Privacy Policy

How can you contact UDIT's Data Protection Officer (DPD)?

• UDIT has appointed a DPD with the Spanish Data Protection Agency (AEPD).
• You can contact the DPD at UDIT's registered office, or easily and free of charge, by e-mail at dpd@udit.es.
• You can consult the registration of UDIT's DPD on the website of the AEPD, through the section "Consulta DPD": https://www.aepd.es/

For what purpose do we process your personal data?

At UDIT we process the information provided by the interested parties in order to carry out the administrative, accounting and fiscal management of the services requested (admission applications, enrolment management for undergraduate, postgraduate and higher vocational training courses, grant applications and management, internships, international mobility applications, transfer of files to other centres, enrolment in research projects).

Also for the sending of electronic communications to inform you of the status of the requested service and to send you commercial communications about our services, events, acts or initiatives developed by UDIT, including by electronic means. Similarly, we may process your data in order to respond to queries and requests submitted through the forms and contact methods indicated on this website.

How long will we keep your data?

Personal data will be kept for as long as they are useful for the purposes for which they were obtained or for the legally established periods of time that must be complied with.

Once this purpose has disappeared, UDIT may keep the data blocked, subject to security measures that guarantee their inaccessibility and processing, remaining only at the disposal of Judges and Courts or Public Administrations, during the periods of limitation of actions established in the regulations in force, in order to purge possible responsibilities derived from the processing. Once the aforementioned periods have elapsed, the data will be securely deleted.

What is the legal basis for the processing of your data?

• Performance of a contract or legal relationship between the parties (art. 6.1 b) GDPR): Provision of the requested services, in this case, the academic or higher education service.
• Unequivocal consent of the interested party (art. 6.1 a) RGPD): Sending of commercial communications by electronic means (art. 21 LSSI-CE) or of the information requested through our contact forms, as well as the provision of consent for the processing of the student's personal image, in events or acts promoted by UDIT to which he/she may have registered through this website.
• Fulfilment of legal obligations applicable to UDIT (art. 6.1 c) RGPD): Especially, for the fulfilment of legal obligations in the field of Education, with regard to Administrations and Public Bodies competent in this field. The legal obligations may be in tax, accounting, corporate and educational matters.

What personal data can we process if you register for events and events organised by UDIT?

If you register through this website for events, acts and initiatives organised, promoted and developed by UDIT, you are informed that, by attending these events, your personal image may be captured.

The use of your personal image, in terms of its capture, reproduction and/or dissemination, is subject to the provision of your consent (including through acceptance of this Privacy Policy), which you may withdraw and which may be revoked at any time. You may address your request at any time, with the aim of revoking the consent given, to the physical address of UDIT or to the e-mail address proteccion.datos@udit.es.

The consent given covers the capture, reproduction and dissemination of your personal image and/or voice, during events and acts of communication organised and promoted by UDIT, which you attend or in which you participate, for publication in the following media:

• Essentially, on the corporate website (https://udit.es/) and social networks of UDIT (Linkedin, Instagram, Twitter, Facebook, Youtube, TikTok).
• In case of media coverage of the event, please note that your image may appear in the written press or audiovisual media.

As your image and voice are also personal data, the data controller is UDIT. The purpose of the processing of your data is the capture, reproduction and/or publication of your personal image, associated with your interventions and/or participation in the events and acts mentioned at the beginning. They will not be subject to international transfers by UDIT and will be kept for as long as they are useful for the purposes intended, as well as for the periods of limitation of actions in accordance with the legislation in force.

The data may be processed by subcontracted service providers, such as external agencies (image recording or photography), within the framework of a service contract signed with UDIT. On the other hand, as well as by the media, in the event that the act or event is covered by the media.

You may exercise the same rights recognised in the last section of this Privacy Policy, through the means indicated therein.

To which recipients will your data be communicated?

Your data may be transferred or communicated to third parties, in the event that it is essential for the performance of the contract or legal relationship with UDIT (art. 6.1 b) RGPD), or when it is imperative by legal obligation (art. 6.1 c) RGPD). In accordance with the aforementioned legal bases, it may be necessary to communicate personal data to banks, Public Administrations and Bodies, competent bodies in the field of Education, other university centres in the case of transfer of files, external collaborating bodies for curricular or extracurricular internships. Likewise, for the management and enrolment in higher vocational training courses, data may be transferred between both Data Controllers, i.e. between UDIT and UDIT FP, or vice versa.

Similarly, certain service providers (e.g. technology, computer, cloud or IT services) may have access to personal data from time to time only within the framework of the provision of the service contracted with UDIT and after signing the mandatory data processing or confidentiality agreement.

Can UDIT receive your personal data from a third party?

In certain cases, UDIT may receive your personal data from a third party, without it having been provided directly by you as the data subject. In these cases, the source of the data will not be the data subject, but a third party with whom you have an academic, contractual or service relationship.

This will be the case if you submit an application for international mobility or file transfer to our institution. In such cases, the original data controller (who transmits the data) will apply its own security measures in the communication of the data, and may inform you in advance of the transfer.

With respect to UDIT, the conditions and means for exercising your rights will be the same as those indicated in the last section of this Privacy Policy, "What are your rights under the GDPR?
In any case, the same conditions and measures set out in this Privacy Policy will apply to these cases, with regard to the processing of your data by UDIT.

Do we transfer data to third countries?

A priori, there are no plans to carry out international transfers of data to third countries located outside the European Economic Area (EEA). The EEA consists of the countries of the European Union (EU), together with Liechtenstein, Iceland and Norway.

However, in certain cases (successful applications for international mobility; registration and granting of participation in research projects at international level), it may be necessary to transfer data internationally to other collaborating centres or recipients.

In these cases, the existence of Adequacy Decisions issued by the European Commission (EC) will be taken into account, which guarantee the security in the transmission of the data, or failing this, the necessary guarantees will be adopted (e.g. standard contractual clauses) to safeguard the confidentiality of the information. In any case, both the receiver and the transmitter of the data shall ensure the adoption and implementation of security measures, both technical and organisational, in order to protect the integrity, security and confidentiality of the data. In the absence of an EC Adequacy Decision, or additional safeguards, where the transfer is necessary for the performance of a contract to which the data subject is a party, or for his or her benefit, it shall be legitimate under this legal basis.

What are your rights under the GDPR?

Any person has the right to obtain confirmation as to whether or not UDIT is processing personal data concerning them.

Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, to request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

In certain circumstances, data subjects may request the limitation of the processing of their data, in which case we will only keep it for the exercise or defence of claims.

In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. In this case, UDIT will stop processing the data, except for compelling legitimate reasons, or the exercise or defence of possible claims.

You can obtain more information about your rights through the web page of the Spanish Data Protection Agency (AEPD): https://www.aepd.es/derechos-y-deberes/conoce-tus-derechos

You may materially exercise your rights in the following way: by sending an e-mail to proteccion.datos@udit.es or by writing to the attention of the Data Protection Delegate (DPD), at the address Avenida de Alfonso XIII, nº97 - 28016 Madrid.

If you have given your consent for any specific purpose, you have the right to withdraw the consent given at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.

In the event that you feel that your rights concerning the protection of your personal data have been violated, especially when you have not obtained satisfaction in the exercise of your rights, you may file a complaint with the competent Data Protection Supervisory Authority through its website (Spanish Data Protection Agency): https://www.aepd.es/.