Privacy policy

CiTIUS - Centro Singular de Investigación en Tecnoloxías Intelixentes da Universidade de Santiago de Compostela belongs to the University of Santiago de Compostela (hereinafter USC), which protects and guarantees the fundamental right to data protection and is particularly sensitive to safeguarding the privacy of individuals.

Data processing is carried out in accordance with European Union Regulation 2016/679 of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and Organic Law 3/2018 of 5 December on Personal Data Protection and guarantee of digital rights.

Accordingly, this processing follows the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and proactive responsibility.

The register of data processing activities carried out by USC can be consulted at https://www.usc.gal/gl/institucional/goberno/area/normativa/proteccion-datos-caracter-persoal

In any case, USC will maintain a dynamic understanding of this matter in order to adapt it to new developments, whether in regulations, case law, decisions of the supervisory authorities or practices in this field. This may make it advisable to modify this privacy and data protection policy, which will be announced in due course.

Responsible

Overall responsibility for data processing lies with the University of Santiago de Compostela, domiciled for these purposes at the Rectorado de la USC, Praza do Obradoiro s/n, 15782 Santiago de Compostela (Spain). The telephone number is 881811000. Informal online contact can be established through https://www.usc.gal/gl/contacto.

Specific applications must be made through the USC's 'Sede Electrónica' at https://sede.usc.es/sede/publica/index.htm.

The USC, as the body with overall responsibility, is represented, depending on the particular processing, by the General Secretariat, the Vice-rectorates or the Management Office, as stated in the particular information of each data processing operation.

Data protection enquiries

For any enquiries regarding personal data protection you can write to protecciondatos@usc.gal.

Data Protection Officer

The data protection officer is Marcos Almeida Cerreda, who can be reached at dpd@usc.es.

Basis of legitimacy

The primary legal basis for USC's processing is the provision of the public service of higher education. The consent given by data subjects may also be the basis for processing in those cases where they so authorise.

In other processing operations, the legal basis is the need to perform contracts, to comply with specific legal provisions, or to carry out a task in the public interest or in the exercise of official authority. All these conditions are in accordance with Article 6.1 of the European Regulation.

Purposes of the processing

The purposes of the processing of personal data by USC are to fulfil its obligations and responsibilities in the field of teaching, study and research, which includes the management of the administrative services of a public university administration and the management of requests for information and actions of academic and institutional dissemination. Each specific processing operation specifies these purposes.

Data origin, use and retention

The origin of personal data lies with the data subjects themselves, obtained through various means such as applications, forms and digital or physical questionnaires. For this, the expression of consent will be free, specific, informed and unequivocal. In some cases the data is obtained from other educational administrations.

The processing of special categories of data will be carried out taking into account the specific protective measures in Article 9 of the European Regulation.

Transfers of personal data may be made on an exceptional basis under university exchange and academic collaboration programmes, and also to public administrations with educational authority. In any case, transfers shall comply with the provisions of Articles 44 and following of the European Regulation. Likewise, in accordance with regulations, data will be transferred to data processors and in cases of legal obligations.

The data may also be used for statistical purposes or for incident management and, preferably pseudonymised, for research purposes.

Personal data provided will be kept for the period in which the purpose for which it was collected is carried out, or for as long as necessary to comply with legal obligations. Once the purpose has been fulfilled, the data will be blocked until the applicable limitation periods have expired.

Rights

Data subjects have the rights to transparency of information, access to their personal data, rectification of inaccurate data, erasure where possible, restriction of processing, portability, objection, the right not to be subject to a decision based solely on automated processing which significantly affects them, the right to withdraw consent at any time and the right to lodge a complaint with the Spanish Data Protection Agency.

These rights may be exercised before the data controller, after identification of the applicant through the USC Electronic Headquarters. The USC will facilitate their exercise by means of an electronic form at https://sede.usc.es/sede/publica/catalogo/procedimiento/55/ver.htm.

In addition, data subjects also have rights that give access to administrative and judicial means of guarantee, provided for in the legal system for this purpose.

Security

The USC, from a proactive position, adopts all the technical and organisational measures necessary to guarantee data processing and the privacy of individuals. It thus assumes a total commitment to guaranteeing fundamental rights, which includes data protection by design and by default.

In accordance with Article 32 of the European Regulation, these security measures will include pseudonymisation and encryption of personal data; the ability to ensure the confidentiality, integrity, availability and ongoing resilience of processing systems and services; the ability to restore the availability of and access to personal data quickly in the event of an incident; and a process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures.

These measures comply with legally established obligations, taking into account the state of the art, the costs of implementation, and the nature, context and purposes of the processing. Likewise, the specific risks in terms of severity and likelihood that each type of processing poses to the rights and freedoms of individuals must be taken into account.

Breaches of security of personal data shall be reported to the supervisory authority and, where appropriate, to data subjects in accordance with Article 34 of the European Regulation.

The USC provides a communication channel for data protection incidents at https://www3.usc.es/uscincidencias/.