1. Who is the data controller for your data?
The data controller is Gredos San Diego, S. Coop. Mad. (hereinafter GSD), with Spanish Tax ID (NIF) F78037520, domiciled at C/ José Gutiérrez Maroto, nº 26, 28051, Madrid, contact number 917861347, and email address: firstname.lastname@example.org. GSD has a Data-Protection Officer, to whom any questions regarding the processing of your personal data may be addressed and whose contact details are as follows:
Postal address: C/ José Gutiérrez Maroto, nº 26, 28051, Madrid or by email: email@example.com.
2. For what purposes do we process your personal data?
The data collected by GSD serves various purposes principally related to the proper performance of the educational and guidance function during our students’ time at the institution, for which we also require health or psychological data, as well as other data required to serve and communicate with families, and those required for the performance of additional essential administrative management, such as billing data or that necessary for the management of grants and aid.
We also collect data in the case of the purchase of complementary or extracurricular services and activities (including cultural and study trips or international exchanges) in order to properly provide said services, or to monitor access to our centres, as well as for the administrative management involved in customer and supplier management.
We may also collect data for the organisation of events and activities, or for the provision of advice in our areas of expertise.
Finally, we collect data to provide employment-mediation and job-search services through the “employment network” and the space on the website established for this purpose.
In all cases, the personal data we request is essential in order to correctly carry out the service, contract, provision, or activity requested by or established with the interested party, as well as to comply with our obligations to our students and offer an appropriate experience to each of our students, families, and users, as well as to maintain contact with each of you, providing the specific information that, in each case and as required, may be relevant.
Refusal to provide the requested personal data, or the delivery of inaccurate or incomplete data, may result in the impossibility of correctly providing the requested services. As such, the users – or, if applicable, their parents or legal guardians – or data subjects, will be responsible for the veracity of the data provided, as well as for communicating to GSD any changes thereto.
Finally, if desired and only if you have given your consent in this regard, we may keep you informed of activities or services organised by GSD similar to those purchased, which may be of interest.
The purpose in the case of the processing of images may be, firstly, to make them available to or to inform participants or the families of participants of the activity’s development and, secondly, to be used and included on our various communication media, whether through newsletters, school magazines, promotional DVD, websites, blogs, social media, or internet channels (YouTube or other similar media), always in an informative context with regard to the activity, not intended for profit, and of an educational-cultural nature. In any case, GSD will require express authorisation from the data subjects for any other purpose not indicated above, providing them with the corresponding information in this regard.
The images captured by the video-cameras in place at the entrances to GSD centres have the purpose of safeguarding the integrity of facilities, access thereto, and the security of people, complying in this regard with Spanish Security Law.
In case of the rental or transfer of facilities, the data required will be that necessary to carry out the contractual service of said rental and, in the case of overnight stays, to comply with the obligations established in the basic regulations governing travellers.
In no case will the purpose and processing of data be intended for the adoption of automated decisions or the creation of profiles.
How do we obtain your data?
GSD obtains data directly from the information provided by the data subject – or their parents, guardians or legal representatives, if applicable – upon their enrolment, registration in any activity, or request and contracting of services.
For how long do we keep your data?
In general, the personal data provided for academic administration, including that regarding health or guidance required, will be stored for the duration of the educational service, for which the data subject will be responsible for communicating any changes that may arise in this regard. All data that must be stored within an academic file will be encrypted, removing any other data after a year has passed since the student’s definitive withdrawal for any reason, unless the record is transferred. The data contained in the aforementioned academic record will remain in the entity’s custody for the purposes established in applicable educational legislation.
Data corresponding to admission applications or pre-registration for any service or activity ultimately not accepted will be deleted after the end of the legal period in which claims or liability may be derived therefrom.
Personal data provided for the provision of a complementary or extracurricular activity, camp, cultural trip, or educational exchange, as well as attendance at an activity or event or the rental of facilities will be deleted after a year has passed since the provision of the service. A copy may be retained, with the data duly encrypted, for as long as liability for the provision of the service may be derived, retained only for the purposes of any possible claim or the activation of a new request for the provision of services from the data subject. Contact details will not be deleted when their storage has been expressly authorised for the purposes of delivering information regarding products and services, deleting all data not related to this purpose, or for which the data subject requests deletion.
The data included in the “traveller record book” upon the rental of facilities with overnight stay must be retained for three years as of the data of the last page of the record in which it is included.
The data that may be obtained through video-surveillance of access points will be deleted after a month, according to that established in applicable private-security legislation.
In the case of data regarding candidates for job vacancies, data will not be transferred to third parties and will be stored by GSD until the post is filled or after a period of four years, unless the data subject has previously exercised their right to deletion, at any time.
The data provided for participation as a trainer within the institution or in activities or events organised by the latter will remain in force unless the data subject expressly requests its deletion.
3. Legitimate basis. What is the legitimate basis for the processing of your data?
GSD is legally entitled to process data corresponding to its educational function based on that established in the 23rd Additional Provision of Spanish Organic Law 2/2006, on Education (LOE), with this including health and guidance data required for students’ proper academic development. The latter are processed by professionals in each field, and form the basis for the application of appropriate safety measures, bearing in mind the state of technology, the data processed, and the purpose pursued in its processing.
For all other services and activities provided–complementary, extracurricular, cultural trips, exchanges, participation in activities or events, facilities rental, and other contractual relations–the legitimate basis is the performance of a contract or service requested/purchased by the data subject and/or their parents/legal guardians and, in the case of video-surveillance, in the entity’s legitimate interest for protection and the adoption of security measures.
The legitimate basis for the processing of images captured during extracurricular activities, camps, or school trips, activities, or events organised by the entity is the express authorisation given by the data subjects or their legal guardians/representatives, during the performance of the service contract established with the data subject or of the service, activity, or event requested by the latter.
4. Recipients. To whom will your data be communicated?
Usually, the data required is processed internally for the proper performance of the educational service or complementary services requested – extracurricular activities and services, etc. – internally communicated to all those involved in the development of the educational process and of the services requested, including for this purpose students undertaking internships and other people or entities who collaborate or who may be contracted for these purposes, as well as the Sports Club, Cultural Association and GSD Foundation. We require all of the above persons to comply with relevant data-protection measures and prohibit its transfer, except when legally necessary for compliance.
Health data is communicated and specifically processed by the medical office managed by professionals from IMENA, S. L., contracted for this purpose. Said data may be made available to the appropriate internal staff when their knowledge is strictly necessary, bearing in mind the vital interest of students.
We will also transfer data to educational administrative authorities, to other public bodies for the management of grants or aid, to insurance and health institutions, to banks for financial administration, to the public treasury, to judicial authorities and security forces when required, and to external service providers (management software, hosting, web development, and domains). Images obtained during video-surveillance of centre access points will not be transferred, except to the authorised staff and security company or, if applicable, public-order forces.
With regard to the data provided for the performance of extracurricular or complementary activities or national and international school trips, data will only be communicated to those persons, professionals, or entities strictly necessary for the proper performance of the purchased activity (such as banks, insurance institutions, and service providers, as necessary, including travel or transport agencies, airline companies, exchange educational centres, or similar) and those transfers necessary for administrative and billing management. In these cases, a request for authorisation will be specifically collected from the data subjects for the transfer of said data to those service providers that may be located abroad, undertaking to contractually require the application of the corresponding protection and confidentiality policies for the transferred data from said service providers, for which, among other requirements, the deletion of said data after the provision of the service will be required.
Occasionally, we may request authorisation for the capture and transfer of images taken during the performance of extracurricular activities, school trips, or camps.
For any other transfer or use we intend to undertake, we will request prior authorisation, providing all relevant information for these purposes.
Security measures. GSD, with the aim of ensuring the effectiveness and efficiency of its Data-Protection Policy, has adopted the necessary technical and organisational security measures to avoid the alteration, loss, abuse, unauthorised processing and access, or theft thereof, bearing in mind the state of technology. In exceptional cases where data is transferred outside of the European Economic Space, GSD guarantees that they will still be subject to the same controls. However, some countries have laws and policies that do not guarantee the same protection as the European Economic Space. In this case, we adopt all necessary and reasonable measures to guarantee the aforementioned privacy and security.
5. Rights. What are your rights when you provide your data?
Any person has to the right to obtain information about whether or not GSD is processing their personal data.
In certain circumstances and for reasons related to their particular situation, data subjects may oppose the processing of their data. GSD will stop processing the data, except in the case of mandatory legitimate reasons, or for the pursuit or defence of any possible claims.
To exercise your rights of access, rectification, opposition, deletion, portability, limitation of processing, or any other deemed necessary, you must contact the Data-Protection Officer (DPO) or the Data Controller indicated in section 1. To do so, a written request may be submitted, which must include the full name of the data subject, a copy of their ID document, passport or other valid identifying document (or of the person representing them, if applicable), the details of the request made, the address to which any notifications should be made, the date and the applicant’s signature, and any documents that may support the request if necessary.
You are also informed that if you believe you have not received a suitable response to the request made, you may contact the Spanish Data-Protection Agency through their digital platform.