Privacy policy

1. Legal notice and information

This Legal Notice regulates the use of the website service owned by JOVIAT FOUNDATION, educational centre 08020036, registered office at Carrer Rubió i Ors, 5, Manresa, Postal Code 08241, province of Barcelona, CIF G-60374022 and makes it accessible to Internet users.

The use of the website attributes the condition of user of the website (hereinafter, “User”) and implies full and unreserved acceptance of each and every one of the provisions included in this privacy policy from the moment the User accesses the website. Consequently, the User must read this text carefully each time they intend to consult the website, since the content of the website may undergo modifications.

2. Object

This website, owned by JOVIAT FOUNDATION, has been created and designed to make us known: who we are, what we do and how we do it, and to allow general access to all Internet users.

Anyone who accesses and/or uses the website is attributed the condition of user and the acceptance, without reservations of any kind, of each and every one of these general conditions, as well as any other particular conditions that, where appropriate, dictate the use of the Portal or the services linked to it.

In this regard, the right to make any modification or update of the contents and services is reserved. Any modification or update of these provisions of access and use and, in general, of any elements that make up the design and configuration of the website could be made at any time and without prior notice.

3. Website access conditions

The purpose of the website is to establish a channel of information and communication between the organization and its clients or interested parties through the Internet, i.e. through the website.

4. Website uses

The User agrees to use the website in accordance with Law 15/1999 of December 13, Royal Decree 1720/2007 of December 21, Law 34/2002 of July 11 and other complementary regulations, as well as with generally accepted morals, good manners and public order.

The User agrees not to use the information about activities or services that appear on the website to develop activities contrary to law, morality or public order and, in general, to make a use of it in accordance with these general conditions to that effect. The User will refrain from using any of the contents for illicit purposes, prohibited in this text, harmful to the rights and interests of third parties, or that in any way may damage, disable, overburden, impair or impede the normal use of the contents, other users or any Internet user (hardware and software).

Users will be liable for damages of any kind that the company that owns the website may suffer, directly or indirectly, as a result of breach of any of the obligations arising from the use of the website and this privacy policy.

In particular, and for a purely indicative and non-exhaustive purpose, the User agrees not to transmit, disseminate or make available to third parties, information, data, content, messages, graphics, drawings, sound and/or image files and photographs of the web.

4.1 Use of the source code

The source code, graphic designs, images, photographs, animations, software, text, information and content that are collected on the website are protected by Spanish legislation, and partial or total reproduction of the portal, or its computer processing, is not permitted without the prior written permission of their owners.

5. Website contents

JOVIAT FOUNDATION makes the website contents available to the User, as its own information or, where appropriate, that of third parties. Thus, JOVIAT FOUNDATION will use all reasonable means at its disposal to ensure that the contents included in the website are accurate and up to date.

The User agrees to use the contents on the website, meaning, but not limited to, texts, photographs, graphics, images, icons, technology, software, links and other audiovisual or sound contents, as well as its graphic design and source codes, in accordance with the law, this Privacy Policy and other notices, regulations of use and instructions made known to them, as well as with morality and good manners generally accepted and public order.

Therefore, its use for commercial purposes, distribution, modification, alteration or decompilation is strictly prohibited.

6. Links

The website may include within its contents links to sites owned and/or managed by third parties, available through the Internet.

The website takes no responsibility derived from the existence of links to external content on this site. These links or mentions have a purpose that does not imply support, approval, marketing or relationship between the page and the persons or entities that own the sites where they are found.

7. Data Protection

In accordance with the current legislation on Personal Data Protection, JOVIAT FOUNDATION informs the user of the existence of automated files of personal data created by the entity and under its responsibility. The purpose is to perform the maintenance and management work of the contractual relationship with its customers, they themselves have the possibility of exercising, in accordance with the provisions of this regulation, the rights of access, rectification, cancellation, opposition, portability and forgetfulness, by writing to JOVIAT FOUNDATION with address at Carrer Rubió i Ors, 5, Postal Code 08241, Manresa, province of Barcelona, providing a photocopy of their ID card or alternative documentation proving their identity.

JOVIAT FOUNDATION may receive personal data via e-mail for the management of job applications. In this case, the organization is committed to fulfilling its obligation of secrecy regarding personal data, its duty to keep them and to destroy them, adopting the security measures imposed by current legislation to prevent their alteration, loss, treatment or unauthorized access. The User who provides their personal data by sending an e-mail with their curriculum vitae, grants their consent to JOVIAT FOUNDATION to receive communications, always related to the organization’s services. If the user does not wish to receive any of these communications, they may inform it to the address indicated in paragraph 1 of this clause, by a writing in which appears the date and the original signature.

8. Intellectual and industrial property

All trademarks, trade names or distinctive signs of any kind that appear on the website are property of JOVIAT FOUNDATION or authorized third parties, without it being understood that the use or access to the website attributes to the User any right over the aforementioned trademarks, trade names and/or distinctive signs. Likewise, the contents are the intellectual property of JOVIAT FOUNDATION or third parties, and cannot be understood to be transferred to the User, by virtue of what is established in this privacy policy. Therefore, the transfer of intellectual property rights on this website is explicitly forbidden.

9. Advertising

The website may have advertising or sponsored content. Advertisers or sponsors are solely responsible for ensuring that the material submitted to be added on the website complies with the laws that may be applicable in each case. Our organization will not be responsible for any error, inaccuracy or irregularity that may contain advertising content or sponsors.

10. Responsibility

The User will be liable for damages of any kind that may be caused as a result of the breach of any of the obligations to which they are subject by this Privacy Policy, by law, or if pertinent, by the particular conditions that may be applicable.

10.1 Responsibility for accessing the Portal

JOVIAT FOUNDATION is not responsible for damages of any kind caused to the User as a result of failures or disconnections in the telecommunications networks that cause the suspension, cancellation or interruption of the website service during the provision of the same or beforehand.

10.2 Responsibility for the quality of service and content

Access to the website does not imply any obligation on JOVIAT FOUNDATION to control the absence of viruses, computer worms or any other harmful computer element. It is up to the User, in any case, to obtain the adequate tools for the detection and removal of harmful computer programs.

JOVIAT FOUNDATION is not responsible for any damage caused to computer equipment, documents and/or files of users or third parties during the provision of the Portal service.

10.3 Responsibility for links

The access service to the website may include technical linking devices that allow the User to access other Internet pages and portals. In these cases, JOVIAT FOUNDATION is not aware of the contents and services of the links and, therefore, is not responsible for damages caused by the illegitimacy, quality, outdatedness, unavailability error and uselessness of the contents and/or services of the links or for any other damage.

11. Applicable Law

This Privacy Policy is dictated in each and every one of its aspects by Spanish legislation. For the resolution of any conflict that may arise from accessing the website, the User and JOVIAT FOUNDATION expressly agree to submit to the courts and tribunals of the city of Barcelona, renouncing any other general or special jurisdiction that may correspond to them.

In the present conditions, Law 34/2002 of July 11, 2002 on Information Services and Electronic Mail shall also apply to them.

12. Exercise of rights

If you would like to make a complaint about how we have treated your personal data, you should contact the security supervisor of personal data, by sending an email to dosi@joviat.cat or by writing to Rubió i Ors, 5, 08241, Manresa. Our person responsible for personal data security will analyse their complaint and work with you to resolve the problem.

If you believe that your personal data has not been properly processed in accordance with the law, you can contact our Data Protection Officer (DPO) at dpd@joviat.cat and the Spanish Agency for Data Protection and file a complaint.

13. Purpose, scope and users

JOVIAT FOUNDATION, aims to comply with applicable laws and regulations related to the protection of personal data in the countries where it operates.

The purpose of this document is to establish the information security policy, based on the requirements set forth in the GDPR (General Data Protection Regulation) and the LOPD (Organic Law on Personal Data Protection), this policy establishes the basic principles by which the Company treats the personal data of students, families, consumers, clients, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while treating personal data.

This policy applies to the Company and its directly or indirectly controlled subsidiaries that conduct business within the European Economic Area (EEA) or process personal data of the interested subjects within the EEA.

The users of this document are all employees, permanent or temporary, and all contractors working on behalf of the Company, students, families and interested persons.

A fundamental point of the policy is the implementation, operation and maintenance of its own ISMS (Information Security Management System).

Basic features of the Company’s security policy:

  • To ensure the confidentiality, integrity and availability of information.
  • To comply with all applicable legal requirements.
  • To define the tasks of the security supervisor, in charge of the ISMS.
  • To guarantee a decent use of the personal information that the Company manages.
  • To train, raise awareness and inform all employees of their tasks and obligations in relation to information security.
  • To properly manage all incidents that occur.
  • To have a continuity plan that allows recovering from a disaster in the shortest possible time.
  • To continuously improve the ISMS and therefore, the organization’s information security.

14. Reference documents

The GDPR EU 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC) and the Organic Law 3/2018, of 5 December, on the Personal Data Protection and guarantee of digital rights.

15. Definitions

The following definitions of terms used in this document are taken from Article 4 of the General Data Protection Regulation (GDPR) of the European Union:

15.1 Personal data

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data includes a natural person’s email address, telephone number, biometric information (such as fingerprint), location data, IP address, health care information, religious beliefs, social security number, marital status, and so on.

15.2 Sensitive personal data

Personal data that are particularly sensitive in relation to fundamental rights and freedoms, as the disclosure of such data could result in physical harm, financial loss, reputation damage, identity theft or fraud or discrimination, etc. Sensitive personal data typically includes, but is not limited to, disclosure of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (fingerprints), data intended to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientations.

15.3 Processing

An operation or set of operations upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure or destruction of data.

The data will be stored within the space of the European Union, in the centre’s premises and its own servers and those contracted to third parties.

15.4 Data controller

The natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing.

15.5 Anonymisation

Irreversible remove the identification of personal data so that it is not possible to link this data directly or indirectly with a natural person.

15.6 Supervisory authority

The Spanish Agency for Data Protection is, as defined by the GDPR in Article 4(21), the independent public authority established by a Member State in accordance with the provisions of Article 51.

16. General principles for the processing of personal data

16.1 Lawfulness, impartiality and transparency

Personal data must be processed lawfully, impartially and transparently in relation to data subjects.

16.2 Purpose limitation

Personal data of data subjects must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. The data will be stored for a time period necessary to perform the services offered.

16.3 Data minimisation

Personal data of data subjects must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The security supervisor should apply anonymisation or pseudonymisation to personal data if possible to reduce the risk concerning the data subjects.

16.4 Accuracy

Personal data of data subjects must be accurate and, where necessary, kept up to date; all reasonable measures will be taken to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are erased or rectified without delay.

16.5 Limitation of the retention period

Personal data should not be kept longer than necessary for the purposes for which the personal data is processed, in accordance with the GDPR.

16.6 Integrity and confidentiality

Taking into account the state of technology and other available security measures, the cost of implementation and the likelihood and severity of risks, appropriate technical or organisational measures should be implemented to process personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

16.7 Proactive responsibility

Data controllers shall be responsible for compliance with the principles described above and shall be able to demonstrate it.

17. Security Policy

17.1 Objectives

The security policy of JOVIAT FOUNDATION aims to establish the high-level guidelines to be followed so that all processing of personal data is carried out securely and only by authorised personnel, as well as to protect the organisation’s information against possible loss of confidentiality, integrity and/or availability.

17.2 Scope

The scope of this policy is limited to all departments of JOVIAT FOUNDATION.

17.3 Planning

The necessary actions to comply with the statement of the security policy include the implementation, operation and maintenance of an ISMS (Information Security Management System), which is at all times aligned with this policy.

The planning phase includes, as a fundamental point, a study of the company’s security through a risk and impact analysis and the establishment of the corresponding plan for the treatment of risks not accepted by the organisation.

The implementation of the ISMS is the main responsibility of the person in charge of treatment (or ISMS manager) supported at all times by technical staff and with the full support of management.

Based on the results obtained in the planning phase, certain security controls are implemented, in addition to operating the ISMS procedures to comply with the GDPR and LOPD.

17.4 Review

The information security policy and ISMS are reviewed regularly at planned intervals or if significant changes occur to ensure continuing suitability, effectiveness and efficiency. Generally, they are reviewed annually in conjunction with the ISMS internal audit processes.

There are monitoring procedures that provide information on the proper performance of the ISMS.

Management also plays an important role in reviewing the system, conducting an in-depth analysis of the system and identifying possible improvements and deficiencies.

With all this input, an overall review is carried out by the data protection committee.

17.5 Improvements

Possible improvements to the information security policy and the ISMS are established either during the review phases or on the basis of contributions that are considered interesting from both company personnel and external personnel.

These improvements are evaluated and once their viability has been studied, they are implemented, operated and maintained. The entire ISMS is framed within the Deming cycle (PDSA cycle), its implementation and operation, its review and subsequent improvement. All of this is applied to information security.

18. Processing guidelines

Personal data shall only be processed when explicitly authorised by the Company.

18.1 Notice to data subjects

At the time of collection or before collecting personal data for any type of activities, the data subjects must be informed about:

  • Legitimation (what data we collect).
  • Purpose (for what intention).
  • Retention (how long the data will be kept).
  • User rights (What are the rights and how to exercise them).
  • Where the data will be stored.
  • Complaints (where and how to lodge complaints).

When personal data is shared with a third party, we will notify the data subject by means of a privacy notice and that the third party complies with the provisions of the GDPR.

18.2 Obtaining consent

At the time of collection or before collecting personal data for any type of activities, explicit consent must be sought from the data subject for each of the purposes of the processing.

This will be done whenever possible, by means of a form in which each of the purposes of the processing will be reflected together with check boxes, where the data subject must indicate “yes” or “no” to the request for consent. In the event that the User does not affirm, clearly indicating the option “yes”, it will be understood that they do not consent to the collection and processing.

19. Organisation and responsibilities

Responsibility for ensuring the proper processing of personal data lies with all employees of the Company, as well as third parties involved in such processing.

The data protection committee and the management of the Company shall take decisions and approve the general strategies of the Company in matters of personal data protection and may delegate specific tasks to third parties with the aim of guaranteeing adequate processing.

20. Cross-border processing of personal data

There is no cross-border processing of personal data.

21. Supplier Management

The department contracting a new supplier will have to take into account the possible security risks derived from the service provided, for which it will be required to comply with the GDPR.

In the event that this supplier is to carry out personal data processing tasks, it must sign a personal data processing contract “PROVISION OF SERVICES AND PERSONAL DATA PROCESSING CONTRACT”.

22. Incident Management

All security incidents must be reported in accordance with the established procedure. Said notification shall be made immediately to the hierarchical superior or to the person responsible for information security or whoever delegates in their name. Once it has been received, they shall be responsible for following it up, completing the notifications established in the corresponding procedure and establishing the actions for its correction.

23. Legal Compliance

Any type of non-compliance with the laws or legal, regulatory or contractual obligations and security requirements that affect the Company’s information systems and personal data shall be avoided, such as the current teaching regulations, the regulations of Catalan foundations, the GDPR and the Law 34/2002 of 11 July 2002 on Information Services and Electronic Mail.

24. Exercise of rights

If you would like to make a complaint about how we have treated your personal data, you should contact the security supervisor of personal data, by sending an email to rdgp@joviat.cat or by writing to Rubió i Ors, 5, 08241, Manresa. Our person responsible for personal data security will analyse their complaint and work with you to resolve the problem.

If you believe that your personal data has not been properly processed in accordance with the law, you can contact our Data Protection Officer (DPO) at dpd@joviat.cat and the Spanish Agency for Data Protection and file a complaint.