In compliance with Article 13 of Regulation (EU) 2016/679 (hereinafter, the ‘GDPR’) and Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, the ‘LOPDGDD’), we inform you that your personal data will be processed by the Europa Education Group entity with which you establish the relevant relationship, with each entity acting as a data controller individually in respect of its own students, applicants and users:
- UNIVERSIDAD EUROPEA DE MADRID, S.A.U., with Tax Identification Number (N.I.F.) A-79122305 and registered office at C/ Tajo s/n 28670 Villaviciosa de Odón, Madrid.
- UNIVERSIDAD EUROPEA DE VALENCIA, S.L.U., with Tax Identification Number B-97934467 and registered office at Paseo de la Alameda 7, 46010 Valencia.
- UNIVERSIDAD EUROPEA DE CANARIAS, S.L.U., with Tax Identification Number B-57257263 and registered office at C/ Inocencio García Feo 1 Casa Salazar, 38300 La Orotava, Santa Cruz de Tenerife.
- INSTITUCION ARTÍSTICA DE ENSEÑANZA IADE, S.L., with tax identification number B-06988380 and registered office at C/ María de Molina 39, Madrid, 28006.
- INICIATIVA EDUCATIVA UDDI, S.L., with Andorran tax registration number L-718330-G and registered office at Carrer Prat de la Creu núm. 59-65, Escala B, Planta baixa B2, AD500 - Andorra la Vella, Principat d' Andorra
- INICIATIVA EDUCATIVA UEA, S.L., with tax identification number B-86130044 and registered office at C/ Eolo 10, 29010, Málaga.
- PROYECTOS EDUCATIVOS ASTUR, S.L.U., with tax identification number B-70938899 and registered office at C/ Tajo s/n, 28670, Villaviciosa de Odón, Madrid.
Hereinafter, jointly or individually, ‘the Entity’ or ‘the University’. Each entity acts as an independent data controller with regard to the personal data of individuals associated with it.
The University has formally appointed a Data Protection Officer and has also set up the following communication channels:dpo@universidadeuropea.es ,dpo@iade.es ,dpo@universidaduddi.com , to which you may, at your discretion, address any queries regarding the processing of your personal data.
Universidad Europea de Madrid, S.A.U. provides technological, administrative and data protection support services to the other entities of the Europa Education Group in its capacity as a data processor, under an intra-group agreement in accordance with Article 28 of the GDPR. [AND1]
3.1. Source of the data
The personal data we process comes from the following sources:
- Data provided directly by you via web forms, admission processes, enrolment contracts, applications and other communications.
- Data generated during the course of the academic, administrative or contractual relationship with the Organisation (grades, academic records, payments, communications).
- Data from third parties with your authorisation: institutions collaborating on scholarship programmes, previous educational institutions, accrediting bodies.
3.2. Categories of data processed
Depending on the specific processing activity, we may process the following categories of data:
- Identifying data: first name, surname, tax identification number/foreign resident identification number/passport number, postal address, telephone number, email address, photograph.
- Personal data: date and place of birth, nationality, gender, marital status.
- Social circumstances data: family situation, languages.
- Academic and professional data: academic record, grades, qualifications, experience.
- Financial data: bank account, payments made, credit status (only where strictly necessary).
- Image and voice: in recordings of academic sessions and supervised assessment tests.
Special categories of data (Art. 9 GDPR) are not processed unless strictly necessary and always on a specific legal basis and with enhanced safeguards.
Biometric data will not be processed, unless expressly stated.
4.1. Request for information about academic programmes
- Purpose: to respond to your request for information, send you documentation on academic programmes and address pre-contractual enquiries.
- Data categories: identification and contact details.
- Legal basis: Article 6(1)(b) GDPR (pre-contractual measures taken at the data subject’s request).
4.2. Application for admission and admissions process
- Purpose: to manage the admission process, including entrance examinations, aptitude assessments and the issuance of a decision.
- Data categories: identification, personal, academic, and social circumstances relevant to the programme.
- Legal basis: Article 6(1)(b) GDPR (pre-contractual measures). For programmes or personal circumstances requiring additional sensitive information, express consent will be sought in accordance with Article 6(1)(a) GDPR.
5.1. Academic and administrative management
Purpose: to process, maintain, develop, manage and monitor the student’s academic relationship, including the management of academic records, grades, student ID cards, access to facilities and the management of the institutional mobile app through which academic services, communications and notifications are made available to the student.
Categories of data: identification, personal, academic, social circumstances and, where applicable, economic and financial.
Legal basis: Article 6(1)(b) GDPR (performance of the academic contract) and Article 6(1)(c) GDPR (compliance with obligations arising from applicable academic regulations).
5.2. University activities and student services
- Purpose: to manage the student’s participation in voluntary activities, university sports, international mobility programmes, Career Services, the Student Ombudsman and other institutional services.
- Data categories: identification, personal, academic, and specific data depending on the activity.
- Legal basis: Article 6(1)(b) of the GDPR (performance of a contract) for services included in the tuition fees; Article 6(1)(a) of the GDPR (consent) for voluntary and optional activities.
5.4. Conducting surveys
- Purpose: to conduct surveys, either independently or in collaboration with third parties, on the academic activities and services of the Europa Education Group, with the aim of evaluating and improving the quality of the educational experience, the services provided, the employability of graduates and, where applicable, responding to the requirements of university evaluation and accreditation bodies.
- Data categories: identification and contact details, academic data, responses and opinions provided in the survey.
- Legal basis: Article 6(1)(f) GDPR (the University’s legitimate interest in the continuous improvement of its programmes and services and in compliance with quality assessment processes). Article 6(1)(a) GDPR (express consent) where applicable.
5.3. Recording of academic sessions
- Purpose: to record video and audio during sessions delivered on the Virtual Campus for teaching purposes, to enable asynchronous learning, the traceability of the educational process and the safeguarding of evidence of the conduct of academic activities.
- Data categories: image, voice, identifying data associated with the Virtual Campus user.
- Legal basis: Article 6(1)(f) GDPR (legitimate interest). The processing serves the legitimate interest of both the controller and the data subject, based on the possibility afforded by the recording of evidence to ensure the traceability and integrity of the assessment process, as well as to preserve evidence of the conduct of work sessions on the Virtual Campus and of examinations and oral examinations before examination boards. This recording also safeguards the student’s effective right to review, by enabling the content and circumstances in which these academic activities took place to be verified. The data subject’s interest prevails insofar as the recording constitutes a safeguard of their own rights against potential disputes regarding the outcome or conduct of the assessment.
6.1. Profiling and sending commercial communications
- Purpose: to create profiles using statistical and segmentation techniques based on internal sources, with the aim of personalising our academic and service offerings, and to send you advertising and promotional communications tailored to your profile via post, email, SMS, instant messaging apps (WhatsApp, Telegram, Line) and other electronic means.
- Data categories: identification and contact details; preferences and interaction history.
- Legal basis: Article 6(1)(a) of the GDPR (explicit consent) and Article 21 of Law 34/2002 on Information Society Services (LSSI) for electronic communications.
- Profiling: The processing includes profiling based exclusively on internal information that you have provided to us or that has been generated from your interaction with us. The result of profiling is limited to determining which academic content, products or services may be of interest to you, without having any legal or effects on you or significantly affecting you in other areas. You may withdraw your consent at any time via the unsubscribe link included in every electronic communication or by writing to the DPO.
6.2. Communications following the end of the academic relationship
- Purpose: to maintain contact with graduates and former students to inform them about programmes, alumni events and new academic offerings.
- Legal basis: Article 6.1.a GDPR (express consent obtained upon termination of the relationship). Without consent, this purpose will not be pursued.
7.1. Direct debit and payment management
- Purpose: to manage the collection of tuition fees, monthly instalments and other academic charges.
- Data categories: identification, financial.
- Legal basis: Article 6(1)(b) GDPR (performance of a contract) and Article 6(1)(c) GDPR (tax and commercial obligations).
7.2. Scholarships, grants and discounts
- Purpose: to process the award of scholarships, grants or discounts, including, where applicable, the transfer of data to partner institutions or organisations that fund or co-manage the programme.
- Categories of data: first name and surname, student ID number, qualification, email address, country.
- Legal basis: Article 6(1)(b) of the GDPR for the essential transfer to partner organisations that jointly manage the grant; Article 6(1)(a) of the GDPR (explicit consent) for additional uses.
- Publication of lists: in accordance with the strictest transparency criteria, the list of grant recipients may be published in a duly pseudonymised form, so that it is not possible to directly identify the data subject.
7.3. Student Portal
- Purpose: to provide students with a personalised platform for accessing academic information (timetables, grades, events, grants, mobility programmes) and financial information (receipts, invoices, supporting documents).
- Data categories: identification, academic, economic and financial.
- Legal basis: Article 6(1)(b) GDPR (performance of the academic contract).
7.4. Compliance with legal obligations
- Purpose: to fulfil legal obligations incumbent upon the University, including responses to judicial, administrative and tax requirements, and other obligations arising from university, tax and commercial regulations.
- Legal basis: Article 6(1)(c) GDPR (compliance with a legal obligation).
8.1. Categories of recipients
Your personal data may be disclosed to the following recipients where necessary for the specific purpose:
- Other entities within the Europa Education Group.
- Regional, national, European and international public authorities responsible for education, taxation or regulatory matters.
- Financial institutions and payment gateways for the management of payments.
- Institutions awarding the university degree.
- Institutions collaborating on scholarship, grant and discount schemes.
- The student’s financial guarantors (family members or third-party payers).
- Technology providers acting as data processors with whom the relevant data processing agreements have been signed.
8.2. International transfers
Transfers to Andorra: given that the Europa Education Group includes Iniciativa Educativa UDDI, S.L., which is based in the Principality of Andorra, certain processing operations may involve the transfer of data to that jurisdiction. These transfers are covered by the European Commission’s Adequacy Decision 2010/625/EU of 19 October 2010, which recognises an adequate level of protection.
Other transfers: for transfers to other countries, the safeguards set out in Articles 45 to 49 of the GDPR shall apply.
Personal data will be retained provided that you have not exercised your right to erasure, and will be retained in accordance with the applicable legal time limits in each specific case, the type of data and the purpose of the processing. Once the above time limits have elapsed, the data will be blocked and retained exclusively for the use of public authorities, judges and courts to address any potential liabilities arising from the processing, for the duration of the limitation period for legal actions. Once this period has expired, the data will be permanently deleted.
Data protection legislation grants you the following rights, which you may exercise free of charge and at any time:
- Access. To find out what personal data we process about you and for what purpose.
- Rectification. To request the correction of inaccurate or incomplete data.
- Erasure (‘right to be forgotten’). To request the deletion of your data when, amongst other reasons, it is no longer necessary for the purposes for which it was collected or when you withdraw your consent.
- Objection. To object to the processing of your data on grounds relating to your particular situation.
- Restriction. To request that your data be retained without being actively processed in the circumstances set out in Article 18 of the GDPR (whilst the accuracy of the data is being verified, during the processing of an objection, etc.).
- Portability. To receive, in a structured, commonly used and machine-readable format, the data you have provided to us and which is processed on the basis of consent or for the performance of a contract, or to request that it be transmitted directly to another controller where technically feasible.
- Not to be subject to automated decision-making. Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you (Article 22 of the GDPR).
- Withdrawal of consent. Where processing is based on your consent, you may withdraw it at any time without this affecting the lawfulness of processing carried out prior to such withdrawal.
How to exercise your rights?
You may exercise any of these rights, without distinction, through the following channels, and a response will be provided within the statutory period of one month, which may be extended by a further two months:
- Email to the Data Protection Officer:dpo@universidadeuropea.es ·dpo@iade.es · dpo@universidaduddi.com
- Post: Data Protection Officer — Universidad Europea de Madrid, S.A.U., C/ Tajo s/n, 28670 Villaviciosa de Odón (Madrid).
You may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es). As a preliminary and voluntary step, we recommend that you contact the Data Protection Officer.
