Privacy Policy

The Polytechnic University of Madrid (UPM) is an institution firmly committed to respecting the fundamental freedoms and rights of individuals.

The implementation, since May 25, 2018, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR), represents an important step forward in the recognition of the right that everyone has to the protection of their personal data, and gives us the opportunity to update our Privacy Policy and inform you of its main aspects through this statement:

Who is responsible for the processing of your personal data?

At the Universidad Politécnica de Madrid we are responsible for all processing of personal data that we carry out, and we undertake to publish and keep updated a Register of Personal Data Processing Activities containing the information indicated in Article 30 of the GDPR.

How is your personal data handled at UPM?

At UPM we try to process your personal data in strict compliance with the obligations arising from the data protection regulations in force, adopting the principle of proactive accountability, contained in the GDPR, as a fundamental pillar of our conduct. Based on this commitment, your personal data will be:

  • Processed in a lawful, fair and transparent manner.
  • Collected for specified, explicit and legitimate purposes, and will not be further processed in a way that is incompatible with those purposes.
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and, where necessary, kept up to date, taking all reasonable steps to ensure that personal data which are inaccurate in relation to the purposes for which they are processed are promptly deleted or rectified.
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
  • Processed in such a way as to ensure appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures.

Appropriate technical or organizational security measures shall be implemented both at the time of determining the means of processing and at the time of the processing itself, in line with the principle of data protection by design. The aforementioned measures shall also be implemented with a view to ensuring that, by default, only those personal data are processed which are necessary for each of the specific purposes of the processing and in particular that the personal data are not accessible, without the intervention of the individual, to an undetermined number of natural persons.

For what purposes do we process your personal data?

The ultimate purpose underlying the processing of personal data that we perform is the fulfillment of one of the functions, at the service of society, entrusted to us by Organic Law 6/2001 on Universities in relation to the provision of the fundamental public service of higher education.

For each processing activity that we carry out, we establish the specific purpose to be achieved and communicate it to the person concerned at the time their personal data are collected. Likewise, the purposes of each processing activity are recorded in the Register of Personal Data Processing Activities.

Is the processing of your personal data by UPM lawful?

Each processing of personal data that we carry out meets at least one of the conditions set forth in Article 6 of the GDPR in order to be considered legitimate. This basis of legitimacy for each processing is expressly contemplated in our Register of Personal Data Processing Activities, and consists in most cases in its necessity for compliance with a legal obligation or a mission carried out in the public interest or in the exercise of public powers vested in the UPM. Other conditions for considering our processing operations lawful are also envisaged, such as the data subject’s consent; the necessity of the processing for the performance of a contract to which the data subject is a party or for the implementation at his or her request of pre-contractual measures; the protection of vital interests or the satisfaction of legitimate interests.

Where processing is based on your consent, and in application of the principle of proactive accountability, UPM must be able to demonstrate that you consented to such processing. Consent is defined in the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

If consent is to be given in the context of a written statement that also relates to other matters, we will present our request for consent to you in a way that is clearly distinguishable from the other matters, in an intelligible and easily accessible form and using clear and plain language. Any part of the statement that constitutes a breach of the GDPR will not be binding.

To which recipients may we disclose your personal data?

There are cases of processing activities in which UPM must communicate personal data to different Institutions, Organizations or Entities, public or private, in compliance with any legal provision or due to the fact that the recipient of the data has the status of data processor. Within the scope of certain processing operations, the possibility of international data transfers is also contemplated with the appropriate guarantees provided for by law.

In any case, these possible communications and/or international transfers of personal data (also generically referred to as data transfers) are indicated in our Register of Processing Activities, providing the person concerned with all the information relating to this matter at the time when their personal data are obtained.

In processing operations where voluntary transfers of your personal data are foreseen, we will inform you of this possibility so that you can decide whether or not to give your consent to the proposed transfer of data.

How long will we keep your personal data?

In accordance with Article 5.1.e) of the GDPR, we will keep your personal data for no longer than is necessary for the purposes of the processing and for determining any liability that may arise from that purpose. We may keep them for longer periods if this is provided for in any specific regulation or provided that they are processed exclusively for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, committing ourselves to apply, in these cases, the appropriate technical and organizational measures in order to protect your rights and freedoms.

Prior to the collection of your personal data, we will inform you of the period during which the data will be kept or, when it is not possible to specify it, of the criteria that will be used to determine such period.

What are your rights regarding the personal data provided?

Under the terms and with the limitations set out in Chapter III of the GDPR, you have the right to:

  • Be informed about the processing of your personal data at the time they are obtained.
  • Obtain confirmation of whether or not your personal data is being processed and, if so, the right of access to them.
  • Obtain, without undue delay, the rectification of inaccurate personal data or the completion of incomplete data.
  • Obtain without undue delay the deletion of your personal data.
  • Obtain the limitation of the processing of your personal data.
  • Obtain the portability of your personal data with the limitations provided for in Article 20 of the GDPR.
  • Oppose the processing of your personal data.
  • Not be subject to an individual decision based solely on automated processing of your personal data, including profiling, which produces legal effects on you or significantly affects you in a similar way, except in legally permissible cases.

In accordance with Article 19 of the GDPR, we undertake to communicate any rectification or erasure of personal data or restriction of processing to each of the recipients to whom the data has been communicated, unless this is impossible or would require a disproportionate effort.

How can you exercise your rights in relation to the personal data provided?

You can obtain more information about each processing and how to exercise your rights in relation to your personal data, through the contact details provided in the information corresponding to each processing activity.

You can also consult and/or exercise your rights in this area by contacting the Data Delegate designated by UPM, through the e-mail address:

In the event that you do not obtain satisfaction in the exercise of your rights, you may file a complaint with the Spanish Data Protection Agency:

Is the UPM Privacy Policy reviewed and updated?

UPM will periodically review its data protection policy and, when necessary, adapt it to any changes in the current regulatory framework in this area.

The present update of these main aspects of our Privacy Policy was approved on September 27, 2018.