- Law 29/2021, of October 28th, Qualified of Personal data Protection of the Principality of Andorra (hereafter, LQPD), and the regulations implementing it
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and the free movement of such data (hereafter, “RGPD”)
2. Who is responsible for the processing of personal data?
The responsible for the use of your personal data according to what is indicated in this policy is:
University of Andorra, with NRT D-800044-K and registered office in Germandat square, 7, AD600 Sant Julià de Lòria, (Principality of Andorra).
You can contact the Data Protection Officer by email at email@example.com.
The UdA is not responsible for the activities carried out by other websites even if they access to it through links in our website. Is for this reason that we recommend you to read carefully the information (especially privacy and cookies policy) provided by those responsible before giving your personal data.
3. How are personal data obtained?
In general, is you who directly provides your personal data, for example, through the forms on this website. The only exceptions to this rule are:
- Data provided by third-party who request our services on your behalf (as a beneficiary)
- Contact details provided by service and product suppliers when represented by you
- Personal data that may appear about you in emails and instant messages we receive, or through forms in our website
- The cookies on this website, about which more information can be found in our Cookies Policy.
4. What are the data used for and on what legal basis?
What we use the non-mandatory data on the forms for
We collect the optional data that you voluntarily provide us in the forms to offer you a more personalized service in relation to the purpose to which the form is specifically dedicated.
The basis that authorizes us to process this data for this purpose is the consent you express when you provide it to us. You can withdraw your consent at any time as indicated in section 7.
To initiate and maintain the relationship with suppliers
If you represent a supplier of products or services, we collect your data to:
- Manage all kinds of relationships with the company you represent
- Manage the relevant list of authorised service provider
- Manage the budgets and invoices of the company you represent
Treatments linked to purposes a) and b) are legitimised by the contract of employment or services that you have signed with the provider that you represent and our legitimate interest when contacting him. Treatments linked to purpose c) are legitimised because they are necessary for the execution of the contract that the company you represent has signed with us.
To initiate and maintain the relationship with our students
We collect your data that we receive orally or in writing, directly from your or from a third party who you represent to or of which you are beneficiary, when you contract a service or product with us to manage said contract, provide you the corresponding service.
If you make a payment via POS, we collect the last 4 digits of your payment card along with your payment identifier, date and amount, in order to handle any information request or refund in relation to this payment. These data do not allow us to identify you.
As a result of this contractual relationship, we can communicate you orally or in writing comercial information related to the products or services you have contracted.
The processing of this data is legitimate because it is necessary for the execution of the contract for the services or products in which you are an interested party, and for our legitimate interest in keeping you informed in relation to the purchased products or services.
To select and hire staff
We will process the personal data of the curriculum (CV) that you voluntarily send us to manage your application for a job at the University of Andorra. This management includes the research, filtering and storing process of the CV as a possible candidate, the staff selection process and the recruitment process.
The basis of legitimacy for the aforementioned treatments is the consent that you express when you send us your CV, the execution of pre-contractual measures and, if we do not have an open selection process or you are not selected and we consider that your candidacy may fit in future selection processes, our legitimate interest in keeping your CV for the purpose of including it in those future processes.
You can withdraw your consent or object to our legitimate interest, as indicated in section 7. If not done, there will be no effect other than the destruction of your CV (if you withdraw the consent) or the limitation of its retention to the selection process for which you sent us the CV.
To attend your requests, inquiries, or complaints
We collect the personal data that you provide to us through emails, forms, instant messaging, over the phone, or through other requests, to handle your application, inquiries or complaints in relation to our services or to the rights that you have over your personal data.
The legal basis for this treatment is the consent you express when you send us or give us this data, our legal obligation to meet your right requests, and the basis of the execution of the contract to handle the inquiries.
The provision of your personal data is, therefore, voluntary, if you do not provide them, we will not be able to process your request, query or claim.
In the case of legitimation based on consent and where there are no other legitimate bases, you can revoke the consent whenever you wish, albeit such revocation could make impossible to continue processing your request, query or claim.
To preserve security through video surveillance
We collect the image of the user through video surveillance systems to preserve the security of people, goods and facilities.
The basis of legitimacy for the aforementioned treatments is the public interest in public security, the legitimate interest of third parties seeking judicial protection over an alleged offence that may be substantiated by a fragment of a recording, and our own legitimate interest in preventing or reducing losses arising from committed crimes in the premises, protect our assets and facilities, and speeding up the rapidity of response to serious risks such as fire or robbery by third parties.
To extract aggregated usage statistics of the website (analytical cookies)
Analytical or statistical cookies are used to identify the most and least visited pages, to analyse what content is of most interest to our visitors, and to measure the success of information campaigns, all with the aim of improving the services offered through the web. All these purposes provide aggregated results, in which it is not possible to identify the interests of any person.
As they are analytical cookies, we will not use them until we have your consent, and not giving to us or withdrawing it will have no other effect than limit our purpose of improving the web through the statistics analysis aggregated from the browsing of our visitors.
To control access to our facilities, events or services through tickets or credentials
We use the data of your enrolment or credential, and sometimes those of your identity card or passport, to authorize or not your access to the restricted areas of our events or services, analyse and control the occupation and logistics of the different areas.
The legal basis for this treatment is the contract of services when you take part.
To give media coverage to events
If you participate in person at our events or awards ceremony, independent press and our own professionals may record your image and, where previously agreed, your voice, in the context of the event or award ceremony.
The legal basis for this processing of your image is our legitimate interest in media coverage of the event that we organize or sponsor with the purpose of using the recordings in our promotional materials, including our web and our social media accounts.
You are not obliged to appear in a recording. If you wish, you have the right to object our interest according to the provisions of section 7.
To ensure the operation of our website (functional cookies)
We use functional cookies to collect, store, consult and process personal information (linked to the user through unique identifiers or IP addresses), from the browser of your device, to guarantee the correct functioning of our website.
As they are necessary cookies for the proper functioning of the website, their use does not require that you give us your express consent, and the basis that legitimizes us to use them is our legitimate interest in being able to offer you the services of our website.
You can find more information regarding these cookies in our Cookies Policy.
To send you newsletters with personalized information
We collect your email when you purchase one of our services or you subscribe to our commercial communication service (bulletins or newsletters, among others) to inform you about events, innovations, news, advice, so that you can make profit of the UdA services and products.
If you have subscribed through our website, the legal basis for this treatment is the execution of the newsletter subscription agreement, with its terms and conditions, and you can cancel it at any time by exercising your right as indicated further on in this policy, or through the link at the bottom of each email. The only consequence of cancelling your subscription is that you will no longer receive the newsletter that we sent you by email.
If you receive the information because you have purchased one of our services, the legal basis for this processing is our legitimate interest in keeping you informed about our products and services related to those you have purchased, which you can object to at any moment, exercising your right as indicated in section 7 of this policy or through the link that you can find at the bottom of our emails.
For other purposes that are not incompatible with the above
We may use your personal data for other purposes that are not incompatible with those indicated above (such as archival purposes for reasons of public interest, scientific or historical research purposes, or statistical purposes) whenever permitted by law in force in matters of personal data protection, and of course, according with this and the rest of the applicable regulations.
5. With whom can we share your personal data?
We do not share your personal data, unless:
- It is the user himself who requests it
- There is a legal obligation to do so
- Any service of insurance mediators has hired us, for the execution of whom is necessary to share your data with the insurance entities and other agents
- We are co-responsible for data collection
- It is necessary to protect your rights, our rights, our employees’ rights and third parties (a fact that may require the transfer to the police services for safety reasons or to the health authorities to prevent the spread of diseases, for example, for contact tracing purposes):
- If video surveillance cameras record a robbery in our premises, or
- If a third party requests video surveillance images on the basis of its legitimate interest in seeking effective judicial protection with respect to the commission of a crime or compensation for damages that may be proved by the images transferred, and with the commitment of that third party to use them exclusively for the reporting of this crime or for the claim for damages suffered, and to reduce the transfer of images to the minimum and indispensable to fulfil the intended purpose.
- A subcontracted company by us needs to process them on our behalf (for example, payment processing services or external Data Protection Delegate, who will have to answer your questions and requests of rights in this matter) under the terms and conditions of the corresponding processor contract.
- A subcontracted company by us may have Access to the personal data on our website or in our systems from time to time, even if they do not need to process them on our behalf. This is the case, for example, of the web development and maintenance company or for some of the services of our IT or hosting providers. Given that they could Access to the UdA data, they have signed a service provision contract that obliges them to maintain the same level of privacy that we have at the UdA.
Any international transfer that may need to be made Will comply with the regulations in force at any time.
6. How long are the personal data kept?
The University of Andorra keeps the personal data of the user exclusively during treatments that require them and, afterwards, for as long as legal responsibilities in force resulting from the processing in question take to prescribe (including the obligation to be able to demonstrate that we have complied with the request of destruction of the personal data).
- According to article 15 of Law 37/2021, of December 16th, amending Law 14/2017, of June 22nd, on the prevention and fight against money laundering and terrorism financing (calculated from the end of our relationship, or if it is an occasional operation, from this date),
- In accordance with the economic and tax regulations, we will keep for five years, all the documentation, data and information that we are obliged to require according this law, as well as proof and records of the transactions and operations, the account information and commercial correspondence, and the results of all analysis, including, where applicable, the information obtained by means of electronic identification according to the current Certification and e-Trust Act.
- The personal data collected through the accessible forms in this website will be treated for the indicated purposed in each case, as long as they are necessary to manage and provide the requested services in each case and, in the cases in which you have provided us prior and express consent, until you inform us to stop doing it.
- The data provided for the formalization of the registration are kept during the validity of the academic record. The academic record will be kept until the applicable retention period expires.
- Regarding the data that allows the access to the email and to the Campus, as well as the associated tools that the University of Andorra makes available for the university community, they will be kept until the interested person requests the cancellation of this right or until the applicable retention period expires.
- We will keep the video surveillance recordings for a maximum of 30 days if they do not contain incidents, and, if exceptionally a security incident has happened during this period or there are indications that a crime has been committed (for example, a robbery), we will extract a copy of the part of the recording that captures the incident and it will be kept until it is handed to the police or to the interested person involved who requires it to prove their request for judicial protection.
- We will destroy your curriculum after having it for two years, as we consider it to be out of date in relation to the purpose for which it is dedicated.
- We will keep your data for sending newsletters if the concerned person does not revoke the consent.
- We will destroy any unnecessary or disproportionate personal data that may appear in emails and instant messages we receive, or through forms of our website, as soon as we receive it.
We will destroy (and rectify) any personal data that we find inaccurate as soon as we verify its inaccuracy.
When there is no legitimate purpose to process some of your personal data, we will delate or anonymize, and if this is not possible (form example because they are in backups), they are stored securely and locked to isolate them from any further processing until disposal is possible.
7. What rights do you have?
You have the right to obtain confirmation on whether we have or not any of your personal data.
We explain you below which other right you have and how to exercise them.
You can request the execution of the following rights:
- Access to your personal data
- Rectification of any of your personal data, specifying the reason
- Suppression of any or all of your personal data
- Restriction of the treatment of your personal data, specifying the reason of restriction
- Opposition to the processing of your personal data
- Portability of your data when the basis of legitimation of the collection has been a consent or a contract
- Right not to be the object of automated individual decisions
The given consent, both for the treatment and for the transfer of the data of the interested parties, can be revoked at any time by informing us, just like any other right, as indicated in the following section. This revocation will not have retroactive nature.
Where and how you can exercise your rights
You can exercise your rights:
- By sending a written request to the UdA with the confirmation of reception, addressed to the postal address indicated in paragraph 2 of this policy, indicating a means of contact to be able to answer your request or to ask for more information if necessary.
- By sending the form associated to the right that you wish to exercise to the email address firstname.lastname@example.org, specifying in the subject “Exercise of Rights of protection of Personal Data”.
In both cases, if it is not possible to verify your identity, we will ask you to send us proof of your identity to be sure to answer to the interested person or his legal representative.
Even so and specially if you consider that you have not obtained full satisfaction of the attention of the exercise of your rights, you can submit a complaint to the national supervisory authority in your country or to the Andorran Data Protection Agency (APDA).
Forms for the exercise of your rights
To facilitate the exercise of the user’s rights, it is recommended to use the corresponding application forms from among the following:
- Form to exercise the right of access
- Form to exercise the right of rectification
- Form to exercise the right of opposition
- Form to exercise the right of withdrawal
- Form to exercise the right of limitation of processing
- Form to exercise the right of portability
- Form to exercise the right not to be the object of automated individual decisions
8. What are your responsibilities?
By providing your data, you guarantee that they are accurate and complete. Likewise, you confirm that you are responsible for the veracity of the personal data you have provided and that you will keep them updated, being responsible for any false or inaccurate personal data that you may provide us, as well as for damages, direct or indirect, which could result from your inaccuracy.
In cases where you must provide us personal data of a person under the age of 16 or of a person with limited rights, when doing it you are obliged to have the holder’s authorisation of their parental authority or guardianship. Without this authorisation, it is forbidden that you provide us any personal data of these people.
9. How are personal data protected?
We are fully committed with the protection of your privacy and personal data. Is for this reason that we have prepared the registration of all activities of personal data processing that we carry out, we have analysed the risk that can suppose each of these activities, and we have implemented the suitable legal, technique and organisational safeguards to avoid, as far as possible, the alteration of your personal data, its misuse, loss, robbery, denied access or unauthorised processing.
Data policies are kept up to date to ensure that we provide you all the information that we have about the processing of your personal data, and to ensure that our staff receive appropriate guidelines regarding how to process your personal data. We have signed data protection clauses and processor contracts with all our service providers, considering the need for each of them to process personal data.
Access to personal data is restricted to those employees who really need to know them to perform any of the treatments referred to in this policy, and they have been trained and made aware of the importance of confidentiality, the maintenance of integrity and the availability of the information.
However, if the UdA determines that your data has been misappropriated (even by an employee of the UdA), they have been exposed through a security breach or acquired improperly by a third party, the UdA will immediately inform you of this security breach, misappropriation or improper.
We will update this policy whenever necessary to reflect any changes in the regulations or data processing. In the case of substantial changes, we will notify you before its entry into force by means of a notification or the publication of a prominent notice in this website, so you will have the option to exercise your rights as have been informed.
For any questions or concerns about this policy, do not hesitate to send us an email to email@example.com.
Last update: November 18th, 2022