Guidelines and legends
In this section you will find, on the one hand, guidelines (general, for all members of the university community; administrative; and related to teaching and research) and, on the other hand, the legends prepared by this DPD to be taken as a reference by the different services of the ULL in their ordinary operation, which must be adapted to the circumstances of the service.
General guidelines
Do not process personal data if such processing is not authorized and registered in the Record of Processing Activities of the ULL, or if you do not belong to the group or administrative unit that, according to said registration, carries out said processing.
This should not impede the exercise of any right, but rather adapt its exercise to the privacy requirements of the information (e.g., warning of the purpose for which access is granted and of the prohibition of any use other than the exercise of said rights, and keeping proof of said warning; or anonymizing the information provided as appropriate, keeping a record so that it is known to the recipient, and so that the measure taken can be proven). Any transfers of information must be included in the corresponding RAT (Record of Processing Activities) entry. Ensure that the technologies you use do not transfer data to third parties for processing other than that for which the data was collected, nor carry out unauthorized international data transfers (e.g., collecting data on a website by adding an external traffic analysis counter; adding pre-designed buttons to share a specific page on social networks, which may transfer data for marketing purposes to the service provider; or using Google Forms, Dropbox, Google Drive, WhatsApp, Telegram, etc., all of which are networks with foreign servers and subject to their own privacy and data use policies, which do not necessarily coincide with, nor are necessarily compatible with, those of the ULL).
Distinguish between privacy and security. Modern social networks usually have robust security mechanisms against third parties, but they themselves make intensive use of the personal data we provide them; they are not a suitable vehicle for guaranteeing privacy. Neither is email. See how to use it (if applicable). If it is an administrative procedure, the most reasonable (and legally required) thing to do is to implement it on the electronic headquarters, make the notifications through the electronic headquarters, and use the institutional signature platform.
The personal data held by the ULL is for the purpose of fulfilling its research, teaching and study functions, through the services referred to in Article 1 of the Organic Law of Universities. You may and should use this data to the extent that your affiliation with the University requires you to participate in the provision of these services, and the data is necessary or useful for achieving that purpose. However, you must limit your use of it to these purposes.
Comply with the safety procedures and internal rules that are communicated to you.
For example, ULL credential management, rules for using each service, use of devices not belonging to ULL on ULL networks, etc.
Gather and use the minimum information necessary (but all that is relevant) for carrying out the processing, that is, for it to satisfactorily perform its function.
Use complex passwords that are difficult for third parties to guess, do not write them down, change them regularly, and do not reuse the same password on different services.
To increase randomness, it is desirable that they contain numbers, uppercase and lowercase letters, and some punctuation marks. You can protect them with a master password and generate secure random keys with a password manager. If you choose to write them down, do so in a place separate from the environment where they are used, and without it being obvious to a third party which service the password belongs to. The password for the centralized authentication service must be unique (do not use it for any other service, whether internal or external to the ULL).
Lock your device
Lock your computer when you leave it, and turn it off when you leave unless otherwise instructed (for example, to perform updates); close drawers and filing cabinets when not in use; do not name physical folders with personal data, use the file number; do not leave documents in plain sight, or in printers.
Do not take documents
Do not take documents, digital media, or electronic devices containing personal data outside your workplace unless authorized to do so. Most procedures can be carried out remotely by connecting to ULL servers, which minimizes the amount of personal data stored on your devices. If you exceptionally need to copy something temporarily, ensure that it is permanently deleted at the end of your session.
Destroy documents and media when you no longer need them
Do not throw away documents containing personal data, DVDs, USB drives, or other media without first destroying either the information they contain or the media itself, so that the information cannot be recovered. Use a document/media shredder or data erasure software (the standard "delete file" option is not sufficient).
If in doubt, consult the Data Protection Officer.
Guidelines for administrative management
When an interested party in an administrative file requests a copy of it, in exercise of their right under Article 53 LPA, and it is found that it contains personal data, the assessment indicated in report 57/2018 of this DPD must be carried out, in order to assess whether it is appropriate to initially grant the right of access and, after the documentation has been reviewed, to have the interested party indicate the specific documents they are interested in and for what purpose. In any case, the delivery of any documentation containing personal data will be preceded by the signing of a document confirming that the interested party has been informed of the confidential nature of the information. It is also recommended that the documentation be stamped with the word "confidential." The text that must be signed and kept in the file should be based on the following template:
«The interested party is hereby notified that the information provided is confidential and solely for the purpose of enabling them to exercise their rights within the framework of the procedure in which it is provided; and that said information includes personal data, which must be treated with the utmost care required, primarily in the General Data Protection Regulation and Organic Law 3/2018, on the Protection of Personal Data and the guarantee of digital rights. Therefore, the interested party is obliged to safeguard it with due diligence, to establish sufficient security measures to prevent access by third parties, and to destroy the media containing said information or return it to this Administration through the same channel when it is no longer useful for the purpose for which it was provided, that is, for the exercise of their rights within the framework of this procedure. Any other use, or inadequate safekeeping, may give rise to criminal, administrative, and/or financial liability.»
If the information to which access is deemed necessary has been limited, the following will be added:
«You are hereby informed that the documentation provided to you [if applicable] has been amended, removing data irrelevant to the exercise of your rights, in accordance with your request. Likewise, the pages [specify] have been omitted, as they contain [describe], information irrelevant to the purposes stated by the interested party in their access request.»
These texts must be adapted by the corresponding administrative service.
The national identity card receives special treatment in Additional Provision 7 of the LOPDGDD. The Spanish Data Protection Agency has issued some recommendations regarding its application. Taking all of this into account, it follows that:
Guidelines for teaching and research
All publications that form part of an administrative file (and student grades are part of an administrative file that culminates in the awarding of a degree, whether a bachelor's, master's, doctorate, etc.) must be made electronically. Furthermore, all notifications to students must be made electronically, and grades, in particular, are published to guarantee, among other things, the transparency and quality of teaching. The platform (link) allows the publication of final grades, while for partial exam grades, a publication method that reaches all students is necessary. Until a notice board is enabled for this purpose or the portal is adapted for the publication of intermediate grades (not limited to final grade reports), it is recommended to publish the list on the Virtual Campus, generating a PDF that, to comply with the requirements of an administrative document, must be signed before being published using the institutional signature holder (only accessible from the ULL network, or by connecting to it via VPN). When, as in this case, a single document is uploaded, of the different types offered by the institutional signature platform you must generate and download the one called "PAdES copy".
For more information on grade publication, please refer to this report.
Informative legends
The mere receipt of this message, which is subject to the ULL privacy policy on the use of email, does not mean you have the right to reuse or make public the information it contains.
Recommended legend:
Legend for non-electronic media:
Short text, if there are space issues:
Data protection clauses
Source: Regulatory guide on staff recruitment. GN-001-19. Vers. 1.1 – 20180318.