The Record of Processing Activities
Data protection applies to a large number of administrative procedures. Most of the issues they raise are resolved through the consultations they generate and are reflected in the guidelines and guides prepared as needs are detected. There are, however, at least two procedures that are specific to data protection: the exercise of GDPR rights, and the updating of the Record of Processing Activities, which is the subject of this section.
The Record of Processing Activities is an inventory of all personal data processing activities carried out by an institution. It serves as the basis for organizing the organizational and technical measures necessary to secure data, uphold the rights of data subjects, and generally comply with the GDPR and other applicable regulations. Inclusion in the record signifies that the processing is properly controlled by the organization's data controllers.
The existence, proper implementation, and management of the RAT are fundamental for:
Therefore, the RAT must be properly organized. No member of the university community should make a form available for a purpose not included in the RAT, nor without adopting and complying with the organizational and technical measures established for each type of processing. The following are the recommendations of this Data Protection Officer (DPO) regarding the RAT. To register procedures in the RAT, it is advisable to submit a report from this DPO to the GAP (Group of Academic Personnel), for which the following form must be completed: this form (includes instructions).
Carrying out processing not registered in the RAT is prohibited
All personal data processing carried out within the University of La Laguna, whoever is responsible for it, must be registered beforehand in the Record of Processing Activities, which requires authorization from the data controller. The party responsible for the processing must request its inclusion in the Record electronically.
To register with the RAT, the procedure described at the end of this page must be followed. Applications must be made according to the following rules:
Registration in the RAT must be requested by the responsible party.
The governing bodies must establish who is the controller for each type of data processing. Currently, this responsibility is assigned to the Management Office. However, the heterogeneity of the data used by the University of La Laguna, and the wide range of purposes for which it is used, suggest that, to the extent agreed upon, the responsibility for its management be distributed as follows: research data, as defined by university regulations, to the Vice-Rector for Research; academic data, in both its administrative and its teaching or research aspects, in the broadest sense of Article 20 of the Constitution, to the Vice-Rector for Teaching; student activity, to the Vice-Rector for Students; personnel data, which should remain under the responsibility of the Management Office; and organizational data and other administrative procedures, to the General Secretariat, depending on how the National Security Framework (ENS) is specified at any given time.
Requests from the person responsible for the information must be addressed to the data controller.
This means that anyone intending to carry out research processing should request it, following the procedure outlined above, from the Vice-Rector for Research; if it involves processing of personnel data, from the Management Office; and so on. The person making the request must be, within the ENS framework, the person responsible for the information. Naturally, these two roles (responsible for the processing and responsible for the information) may coincide in the same person.
Processing for the purpose of scientific research
In the case of data processing carried out within the framework of research activities, the principal investigator, or if they are not affiliated with the University of La Laguna (ULL), the ULL-affiliated researcher who requests it, shall be considered the data controller. This same individual shall also be considered the security operator when using computer systems not under the direct control of the Information and Communications Technology Service (STIC). In this case, they must clearly and comprehensively explain the proposed technical solutions and follow the precise instructions provided by the Security Officer, as well as the ULL's general security policy regarding the processing carried out, and shall be directly responsible for any damages that may result from non-compliance. Any changes to the initial proposal or any incident that may occur must be reported immediately, without undue delay, to the Security Officer and, where applicable, to the Data Protection Officer.
To start the processing activity, and to continue it, the person responsible for the information must obtain the authorization of the data controller, who, under the proposed model, will be the Vice-Rector for Research.
Any person with a connection to this University who participates in the processing of personal data and considers that it is not properly recorded in the Register of Processing Activities, should request the Data Protection Officer to initiate the procedures for registration, modification or cancellation of entries.
When the Ethics Committee of the University of La Laguna observes that research may have relevant considerations regarding the protection of personal data, it must seek the participation of the Data Protection Officer in its deliberations. It must also refer to the Data Protection Officer all instances in which certificates of compliance with data protection regulations are requested.
Review of registered processing activities
All processing activities registered in the RAT (Record of Processing Activities) under procedures that predate these rules must be checked for compliance with these recommendations, and any necessary modifications must be requested. When the processing activity was registered at the request of a person or unit other than those referred to herein, the review must be initiated by the same unit or person who promoted or carried it out, without prejudice to notifying those now responsible so that they may request its modification or cancellation if they deem it appropriate. In all cases, the processing activity must conform to the terms under which it was registered.
Every two years, the data controller must prepare a report, which will be sent to the Data Protection Officer and filed with the processing documentation, regarding its suitability for the purposes of the processing, assessing the security measures implemented, and noting whether any new risks to the rights and freedoms of data subjects have been detected. This is without prejudice to any review that may be necessary in the event of a security incident or a technological or legislative change.
Organization and operation of the Registry
- Sections: The Register must be arranged in two sections so that one (Section A) contains the activities in which the University carries out the processing as the controller, and the other (Section B) contains those in which it does so as the processor, on behalf of another controller.
- The entries for Section A (ULL as responsible) must contain:
- Name and contact details of the data controller and the Data Protection Officer
- Identification of the processing operation or operations to be applied to the data.
- Legal basis for the processing.
- Identification of the categories of interested parties and categories of personal data to be processed.
- Purposes of the processing operation or operations.
- Categories of recipients to whom data is communicated, including international data transfers and documentation of appropriate safeguards where applicable.
- Deletion deadlines for each data category.
- Technical and organizational security measures.
- Reference and link to the BOULL publication in which the processing is authorized.
- The entries for Section B (ULL as processor) must contain:
- Name and contact details of the data processor and of each controller on whose behalf the processor acts, as well as their respective Data Protection Officers, if any, or an indication that they do not have one.
- Precise reference to the contract, agreement, accord or similar document that specifies the terms under which the ULL must carry out the processing, so that it is perfectly identifiable.
- Categories of processing carried out on behalf of the controller.
- Data transfers to a third country and documentation of appropriate safeguards where applicable.
- Deletion deadlines for each data category.
- Technical and organizational security measures.
- Reference and link to the BOULL publication in which the processing is authorized.
- Internal management of the Record: marginal notes. It is recommended to make instrumental annotations, not published, that allow the University to better supervise processing activities and facilitate the exercise of data subjects' rights.
- For this purpose, the person responsible for the information or, failing that, the person in charge of the processing, must report the following so that it can be recorded as a marginal note:
- The name and contact details of the person with the authority to decide on and authorize access to the data, who will be considered responsible for the information, for example, the principal investigator, when, based on an analysis of the research data flow, the decision falls to them, or the head of the service or section where the administrative procedures involving data processing are primarily handled. The person must be fully identified; simply referring to their position or title is insufficient.
- The name of the persons to whom the data controller has given access to the processed data, indicating the type of confidentiality clauses under which they access (ULL confidentiality level or specific clause according to letter f of this same number).
- The incidents and security breaches that occur in relation to the data being processed, and the technical, organizational or other measures that they propose to prevent them from recurring.
- The content of the privacy information texts provided to data subjects, where these must differ from the generic texts the University of La Laguna uses for that type of processing, and the reasons for the difference.
- The medium on which the consent of the interested parties is recorded, when it must be obtained, and its form of custody.
- The terms and confidentiality clauses that those who have access to the data are required to sign, when they are people outside the ULL or who do not have previously signed a sufficient confidentiality clause with the ULL, if said texts have to differ from those proposed by the ULL.
- The following notes will be mandatory for the head of the service managing the exercise of GDPR rights within the ULL:
- The exercise of GDPR rights, detailing the right exercised and the extent of its exercise, the motivation if known, and any other circumstance that may be useful to assess the need for review of the processing, or of the technical or organizational measures that guarantee its security.
- Security incidents and breaches that occur in relation to the data being processed.
- Security incidents and breaches that occur in relation to the data being processed are mandatory entries for the Security Officer with respect to any processing carried out on systems or infrastructure over which they exercise their functions.
- Those required to make marginal notes must record all information that they deem useful to assess the need for a review of the processing, or of the technical or organizational measures that guarantee its security.
- The Data Protection Officer, the Security Officer and the Service that manages the exercise of GDPR rights within the ULL may make any marginal notes they deem appropriate for the aforementioned purposes.
- The proposal for new technical, organizational or any other type of measures will be communicated to the data controller so that they can initiate the procedure for reviewing the authorization and registration of the processing, as well as to the Data Protection Officer and, where appropriate, to the Security Officer.
- A record must be kept of the storage media of registered processing activities, to ensure the effective exercise of rights and the monitoring of the correct application of the applicable regulations. Both the Data Protection Officer (DPO) and the service responsible for handling data subjects' data protection rights regarding processing activities carried out within the University of La Laguna (ULL) must have real-time access to research databases and any other databases holding registered processing activities, at least to confirm whether data belonging to the data subject exercising their rights exists. To this end, a centralized search system will be established, based on the national identity card (DNI), passport, foreign resident's card (NIE) and similar documents of data subjects, that reports, at a minimum, which systems and processing activities hold information relating to each data subject. This is without prejudice to the auditing powers of the competent authorities and services, among others.
- New registrations require a report from the Data Protection Officer (DPO). The time limit for issuing this report must be regulated; one month from receipt of all required information is considered reasonable. Every new entry will require a request for a marginal note from the person responsible for the information, as referred to in section a.1 of this same paragraph 4.
- Resolutions regarding registration, modification, or cancellation of personal data processing activities should be given enhanced publicity through their prior publication in the BOULL.
- Web publication of processing activities should be organized by responsible party and, within each, by the type of services it serves, following the organizational structure of the University as closely as possible.
- In general, marginal notes, intended to aid internal work, will be made automatically upon notification by the authorized parties, except for items 4, 5, and 6 of section a of paragraph 4, which will require the authorization of the Data Controller, following a report from the Data Protection Officer. The data controller, or any third party with access to the processed information, will be obliged to request modifications regarding any discrepancies between the recorded information and the actual situation. This also applies to marginal notes made at the request of the data controller or the data processor.
- Anyone may inform the Data Protection Officer of the existence of processing activities not registered in the RAT, or carried out in a manner different from that contemplated therein. The DPO will be able to propose, with justification and directly to the data controller, any registration, modification, or addition of processing activities.
Procedure for registration in the Register of Processing Activities
The Data Protection Officer, in order to ensure that the Record of Processing Activities is correctly formed, and without prejudice to any instructions that may be issued by the competent bodies of this University, recommends that the following procedure be followed to register a procedure in the RAT (it summarizes the recommendations of the sections above):
- The person under whose direction the data will be processed must fill out an application using this form (in the future it will be available through the electronic office) and send it by any appropriate means to the DPO, clearly stating their ID, full name and relationship with the ULL. If it is not submitted signed through the electronic office, the DPO will require the signature before the next step, which may be more convenient for users who are not comfortable with the institutional signature platform.
- The Data Protection Officer (DPO) will review the request (currently it is submitted to the DPO by email or any other means, and the signature is required later) and, if everything is in order, will propose authorization to the Data Controller (the relevant Vice-Rector or the Management Office). If any information or documentation is missing, the DPO will request it from the applicant. The DPO will also require the applicant's electronic signature if it is not already included in the request.
The decision of the Data Controller will be communicated to Management and the General Secretariat, who will agree to its inclusion in the ULL's Register of Processing Activities, instructing the Analysis and Planning Office to carry it out, and informing the applicant of the completion of the procedure. The decision of the General Secretariat, as the entity responsible for the information, will be communicated to the interested party, informing them that they must wait for confirmation of the effective inclusion in the Register of Processing Activities before processing the data, and any other relevant considerations.