in compliance with the missions of public interest defined by the Organic Law 6/2001, of December 21, 2001, on Universities, or for the deployment of legal relationships established by - Entities, Organizations, Universities, etc., that receive or host students and/or professors.
Data Processing	Data Proccesors Travel agencies and companies that organize transfers and obtain visas.
International Transf.	International data transfers are foreseen in the cases provided for by Article 49.1 of the GDPR: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks for him/her of such transfers due to the absence of an adequacy decision and adequate safeguards; (b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures taken at the request of the data subject
Deadline for deletion	The data will be kept as long as the legal relationship between the person concerned and ESIC/FESIC, without prejudice to indefinitely retain the information that is part of the student's academic record. The information of scholarship beneficiaries will be stored for the time necessary for administrative management without prejudice to the indefinite conservation of the same when the scholarship has the value of certifiable academic merit. The information may be kept indefinitely due to its historical or statistical value, subject to approval by the Expungement Commission or equivalent body in accordance with the provisions of Law 16/1985, of June 25, 1985, on Spanish Historical Heritage and the applicable regional regulations, if applicable.
Additional information	No EIPD is required for this processing, due to the data processed and the way it is carried out by the data controller, in accordance with the provisions of Article 35 of the RGPD and Article 28 of the LOPD.