Legal Notice


The University of Santiago de Compostela (USC) protects and guarantees the fundamental right to data protection and is particularly sensitive to the safeguarding of people’s privacy. Data processing is done in accordance with European Union Regulation 2016/679 of 27 April on the protection of individuals with regard to the processing of personal data and the free movement of such data. Thus, this treatment responds to the principles of legality, loyalty, transparency, limitation of purpose, minimization of data, accuracy, limitation of storage time, integrity, confidentiality and proactive responsibility.

The USC’s record of treatment activities can be found at:

In any case, the USC will maintain a dynamic understanding of this issue in order to adapt it to new developments, whether in legislation, case law, decisions of supervisory authorities or practices in this field. This may make it advisable to amend this privacy and data protection policy, which will be announced in good time.



The generic responsibility for data processing lies with the University of Santiago de Compostela, with the address of these effects at the Rectorate of the USC, Praza do Obradoiro s/n, 15782- Santiago de Compostela (Spain). The telephone number is 881811000. Informal on-line contact can be established through:

Specific requests must be made through the USC Electronic Headquarters.


The USC as generic responsible is specified, according to the treatment, in those responsible for each treatment: the General Secretariat, in the Vice-rectorates or in the Management, as stated in the particular information of each treatment.


The Data Protection Delegate is José Julio Fernández Rodríguez, and his email account is


The primary legitimate basis for USC’s treatment is the provision of the public service of higher education. The consent given by the persons concerned in cases where they so authorize may also be the basis of the treatment.

In other treatments the basis of legitimacy is the need in the execution of contracts, the fulfillment of concrete legal provisions, or the fulfillment of a mission carried out in the public interest or in the exercise of public powers. All these conditions are in line with Article 6.1 of the European Regulation.

Processing purposes

The purpose of processing personal data by the USC is to fulfil its obligations and responsibilities in the field of teaching, study and research, which includes the management of the administrative services of a university public administration and the management of requests for information and actions of academic and institutional dissemination. Each specific treatment specifies these purposes.

Origin of data, use and storage

The origin of the personal data is in the interested persons themselves, obtained by various means, such as applications, forms and digital or analogical questionnaires. For these purposes, the expression of consent will be free, specific, informed and unequivocal. In some cases the data are obtained from other educational administrations.

The processing of special categories of data will take into account the specific data protection measures in Article 9 of the European Regulation.

Exceptional transfers and transfers of personal data may be made under the auspices of university exchange and academic collaboration programmes, as well as with public administrations with educational responsibilities. In any case, transfers shall comply with the provisions of Articles 44 et seq. of the European Regulation. Also, in accordance with the regulations, data are transferred to those in charge of processing and in cases of legal duties.

Likewise, the data may be used for statistical purposes or for incident management and, preferably pseudonymised, for research purposes.

The personal data provided will be kept for the period in which the purpose for which they were collected is carried out, or for the time necessary to comply with legal obligations. Once the purpose has been fulfilled, the data will be blocked until the applicable limitation periods have elapsed.



Interested parties have the right to transparency of information, access to their personal data, rectification of inaccurate data, deletion of data where possible, limitation of processing, portability, opposition, the right not to be the subject of a decision based solely on automated processing that significantly affects them, the right to withdraw consent at any time and the right to file a complaint with the Spanish Data Protection Agency. These rights may be exercised before the data controller, after identifying the applicant through the USC’s Electronic Headquarters.

The USC will facilitate the exercise of these rights by means of an electronic form at


Además, las personas interesadas también poseen los derechos que dan acceso a las vías administrativas y judiciales de garantía, contempladas en el ordenamiento jurídico con esa finalidad.


The USC, from a proactive position, adopts all technical and organizational measures necessary to ensure the processing of data and the privacy of individuals. Thus, it assumes a total commitment to the guarantee of fundamental rights, which includes data protection from design and by default.

Thus, these security measures, and in accordance with Article 33 of the European Regulation, will include the pseudonymisation and encryption of personal data; the ability to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services; the ability to restore the availability of and access to personal data quickly in the event of an incident; and a process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures.

These measures respond to legally established duties, depending on the state of the art, implementation costs, and the nature, context and purposes of the processing. Similarly, account must be taken of the specific risks of seriousness and probability that each type of processing poses to the rights and freedoms of individuals.

Security breaches and breaches of personal data will be communicated to the supervisory authority and, where appropriate, to the persons concerned on the basis of Article 34 of the European Regulation.

The USC make available a channel of communication of incidents in the matter of data protection in: