Privacy Policy

 

Privacy Policy of the Polytechnic University of Madrid

The Polytechnic University of Madrid (UPM) is firmly committed to respecting the fundamental freedoms and rights of individuals.

The implementation, since May 25, 2018, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), represents a significant advancement in recognizing the right of every individual to the protection of their personal data. This provides us with an opportunity to update our Privacy Policy and inform you of its key aspects through this statement:

Who is responsible for the processing of your personal data? At the Polytechnic University of Madrid, we are responsible for all personal data processing activities we undertake and are committed to making public and keeping updated a Record of Processing Activities, with the information specified in Article 30 of the GDPR.

How is your personal data processed at UPM? At UPM, we strive to process your personal data in strict compliance with the obligations arising from the current Data Protection Regulations, adopting the principle of proactive responsibility, as outlined in the GDPR, as a fundamental aspect of our actions. Based on this commitment, your personal data will be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, if necessary, updated, taking all reasonable measures to ensure that inaccurate personal data is erased or rectified without delay.
  • Kept in a form that permits identification of data subjects for no longer than necessary for the purposes of the processing.
  • Processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the application of appropriate technical or organizational measures.

The application of appropriate technical or organizational security measures will be carried out both at the time of determining the means of processing and at the time of processing itself, in accordance with the principle of data protection by design. These measures will also be applied to ensure that, by default, only personal data necessary for each specific processing purpose are processed, and in particular, that personal data are not accessible, without the intervention of the data subject, to an indefinite number of individuals.

For what purpose do we process your personal data? The ultimate purpose underlying the personal data processing we carry out is to fulfill one of the functions entrusted to us by Organic Law 6/2001, on Universities, related to providing the fundamental public service of higher education.

For each processing activity, a specific purpose is established and communicated to the data subject at the time of data collection. Similarly, the purposes of each processing activity are listed in the Record of Processing Activities.

Are the processing activities of your personal data carried out by UPM lawful? For each personal data processing activity we perform, at least one of the conditions specified in Article 6 of the GDPR is met to consider it legitimate. This basis for legitimacy for each processing activity is expressly included in our Record of Processing Activities and, in most cases, consists of its necessity for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in UPM. Other conditions for considering our processing activities lawful include the data subject’s consent; the necessity of processing for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures at their request; the protection of vital interests; or the satisfaction of legitimate interests.

When processing is based on your consent, and in application of the principle of proactive responsibility, UPM must be able to demonstrate that you have consented to such processing. Consent is defined in the GDPR as “any freely given, specific, informed, and unequivocal indication of the data subject’s wishes by which they, by a statement or clear affirmative action, consent to the processing of personal data relating to them.”

If consent is to be given in the context of a written declaration that also refers to other matters, we will present our request for consent in such a way that it is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and simple language. No part of the declaration that constitutes a violation of the GDPR will be binding.

To whom can we communicate your personal data? There are instances where UPM must communicate personal data to various institutions, organizations, or entities, public or private, in compliance with a legal provision or because the recipient holds the status of a data processor. In certain processing activities, the possibility of international data transfers with legally adequate safeguards is also contemplated.

In any case, these potential communications and/or international transfers of personal data (also generically referred to as data transfers) are noted in our Record of Processing Activities, providing the data subject with all information related to this matter at the time their personal data is collected.

For processing activities where voluntary data transfers are anticipated, we will inform you of this possibility so that you can decide whether or not to consent to the proposed data transfer.

How long will we retain your personal data? In accordance with Article 5.1.e) of the GDPR, we will retain your personal data for no longer than necessary for the purposes of processing and to determine any potential liabilities arising from such purposes. We may retain them for longer periods if specified by any specific regulations or if they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, committing to apply appropriate technical and organizational measures to protect your rights and freedoms.

Before obtaining your personal data, we will inform you of the period during which it will be retained or, when it is not possible to specify that period, the criteria used to determine it.

What are your rights concerning the personal data provided? Under the terms and limitations established in Chapter III of the GDPR, you have the right to:

  • Be informed about the processing of your personal data at the time of collection.
  • Obtain confirmation of whether or not your personal data is being processed and, if so, the right of access to it.
  • Obtain without undue delay the rectification of inaccurate personal data or the completion of incomplete data.
  • Obtain without undue delay the erasure of your personal data.
  • Obtain restriction of processing of your personal data.
  • Obtain the portability of your personal data within the limitations set out in Article 20 of the GDPR.
  • Object to the processing of your personal data.
  • Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, except in legally permitted cases.

In accordance with Article 19 of the GDPR, we are committed to communicating any rectification or erasure of personal data or restriction of processing to each recipient to whom the data has been communicated, unless this is impossible or requires a disproportionate effort.

How can you exercise your rights regarding the provided personal data? You can obtain more information about each processing activity and how to exercise your rights regarding your personal data through the contact details provided in the information corresponding to each processing activity.

You can also consult and/or exercise your rights in this area by contacting the Data Protection Officer designated by UPM via the email address: proteccion.datos@upm.es.

If you are not satisfied with the exercise of your rights, you may file a complaint with the Spanish Data Protection Agency: https://www.aepd.es/index.html.

Is the UPM Privacy Policy reviewed and updated? UPM will review its data protection policy periodically and whenever necessary to adapt to any changes in the current regulatory framework in this matter.

This update of the key aspects of our Privacy Policy was approved on September 27, 2023.