Resolution of the Rector of 13 April 2021 regulating the procedure for exercising the rights over personal data processed by Pompeu Fabra University
Data protection regulations safeguard that data subjects should have the right to know which of their personal data are being processed by the University, the right to request their amendment, erasure or portability, the right to request the restriction of processing, the right to express their objection or the right not to be subject to automated individual decision-making, including profiling.
This resolution updates the Resolution of 17 January 2012 regulating the procedure for the exercise of the rights of access, rectification, cancellation and opposition (ARCO) to personal data and adapting the aforementioned procedure to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data repealing Directive 95/46/EC (GDPR) and Organic Law 3/2018, of 5 December, on the protection of personal data and the guarantee of digital rights (LOPDGDD). One of the characteristic features of the new legal framework on data protection is the extension of rights for data subjects. These rights are regulated in Chapter III of the GDPR and in Chapter II of Title III of the LOPDGDD.
The rector’s Resolution of 4 December 2018 on organizational measures in the field of personal data protection at UPF, as already provided for in the previous regulations, recognizes the general manager as the sole body before which data subjects can exercise these rights.
Moreover, Instruction 1/2009, of the Catalan Data Protection Authority, of 10 February, on the processing of personal data by means of cameras for video surveillance purposes, which remains in force, establishes a specific procedure for the exercise of rights when the data have been collected by this system.
Hence, by the powers invested in me by Article 52 of the Statutes of Pompeu Fabra University,
I HAVE HEREBY DECIDED:
Article one.- To approve the procedure for the exercise of the rights over personal data processed by Pompeu Fabra University, as set out in the appendix hereto.
Article two.- To authorize the general manager to take any appropriate action to deploy and implement this resolution.
Sole additional provision
Section 1 of Article 1 of the Resolution of 4 December 2018 on organizational measures in the field of the personal data protection at UPF is amended, which is now worded as follows:
“1. The general manager is the body responsible for the protection of personal data in relation to all processing carried out by the University, both as data controller and as data processor.”
First transitional provision
Within one year of this procedure coming into force, the administrative units, services and principal investigators responsible for handling data processing shall modify the data protection information they provide at the time of collecting personal data, in order to adapt it to the channels for submitting requests to exercise these rights set out herein.
Second transitional provision
For as long as a specific procedure for the exercise of rights on personal data is not available on the UPF Electronic Administration Platform, these rights may be exercised by submitting a general application to the University’s Electronic Office.
Sole repealing provision
The Resolution of 17 January 2012 regulating the procedure for the exercise of the rights of access, rectification, cancellation and opposition (ARCO) to personal data is repealed.
Sole final provision
This resolution shall enter into force on 19 April 2021.
Rector, Jaume Casals Pons
Barcelona, 13 April 2021.
APPENDIX
PROCEDURE FOR THE EXERCISE OF THE RIGHTS OVER PERSONAL DATA PROCESSED BY POMPEU FABRA UNIVERSITY
Chapter I. Rights of data subjects
Article 1. Right of access
1. Data subjects have the right to obtain confirmation from UPF as to whether or not it processes personal data concerning them and, if so, have the right to access such data and, at least, the following information:
a. The purposes of the processing.
b. The categories of personal data concerned.
c. In the event that data communications have been made or are planned, the recipients or categories of recipients, especially if they are located in third countries, indicating, where appropriate, the suitable safeguards adopted.
d. The envisaged period of data storage or the criteria used to determine such period.
e. The possibility of exercising all other rights provided by data protection regulations.
f. The right to file a complaint with the Catalan Data Protection Authority.
2. At the time of making the request, the data subject may opt for the following consultation systems, provided the information systems so allow:
a. Screen display on University premises.
b.Document, copy or photocopy sent by certified mail with acknowledgement of receipt.
c. Electronic communication.
d. Direct, secure remote access by the data subject or their representative through telematic systems via the website with own username and password.
3. In the event of a lack of choice of consultation system, UPF will choose the one that best suits the nature of the processing. When the request is submitted by electronic means, without prejudice to the data subject requesting that it be done in another way, the information will be provided in a commonly used electronic format.
4. When the data subject chooses a medium other than the one offered to them that involves a disproportionate cost, they will have to assume the excess costs that their choice entails.
5. In the event that UPF does not process data of the subject, it will expressly notify them thereof within a maximum of one month from receipt of the request.
6.UPF will provide the personal data subject to processing provided that it does not adversely affect the rights and freedoms of third parties, including trade secrets or intellectual property.
7. If UPF processes a large amount of data of the data subject and the latter exercises their right of access without specifying whether it refers to all or only part of their data, UPF may, prior to providing the information, request specification of the data or processing requested.
8. In the event that the data subject requests additional copies, UPF has the right to demand a fee based on its administration cost.
9. The right of access to personal data may be denied when it has already been exercised in the 6 months prior to the request, unless a legitimate cause is upheld for such purpose. Access may also be refused in cases where it is provided for by a law or directly applicable rule of Community law or where such law or rule prevents revealing to those affected the processing of the data to which access refers.
10. The exercise of the right of access by the data subject must always be recorded.
Article 2. Right to rectification
1. Data subjects are entitled to obtain from UPF the rectification of inaccurate personal data concerning them, without undue delay. They are also entitled to have incomplete personal data completed.
2. In their request, the data subject must identify incomplete or inaccurate data and provide UPF with the documentation accrediting the rectification they request.
3. In resolving the request, UPF will indicate the items of rectified or completed data.
4. If the data have been transferred or communicated to third parties, UPF will inform them of this for the purposes of also rectifying the inaccurate or incomplete data in question, except when it is impossible or requires a disproportionate effort. UPF will inform the data subject of these recipients if they so request.
5. UPF will proceed to block the rectified data in accordance with the provisions of Article 13.
Article 3. Right to erasure or “right to be forgotten”
1. Data subjects are entitled to obtain from UPF the erasure of the personal data concerning them.
2. UPF will erase them, without undue delay, when any of the following circumstances apply:
a. The personal data are no longer necessary in relation to the purposes for which they were collected or processed.
b. The data subject withdraws consent on which processing is based, and where there is no other legal grounds for the processing.
c. The data subject objects, for reasons related to their particular situation, to the processing based on the fulfilment of a mission of public interest, on the exercise of public powers or on legitimate interests. UPF may only continue to process the personal data if it demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
d. The data subject objects to processing for direct marketing purposes. UPF may retain the identifying data necessary to prevent future processing for direct marketing purposes.
e. Personal data have been processed illegally.
f. Personal data must be erased in order to comply with a legal obligation established in state, regional or Community law.
g. Personal data have been obtained in relation to the offer of information society services to children under 14 years of age.
3. If personal data have been communicated to third parties and under this Article UPF were obliged to erase them, it must inform these third parties thereof, unless the task is impossible or requires a disproportionate effort. UPF will inform the data subject of these recipients if they so request. If UPF has made the data public, it shall take reasonable measures, taking into account the available technology and the cost of implementation, to inform controllers processing these data of the data subject’s request to erase the links to these data. or of any existing copy.
4. UPF will not be obliged to erase personal data nor to report the erasure of such data to third party data controllers to whom the data have been communicated when the processing in question is necessary:
a. For exercising the right to freedom of expression and information.
b.For compliance with a legal obligation established in state, regional or Community law to which UPF is subject and which requires the processing of the data in question, or to fulfil a mission carried out in the public interest or in the exercise of public powers vested in UPF.
c. For reasons of public interest in the field of public health, in accordance with Article 9 (2) h) and i), and Section 3 of the GDPR.
d. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89 (1) of the GDPR, to the extent that the erasure of the data may render impossible or seriously impair the achievement of the purposes of such processing.
e. To establish, exercise or defend claims.
5. UPF will proceed to block the erased data in accordance with the provisions of Article 13.
Article 4. Right to restrict processing
1. Data subjects shall have the right to obtain from UPF the restriction of processing where one of the following applies:
a. The accuracy of the personal data is contested by the data subject, for a period enabling UPF to verify their accuracy.
b. The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
c. UPF no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
d. The data subject objects, for reasons related to their particular situation, to processing based on the fulfilment of a mission of public interest, on the exercise of public powers or on legitimate interests, pursuant to Article 6 (1), e) and f) of the GDPR, while verifying whether UPF’s legitimate grounds override those of the data subject.
2. Where personal data processing has been restricted, with the exception of their storage, data may only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or to safeguard the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State
3. The restriction of processing can be carried out by any of the following methods:
a. The temporary transfer of the affected data to another processing system.
b. The prevention of user access to the affected data.
c. The temporary withdrawal of published data.
4. The fact that the processing of data is restricted must be clearly stated in the UPF information systems.
5. If personal data have been communicated to third parties and under this Article UPF were obliged to restrict their processing, it must inform these third parties thereof, unless the task is impossible or requires a disproportionate effort. UPF will inform the data subject of these recipients if they so request.
6. A data subject who has obtained restriction of processing shall be informed by UPF before the restriction of processing is lifted.
Article 5. Right to portability
1. The data subject shall have the right to receive the personal data concerning them, which they have provided to UPF, in a structured, commonly used and machine-readable format. This right does not include data concerning them that have been generated by the University or provided to it by third parties. Likewise, the data subject has the right to request the transfer of these data to another controller.
2. The right to data portability may be exercised provided that the following circumstances apply:
a. The processing is based on consent or a contract into which the data subject has entered, and
b. The processing is carried out by automated means
3. UPF will seek encoding formats and communication protocols that allow secure and effective data portability.
4. The data subject shall have the right to have their personal data transmitted directly from UPF to another body that becomes data controller, where technically feasible.
5. The right to portability shall not apply when UPF processes personal data in fulfilment of a mission carried out in the public interest or in the exercise of public powers, or when the processing is necessary to fulfil a legal obligation required of UPF.
6. The right to portability shall not adversely affect the rights and freedoms of others and does not include the right to obtain their data, not even when the data subject has provided them.
7. The right to portability in accordance with the GDPR is independent of other rights to data portability that may be recognized in other sectoral legal provisions.
8. The exercise of the right to portability does not involve the automatic erasure of data at UPF nor does it affect its storage period established and linked to the legitimacy and purpose for which they were collected and processed at the University.
9. The right to portability may be exercised without prejudice to the right to data erasure, the restriction of processing or any other right recognized by the GDPR.
10. In the event that UPF is the recipient of personal data due to the exercise of a right to portability of the data subject before a third party, the University will only have to process the data that are necessary for the processing for which portability is performed and will not be required to accept or process irrelevant data. Should it receive irrelevant data, it shall delete them immediately.
Article 6. Right to object
1. The data subject shall have the right to object, on grounds relating to their particular situation, to the processing of their data, including profiling based on the fulfilment of a mission of public interest, on the exercise of public powers or on legitimate interests. UPF must comply with this right unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. At the latest at the time of the first communication with the data subject, this right shall be explicitly mentioned and shall be presented clearly and separately from any other information
2. The data subject has the right to object, for reasons related to their particular situation, to their data being processed for the purposes of scientific or historical research or for statistical purposes, unless it is necessary for the fulfilment of a mission carried out in the public interest.
3. In their request to object, the data subject must indicate the data to which they refer, the processing to which they object and the personal circumstances justifying this.
4. The data subject has the right to object at all times to the processing of their data for the purpose of direct marketing, including the creation of profiles when it is related to the said marketing. The processing of data must be stopped for this purpose. At the latest at the time of the first communication with the data subject, this right shall be explicitly mentioned and shall be presented clearly and separately from any other information
Article 7. Right not to be subject to automated individual decision-making
1. The data subject shall have the right not to be subject by UPF to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except when the decision is based on one of the following grounds:
a. It is necessary for entering into or the performance of a contract between the data subject and UPF.
b. It is authorized by European Union or Spanish law to which UPF is subject and which lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
c. It is based on the data subject’s explicit consent.
2. In the cases referred to in points a) and c), UPF shall implement suitable measures to safeguard the data subject’s rights and freedoms.
3. In the case of special categories of personal data, the data subject may only be subject to decisions based solely on the automated processing of their personal data if their explicit consent is recorded, or if the processing is necessary for reasons of essential public interest in accordance with Article 9 (2) g) of the GDPR, and provided that appropriate measures are put in place to safeguard the rights and freedoms and legitimate interests of the data subjects.
4. In the cases set out in Section 1, a) and c), and Section 3 of this Article, the data subject may:
a. request human intervention from UPF to make the decision concerning them.
b. express their point of view.
c. request an explanation as to the decision taken once their submitted data have been assessed.
d. challenge the decision.
In their request, the data subject shall indicate the automated decision to which they refer.
Chapter II. Procedure for the exercise of rights
Article 8. Exercise of rights
1. The rights set out in Chapter I are very personal, hence they can only be exercised by the affected person or their legal representative when the affected person is incapacitated or is under 14 years of age rendering it impossible to exercise these rights personally. They may also be exercised through a voluntary representative, expressly designated for the exercise of the right. Representation may be accredited by any valid means in law that reliably records its existence in accordance with the provisions of Article 5 of Law 39/2015, of 1 October, of the common administrative procedure of the public administrations.
2. Rights may be exercised at any time.
3. The exercise of rights is free.
4. If requests are manifestly unfounded or excessive, especially due to their repetitive nature, the University may:
a. Charge a reasonable fee in accordance with the administrative costs incurred to facilitate information or communication or to carry out the requested action.
b. Refuse to act on the request.
5. The University must be able to demonstrate the manifestly unfounded or excessive nature of the request.
6. Communications between the University and the data subject will be made by administrative notification.
Article 9. Where to exercise rights
The rights set out in Chapter I are exercised before the UPF general manager.
Article 10. Requests
1. Requests will be made in writing through the UPF electronic office, in person at the University General Registry or by any of the means provided for in Article 16.4 of Law 39/2015, of 1 October.
2. Requests must include the following information:
a. Given name(s) and family name(s) of the data subject.
b. Document or electronic instrument accrediting representation, if applicable.
c. Name or brief description of the processing of personal data, if known.
d. The specific petition of the request. The purpose of the request must be clearly set out in detail and, if applicable, the substantiated and legitimate reasons must be stated.
e. Address, date and signature of the applicant or their representative.
f. Documents accrediting the request made, if applicable.
3. In the event that the system used for submitting the request does not allow proving the identity of the data subject, a copy of an identification document (Spanish DNI, passport, or equivalent document) must be attached. When the data subject is a member of the UPF university community, the University may not require a copy of their DNI or equivalent identification document if it already has a copy, in accordance with Article 28.3 of Law 39/2015, of 1 October.
4. In the event of the exercise of the rights set out in Chapter I on data obtained by video surveillance systems or other systems that include image recording, the request must also indicate the place, date and approximate time, in time bands not exceeding two hours, at which their image was captured. The request must be accompanied by an image of the applicant that corresponds to the period during which it was captured, so that they can be identified. In systems that record voice, the right of access may be exercised by providing a voice recording of the affected person.
5. Requests for rectification must indicate the inaccurate or incomplete data and the correction that must be made, and the documentation supporting the requested rectification must be submitted.
6. The University will provide data subjects with a request form for the exercise of their rights.
7. The request will be rejected in the following cases:
a. When there is no proof of the identity of the data subject or proof of representation.
b. When the request is submitted by a legal person.
c. When the applicant is a person other than the data subject or their representative.
d. When the documentation accrediting the rectification requested in the requests for rectification is not attached.
e. In the case of generic requests, or requests that do not include the data stipulated in Section 2 of this Article.
f. When UPF no longer stores identifying data of the data subject that allows them to exercise these rights.
8. In the case of b) and c), the request will be rejected. In the case of f), the data subject will be informed and will be allowed to provide additional information that will allow their identification. In all other cases, the data subject will be granted the amendment period provided for in Section 2 of Article 11.
Article 11. Deadlines
1. The University must take a decision regarding the request within one month of receiving it. This period may be extended for a further two months, if necessary, taking into account the complexity and number of requests. UPF will inform the data subject of any such extension within one month of receiving the request, indicating the reasons for the delay.
2. In the event that the request is defective or does not include the necessary documentation, the University must notify the data subject thereof within a maximum of ten (10) days, and the data subject will also have ten (10) days.to correct any defects or attach any necessary additional information.
3. After the deadline has elapsed without an express decision being issued, the request will be deemed to have been rejected.
4. In the event that the data subject addresses the UPF Data Protection Officer prior to submitting a complaint with the Catalan Data Protection Authority, the latter shall inform them of the decision taken within two (2) months from the receipt of the claim.
Article 12. Competent body for resolving claims and claims system
1. The body responsible for all decisions is the UPF general manager.
2. The data subject will be informed of their right to request a remedy from the Catalan Data Protection Authority.
3. Prior to submitting this complaint to the Catalan Data Protection Authority, the data subject may address the UPF Data Protection Officer.
Article 13. Data blocking
1. UPF shall block the data when rectifying or erasing them.
2. The blocking of the data will consist of their identification and reservation, adopting technical and organizational measures to prevent their processing, including their visualization, except for their provision to judges and courts, the Public Prosecutor’s Office or the competent public administrations, in particular the data protection authorities, for the purpose of determining any liability arising from processing, and only for the duration of such liability. Once this period has elapsed, the heads of the administrative units or services or the principal investigators in charge of managing processing will ensure their destruction.
3. Blocked data may not be processed for any purpose other than that indicated in the previous section.
4. When in order to fulfil this obligation, the configuration of the information systems does not allow blocking data or disproportionate efforts are required, a secure copy of the information will be made in any format that allows accrediting its authenticity, the date of blocking and non-manipulation of data during this period.
5. Data will not be blocked when the Spanish Data Protection Agency or the Catalan Data Protection Authority so establish.
Article 14. Processing that does not require identification
UPF will not be obliged to store data for the sole purpose of being able to attend to the exercise of these rights by data subjects.