Instagram Youtube Facebook
Request Info

Personal data protection policy

PROTECCIÓ DE DADES DE CARÀCTER PERSONAL

This is the data protection policy of EUMES Girona S.L. It is based on the principles of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) and Organic Law 3/2018 of 5 December on personal data protection and guarantee of digital rights (LOPDGDD).

Data Controller

EUMES Girona S.L. (hereinafter EUMES)

CIF B55134449

Carrer Galligants, 6 17007, Girona

Phone: +34 972 241 010, Email: eumes@eumes.cat.

Data Protection Officer

The Data Protection Officer (DPO) supervises compliance with our data protection policy, ensuring that data is handled properly and individuals’ rights are protected. The DPO also addresses any queries, suggestions, complaints, or claims from individuals whose data is being processed. The Data Protection Officer can be contacted by writing to our postal address, by phone, or directly via email at protecciodades@eumes.cat.

Purposes of Personal Data Processing

EUMES processes personal data for various purposes, primarily to provide educational services, send information on activities and services, and maintain business relationships with our suppliers.

  • Academic Management: EUMES processes students’ data to provide them with educational services. The data provided and the information resulting from educational activities form the basis for evaluation. Students’ data is also used for administrative management, to send relevant information, and to process and issue certificates or diplomas.
  • Contact: We process data to respond to queries from individuals using the contact forms on our website, and such data is used solely for this purpose.
  • Information on Activities and Services: With explicit authorization from each student, once studies are completed, we use their contact information to send updates on our services and activities.
  • Supplier Data Management: We record and process data from suppliers from whom we receive goods or services. We only process the data essential for maintaining the commercial relationship, using it solely for this purpose.
  • Other Data Collection Channels: We collect data through in-person interactions and other channels, such as receiving emails or via our social media profiles. In all cases, the data is used only for the specific purposes that justify its collection and processing.

Personal Data Collection

In the previous section, we mentioned some sources of the data we process. In most cases, data comes directly from the individuals concerned, primarily through forms prepared for this purpose. For training activities organized in partnership with other institutions, data may come from the co-organizing institution.

Legal Basis for Data Processing

The legal basis for our data processing activities varies depending on the nature of each processing purpose.

  • For the Provision of Educational Services: Once admitted, our students receive educational services from EUMES. Their data processing begins with their consent and is conducted under a contractual relationship (service provision) and legal obligations.
  • In a Pre-Contractual Relationship: This applies to data from individuals interested in EUMES’s educational offerings with whom we establish initial contact. Similarly, we process data from potential clients or suppliers with whom we have relationships prior to formalizing a contract.
  • In a Contractual Relationship: This applies to relationships with our suppliers and all related actions and data processing required for these commercial relationships.
  • To Fulfill Legal Obligations: In compliance with tax regulations, we communicate data to tax authorities. We may also communicate data to judicial bodies or law enforcement agencies when legally required.
  • Based on Consent: When sending information about our activities or services, we use contact data with the explicit consent of the recipient.

Data Disclosure

As a general rule, we only disclose data to comply with legal obligations. In the previous sections, we outlined the data disclosures of our students necessary for providing educational services, and of our clients and suppliers for economic and commercial relations.

For the recognition of completed studies and issuance of diplomas, student data is disclosed to university institutions. In compliance with legal norms, data may also be disclosed to insurance entities and banks for payment processing. For internship placements, data is shared with host companies or institutions with the student’s consent.

We may transfer data outside the European Union (international transfer) when required for students’ international mobility.

Access to Personal Data by Other Companies and Institutions

EUMES entrusts teaching to specialists in subjects outlined in the curriculum. Educators receive information about their obligations under data protection regulations and formalize their commitment to proper data handling.

Additionally, EUMES obtains services from private companies that provide expertise and specialization. In some cases, these external companies need access to personal data. We only contract services from companies that guarantee compliance with data protection regulations. At the time of contracting, we formalize confidentiality obligations and monitor their performance. For instance, certain data may be stored on servers managed by specialized companies or processed by companies providing IT support.

Data Retention Period

The retention period for data is determined by the specific purpose of each processing activity. Data is also retained to respond to possible requests from public administrations or judicial bodies. Consequently, we retain data for the necessary time to preserve its legal or informational value and to demonstrate EUMES’s compliance with obligations, but no longer than necessary for the purpose of the processing. In cases where data verifies the education received by students, it is retained permanently to protect their rights.

For cases such as accounting records and invoices, fiscal regulations require data retention until the expiration of responsibilities in this matter.

Data processed solely based on the individual’s consent is retained until the individual revokes this consent.

Regulations governing the retention of public documents, and opinions from rating commissions, are key references when deciding to retain or delete data related to the performance of public interest services.

Rights of Individuals Regarding Personal Data

As established by the General Data Protection Regulation, individuals whose data we process have the following rights:

  • Right to Know if Data is Being Processed: Any person has the right to know if we are processing their data, regardless of whether there was a prior relationship.
  • Right to be Informed at the Point of Collection: When personal data is obtained from the individual, they must receive clear information on the purposes of the data, who will be responsible for its processing, and the main aspects related to this processing.
  • Right of Access: This broad right includes knowing exactly what personal data is being processed, the purpose for which it is processed, any data disclosures to others (if applicable), the right to obtain a copy, and the anticipated retention period.
  • Right to Rectification: This is the right to have inaccurate data rectified.
  • Right to Erasure: In certain circumstances, individuals have the right to request the deletion of their data when it is no longer needed for the purposes for which it was collected and processed.
  • Right to Restrict Processing: In certain circumstances, individuals have the right to request restriction of data processing. In this case, data will cease to be processed and will only be retained for the exercise or defense of claims, in accordance with the General Data Protection Regulation.
  • Right to Data Portability: Individuals have the right, in certain circumstances, to obtain their data in a structured, commonly used, and machine-readable format and to transfer it to another data controller.
  • Right to Object to Processing: An individual can object to the processing of their data based on their particular situation, leading to the cessation of processing to the extent that it may cause harm, except for legitimate reasons or the exercise or defense against claims.
  • Right to Refuse Information: We promptly respect requests to stop receiving information about our activities and services when these communications are based solely on the recipient’s consent.

Exercising and Defending Rights

The aforementioned rights can be exercised by submitting a request to EUMES at the postal address or other contact details provided at the beginning of this document.

If a satisfactory response is not received, individuals may file a complaint with the Spanish Data Protection Agency, using forms or other channels accessible on its website (www.agpd.es).

In all cases, whether for submitting complaints, requesting clarification, or providing suggestions, the Data Protection Officer can be contacted by email at protecciodades@eumes.cat.