Cookie usage policy

The website of the University Carlos III of Madrid use its own cookies and third-party cookies to improve our services by analyzing their browsing habits. By continuing navigation, we understand that it accepts our cookie policy. "Usage rules"

Data Protection

Public administrations and private companies have always used personal data to be able to carry out their work.  Because of the use of computers and new technologies, it has become necessary to create laws and organizations that guarantee privacy and the proper use of these data.

Data protection is going through a pivotal time marked by constant challenges and demands.  As a result, the European Union has launched Regulation 2016/679 relative to the protection of natural persons with regard to the processing and free circulation of personal data.  This regulation is commonly known as the General Data Protection Regulation, or GDPR.

The GDPR is a directly applicable regulation which does not require internal regulations of transposition or, in most cases, regulations of development or application.

All organizations have files with personal data and must comply with the obligations of the GDPR.  If they do not, they risk being sanctioned for non-compliance.

What are personal data?

Personal data are units of information about persons used by administrations or companies.  Some examples of personal data are one’s name and surnames, address, occupation, photograph, education and level of studies, and income.

There are some data that are especially protected: one’s ideology and beliefs, labor union membership, race, health and sex life, etc.

How must personal data be used?

It is necessary to find out how the data are going to be used. Administrations or companies that use them MUST:

  • Request consent if there is no legal standard that authorizes it
  • Request only the necessary and appropriate data to fulfill the purpose for which they are requested
  • Make their employers and employees maintain professional secrecy
  • Use technical and organizational measures to guarantee the security of the personal data

What rights do users have?

  • Obtain background information about the motive for requesting the data. Know what data is kept for it.
  • Modify or eliminate data when they are inaccurate or incomplete.
  • Contest decisions that are based only on data that evaluate aspects of one’s personality and would affect them significantly.
  • Oppose processing in certain circumstances.
  • Support from data protection agencies to safeguard your rights
  • More information about rights and claims:
    Know your rights

What laws protect users?

La utilización de datos de carácter personal está limitada por las leyes para garantizar el buen uso de éstos y la intimidad de las personas, las principales normativas de aplicación

The use of personal data is limited by laws that guarantee the proper use of the data and the privacy of persons.  The main applicable regulations are:

  • The Charter of Fundamental Rights of the European Union
  • Regulation 2016/679 relative to the protection of natural persons with regard to the processing and free circulation of personal data
  • The Spanish Constitution
  • Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights.

How does this affect university personnel?

  1. Compliance with the GDPR is their responsibility.
  2. If they use or have a file that contains personal data, the file is subject to the application of the GDPR.
  3. IT IS EASY to comply with the GDPR by following a few basic guidelines.  The university will help you.  Follow our instructions and it will be easier for you.

What must BE DONE?

1. Attend at least one informational session about data protection.

2. Send the information about  the instances of processing that you think might be subject to the application of the GDPR.

3. Immediately follow the basic guidelines below:

  • Do not release files with personal data to anyone from outside the university.
  • Do not enable these files to be accessible via the Internet by linking them on web pages or similar media.
  • Do not send these files by e-mail if they contain especially protected data. Always keep the computer on which you have them stored turned off and use a screen saver with a password.
  • Make sure the interface of the program that you are using to access the data is not left on your screen if you are not in front of your computer.
  • Have a backup copy of these files saved in a locked drawer or cabinet (or a copy made by the Computing Service).
  • If you request information with personal data from third parties (students, professors, persons from outside the university, etc.) by means of a form and save these data on a file, make sure you include the pertinent clauses on these forms.
  • Never request more information than is essential.
  • Collect all the paper or electronic forms you normally use in your daily work and check whether they include the appropriate clauses according to the model. If they do not, make others that include them.
  • Never publish lists of grades on paper or web pages unless it is part of a process in which there is competitive concurrence (state exams, applications, etc.).
  • Do not put personnel directories on paper or the Internet indiscriminately, if they can be freely accessed, or if they will not be monitored.
  • Keep documents that might contain personal data locked.
  • Destroy paper and media that contain personal data.
  • Print or photocopy only the personal data that are necessary. Always retrieve them yourself and destroy them once they are used.
  • Follow the recommendations about computer security contained in the guide “Computer Security is Also Up to You,” which can be downloaded via this link.

If you have any doubts, write to e-mail

Can we be sanctioned?

Anticipating the violations that can be committed in terms of data protection, the GDPR establishes a series of sanctions whose repercussions depend directly on the gravity of the infractions committed by those directly responsible and by those in charge of the processing of the files that store the personal data.

Protocol for Response to Breaches of Personal Data Security


The EU Regulation 2016/679, of 27April 2016, relative to the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereafter GDPR)establishes in Article 33 the obligation to notify the appropriate supervisory authority of breaches of personal data which might put the rights and freedoms of natural persons at risk. Likewise, Article 34 of the GDPR establishes the obligation of data controller to communicate personal data breaches to the natural persons affected when the breaches are likely to entail high risks to their rights and freedoms. Articles 33 and 34 reveal the need for organizations to incorporate into their information policy a process for managing breaches of personal data which specifies how the organization will meet its obligations with respect to the breaches. This protocol responds to that need.


The GDPR broadly defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” Security breaches that affect the rights of data subjects whose data the university processes as data controller or processor must be detected early. If you suspect there has been a breach of personal data security, immediately contact the university Data Protection Officer at e-mail address or telephone number 608881858.


The following agents are involved in the detection and management of a security breach: The data controller of the processing (the university) is responsible for applying the appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the processing is in compliance with the GDPR. Where appropriate, it must guarantee that the personal data breach is communicated without undue delay to the appropriate authority, and also to those affected when necessary.

The data controller of the processing must have the assessment of the Data Protection Officer and of experts on the subject of security, like the organization’s Chief Information Security Officer or its IT services, or such services it might have outsourced. For the detection and management of security incidents, it is essential, key, and indispensable to have the active involvement and participation of the processors of the personal data (employees and other persons connected to the university).

The data processor (the university) is responsible for notifying the data controller of personal data breaches without undue delay if they affect processing orders,regardless of the additional obligations it may have assumed by virtue of the processing order contract.

The information sent to the data processor must include details which will enable the data controller to meet its obligations, in particular, evaluating the risk of the personal data breach and, where appropriate, notifying the supervisory authority or communicating the breach to those affected.

For the detection and management of security incidents, it is essential, key, and indispensable to have the active involvement and participation of the data processors of the personal data (employees and other persons connected to the university).

Data Protection Officer (DDP): The DDP will have a very important role in the process of managing breaches.

The GDPR entrusts the Data Protection Officer with the function of informing and advising the data controller or the data processor about obligations which apply to them. These include obligations related to the management and notification of the personal data breaches and cooperating with the supervisory authority, serving as a point of contact for matters related to the processing. As such, the DDP must inform and advise the data controller/processor about the processing with regard to:

  • implementing a process for managing personal data breaches at the organization
  • evaluating the risk and the consequences that a personal data breach might entail for the rights and freedoms of the persons
  • appropriate actions that must be taken to mitigate the effects of the personal data breach on the persons affected
  • the need to communicate the personal data breach to the supervisory authority and, where applicable, the data subjects affected
  • in the case of data processors, the need to notify the data controller of the personal data breach

The data controller and the data processor, where applicable, must provide the DDP with the means and information needed to carry out his/her functions. Nonetheless, the responsibility inevitably falls on the data controller and the data processor with regard to the obligations of each one.


As mentioned, it is necessary to contact the DDP urgently and immediately to provide him/her all the information related to the security breach, the following in particular:

  • Identification of the processing affected (Registry of Processing Activities)
  • Description of the nature of the personal data security breach, whether it affects confidentiality, integrity or availability. Confidentiality: A breach affects confidentiality when the personal data of a processing have been accessed by third parties without permission, including when the data are exfiltrated. This includes, for example, cases of hacking into information systems with access to or exfiltration of personal data, the sending of personal data by mistake, the loss of devices or documents with personal data, malware like ransomware with data exfiltration, etc. It is important to know whether the personal data affected were (totally or partially) securely encrypted, anonymized or protected in order to render them unintelligible to whomever accessed them or could access them in the future. In this case, the consequences of the breach of confidentiality are largely mitigated, reducing or even eliminating the risks derived from the incident. Availability: A breach affects the availability of personal data when they have been inaccessible temporarily or permanently to whomever is lawfully entitled to process or access them. This situation might arise from events that affect the personal data themselves, or from events that affect the systems used. Integrity: A breach affects the integrity of personal data when the data have been unlawfully altered and the processing of those data might cause harm to those affected. For example, a third party modifies information in a company data base related to employee bank details that are used for issuing paychecks, or a student changes the grades in data base of their school.
  • The categories and approximate number of data subjects affected (with special focus on minors and other particularly vulnerable groups).
  • The categories and approximate number of records of personal data affected; the type of data affected; identification details; especially protected data.
  • Basic details: name, surname(s) or date of birth of those affected.
  • Contact details: telephone number, e-mail address or postal address of persons.
  • Images (photo or video): individual or group images of the persons affected.
  • Identification document: national ID card, residence card, passport, social security number or any other identifier at the national or extranational level.
  • Economic or financial data, data that refer to paychecks, bank statements, economic studies or any other information that might reveal economic information about those affected.
  • Location information: data on the location of the person at a specific moment or during a period of time.
  • Positioning data, coordinates or habitual addresses (non- residential) of the affected persons.
  • Means of payment (credit card or bank account numbers): information that refers to affected persons’ payment methods like bank card numbers, bank accounts, on-line payment methods like Paypal, bitcoins, etc.
  • Access or identification credentials: user names, passwords, whether clear-text, hashed, or encrypted, and data like coordinate cards or two-factor authentication.
  • Profile data: user profiles in networks or psychosocial data profiling or data which enables the profiling of natural persons.
  • Sexual life: data related to sexual health, habits, orientation or sexual tendencies, and information that makes it possible to infer them.
  • Religion or beliefs: the religion exercised by those affected and information about religious, agnostic or atheistic postures.
  • Racial or ethnic origin: information that reflects or makes it possible to establish one’s racial origin or belonging to a specific ethnicity.
  • Employee health data: information, such as from discharge forms or health reports, about the health of employees or persons who hold a working relationship with the supervisor that processes the data.
  • Patient health data which forms part of the records of health sector officials.
  • Political opinion: information that reflects or allows one to discover the political opinions or tendencies of persons.
  • Genetic data: a natural person’s inherited or acquired genetic traits that provide unique information about the physiology or health of the person, especially when the data is obtained from the analysis of biological samples.
  • Data about convictions and criminal offenses: certificates of criminal records or certificates of sexual crimes.
  • Biometric data: the physical, physiological or behavioral characteristics by which a natural person is identified.
  • Data which details a person’s membership in or affiliation with a trade union.
  • Possible consequences of the personal data security breach. The impossibility of exercising a particular right or accessing a service. Usurpation of identity. Being a target of phishing or spamming campaigns. Financial losses.

Damage to one’s reputation. Loss of confidentiality of data affected by professional secrecy. Psychological or physical damage. Loss of control over one’s personal data.

  • Proposal of measures to adopt by the university to resolve the personal data security breach, including, where applicable, measures adopted to mitigate possible negative effects. It is necessary to implement measures to ensure the breach does not occur a second time.

For illustrative purposes, the following link shows the content of the Spanish Data Protection Agency’s electronic form that must be completed in order to report a security breach:



The supervisory authority to which the university must report, when applicable, a security breach is the Spanish Data Protection Agency (SDPA). The Data Protection Officer, in coordination with the CISO, will oversee proceedings at the university to manage the personal data security breach. He/she will be in charge of i) collecting additional specific information; ii) informing the university about the breach (whether or not it affected personal data, infringements of the rights of the data subjects, communicating, if necessary, the breach to the SDPA, corrective measures to adopt, the appropriateness of notifying the data subjects, etc.); iii) obtaining, where applicable, authorization for communication of the security breach to the SDPA; and iv) carrying out said communication. Likewise, the DDP will advise the data controller about contacting the data subjects and the means and way to do it, and will obtain authorization from the university for this. These communications will be carried out primarily via e-mail to the institutional e-mail address of the university.

MORE INFORMATION: deberes/cumple-tus-deberes/medidas-de- cumplimiento/brechas-de-datos-personales- notificacion

SDPA guide on reporting personal data security breaches: 09/guia-brechas-seguridad.pdf


The records of processing activities contains all the processing of personal data that the university does.  In the register, all of the information that the university must provide data subjects about the processing it does can be consulted.  More information.

Access to the list of processing:

Forms for the declaration of processing:

Preguntas frecuentes

Do you want to cooperate on research and teaching activities?

The university carries out numerous activities of research (research projects) and teaching (doctoral theses, bachelor’s and master’s dissertations, internships) which require the participation of persons for, for example, completing a survey, conducting an interview, or carrying out a particular activity.   

In the university community, you can cooperate on these activities by signing up for them on a generic e-mail list.  When the university needs volunteers to carry out an activity, the university will inform the people on this list that, if they wish, they can cooperate on the activity in question.

To this end, the university has created a volunteer membership list named “cooperation on research / teaching activities,” which you can add your name to at the following address of the university web page:

If you would like to cooperate on these activities, you can add your name to the list to receive information by means of e-mail notifications.

Information about the reception of the newsletter in corporate accounts

Both employees and students form part of the university community, and with this comes a series of rights and obligations.

For the exercise of rights and the fulfillment of obligations, the university provides each member of the university community an institutional e-mail account.

For this reason, mailouts of informational notices for the university community related to university activities are sent to the corporate account of the community members, and their reception in this account is not optional.

Nonetheless, if the account holder does not wish to receive these e-mails, filters can be established on Google to treat the institutional e-mails individually.

More information at

This way, the user has the ability to decide what to do with the messages and change their treatment independently.

To conclude, it should be noted that, relative to the mailing of the newsletter to the university’s institutional e-mail addresses, the Spanish Agency for Data Protection has reached a decision, through a settlement  (which can be consulted at the following URL: It rules that “it is not possible to request that the information that arrives be “a la carte,” which would be like requesting a personalized filter for an institutional e-mail, a disproportionate measure that lacks sense.”

May this information be useful.

Data Protection Officer

The GDPR establishes that the data subjects can contact the delegate for data protection for issues related to the processing of their personal data and the exercise of their rights.

You can contact the delegate for data protection by e-mail at the address