Privacy policy and treatment of information

1.- RIGHT TO INFORMATION

In accordance with Article 11 of Organic Law 3/2018, of December 5, on Personal Data Protection and the Guarantee of Digital Rights (hereinafter LOPDGDD) and Article 13 of Regulation (EU) 2016/679 (GDPR), we describe how personal data is processed at the Escola Superior de Música de Catalunya (ESMUC).

1.2.- Definitions

The following terms are defined as:

1) Personal data: Any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one whose identity can be determined, directly or indirectly, using an identifier such as a name, identification number, location data, an online identifier, or one or more specific elements of that person’s physical, physiological, genetic, mental, economic, cultural, or social identity.

2) Processing: Any operation or set of operations performed on personal data or sets of personal data, whether automated or not, such as collection, recording, organization, structuring, storage, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination, or any other form of access, comparison, interconnection, limitation, erasure, or destruction.

3) Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects relating to the person’s professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

4) Pseudonymization: Processing of personal data in such a way that it can no longer be attributed to a data subject without the use of additional information, provided that this additional information is kept separately and subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.

5) File: A structured set of personal data that is accessible according to specified criteria, whether centralized, decentralized, or distributed functionally or geographically.

6) Data Controller or Controller: The natural or legal person, public authority, service, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

7) Data Processor: The natural or legal person, public authority, service, or any other body that processes personal data on behalf of the data controller.

8) Recipient: A person to whom personal data is disclosed, whether a third party or not. However, public authorities who may receive personal data in the context of a specific investigation are not considered recipients.

9) Third Party: A natural or legal person, public authority, service, or body other than the data subject, data controller, data processor, and the persons authorized to process the personal data under the direct authority of the controller or processor.

10) Data Subject’s Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, either by a statement or by a clear affirmative action, whereby the data subject signifies agreement to the processing of personal data relating to them.

11) Supervisory Authority: The independent public authority established by a Member State in accordance with Article 51 of the GDPR.

12) Cross-border processing:

a) The processing of personal data in the context of the activities of establishments in more than one Member State of a data controller or processor in the European Union, where the controller or processor is established in more than one Member State, or

b) The processing of personal data carried out in the context of the activities of a single establishment of a data controller or processor in the Union, but which substantially affects or may substantially affect data subjects in more than one Member State.

1.3.- Who decides on the use of the data and the means that will be used for processing?

The data controller is ESMUC.

NIF: G62429329
Address: C. Padilla, 155, Edifici de L’Auditori, 08013 Barcelona
Telephone: 93 352 30 11
Email: info@esmuc.cat

1.4.- Who oversees the correct application of all the rules governing data processing at ESMUC?

The Data Protection Officer is CIPDI Tratamiento de la Información SL, located at Mataró, c/Sant Agustí n. 1 1º 1ª, dpd@cipdi.com.

1.5.- What purpose will we use your data for, what is the legal basis for these data processing activities, and how long will we keep them?

Purpose | Legal Basis | Retention
Provision of services you request | Contractual relationship | 10 years
Sending information about activities by email or post | Contractual relationship and consent | Until consent is revoked
Request for information | Consent | 1 year
Labor personnel management | Contractual relationship and legal obligation | 5 years
Supplier management | Contractual relationship and legal obligation | 5 years
Fulfilling legal and contractual obligations | Contractual relationship and legal obligation | 5 years
Image management | Consent and Art. 8 LO 1/1982 | Until consent is revoked
Video surveillance | Legitimate interest. Maintaining security | Maximum 30 days from capture

1.6.- Do we process your images?

The data controller documents public events it organizes with photographs and videos, with the aim of disseminating them on its website or other public information dissemination platforms such as: the website, social networks where the data controller has a profile, and its own publications or press releases. You can obtain more information on this by consulting the data controller’s website or contacting the DPO.

1.7.- Who will be able to access and know the content of your data?

In order to fulfill the aforementioned purposes, the following individuals and entities may have access to personal data. Their access will be limited to the data required to perform the functions of the data controller. Confidentiality agreements and/or specific agreements have been signed with all recipient entities and individuals, regulating access to information, security measures, and the use of the data. The data may be accessed by:

  • Personnel authorized by the data controller.
  • Service providers necessary to fulfill the services you request or to comply with legal and contractual obligations.
  • Public administration within its competencies.
  • Social networks, provided you have previously consented to the dissemination of your identifying data.

You can expand this information by contacting the Data Protection Officer (DPO).

1.8.- Are there any cross-border data transfers?

The data controller uses the following programs, including the social networks listed on the website, which may involve data transfer outside the Schengen Area:

Program | Privacy policy
Office 365 | https://privacy.microsoft.com/es-es/privacystatement
Moodle | https://moodle.com/privacy-notice/
Mailchimp | https://mailchimp.com/legal/privacy/

In these cases, data transfer is made to countries considered adequate, as they have an adequacy decision by the European Commission; or in accordance with the guarantees required by the GDPR, such as having standard data protection clauses approved by the European Commission.

All information regarding the rights of users who have allowed digitalized processing is available in the legal notices of the websites that contain the software and applications. Since access is free, we consider all content in the notices to be reproduced. Given the extent of the content in the published policies, you may request a copy by contacting the data controller or the Data Protection Officer at the addresses listed in section 1.3 of this document.

1.9.- What rights do data subjects and owners have?

Right of access: Regulated in Article 15 of GDPR 2016/679 of April 27, 2016. This is the right to request from the data controller all the information it holds about the data subject’s personal data and any communications made or planned.

Right to rectification: Regulated in Article 16 of the GDPR. This is the right to request the data controller to change the content of the information about the individual’s data, following the instructions of the data subject.

Right to deletion: Regulated in Article 17 of the GDPR 2016/679. This consists of requesting the data controller to delete any information regarding the data subject. Deletion involves blocking all data and keeping them available for public administrations for the statutory period for legal actions to prescribe.

Right to restrict processing: Regulated in Article 18 of the GDPR 2016/679 of April 27, 2016. This is the right to request the data controller to limit processing under any of the following conditions:

i.- The personal data is inaccurate;

ii.- The processing is unlawful;

iii.- The data controller no longer needs the data;

iv.- When the data subject’s reasons for limiting processing outweigh those of the data controller.

Right to data portability: Article 20 of the GDPR 2016/679 of April 27, 2016. This is the right to request the data controller to provide the data subject’s personal data in a structured, commonly used, and machine-readable format to transmit it to another data controller when the processing is automated and based on explicit consent.

Right to object: Regulated in Article 21 of the GDPR 2016/679 of April 27, 2016. This is the right to request the data controller to process the data according to specific instructions made by the data subject.

Right to withdraw consent: Regulated in Article 13.2.c) of the GDPR 2016/679 of April 27, 2016. This is the order given by the data subject to the data controller, notifying them of the withdrawal of consent for processing their data.

Right not to be subject to automated decisions: This is the request to the data controller to ensure that any decisions with legal effects are not taken solely by automated means.

To exercise the above rights, you can contact the data controller in writing, or send an email to dpd@cipdi.com with the subject “DATA PROTECTION” and attach a photocopy of your ID, NIE, or passport.

1.10.- How can a complaint be made?

You can contact the responsible party for internal compliance by sending an email to…

If you believe your rights have been violated, the competent body to oversee the correct application of the rules on data processing is the Spanish Data Protection Authority, located at Jorge Juan Street No. 6, Madrid.

1.11.- What obligations do I have as a data subject?

The data subject must provide truthful and up-to-date information in all data collection processes and is responsible in case of any breach of this obligation.

Depending on the request made by the data subject, mandatory data fields are marked on the forms. Failure to provide the mandatory data could affect the right to participate in the activity or prevent the requested service or provision from being provided.

1.12.- Can the data controller create profiles?

In order to provide more personalized, accurate, and efficient user attention, it may be necessary to create profiles of service recipients. Profiles are not created without the direct involvement of a physical person.

2.- USER CONSENT

It is understood that the user accepts the proposed conditions by pressing the “ACCEPT” button found on the data collection forms or by sending an email to the contact addresses listed on the website.

Personal data is stored in the general administration database of the data controller, which guarantees the technical and organizational measures to preserve the integrity and security of the information being processed.

3.- SECURITY

The general database has the required security document and all the technical means available to prevent loss, misuse, alteration, unauthorized access, or theft of the data you provide. The processing of personal data is in accordance with the provisions of Organic Law 3/2018 on data protection and digital rights, and Regulation (EU) 2016/679 of the European Parliament and Council, of April 27, 2016.

4.- USE OF IP ADDRESSES

To facilitate the search for resources we believe are of interest to you, you may find links to other websites on this site.

This privacy policy only applies to this website. The data controller does not guarantee compliance with these rules on other websites, nor is it responsible for access through links from this site.