General Data Protection Regulation (GDPR)

 

In accordance with the provisions of the General Data Protection Regulation, Regulation (EU) 2016/679,
we summarize our data protection information:

Data controller: Universitat Pompeu Fabra. Carrer de la Mercè, 12. 08002 Barcelona. Tel. (+34) 935 422
000.
Purpose: to provide the services managed by the Scientific Computing Core facility. Your personal data will
be kept throughout the process. Your personal data may be stored up to 2 years after your withdrawal.
Legal basis: data owner’s consent. It can be withdrawn at any time.
Recipients: Pompeu Fabra University and companies providing ancillary computing services, upon the
signature of contracts that preserve privacy. Your personal data will not be transferred to third parties
without your consent, except when otherwise provided for by law.
Rights: you can access your data, request their rectification or deletion, oppose their processing and
request their limitation by contacting the UPF general manager ([email protected]). You can contact the
UPF Data Protection Officer ([email protected]) if you have any questions regarding your personal data. You
have the right to lodge a complaint with the Catalan Data Protection Authority.

The parties undertake to comply with all the obligations derived from Regulation (EU) 2016/679 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data (hereinafter, GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), as well as any complementary legislation or that may
replace them in terms of personal data protection, and undertake to collaborate with each other to
facilitate compliance.

The contracting institution (hereinafter, the Data Controller) acknowledges acting as data controller or
data processor on behalf of a third party for the personal data that may be stored or processed in the
University's ICT infrastructure by the performance of this Agreement.

Universitat Pompeu Fabra (hereinafter, the Data Processor) acknowledges acting as data processor or
sub-processor for the personal data that may be stored or processed by the provider in its ICT
infrastructure by the performance of this Agreement.

This Annex regulates the relationship between Data Controller and Data Processor in accordance with
the provisions of GDPR’s article 28.

The personal data processing will consist of the execution of the services contracted in the terms defined
below:

1. Purpose of the processing: provision of the services contracted as defined in the Application Form.

2. Categories of data subjects and personal data to be processed: participants in research projects and
personal data related to the research projects, which may include special categories of personal data.

3. The data processor and all its workers are obliged to:

a) To use the personal data only for the purpose of this contract. Under no circumstances may the
   processor use the data for its own purposes.
b) To process the data in accordance with the Data Controller's instructions only. If the Data Controller
   considers that any instruction violates any applicable data protection provision, the Data Processor
   must immediately inform the Data Controller.
c) Not to communicate the data to third parties without the express authorization of the Data
   Controller.
d) To maintain the duty of secrecy with respect to the personal data, even after the service is
   finished.
e) To ensure that the personnel authorized to process the personal data are expressly committed to
   following UPF's instructions, to respecting confidentiality under the terms required by UPF, and to
   complying with the corresponding security measures, of which these duly authorized
   persons must be informed.
f) To keep available to UPF the documentation proving that the obligation established in the
   previous section is fulfilled.
g) To guarantee the necessary training in personal data protection to the personnel authorized to
   process the data.
h) To assist the data controller in responding to the exercise of rights by the interested parties.
i) In the case of collection of personal data, the data controller must provide, at the time of
   collecting the data, the information related to the data processing that will be carried out. The
   wording and format in which the information will be provided must be agreed with the data
   controller before starting the collection of the data.
j) To inform the data controller at the earliest of any security breach that may affect the personal data,
   along with any relevant information important to assess the incident.
k) To apply the appropriate technical and organizational measures to guarantee a level of security
   appropriate to the risk and the national applicable legislation.
l) In the event that the offer included specific security measures (for example, a certain backup
   policy), to apply them and maintain documentation proving that these measures are being applied.
m) Once the processing has been completed, to ask the data controller whether it is necessary to return the
   personal data or whether the Data Processor may proceed to delete them, and to proceed as indicated by the
   Data Controller.
n) In the case of outsourcing of auxiliary services necessary for its normal operation, to do so only
   with companies with which contracts have been signed to provide services that preserve the
   confidentiality of the data processed and ensure the same conditions of data processing as
   between Data Controller and Data Processor.