Terms and conditions for data collection

The person responsible for the processing of personal data is San Antonio Management Company, S.L. Your personal data will be processed for the management of information and counseling activities, attention to your inquiry and sending promotional communications and services related to the Institution. The legal basis of the treatment is your consent. Your data will be kept indefinitely until you request its cancellation. You can find more information about the Privacy Policy at www.spainhousing.es. You have the right to access this information, rectify it, cancel it, and other rights under the LOPD and EU Regulation 2016/679 by writing to info@spainhousing.es.

Spain Student Housing as controller of personal data processing

Preamble

Being SAN ANTONIO MANAGEMENT COMPANY, S.L Unipersonal (hereinafter, SAN ANTONIO MANAGEMENT) the entity RESPONSIBLE FOR THE PROCESSING, will collect and process the necessary personal data, in addition to making the necessary notifications for the proper processing of the real estate leasing operation. 

For this reason, and in compliance with Article 28 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), SAN ANTONIO MANAGEMENT undertakes to act on the basis of the following. 

Clauses

FIRST - Purpose of the processing order. 

The processing will consist of: collecting and managing the personal data of interested parties who request information about the academic offer of SAN ANTONIO MANAGEMENT, in order to carry out the corresponding processing of real estate leasing operations agreed between both parties (SAN ANTONIO MANAGEMENT and the interested party). 

Likewise, SAN ANTONIO MANAGEMENT will use such data for the proper supervision and verification of compliance with the regulations established by the University on the behavior and coexistence within the spaces managed by the same. 

SECOND - Identification of the affected information. 

For the execution of the services deriving from the fulfillment of the object of this assignment, the PRINCIPAL makes available to the RESPONSIBLE the following information concerning the data subject: 

  • Name. 
  • Last name. 
  • National Identity Card or equivalent. 
  • Image of face proving the veracity of the information identified in the National Identity Card or equivalent. 
  • Date of birth. 
  • Address. 
  • Country of origin. 
  • Contact e-mail address. 
  • Contact telephone number. 
  • Identification of the main emergency contact. 
  • Main emergency contact telephone number.
  • Primary emergency contact e-mail address. 
  • Secondary emergency contact identification. 
  • Secondary emergency contact phone.
  • Secondary emergency contact e-mail. 

THIRD - Duration. 

This agreement has a duration equal to the duration of the specific agreement or contract that regulates the provision of the main service between SAN ANTONIO MANAGEMENT and the lessee. 

FOURTH - Obligations of the PERSON RESPONSIBLE FOR THE PROCESSING.

1. To use the personal data being processed, or those collected for inclusion, only for the purpose of this order. Under no circumstances may you use the data for your own purposes.

2. To maintain the duty of secrecy with respect to the personal data to which it has had access by virtue of the present assignment, even after the end of its object.

3. Ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed. 

4. It is the responsibility of the data controller to provide the right to information at the time of data collection.

5. Assist the interested party in responding to the exercise of the rights of: 

  1. Access, rectification, suppression and opposition.
  2. Limitation of treatment.
  3. Data portability.
  4. Not to be subject to automated individualized decisions (including profiling).

6. Notification of data security breaches. The TREATMENT CONTROLLER shall notify data security breaches to data subjects as soon as possible, when the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication must be made in clear and plain language and shall, as a minimum:

  1. Explain the nature of the data breach. 
  2. Indicate the name and contact details of the data protection officer or other point of contact where further information can be obtained. 
  3. Describe the possible consequences of a breach of personal data security. 
  4. Describe the measures taken or proposed by the CONTROLLER OF PROCESSING to remedy the breach of security of personal data, including, if applicable, measures taken to mitigate possible negative effects. 

7. Implement the necessary technical and organizational security measures to:

  1. Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
  2. Restore availability and access to personal data quickly in the event of a physical or technical incident.
  3. Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
  4. Pseudonymize and encrypt personal data, if applicable.

8. Once the service has been completed, and unless the data subject requests its return, the CONTROLLER OF THE PROCESSING undertakes to destroy that information containing personal data that has been transmitted by the data subject or to which he/she has had access in any other way on the occasion of the provision of the service. To this end, it will apply the appropriate physical and logical measures to ensure that the personal data incorporated into the various media are irretrievable.

Notwithstanding the provisions of the preceding paragraphs, the CONTROLLER OF PROCESSING may keep the personal data and information processed, duly blocked, in the event that liabilities may arise from its relationship with the data subject.

Once the statute of limitations period for the actions that motivated the conservation of personal data has elapsed, the CONTROLLER OF THE PROCESSING shall proceed to their destruction in the manner set forth in the preceding paragraphs.

FIFTH - Transfer of data to service providers. 

In order to provide the RESPONSIBLE with the necessary platform for the registration and recording of the information requests, as well as for the completion of the procedures related to the lease, SAN ANTONIO MANAGEMENT will have the auxiliary service of external collaborators that offer the resolution to such needs. 

SIXTH - Legislation and jurisdiction. 

The RESPONSIBLE shall be governed by the stipulations contained therein, failing which by the provisions of the RGPD and the rest of personal data protection regulations, as well as by the provisions of the Civil Code and the Commercial Code.

The parties, expressly waiving any other jurisdiction that may correspond to them, in all matters relating to the interpretation, application or performance of this contract submit to the Courts and Tribunals of Madrid. 

Spain Student Housing as personal data processor

Preamble

Being SAN ANTONIO MANAGEMENT COMPANY, S.L Unipersonal (hereinafter, SAN ANTONIO MANAGEMENT) the TREATMENT MANAGER, will receive from the collaborating entity, who holds the function of TREATMENT CONTROLLER, certain personal data for the provision of the service that is regulated by specific agreement. 

For this reason, and in compliance with Article 28 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), both parties freely agree to regulate the commissioning of processing in accordance with the following.

Clauses

FIRST - Purpose of the processing order. 

The treatment will consist of: managing the personal data of interested parties who request information about the real estate offer of SAN ANTONIO MANAGEMENT, in order to contact them, as well as to collect their personal information for the proper processing of the lease transaction between the TREATMENT CONTROLLER and the applicant.

Likewise, SAN ANTONIO MANAGEMENT will use such data for the proper supervision and verification of compliance with the regulations established by the University on the behavior and coexistence within the spaces managed by the same.

SECOND - Identification of the affected information. 

For the execution of the services deriving from the fulfillment of the object of this assignment, the PRINCIPAL makes available to the RESPONSIBLE the following information concerning the data subject:

  • Name. 
  • Last name. 
  • National Identity Card or equivalent. 
  • Image of face proving the veracity of the information identified in the National Identity Card or equivalent. 
  • Date of birth. 
  • Address. 
  • Country of origin. 
  • Contact e-mail address. 
  • Contact telephone number. 
  • Identification of the main emergency contact. 
  • Main emergency contact telephone number.
  • Primary emergency contact e-mail address. 
  • Secondary emergency contact identification. 
  • Secondary emergency contact phone.
  • Secondary emergency contact e-mail. 

THIRD - Duration. 

This agreement has a duration equal to the duration of the specific agreement or contract that regulates the provision of the main service between SAN ANTONIO MANAGEMENT and the collaborating entity. 

FOURTH - Obligations of the TREATMENT CONTROLLER.

The TREATMENT CONTROLLER and all its personnel are obliged to: 

  1. Use the personal data being processed, or those collected for inclusion, only for the purpose of this order. Under no circumstances may you use the data for your own purposes.
  1. Treat the data in accordance with the TREATMENT CONTROLLER's instructions. If the TREATMENT CONTROLLER considers that any of the instructions infringes the GDPR or any other data protection provisions of the Union or the Member States, it shall immediately inform the CONTROLLER.
  1. Keep, in writing, a record of all categories of processing activities carried out on behalf of the controller, containing: 
  • The name and contact details of the processor(s) and of each controller on whose behalf the processor is acting and, where appropriate, of the representative of the controller or processor and of the data protection officer. 
  • The categories of processing carried out on behalf of each person in charge. 
  • Where applicable, transfers of personal data to a third country or international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards. 
  • An overview of the appropriate technical and organizational security measures you are implementing.
  1. To support the TREATMENT CONTROLLER in carrying out data protection impact assessments, where appropriate.
  2. Not to communicate the data to third parties, except with the express authorization of the CONTROLLER OF PROCESSING, in the legally admissible cases. If the CONTROLLER must transfer personal data to a third country or to an international organization, pursuant to applicable Union or Member State law, the CONTROLLER shall inform the data controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.
  3. Not to subcontract any of the services that are part of the object of this contract that involve the processing of personal data, except for auxiliary services necessary for the normal operation of the services of the person in charge. Should it be necessary to subcontract any processing, this fact must be previously communicated in writing to the RESPONSIBLE, at least fifteen working days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if the CONTROLLER does not express its opposition within the established period. The subcontractor, who will also have the status of PROCESSOR, is also obliged to comply with the obligations established in this document for the PROCESSOR and the instructions issued by the CONTROLLER. It is up to the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as him/her, as regards the adequate processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the sub-processor, the initial PROCESSOR shall remain fully liable to the RESPONSIBLE for the fulfillment of the obligations. 
  4. Maintain the duty of secrecy with respect to the personal data to which it has had access by virtue of the present assignment, even after the end of its object.
  5. Ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed. 
  6. To keep at the RESPONSIBLE PARTY'S disposal the documentation accrediting compliance with the obligation established in the previous section. 
  7. Ensure the necessary training in personal data protection for persons authorized to process personal data. 
  8. Assist the CONTROLLER OF THE PROCESSING in the response to the exercise of the rights of: 
  • Access, rectification, suppression and opposition.
  • Limitation of treatment.
  • Data portability.
  • Not to be subject to automated individualized decisions (including profiling).

When the affected persons exercise their rights of access, rectification, deletion and opposition, limitation of processing, data portability and not to be subject to automated individualized decisions, before the PROCESSOR, the latter must communicate it by e-mail to the CONTROLLER OF THE PROCESSING.

  1. It is the responsibility of the person in charge to provide the right to information at the time of data collection.
  1. Notification of data security breaches. The PERSON IN CHARGE OF PROCESSING shall notify the PERSON IN CHARGE OF PROCESSING, without undue delay, and in any case before the maximum term of 24 hours, and by means of a reliable written communication, the security breaches of the personal data under his/her charge of which he/she becomes aware, together with all the relevant information for the documentation and communication of the incidence. Notification shall not be required when such security breach is unlikely to constitute a risk to the rights and freedoms of natural persons. If available, at least the following information shall be provided:
  • Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  • The name and contact details of the data protection officer or other point of contact where further information can be obtained.
  • Description of the possible consequences of a breach of personal data security.
  • Description of the measures taken or proposed to be taken to remedy the personal data security breach, including, where appropriate, measures taken to mitigate the possible negative effects. If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.

It is incumbent upon the PROCESSING CONTROLLER to communicate, in the shortest possible time, data security breaches to data subjects, when the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication should be in clear and plain language and shall, as a minimum:

  • Explain the nature of the data breach. 
  • Indicate the name and contact details of the data protection officer or other point of contact where further information can be obtained. 
  • Describe the possible consequences of a breach of personal data security. 
  • Describe the measures taken or proposed by the CONTROLLER OF PROCESSING to remedy the breach of security of personal data, including, if applicable, measures taken to mitigate possible negative effects. 

  1. Make available to the RESPONSIBLE all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the RESPONSIBLE or another auditor authorized by it. 
  1. Implement the necessary technical and organizational security measures to:
  • Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
  • Restore availability and access to personal data quickly in the event of a physical or technical incident.
  • Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
  • Pseudonymize and encrypt personal data, if applicable.
  1. If a data protection officer is appointed, his/her identity and contact details will be communicated to the RESPONSIBLE.
  1. Once the provision of the service has been completed and unless the TREATMENT CONTROLLER requests its return, the TREATMENT CONTROLLER undertakes to destroy any information containing personal data that has been transmitted by the CONTROLLER or to which it has had access in any other way in connection with the provision of the service. To this end, it will apply the appropriate physical and logical measures to ensure that the personal data incorporated in the various media are irretrievable.

Once destroyed, it will issue a certificate of destruction to the CONTROLLER OF PROCESSING, listing the information, hardware and documentation subject to destruction.

In the event that the PERSON IN CHARGE OF PROCESSING requires the PERSON IN CHARGE OF PROCESSING to return the personal data, the latter shall return the information containing such personal data to the PERSON IN CHARGE OF PROCESSING or to the person determined by the latter.

Such return shall involve the delivery or making available of the personal data in a commonly used format and in such a way that, once the return is completed, the CONTROLLER OF PROCESSING has no dependence on the systems or tools of the PROCESSOR OF PROCESSING. 

At the end of the return process, the CARRIER shall proceed to the destruction of the personal data present on the computer equipment and other media used by the CARRIER.

Notwithstanding the provisions of the preceding paragraphs, the TREATMENT CONTROLLER may keep the personal data and information processed, duly blocked, in the event that liabilities may arise from its relationship with the TREATMENT CONTROLLER.

Once the statute of limitations period for the actions that motivated the conservation of the personal data has elapsed, the TREATMENT CONTROLLER shall proceed to their destruction in the manner described in the preceding paragraphs.

FIFTH - Obligations of the PERSON RESPONSIBLE FOR THE PROCESSING.

  1. Communicate to the interested parties the transfer of their personal data to the CARRIER and obtain their consent in this regard. 
  2. To provide the CARRIER with the necessary data to be able to provide the service.
  3. Ensure, prior to and throughout the processing, compliance with the GDPR by the PROCESSOR.
  4. Supervise treatment.

SIXTH - Responsibilities.

The TREATMENT PROCESSOR undertakes to comply with the obligations set forth in this Agreement and in the regulations in force, in relation to this processing assignment. If the PROCESSOR breaches the provisions of the GDPR in determining the purposes and means of the processing, he/she shall be held liable with respect to such processing.

In addition, both parties undertake to notify the other party in case of receiving notification from any of the users of the service object of the contract that binds them, of termination of the transfer of personal data, at least within 15 days following the receipt of such request.

SEVENTH - Modifications.

Any modification of the contents of this contract shall only be effective if it is made by mutual agreement between the parties. To this effect, the party proposing the modification shall request the written agreement of the other party at least 15 days prior to the effective date of modification, and the latter must reply in writing within 15 days of receipt of the request. The lack of reply to the modification request or the reply outside the term foreseen to do so, shall be understood as a non-acceptance to the same.

EIGHTH - Legislation and jurisdiction.

This Agreement shall be governed by the stipulations contained herein, failing which by the provisions of the RGPD and the rest of the personal data protection regulations, as well as by the provisions of the Civil Code and the Commercial Code.

The contracting parties, expressly waiving any other jurisdiction that may correspond to them, in all matters relating to the interpretation, application or performance of this contract submit to the Courts and Tribunals of Madrid.

Whatssapp Icon