Version: May 2026
FUNDACIÓ INSTITUT D’EDUCACIÓ CONTÍNUA regards your personal information as very important. As such, we deal with it in a confidential and secure way. We are committed to ensuring the privacy of personal data at all times and to not collecting unnecessary information.
You do not have to register beforehand in order to access our website. In the event that you require more information, you can contact us through the form on our website, as long as you agree to our privacy policy, which you must accept in order to record your express consent to the processing of data for the purposes indicated.
In accordance with Regulation (EU) 2016/679 of 27 April 2016 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, as well as Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights, we hereby provide you with information on the processing of your data by means of this Privacy Policy.
Who processes the data?
- Identity: FUNDACIÓ INSTITUT D’EDUCACIÓ CONTÍNUA
- NIF: G60414182
- Address: C/ Balmes 132, 08008 Barcelona (Barcelona), SPAIN
- Email: rgpd@bsm.upf.com
Data Protection Officer
The Data Protection Officer (DPO) is the person who oversees compliance with our Data Protection Policy, ensuring that data is processed properly and that the rights of individuals are protected. The DPO's functions include replying to any questions, suggestions, complaints, or claims from the people whose data we process. You can contact the Data Protection Officer by writing to our postal address or directly to dpd@bsm.upf.com. Data Protection Officer contact details: dpd@bsm.upf.com.
What data processing do we carry out, for what purposes, and for how long?
Web Operation
- Purpose and legitimacy
Manage the proper functioning of the website, as well as its use: personal data will be processed to the extent strictly necessary in order to provide and guarantee the security of the application and information, with the legitimate basis being the legitimate interest pursued by the controller, in accordance with Article 6.1.f) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Contact
- Purpose and legitimacy
Respond to requests and/or queries made by the user, with the legitimacy of the processing being the express consent given in accordance with Article 6.1.a) of the GDPR.
- Storage period
The data will be kept until the request has been resolved. In all cases, it may be kept to determine any possible responsibilities that may arise from this purpose.
Sending information communications from the institution, sending information about activities and newsletters
- Purpose and legitimacy
Subscription to news, promotions and offers from the institution, with the legitimacy of the processing being the express consent given in accordance with Article 6.1.a) of the GDPR. In the event of a contractual relationship, commercial communications may be sent for products or services similar to those already contracted due to our legitimate interest in accordance with Article 6.1.f) of the GDPR.
- Storage period
The data will be kept for the duration of the subscription to the Newsletter or until the data subject exercises their right of opposition or deletion of the data. In all cases, it may be kept to determine any possible responsibilities that might arise from this purpose.
Email Management
- Purpose and legitimacy
The purposes of the data processing are to respond to queries received and to manage any commercial and/or professional relationship, with the legal basis being the contractual relationship between the data controller and the data subject, in accordance with Article 6.1.b) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
CV Management
- Purpose and legitimacy
The data will be processed in order to meet your request and analyse your profile in order for you to participate in selection processes for personnel. The basis that legitimises the processing of personal data is express consent, in accordance with Article 6.1.a) of the GDPR. In the event that the institution publishes a job offer, the processing will be lawful when it is necessary for the application of pre-contractual measures at the request of the data subject, or for the intention of concluding a contract, in accordance with Article 6.1.b) of the GDPR.
- Storage period
The data collected will not be kept longer than necessary for its purposes, unless there is a legal obligation to do so, in which case it will be kept for a maximum period of one year.
Client Companies
- Purpose and legitimacy
The data of the companies that hire us for training in UPF-BSM for their employees or collaborators will be processed for commercial purposes, with the legal basis being the contractual relationship between the data controller and the data subject, in accordance with Article 6.1.b) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Collaborators/Suppliers
- Purpose and legitimacy
The data of academic collaborators, speakers, lecturers, and service providers of any kind will be processed for the purpose of managing the provision established in the contract, including the planning of activities and the administration of remuneration and other relevant benefits for the collaborator or supplier, with the legal basis being the contractual relationship between the data controller and the data subject, in accordance with Article 6.1.b) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Students
- Purpose and legitimacy
The data of individuals enrolled in the academic programs organized and taught by the UPF-BSM, directly and/or in collaboration with third parties (whether they are other educational institutions in higher education, or institutions of any kind with activities related to the program or with the field of knowledge that the program deals with), using any channel (open training or in-company training) and in any modality (face-to-face, blended or online), will be processed in order to provide the requested service, in accordance with Article 6.1.b) of the GDPR. The data will also be processed in order to provide student data to national and international accrediting bodies and/or bodies specializing in rankings that are indicated in their corresponding informational clauses, with the aim of contacting you through any of the usual communication channels for the purposes of corroborating and/or validating the information provided by UPF-BSM and to validate your experience with the School, in accordance with Article 6.1.a) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Alumni Portal
- Purpose and legitimacy
For the management of the Alumni portal, with the legal basis of the processing being the execution of the contractual or business obligations assumed by the alumni and the UPF Barcelona School of Management.
- Storage period
The data will be kept as long as the contractual or business relationship between the student and the UPF Barcelona School of Management is maintained. Once this period is completed, it must also be kept for the time required to comply with applicable legal obligations.
Donations
- Purpose and legitimacy
For the management of and compliance with the legal obligations derived from donations, with the legitimate basis of the processing being a legal obligation in accordance with the provisions of Article 6.1.c) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Surveys
- Purpose and legitimacy
For conducting surveys in order to carry out quality controls in relation to the services provided, in accordance with Article 6.1.f) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Grants and Financial Aid
- Purpose and legitimacy
For the management of grants and financial aid for our university community, with the legitimate basis of the processing being compliance with a legal obligation in accordance with Article 6.1.c) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
Event Registration and Related Communications
- Purpose and legitimacy
To manage registrations and send information relating to the event (reminders, changes, etc.) via the contact channels provided by the data subject, such as email, telephone and/or WhatsApp, the lawful basis being the consent of the data subject in accordance with Article 6(1)(a) of the GDPR.
- Storage period
The data will be kept for the time strictly necessary to comply with the purpose for which it was collected, and in all cases to determine the possible responsibilities that may arise from this purpose, taking into account the periods established in corresponding regulations.
To whom will the data be communicated?
In accordance with the provisions of the processing purposes indicated in the previous section, the personal contact data of users of the Website and Electronic Resources, students, Alumni, collaborators/suppliers, and client companies will be communicated to the Pompeu Fabra University and/or the educational authorities and/or regional, state and/or international quality agencies, as well as national or international accreditation agencies or institutions, always in execution of the contractual or pre-contractual obligations assumed between said data subjects and UPF-BSM or in compliance with the legal obligations imposed on UPF-BSM as a centre attached to a public university in accordance with the regulations in force at all times. You can consult the details of these third parties by requesting them from rgpd@bsm.upf.edu.
Regarding the personal data of users who may make donations in favour of UPF-BSM, such data will be provided to the Tax Agency in compliance with UPF-BSM's tax obligations, as well as to appropriate control authorities or bodies, if deemed necessary or when imperatively required to do so by the regulations on the prevention of money laundering.
With regard to the personal data of students and certain collaborators/suppliers, we may communicate their data to academic institutions collaborating in international or European programs to which the student has subscribed or in which the collaborator/supplier participates. This communication must be made based on the program's own management and execution.
Likewise, we inform you that your personal data may be consulted by third parties acting on behalf of UPF-BSM, provided that access to and processing of that data is essential for the provision of a specific service to the Foundation. Under this scenario, UPF-BSM will sign a corresponding data controller contract with each of these third parties, who will process this data exclusively for the purposes that UPF-BSM determines in each case.
Is the data transferred internationally?
For the sending of commercial communications, we may use the Mailchimp platform, which implies transferring the user's data to a data controller located in the United States, namely The Rocket Science Group, LLC d/b/a Mailchimp, the company that owns this platform. Likewise, Mailchimp collects connection data (including your email address and IP address) through its tracking technologies, which may also be transferred. However, this entity is registered in the Data Privacy Framework List, and consequently guarantees an adequate level of protection of personal data. In addition, the standard contractual clauses approved by the European Commission that regulate the processing of data are available.
What rights do you have as a user and how can you exercise them?
Right to access
As a user, you can ask us to explain what we do with your personal data.
In addition, you can request information about the purpose of the processing of your personal data, how long we keep your data, what rights you have as a user, whether your data has been transmitted to a third country or to an international organization, the existence of automated decisions or whether there is profiling on the website, among other things.
Right to rectification
If the personal data you have made available to us is inaccurate or incomplete, you have the right to rectify or complete it. Get in touch with us and we will rectify any data you request.
Right to restrict processing
As a user, you can ask to restrict the processing of your personal data:
- When you dispute the accuracy of your personal data, for a period that allows us to verify its accuracy.
- If the processing is unlawful and you oppose the deletion of your personal data and, instead of deleting it, you ask for its use to be restricted.
- If we no longer need your data for the purposes of the processing, but you need it to make, exercise or defend against claims.
Right to deletion
You can request that we delete your personal data immediately. We are obliged to delete this data immediately, when the data is not necessary for the purposes collected. In addition, you can ask us to delete your data, when you change your mind about consent, when you oppose processing and there are no justified reasons for it, when your data is processed incorrectly, when it must be deleted to comply with a legal obligation or when your data is obtained in relation to a legal offer.
Right to information
If you have exercised your right to rectification, deletion or restriction, we are obliged to inform all recipients to whom your personal data has been communicated about this rectification, deletion or restriction of processing, unless this is impossible or involves a disproportionate effort.
As a user, you have the right to be informed by the controller about who these recipients are.
Right to data portability
You have the right to receive the personal data you have provided us with in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without us being able to prevent it.
Right to opposition
As a user, you have the right to object at any time, for reasons derived from your particular situation, to our use of the personal data made available to us.
We will stop processing your personal data unless we have compelling legitimate reasons to use it, which outweigh your interests, rights and freedoms or the processing is intended to make, exercise or defend against claims.
Right to revoke the declaration of consent with respect to data protection
As a user, you have the right to change your declaration of consent with respect to data protection at any time. This change of decision regarding consent will not affect the legality of the processing that took place based on the consent given before its revocation.
Automated individual decisions, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
Right to file a complaint with a supervisory authority
As a user, you have the right to file a complaint with a supervisory authority, in particular in the Member State where you reside, where your place of work is or where the infringement took place, if you believe that the processing of your personal data is in violation of the GDPR.
Where can you exercise your rights?
You can request the exercise of your rights using the following email: rgpd@bsm.upf.com.
Is it mandatory to provide all the information requested in the data collection forms?
For the forms on the Website, you must complete those fields marked as "required". Failure to complete the required personal data or to do so partially may mean that FUNDACIÓ INSTITUT D’EDUCACIÓ CONTÍNUA is unable to carry out your requests and that consequently FUNDACIÓ INSTITUT D’EDUCACIÓ CONTÍNUA will be exempt from all liability for the non-provision or incomplete provision of the services requested.
The personal data that the user provides to FUNDACIÓ INSTITUT D’EDUCACIÓ CONTÍNUA must be current so that the information in the records is up-to-date and error-free. The user is responsible for the veracity of the data provided.
What safety measures do we have in place?
We hereby inform you that we take care of and use your personal data following the current regulations on data protection and information society services.
We have implemented all necessary technical and organizational security measures to guarantee the security of the User's personal data and prevent its alteration, loss, processing and/or unauthorized access in accordance with the state of the technology, the nature of the data stored and the risks to which they are exposed, whether they come from human action or the physical or natural environment, in accordance with the provisions of current regulations.