GDPR: Commercial
Who is the personal data controller?
Escola Superior de Comerç Internacional (ESCI-UPF)
Q5856335D
Pg. Pujades, 1, 08003 – BARCELONA
+34 932 954 710
rgpd@esci.upf.edu
Contact details for our data protection officer
Why do we process personal data?
The Escola Superior de Comerç Internacional (ESCI-UPF) processes the information provided by the interested party in order to manage the commercial relationship between us and them in all areas, from signing a contract of sale and/or service provision and related matters to fulfilling the contract and sending marketing messages by electronic means.
How long do we keep personal data?
We keep personal data for the duration of the commercial relationship and for five years following the last business transaction or delivery of service provision.
Automated individual decision-making and profiling
We do not make any automated decisions.
What is the lawful basis for processing personal data?
The lawful basis for processing personal data is the need to fulfil the obligations stipulated in the contract of sale and/or service provision signed by the interested party.
Personal data will be processed for the purpose of sending marketing messages by email or other equivalent electronic means of communication in accordance with Article 21.2 of Act 34/2002 on Information Society Services and Electronic Commerce, which authorises us to send the interested party marketing messages related to products and services similar to those covered by an agreement signed by both parties, until such time as the interested party lets it be known that they no longer wish to receive these messages (for further information see the section on Rights below). Each message sent will include a simple procedure for unsubscribing.
Who will we share students’ personal data with?
During the period of time when we are processing personal data, the Escola Superior de Comerç Internacional (ESCI-UPF) will not share personal data with anyone else, notwithstanding any legal obligations.
Nevertheless, the Escola Superior de Comerç Internacional (ESCI-UPF) may collaborate with third-party service providers, who may require access to users’ personal data in order to provide the service in question. This personal data will be processed under the same legally binding conditions, in accordance with our instructions and the provisions of a previously signed data protection agreement. This agreement will stipulate that personal data be used solely for the agreed purposes, that suitable technical and organisational measures be put in place and that the personal data be erased and returned once the period of service provision is over. We require service providers to have signed up to the EU–US Privacy Shield.
The Escola Superior de Comerç Internacional (ESCI-UPF) selects third-party service providers in accordance with strict criteria designed to ensure that we fulfil our obligations in the field of personal data protection.
What rights do users have once they have provided us with their personal data?
All users have the right to ask the Escola Superior de Comerç Internacional (ESCI-UPF) whether or not we have processed their personal data.
They may also exercise the following rights:
- Right to request access to their personal data;
- Right to ask for their personal data to be corrected;
- Right to ask for their personal data to be erased;
- Right to ask for the processing of their personal data to be restricted;
- Right to object to the processing of their personal data;
- Right to personal data portability;
- Right to withdraw consent;
- Right to information about personal data processing.
To exercise their rights, users should send a written request, together with a copy of their passport or ID card, to:
ESCOLA SUPERIOR DE COMERÇ INTERNACIONAL (ESCI-UPF)
Exercici de Drets i Protecció de Dades
Pg. Pujades, 1
08003 – BARCELONA
Or send an email to: rgpd@esci.upf.edu
Users may contact the Catalan Data Protection Authority (Autoritat Catalana de Protecció de Dades, https://seu.apd.cat) to request further information or to lodge a complaint if, for example, they feel that their personal data rights have not been respected.