The University of Vigo assumes the responsibility of complying with current legislation on data protection. Its objectives include guaranteeing the protection of information and the processing of personal data for students, professors, administration and services personnel and, in general, any other citizen who has at any point had a relationship with the University of Vigo.
The protection of individuals in relation to the processing of personal data is a fundamental right protected by article 18.4 of the Spanish Constitution. The fundamental right to data protection recognises individuals right to control their personal data and grants them all authority regarding their use.
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of individuals in which it respects the processing of personal data and the free circulation of these data (GDPR) establishes the principles and rules that guarantee the essential content of the fundamental right to protection, reinforcing legal certainty and transparency.
Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights, provides for the adaptation of the Spanish legislation to the GDPR, preserving the principle of legal certainty and seeking a complementary internal regulation to make the GDPR application fully effective. Data Controller
The Data Controller is the individual, public authority, service or other organisation that, alone or together with others, determines the purposes and means of data processing. The University of Vigo is responsible for the data processing.
The University of Vigo will apply appropriate technical and organisational measures in order to guarantee and be able to demonstrate that the data processing is in accordance with the data protection regulations, taking into account the nature, scope, context and purposes of the data processing, as well as the risks to the rights and freedoms of individuals.
Universidade de Vigo
As Lagoas, Marcosende, s/n
+34 986 813 600
Data Protection Officer
The Data Protection Officer (DPO) is a figure of mandatory application by the General European Data Protection Regulation (GDPR) and Organic Law 3/2018, on the protection of personal data and guarantee of digital rights.
This may be an individual or a legal entity who performs their functions within the framework of a service contract, or may be part of the staff of the University of Vigo, which in the latter case will not be dismissed or sanctioned for the proper execution of their duties as DPO, except in the event of fraud or gross negligence.
They will be appointed on the basis of their professional qualifications and, in particular, their specialised knowledge of data protection law and practice.
They will receive all the necessary resources for executing their duties from the person in charge. They will also have access to personal data and processes of data treatment.
The DPO may perform other duties and tasks and the person in charge will guarantee that said duties do not give rise to a conflict of interest.
Their contact details must be public. Subjects may contact the DPO regarding all questions pertaining to the processing of their personal data and the exercise of their rights under the provisions of the GDPR and the Organic Law on the protection of personal data and guarantee of digital rights.
The data controller will guarantee that the DPO does not receive any instructions, so they have full autonomy in the exercise of their duties as DPO and will maintain a fluid relationship with the Vice-Chancellor and the management team to improve the public service commissioned to them.
The DPO performs at least the following duties:
- Inform and advise the data controller and data processor and employees of their responsibilities under the data protection regulations.
- Supervise compliance with the provisions of the data protection regulations and the policy of the data processor regarding the protection of personal data, including the assignment of responsibilities, the awareness and training of the personnel who participate in data processing and the corresponding audits.
- Offer the advice that is requested on the impact assessment related to data protection and supervise its application in accordance with the data protection regulations.
- Cooperate with the Spanish Data Protection Agency (AEPD).
- Act as a contact point for the AEPD for questions regarding processing, including prior consultation referred to in the regulations on data protection and make inquiries, where appropriate, on any other matter.
- Document and communicate to the administration and management bodies of the data processor of the existence of relevant violations in terms of data protection.
Ana Garriga Domínguez
Facultade de Dereito
As Lagoas, s/n
+34 988 368 834
The Data Processor is the individual or legal entity, public authority, service or other organisation that processes personal data on behalf of the University of Vigo.
The University of Vigo must decide on the purpose and uses of the information, while the data processor must comply with the instructions entrusted to them by the University for a certain service regarding the correct treatment of personal data to which they may have access as a result of the provision of this service.
The University of Vigo must choose a data processor who offers sufficient guarantees regarding the implementation and maintenance of the appropriate technical and organisational measures and who guarantees the protection of the rights of the persons affected. Adherence to codes of conduct or possession of a data protection certificate can serve as a testing mechanism.
The Data Processor can make all organisational decisions and adopt all operations necessary for the provision of the contracted service, but in no case can the purposes and uses of the data be changed nor can they use them for their own purposes.
The regulation of the relationship between the Data Controller and the Data Processor must be established through a contract or a unilateral legal act and must be in writing, including in electronic format. The Data Processor can carry out all processing, automated or not, that the Data Controller formally entrusts to him in the agreement that is adopted, respecting the data protection regulations and the principles related to data processing indicated in article 5 of the GDPR.
There is no duty to make public the appointment of a Data Controller.
The minimum content of a data processor contract or agreement is:
- The instructions of the data controller
- Duty of confidentiality
- Duty of confidentiality
- Subcontracting regime
- The rights of subjects
- Collaboration in the fulfilment of the duties of the person in charge
- Destination of the data at the end of the service
- Collaboration with the person in charge to demonstrate compliance
- Identification of the person in charge of data processing
The University of Vigo does not give up the role of data controller when it contracts an individual as data controller and continues to be responsible for the correct processing of personal data and the guarantee of the rights of those affected.
The University of Vigo will only collect the personal data that is strictly necessary in relation to the purposes for which they are processed, in accordance with the principles set forth in article 5 of the GDPR, and will provide subjects, at the time the data is obtained, the information necessary to guarantee fair and transparent treatment, in accordance with the provisions of articles 13 and 14 of the GDPR.
The purposes of data processing are protected in the public interest and for the provision of the higher education service entrusted to the University of Vigo through Organic Law 6/2001, of December 21, on Universities and other related regulations.
The data that the University of Vigo collects serves the purposes directly related to its competences and functions and it will collect, process, store and use it to carry out its relations with students, former students, teaching and research staff, administration and services, other users of the services it provides, as well as suppliers and other individuals or legal entities. @Dito data will be processed confidentially and will be incorporated into the corresponding processing activity owned by the University of Vigo.
Principles of legitimacy
The University of Vigo is entitled to process personal information in accordance with the principle of lawfulness indicated in article 6 of the GDPR and, mainly for:
- The fulfilment of a mission carried out in the public interest or a governmental exercise. Most of the personal data processing of the University of Vigo is carried out according to this basis of legitimation. The University of Vigo is part of the institutional public sector and, therefore, the processing of personal data is necessary for the provision of the public service of higher education conferred by Organic Law 6/2001, of December 21, on universities, by its Statutes and by the rest of its own regulations.
- The fulfilment of different legal duties. Certain data processing is applicable to the University of Vigo for the realisation of its purposes based on the application of the regulations of Spanish or European Union law.
- The execution of a contract in which the subject is a party or for the application at their request of pre-contractual measures.
- Exceptionally, it may be necessary to carry out data processing to protect the vital interests of the subjects or other individuals.
- The fulfilment of a legitimate interest pursued by the person in charge or by a third party: for example, for the correct maintenance of the relations of the members of the university community with the University of Vigo.
- Finally, if the previous legitimation requirements are not met, the University of Vigo will process personal data for one or more specific purposes when the subjects give their consent.
The personal data provided will be kept for the time necessary to fulfil the purpose for which they are collected and to determine the possible responsibilities that may have arisen from the same purpose, in addition to the periods established in the regulations on files and documentation.
Depending on the type of data processing activities carried out, the University of Vigo may be obliged to communicate information related to subjects to different Institutions, Organisations or public or private #Entities, including recipients in other countries or international organisations.
The planned communications are identified in the Data Processing Activity Log.
Likewise, personal data may be communicated to Collaborating Companies or Entities, for example, to carry out external internships. If authorisation to communicate the data is not granted in these cases, these services cannot be provided.
International data transfers
Personal information collected by the University of Vigo resides in Spain, but it may be transferred to countries outside the European Union, for example, in the case of some exchange programmes. If so, the University of Vigo undertakes to comply with the legal requirements established by Spanish and European Union regulations.
Specifically, the data may be communicated had they been from the European Economic Area, in the terms indicated in articles 45 to 50 of the GDPR:
- Transfers based on an adequacy decision. A country or territorial organisation when the Commission had decided that the country, territory or one or more specific sectors of that country, or the international organisation in question, guaranteed an adequate level of protection. @Dito transfer will not require any specific authorisation.
- Transfers through adequate guarantees. In the absence of an adequate decision, the University of Vigo or the Data Processor may not transmit personal data to another country or international organisation, the appropriate guarantees are offered that may be provided by a legally binding instrument, by binding corporate regulations, by standard data protection clauses adopted by the Commission or by a supervisory authority, by a code of conduct or by a certification mechanism.
- The lack of adequacy decision and guarantees: only one of the following conditions may be fulfilled: The subject explicitly gave consent, the transfer is necessary for the execution of a contract between the subject and the data controller or for the execution of pre-contractual measures adopted at the request of the subject, the transfer is necessary for important reasons of public interest, the transfer is necessary for the presentation, exercise or defence of claims, the transfer is necessary to protect the vital interests of the subject or other persons if the subject is physically or legally incapable of giving their consent or the transfer is made from a public registry that aims to provide information to the public and is open to consultation with the general public or any person who can prove a legitimate interest, but only to the extent that the conditions established by the law of the Union or of the Member States for the consultation are met in each particular case.
Outside of these assumptions, prior authorisation must be obtained from the AEPD.
The University of Vigo undertakes to protect personal data by applying the necessary security measures in accordance with its Information Security Policy. It will take into account the state of the art, the costs of application and the nature, scope, context and purposes of processing, as well as the risks of variable probability and severity to the rights and freedoms of the subjects. Both the University of Vigo and the different data controllers will apply appropriate technical and organisational measures to guarantee a level of security appropriate to the risk and in accordance with that set forth in article 32 of the GDPR.
The Vice-Chancellor’s Office for Planning and Sustainability is responsible for the design of the security policy at the University of Vigo and for the implementation of the National Security Scheme.