Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR), and for the purposes of complying therewith.

Given that the new Regulation replaces Organic Law 15/1999, of 13 December, on the protection of personal data (LOPD), which nevertheless remains in force in all matters not contradictory thereto, and that it incorporates significant developments, there is a need to adapt the internal organization to the new regulatory framework in order to regulate the functions of the different administrative units and define the structure of responsibilities in this regard.

Hence, by the powers vested in me by Article 52.a of the UPF Statutes,

I HAVE HEREBY DECIDED:

Article 1. Functions of the general manager

1. The general manager is the body responsible for the protection of personal data in relation to all processing carried out by the University, both as data controller and as data processor.

Article amended by the Resolution of 13 April, 2021, regulating the procedure for exercising rights over personal data processed by Pompeu Fabra University

2. The functions of the general manager as the body responsible for the organization of university administrative units and services, without prejudice to those corresponding to the secretary-general, are the following:

a) To issue internal instructions concerning data protection.

b) To decide on the purpose and type of personal data managed in UPF’s processing of personal data.

c) To ensure compliance with the duty to inform the subjects of the personal data being processed.

d) To establish the necessary measures to guarantee the principles of data minimization, accuracy and limitation of the retention period for personal data processed by the University.

e) To establish the necessary measures to ensure the principles of data protection by design and by default in the processing of personal data carried out by the University.

f) To establish the necessary measures to facilitate the detection of security incidents that may arise.

g) To deal with requests by data subjects to exercise their rights.

h) To authorize the communication of data to third parties, in accordance with Article 10 herein.

i) To represent Pompeu Fabra University before the data protection authorities and, in particular, before the Catalan Data Protection Authority -APDCAT-.

j) Any other function required by current legislation on the protection of personal data that is not attributed to another body.

Article 2. Functions of the secretary-general

1. The functions of the secretary-general, as head of the University Archive, are the following:

a) To establish criteria to ensure the principles of data minimization, accuracy and limitation of the retention period for personal data managed by the University.

b) To establish criteria to provide an adequate degree of protection for non-automated data processing carried out by the services or units, and for the detection of any security incidents that may arise.

c) To advise the services or units regarding the preparation of risk analyses and impact assessments related to data protection they may perform, within their scope of competences.

d) To immediately inform the data protection officer of any incident concerning the security of personal data within the scope of their competences.

Article 3. Functions of the data protection officer

1. Pompeu Fabra University will have a data protection officer who will participate in issues related to data protection, in accordance with the provisions herein and the current legislation. The functions of the UPF Data Protection Officer are the following:

a) To ensure the awareness and training of University staff who process personal data.

b) To advise the University and its employees on their duties in order to ensure that data is processed compliantly with the applicable data protection legislation at all times.

c) To advise the University in order to ensure that the commission agreements entered into comply with the applicable data protection legislation at all times.

d) To establish the criteria for conducting risk analyses of the processing of personal data carried out by the University.

e) To assist heads of service or unit in carrying out their functions in relation to the protection of personal data at the University. The data protection officer will provide templates for the recording of processing activities and for the performance of risk analyses, will collaborate in the preparation of impact assessments relating to data protection, and will advise the heads of service or unit, or their delegates, on the implementation of personal data processing.

f) To prepare the data protection reports that are required of them.

g) To issue certificates of compliance with data protection legislation by the University, when so required.

h) To attend to queries or complaints from data subjects in relation to the processing of their data by the University.

i) To cooperate with the data protection authorities and, in particular, with the Catalan Data Protection Authority.

j) Any other function attributed to them by current legislation on personal data protection.

2. The data protection officer will exercise their functions independently; the administrative units will involve them in matters relating to data protection, and the governing bodies may request reports from them on issues raised within their scope of competences.

3. The data protection officer shall exercise their functions paying attention to the risks associated with processing operations, taking into account the nature, scope, context and purposes of such processing. The University will provide the data protection officer with the necessary resources to carry out their tasks.

Article 4. Functions of the management areas

1. The deputy general manager responsible for information and communication technologies is responsible for establishing the technological measures that ensure compliance with personal data protection legislation in the University's automated processing, and for ensuring that those measures are complied with. The functions of the deputy general manager responsible for information and communication technologies are the following:

a) To establish the necessary technological security measures to ensure the principles of data minimization, accuracy and limitation of the retention period for personal data processed by the University.

b) To establish the necessary technological security measures to ensure the principles of data protection by design and by default in the definition of automated personal data processing by the University.

c) To define the technological security measures required to provide an adequate degree of protection for automated data processing carried out by the services or units, and for the detection of any security incidents that may arise.

d) To assist the services or units regarding the preparation of impact assessments related to data protection within their scope of competences.

e) To immediately inform the data protection officer of any incident concerning the security of personal data within the scope of their competences.

The head of the computing service will assist the deputy general manager responsible for information and communication technologies in the application of the measures set out above.

2. Responsibility for ensuring compliance with personal data protection legislation in University contracts involving a commission agreement lies with the deputy general manager responsible for administrative procurement. The functions of the deputy general manager responsible for administrative procurement are the following:

a) To ensure that when a data processor is chosen, it offers sufficient guarantees to apply the appropriate technological and organizational measures, so that processing is in accordance with data protection legislation and ensures the protection of the rights of the data subjects.

b) To ensure that commission agreements on behalf of Pompeu Fabra University are governed by a contract or other legal instrument in accordance with the law and with the GDPR.

c) To keep a record of the commission agreements entered into by the University.

d) To immediately inform the data protection officer of any incident concerning the security of personal data within the scope of their competences.

Article 5. Functions of the administrative units

1. Responsibility for the implementation of personal data processing lies with the services, or with the units that report directly to the rector, the secretary-general, the general manager or a deputy general manager. The functions of the heads of these services or units in relation to the processing they carry out within their scope of competences are the following:

a) To process personal data in accordance with the legislation.

b) To document the processing activities carried out in the Processing Register.

c) To ensure that a risk analysis is conducted in the processing of personal data carried out within their scope of competences.

d) To ensure that a data protection impact assessment is conducted for processing carried out within their scope of competences where one is required.

e) In the event that personal data processing has to be entrusted to a third party, to contact the responsible University service to ensure that processing is carried out on the basis of a contract or legal instrument in accordance with the law and with the GDPR.

f) To immediately inform the data protection officer of any incident concerning the security of personal data within the scope of their competences.

g) To take care that the processing of personal data carried out within their scope of competences is at all times in accordance with current legislation.

Article 6. Considerations regarding the processing of personal data for research purposes

1. In the event that the performance of a research project involves the processing of personal data by the University, the principal investigator of the project will be responsible for its implementation and, for the processing, will assume the functions set forth in Article 5 herein.

2. The review of the processing of personal data of UPF research projects will be part of its ethical evaluation process.

Article 7. Register of personal data processing activities and security

1. The University will have a register of the processing of personal data it carries out. Each service, management unit or research group must maintain in the register the entries corresponding to the processing carried out under its responsibility. These entries must contain the following elements:

a) The status of UPF data controller or processor.

b) If acting as data processor, the name and contact details of the data controller and their data protection officer.

c) The purposes of processing.

d) The description of the categories of data subjects and the categories of personal data.

e) Data communications to third parties, if applicable.

f) The deadlines provided for deleting the different categories of data, if possible.

g) A general description of the technological and organizational security measures established for processing, if possible.

2. The University’s process mapping management application will be adapted in order to allow the services or units to maintain the register of the processing activities carried out by the University.

Article 8. Compliance with the duty to inform

1. Whenever processing involves personal data, the heads of the service or unit, or the principal investigator who carries out the processing, must inform the data subjects of the following aspects:

a) The status of the University as data controller and its contact details.

b) The contact details of the data protection officer.

c) The purpose of and legal basis for processing.

d) Foreseen data communications to third parties.

e) The period during which the data will be kept.

f) The possibility to exercise rights.

g) The right to lodge a complaint with the Catalan Data Protection Authority.

h) Where appropriate, the existence of automated decision-making, including profiling.

2. The data protection officer will provide templates for compliance with the duty to inform and will assist the heads of the service or unit that carries out processing in complying with the duty to inform the data subject.

Article 9. Attention to data subjects’ exercise of rights

1. Data subjects or their legal representatives may exercise their rights of access to, rectification of and erasure of their personal data, as well as their rights to object to or restrict processing that may affect them. These rights will be exercised in accordance with the resolution governing the exercise of such rights and before the UPF general manager, unless otherwise stipulated.

2. The heads of the service or unit, or the principal investigator who carries out processing, must provide the information necessary for the exercise of rights and must take the measures stipulated in order to satisfy the request of the data subject.

Article 10. Attention to requests for data communication

1. In the event of receiving a request for data communication, the heads of the service or unit or the principal investigator who carries out processing will request authorization from the general manager, who will in turn request a report from the data protection officer.

2. Data may only be communicated with the prior authorization of the general manager, who may stipulate conditions or limitations thereto.

3. Data communications made by legal requirement or for the execution of a commission agreement will not require authorization by the general manager.

Article 11. Repealing provision

The following resolutions are repealed:

  • Resolution of 26 June, 2003 on organizational measures on the protection of personal data, as amended by the resolutions of 15 June, 2011 and 17 January, 2012.
  • Resolution of 18 January, 2012 approving the procedure for the transfer of personal data with consent and the communication of data in accordance with Article 21 of the LOPD.

Article 12. Final provision

The general manager is authorized to take any appropriate measures to deploy and implement this resolution.


Jaume Casals Pons

Rector

Barcelona, 4 June, 2018.