Personal Data Protection
Personal Data Protection
This document describes Fundació Esade’s data protection policy. The latter is based on the principles detailed in Regulation (EU) 2016/679 of the European Parliament and Council of 27th April, 2016 (General Data Protection Regulation). We fully assume the spirit of this European Regulation because it reinforces the rights of individuals and offers additional guarantees regarding the processing of their data. This objective coincides completely with our aim to continuously improve the services we provide. Below is a summary of the fundamental elements included in this data protection policy:
1. Who is responsible for processing personal data?
More info, 1. Who is responsible for processing personal data?2. What role does the Data Protection Delegate play?
More info, 2. What role does the Data Protection Delegate play?3. For what ends do we process data?
More info, 3. For what ends do we process data?4. How do we legally justify this data processing?
More info, 4. How do we legally justify this data processing?5. To whom do we cede data?
More info, 5. To whom do we cede data?6. How long do we store data?
More info, 6. How long do we store data?7. What rights do people have in terms of the personal data we process?
More info, 7. What rights do people have in terms of the personal data we process?8. How can the affected parties exercise and defend their rights?
More info, 8. How can the affected parties exercise and defend their rights?9. Specific data protection policies
More info, 9. Specific data protection policies1. Who is responsible for processing personal data?
The entity responsible for processing data is Fundació Esade (hereafter, “Esade”), with headquarters in Barcelona (Avinguda Pedralbes 60-62, 08034 – Barcelona), fiscal ID G-59716761, telephone number, (34) 932 806 162, and e-mail address, webmaster@esade.edu. Esade is duly registered in the Government of Catalonia’s Registry of Private Foundations under entry 510.
Esade is a higher-education centre integrated within Universitat Ramon Llull.
2. What role does the Data Protection Delegate play?
The Data Protection Delegate (DPD) is the person in charge of supervising that we comply with this data protection policy and ensuring that we process said personal data correctly and duly protect the affected parties. The DPD’s functions include receiving and answering questions, doubts, suggestions and complaints raised by people whose data we process. Affected parties can contact the DPD by writing to our postal address above, by calling the above phone number or by sending an e-mail to the following address: dpo@esade.edu.
3. For what ends, do we process data?
We process personal data in a proportional fashion, all the while taking into account the affected parties’ rights. This means that we process the appropriate, pertinent and limited data required for each specific situation and in due compliance with the explicit purposes for which data are gathered; that is, only the data required to carry out the educational services we provide in keeping with our mission. In some cases, we may require additional data, for example, to learn about people’s opinions or assessment of our services. In these cases, we process their responses statistically and in no way associate them to the personally identifiable data of those responding.
Esade processes personal data primarily to offer academic and extra-academic services, provide information about our activities and services and to establish commercial relations with our suppliers. Below are details on the key purposes for which we gather and process data.
Academic management
Esade registers the data of those who pre-register for and later enrol in our programmes. The aim is to store this data and, based on the latter, provide the higher-education services in question. The data provided and gathered as a result of students’ academic activity also allow us to follow-up on the latter’s progress. The data also serve for evaluation purposes. Managing students’ academic transcripts is the most important data processing we undertake in this respect. Students’ data are also used for administrative purposes, to identify them as university service users, provide them access to these services, forward information of interest, process and issue their diplomas and, lastly, follow-up on their job placement (additional information on the data processed in this case and its purpose).
Contact
We process data to answer the questions raised by people using the contact forms available on our website. Said data are used solely for this purpose.
Personnel recruitment
We gather and store the CVs of people interested in working with us and we process their personal data for personnel recruitment processes. The aim is to analyse how well candidates’ profiles fit with job vacancies and/or recently-created positions. Our criteria is to store these data, including those pertaining to those not eventually hired, for one year should a new vacancy arise or a new position be created over the short term. That notwithstanding, we will immediately eliminate the personal data of those who expressly request we do so.
Activity and service information
With the explicit authorisation of each student, we will use their contact data after they’ve completed their programmes to contact them and send them information about our services and activities. Similarly, we will also send them information about activities and services organised by other institutions in our group if the affected parties expressly authorise this. We shall also send this information to all those who, even if not enrolled at Esade, specifically request this information (additional information on the data processed in this case and its purpose).
Client services
We register new clients that contract our services and manage any additional data generated as a result of the commercial relations established with these clients. The contracting process necessarily includes data such as bank account or credit card numbers. We cede said data to banking institutions to manage payments (solely for this purpose). This relation also includes other data processing such as maintaining accounting records, billing and sending information to the competent tax authorities.
Information sent to our clients
While the contractual relation exists with our clients, we use their contact information to inform them about this relation. We may send them this information after the contractual relation ends if the clients agree to receive this information (additional information on the data processed in this case and its purpose).
Suppliers’ data
We register and process the data of the suppliers from whom we receive services or goods. Said data may pertain to self-employed suppliers or representatives of legal entities. We obtain the data required to maintain the commercial relation and use said data solely for this purpose and type of relation.
Register donations
We register the data of all those who donate to our scholarship and/or endowment funds to help to finance the institution and our activities. We process said data in keeping with standard procedures for donations made to foundations: accounting, certificates and to duly notify the competent tax authorities.
Video surveillance
When applicable, buildings include standardised signs to duly notify visitors that video-surveillance cameras are in use. These cameras only record images at points in which they are required to ensure the safety and security of goods and people. These images are used solely for this purpose.
Website users
Our website’s navigation system and the underlying software which ensures the website functions correctly gather data generally created by using internet protocols. This data category includes, amongst others, users’ IP addresses or domains of the computers used by people to access our website. We do not associate said data to concrete users. We gather data for the exclusive purpose of gaining statistical insights on the use of our website. Our website also uses cookies which make it easier for users to navigate through our site and provide data on users and their interests (additional information about our cookies policy).
Other means of gathering data
We may also gather data from in-person interactions and other means such as e-mails and telephone calls, registrations to download our app, subscriptions to our blogs and by means of our social media profiles. In all cases, said data are used solely for the explicit purposes justifying their gathering and processing
How do we obtain personal data?
In the previous section we refer to some of the origins of the data we process. In most cases, the affected parties expressly provide us with their data, and we obtain them primarily through forms designed for this purpose. We also obtain data through open-door events, information sessions given on our campuses and fairs in which we inform about our programmes.
In terms of our relation with students, faculty and service providers, we gather other data which we incorporate into Esade systems.
A smaller amount of data may also originate from the competent public administrations in the higher-education area or from other academic institutions.
4. How do we legally justify this data processing?
The different types of data processing imply different legal justifications depending on their nature. We classify the different types of data processing in keeping with the legal bases established in Article 6.1 in the General Data Protection Regulation.
To provide educational services
Once admitted, our students obtain educational services from Esade. Providing these services to students represents a type of contractual relation in which both parties assume their respective rights and obligations: the rights of students to receive a good education and the right and obligation for Esade to process their data to provide them this service. This processing is based on Organic Law 6/2001, dated 23rd December, on Universities, and on Law 1/2003, dated 19th February, on Universities in Catalonia and their respective amendments.
To fulfil pre-contractual relations
This is the case with people who indicate an interest in Esade’s educational services. For this reason and with a similar justification, we process the data of possible candidates or suppliers with whom we have relations prior to formalising a contractual relation with them. This is also the case when processing the data of those who provide us their CVs or participate in personnel recruitment processes.
To fulfil a contractual relation
In the case of relations with our clients and suppliers, all data processing is legitimated in the contractual relation as occurs with the data that these commercial relations imply.
To fulfil legal obligations
Providing higher-education services implies that we have to comply with different norms involving data processing. In this respect, Esade communicates its students’ data to Universitat Ramon Llull to recognise and issue the degrees for the programmes taught. Similarly, in compliance with legal obligations (tax norms), data are communicated to the competent tax authorities. Ceding data to judicial bodies or security and safety forces, if requested by any of the latter, would also be to comply with legal obligations.
Based on consent
When we send information about our activities and services, we use the contact information provided by the person receiving said information with their explicit consent. We also obtain data on the use of our website with the website users’ consent. In the latter case, said website users can revoke this consent at any time by eliminating our cookies.
Legitimate interest
The images recorded through our video surveillance cameras are gathered based on our institution’s legitimate interest in protecting our assets and facilities. This legitimate interest also justifies the processing of data from contact forms as well as data from people who register to comment on our blogs or download and install our apps.
5. To whom do we cede data?
As a general norm, we will only cede data to comply with legal obligations. In the preceding sections we also describe how we cede our students’ data to provide them the educational services requested and those of our clients and suppliers to maintain the economic and commercial relations agreed on. We may also cede students’ data to other institutions within our group if duly authorised by said students.
Data are transferred outside of the European Union (international transfer) to manage students’ study abroad programmes and to respond to job offers from non-European firms. In both cases, said data are transferred with the students’ consent.
For some tasks, we also contract the services of companies or individuals based on their experience and specialisation. In some cases, these third parties may have access to personal data. In keeping with the General Data Protection Regulation, this access is not considered a type of data cession but, rather, a request to process said data. Esade only contracts the services of companies that guarantee they comply with this norm. When contracted, they duly recognise their confidentiality obligations, and we monitor them to ensure their compliance. Examples of the services contracted are data storage in external servers, providing computer assistance or legal, accounting and/or fiscal consulting.
6. How long do we store data?
The time we store data depends on different factors. The primary criterion is if the data are still necessary to fulfil the purposes for which they were originally gathered. The second criterion is to duly respond to any legal responsibility regarding Esade’s data processing and to comply with any legal requirements from public administrations and judicial bodies.
Consequently, we have to store data the time necessary to preserve their legal or informational value and to accredit our fulfilment of legal obligations. However, this time shall not exceed the time required for the purposes for which they are processed (“storage period” limitation in the General Data Protection Regulation). With respect to data accrediting the educational programmes students complete, we store said data permanently to preserve these students’ rights.
In specific cases, such as data included in accounting records and billing documents, fiscal norms require we store them until no longer legally required. The norms governing foundations require that we store some accounting-related data for ten years (in keeping with Law 10/2010, dated 28th April).
In the case of data processed solely based on the affected parties’ consent, we store said data until the affected parties revoke their consent.
Lastly, in the case of images obtained through our video-surveillance cameras, we store said images a maximum of one month. However, in case of incidents requiring they be stored longer, we shall preserve them the time necessary to facilitate the work of safety and security forces and judicial bodies.
The norms regulating the storage of public documents and the decisions issued by qualifying committees are a reference when deciding to store or eliminate data linked to providing public interest services.
7. What rights do people have in terms of the personal data we process?
As stipulated in the General Data Protection Regulation, people whose data we process have the following rights:
Know if their data are being processed
Be informed when data are gathered
When we gather personal data from the affected parties, they have to be clearly informed about the purposes for which their data are gathered, who is in charge of their processing and other key issued related to this processing.
Access their data
This is a very broad right which includes knowing exactly what personal data are being processed, for what purposes, to whom they are ceded (if applicable) and the right to obtain a copy of said data and know how long their data will be stored.
Rectify incorrect data
Affected parties have the right to demand we modify any inexact data we are currently processing.
Request their elimination
In specific cases, affected parties have the right to request we eliminate their data altogether. Amongst other motives, this can include when said data are no longer needed for the purposes for which they were originally gathered and which justified their processing.
Limit their processing
Similarly, in specific cases, affected parties have the right to request limiting the processing of their data. In these cases, we will no longer process their data and we will only store them to process or defend ourselves against complaints, in keeping with the General Data Protection Regulation.
Portability
In certain cases, norms recognise the right of affected parties to obtain a copy of their personal data in a machine-readable and commonly used format to then be able to transmit said data to another party for their processing if the affected parties so decide.
Oppose their processing
The affected parties may refer to motives related to their particular situations so that we no longer process their data insofar as it is harmful to them. This shall not apply if there are legitimate motives or in the case of exercising or defending ourselves against complaints.
Not receive information
We will immediately respect requests from affected parties who no longer want to receive information about our activities and services so long as said information is sent to the recipients based solely on their consent.
8. How can the affected parties exercise and defend their rights?
The affected parties can exercise the above-mentioned rights fast and easily through the following application form ARCO rights or writing to Esade at the address above or using any of the other means to contact us as indicated.
If the affected parties are not satisfied with this exercise of their rights, they may file a complaint with the Catalan Data Protection Authority by means of the forms or other channels available via its website (https://apdcat.gencat.cat/).
In all cases, whether to present complaints, clarify doubts or make suggestions, the affected parties may send an e-mail to the Data Protection Delegate via the following address: dpo@esade.edu
Specific data protection policies
Enrolment Process
Who is the data controller?
Fundación Esade, CIF G-59716761, with registered office at Avinguda Pedralbes, 60-62 (08034) Barcelona; Tel: +(34) 932806162, email: webmaster@esade.edu, www.esade.edu (hereinafter “Esade”). You can contact the data protection officer by writing to dpo@esade.edu.
For what purpose does Esade process your personal data?
Esade processes your data in order to keep a record of your enrolment and, on this basis, to provide the higher education services you have requested. The data provided, as well as any data resulting from the academic activity, will serve as the basis for the evaluation of this activity; the management of your academic record; administrative management; your identification as a user of Esade’s services and the facilitation of access to these services; the sending of information of interest; the processing, issuing and registration of degrees and the promotion and follow-up of job placement.
How long does Esade keep your personal data?
Data are deleted when they are no longer necessary for the purpose for which they were collected. The most important information (such as data accredited courses of study completed) is kept permanently. The criteria for the conservation or deletion of data are based on the regulation in force regarding public documentation or documentation derived from the exercise of public functions.
What are the legal grounds for Esade to process your data?
Your data are processed in order to perform a task carried out in the public interest, namely, the provision of higher education services. Some forms of processing – for example, disclosure to other institutions or public administrations – are carried out in compliance with the laws relating to universities, primarily Organic Law 6/2001, of 23rd December, on universities, Law 1/2003, of 19th February, on Catalan universities, and their implementing regulations.
Who else receives your personal data?
Data are disclosed to different institutions, always with explicit purposes and solely in a proportional manner – that is, only data which are essential to the fulfilment of this purpose are disclosed. For the purpose and recognition of the courses of study followed and the issuing of degrees, data are disclosed to Ramon Llull University. In compliance with the law, data are disclosed to insurers and banks for the purpose of administering payments. For internship purposes, we communicate with host companies and institutions. When part of a course of study takes place at another academic institution, we disclose data to said institution, as well as to quality and ranking institutions. With the student’s consent, data may be provided to professional entities and non-profit organisations.
Do other companies or institutions have access to the data?
Esade obtains services from private companies that contribute their experience and specialisation. In some cases, these external companies must access personal data controlled by Esade. Esade only contracts services with companies that are able to guarantee compliance with data protection regulations. At the time of contracting, such companies sign a confidentiality agreement and their activities are monitored. For example, certain data may be stored on the servers of specialised companies or public institutions that offer services to the university system of Catalonia. Likewise, information and data controlled by Esade is accessed by IT and software support companies, security firms, labour-law consultancies and accounting firms. Precise information about the companies providing these services can be obtained at any time by writing to dpo@esade.edu.
What rights do you have in relation to data processing?
Any person has the right to obtain information about whether Esade processes his or her personal data. If Esade does process the person’s data, the data subject has the right to know how Esade obtained his or her data (if not provided by the data subject), the purpose for which they are processed, any disclosures that have been made, and any disclosures foreseen in the future. The law recognises the data subject’s right to request access to his or her data, rectification of inaccurate data, or erasure of data, provided that said data are no longer necessary for the purposes for which they were collected and the obligation to keep said data no longer exists. In cases in which the processing of data is carried out solely on the grounds of the data subject’s consent, deletion is carried out immediately. In certain circumstances, data subjects may request restriction of the processing of their data; this right gives data subjects control over their data primarily for the purposes of correcting inappropriate processing and presenting claims in defence of the data subject’s rights.
How can you exercise or defend your rights?
By writing to the data protection officer at Avinguda Pedralbes, 60-62 (08034) Barcelona.
If you consider that your rights have not been properly addressed, you may submit a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). You may contact Esade’s data protection officer by email at any time by writing to: dpo@esade.edu .
Information Requests
Who is the data controller?
Fundación Esade, CIF G-59716761, with registered office at Avinguda Pedralbes, 60-62 (08034) Barcelona; Tel: +(34) 932806162, email: webmaster@esade.edu, www.esade.edu (hereinafter “Esade”). You can contact the data protection officer by writing to dpo@esade.edu
For what purpose does Esade process your personal data?
Esade processes your data in order to have a record of the people who, either individually or in their capacity as a representative of a legal entity, receive information about Esade’s activities, services and initiatives. These data allow Esade to manage these communications. This information can be sent by one or more of the communication channels used by Esade – for example, texts sent by email, publications, and notifications sent to mobile devices.
How long does Esade keep your personal data?
Personal data are kept until the data subject expresses a desire to stop receiving information. In the case of people who receive information in their capacity as a representative of a legal entity, the data may be deleted if the person ceases to act in such a capacity.
What are the legal grounds for Esade to process your data?
Data are processed with the consent of the recipient of the information, who may revoke this consent at any time. If you revoke consent, your data will be deleted immediately. The data of people included on the recipient list in their capacity as a representative of a legal entity are processed in order to perform a task carried out in the public interest, namely, guaranteeing Esade’s communication with other institutions.
Who else receives your personal data?
Personal data are not disclosed to third parties without the prior consent of the data subject; this consent must be explicitly expressed.
What rights do you have in relation to data processing?
Any person has the right to obtain information about whether Esade processes his or her personal data. If Esade does process the person’s data, the data subject has the right to know how Esade obtained his or her data (if not provided by the data subject) and for what purpose they are processed. In general, the law recognises the right of data subjects to request access to their personal data, rectification of inaccurate personal data or, if appropriate, erasure of personal data when the data are no longer necessary for the purposes for which they were collected and Esade is not required to store them. In the case of subscription to informational channels or services, erasure of personal data is carried out immediately after the data subject’s request is received. In certain circumstances, data subjects may request restriction of the processing of their data; this right gives data subjects control over their data primarily for the purposes of correcting inappropriate processing and presenting claims in defence of the data subject’s rights.
How can you exercise or defend your rights?
By writing to the DPO at Avinguda Pedralbes, 60-62 (08034) Barcelona.
If you consider that your rights have not been properly addressed, you may submit a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). You may contact Esade’s data protection officer by email at any time by writing to: dpo@esade.edu
Admissions Forms
Who is responsible for processing personal data?
Fundació Esade, with tax ID number, G-59716761; headquartered at Avinguda Pedralbes, 60-62, (08034) in Barcelona; telephone number, (34) 93 280 6162; e-mail address: webmaster@esade.edu; and website: www.esade.edu (hereafter, “Esade”). Affected parties may also contact the Esade Data Protection Delegate (DPD) by e-mail: dpo@esade.edu.
How and for what purposes does Esade process this data?
Esade gathers the affected parties’ personal data to register their applications for admission to Fundació Esade programmes. Based on the latter, it gathers the necessary data and documentation to assess if the candidates fulfil the requirements needed to be admitted to the programmes as well as determine their suitability. The data provided and those gathered through the admissions process will serve as the basis to evaluate if the candidates are accepted into the programmes. If accepted, said data will then be incorporated into students’ academic transcripts.
How long does Esade maintain this data?
Esade will eliminate the data once they’re no longer necessary to fulfil the purpose for which they were gathered. The most relevant data, such as accreditation for the degrees completed at Esade, will be kept permanently. The criteria used to determine if data should be eliminated or maintained are based on the currently valid norms regarding public documentation and/or those stemming from the exercise of public functions.
How does Esade legitimate this data processing?
Esade processes data based on the express decision of those requesting admission to its programmes. It processes their data prior to formalising a service relation between the parties. Said relation shall be formalised should candidates be admitted to the programme and in fulfilment of a public interest mission such as higher education. Esade carries out some processing, for example, communicating with other institutions or public administrations, in due compliance with the norms governing universities, primarily, Organic Law 6/2001, dated 23rd December, on universities, Law 1/2003, dated 19th February, on the universities in Catalonia, and their respective amendments.
To whom does Esade cede data?
Esade cedes data to different institutions for explicit aims and only proportionally, that is, ceding the data that are fundamental to fulfil said aims. Similarly, it cedes data to banking institutions for payment in due compliance with legal norms.
Do other companies or institutions have access to the data?
Esade contracts services from private companies for their experience and specialisation. On some occasions, some of these external companies have to access personal data under Esade’s care. Esade only contracts services from companies that guarantee their compliance with data protection norms. When contracting these firms, said companies’ confidentiality obligations are duly detailed, and Esade monitors their activity. For example, certain data may reside in servers contracted with specialised companies or public administrations that provide services to the university system in Catalonia. Similarly, some companies access information and data under Esade’s responsibility. These firms include those that provide computer support for the use of software programmes, security companies and labour-related and accounting consulting firms. For additional information on the companies that are currently offering these services, please feel free to send us an e-mail: dpo@esade.edu.
What rights do affected parties have in terms of their data?
Everyone has the right to receive confirmation that Esade is processing their personal data. If affirmative, they have the right to know where Esade obtained said data If the affected parties did not provide said data directly, in addition to the purpose for which the data were gathered and any cession of said data already carried out or foreseen. The Law recognises that the affected parties have the right to access their data as well as request that incorrect data be rectified or, if applicable, request they be eliminated when the data are no longer necessary for the purposes for which they were gathered and there are no legal obligations to maintain said data. Data have to be eliminated immediately when Esade processes the data solely based on the affected parties’ consent. In certain circumstances, the affected parties can also request limiting the processing of their data, a right entitling them to monitor their data, particularly in terms of their inappropriate processing, and to present any complaints in defence of their rights.
How can the affected parties exercise or defend their rights?
They can write to Esade’s Data Protection Delegate (DPD): Avinguda Pedralbes, 60-62, 08034, Barcelona - Spain.
If someone feels that their rights have not been duly respected, they may file a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). Affected parties may also write to Esade’s Data Protection Delegate (DPD) at any given time via e-mail: dpo@esade.edu.
Donations Forms
Who is responsible for processing personal data?
The entity responsible for processing data is Fundació Esade (hereafter, “Esade”), with headquarters in Barcelona (Avinguda Pedralbes 60-62, 08034 – Barcelona), fiscal ID G-59716761, telephone number, (34) 932 806 162, and e-mail address, webmaster@esade.edu. Affected parties may contact the Data Protection Delegate (DPD) by sending an e-mail to: dpo@esade.edu.
For what ends does Esade process this data?
Esade registers personal data to manage donations, that is, to register, enter into the books and accredit donations as well as to contact donors to provide them transparent information about how donations to Esade are assigned and managed as well as to invite them to events related to their donations.
Donors’ name and surnames will be published in the Annual Report of Donations, Fundacion Esade Annual Report, the “Wall of Donors” and other material related to donations, with their consent.
How long does Esade store this data?
Esade stores this data for 10 years in keeping with Law 10/2010, dated 28th April, on the prevention of money laundering and the funding of terrorist activity. Esade shall store donors’ personally identifiable data beyond this time solely with their consent.
How does Esade legally justify this data processing?
Esade undertakes this data processing based on the donor’s decision to freely donate any asset or right to Fundació Esade. Esade shall process said data in fulfilment of a public interest mission and in keeping with legal obligations, primarily those detailed in Law 49/2002, dated 23rd December, on the fiscal regime governing not-for-profit organisations and fiscal incentives for patronage and other complementary laws, as well as, if applicable, Law 10/2010, dated 28th April, on the prevention of money laundering and the funding of terrorist activity and other complementary laws.
To whom does Esade cede data?
In due fulfilment of legal norms, Esade communicates said data to banking institutions for payment purposes, the competent tax authorities and, if applicable, SEPBLAC.
Do other companies or institutions have access to the data?
Esade contracts services from private companies for their experience and specialisation. On some occasions, some of these external companies have to access personal data under Esade’s care. Esade only contracts services from companies that guarantee their compliance with data protection norms. When contracting these firms, said companies’ confidentiality obligations are duly detailed, and Esade monitors their activity. For example, certain data may reside in servers contracted with specialised companies or public administrations that provide services to the university system in Catalonia. Similarly, some companies access information and data under Esade’s responsibility. These firms include those that provide computer support for the use of software programmes, security companies and labour-related and accounting consulting firms. For additional information on the companies that are currently offering these services, please feel free to send us an e-mail: dpo@esade.edu.
What rights do people have in terms of data processing?
Everyone has the right to receive confirmation that Esade is processing their personal data. If affirmative, they have the right to know where Esade obtained said data If the affected parties did not provide said data directly, in addition to the purpose for which the data were gathered and any cession of said data already carried out or foreseen. The Law recognises that the affected parties have the right to access their data as well as request that incorrect data be rectified or, if applicable, request they be eliminated when the data are no longer necessary for the purposes for which they were originally gathered and there are no legal obligations to maintain said data. Data have to be eliminated immediately when Esade processes the data solely based on the affected parties’ consent. In certain circumstances, the affected parties can also request limiting the processing of their data, a right entitling them to monitor their data, particularly in terms of their inappropriate processing, and to present any complaints in defence of their rights.
How can the affected parties exercise and defend their rights?
Affected parties can write to Esade’s Data Protection Delegate (DPD): Avinguda Pedralbes, 60-62, 08034, Barcelona - Spain.
If someone feels that their rights have not been duly respected, they may file a complaint with the Catalan Data Protection Authority (https://apdcat.gencat.cat/). Affected parties may also write to Esade’s Data Protection Delegate (DPD) at any given time via e-mail: dpo@esade.edu.