Privacy Policy


The Universidad Politécnica de Madrid (UPM) is an institution that is fully committed to the respect of fundamental rights and public freedoms.

The entry into force of Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on Personal Data Protection and Guarantee of Digital Rights (GDPR) on 25 May 2018 was an important step forward with respect to the recognition of everybody’s right to the protection of their personal data, and it gives us occasion to update our privacy policy and inform you of its key points as follows:

Who is responsible for your personal data processing?

At the UPM, we are responsible for any personal data that we process and undertake to publish and regularly update a Personal Data Processing Register including the information specified in Article 30 of the GDPR.

How are your personal data processed at the UPM?

At the UPM, we ensure that your personal data are processed in strict compliance with the obligations arising out of the applicable regulations on data protection with a policy that is underpinned by the principle of proactive responsibility set out in the GDPR. Based on this commitment, your personal data will be:

  • Processed legally, lawfully and transparently.
  • Collected for definite, specified and legitimate purposes and will not be processed later on for other incompatible purposes.
  • Appropriate, applicable and limited to what is necessary for the purposes for which they are processed.
  • Accurate and, if necessary, updated, taking all reasonable measures to assure that any personal data that are unsuitable for the data processing purposes are deleted or rectified without delay.
  • Kept in such a manner that the interested parties can be identified for no longer than is strictly necessary for the data processing purposes.
  • Processed in such a manner as to guarantee appropriate security, including the application of adequate technical or organizational measures to protect against unauthorized or illicit processing and against their accidental loss, destruction or harm.

Adequate technical or organizational security measures will be applied both when determining how the data are to be processed and during the processing itself, in accordance with the data protection by design principle. Similarly, the abovementioned measures will be applied with a view to guaranteeing that, by default, only the personal data that are strictly necessary for each specific purpose are processed and, particularly, that access to personal data is not granted to an indiscriminate number of persons without human intervention.

For which purposes do we process your personal data?

The ultimate aim underlying personal data processing at UPM would be to comply with any of the functions at the service of society with which we are entrusted under the Universities Law 6/2001 concerning the provision of the essential public higher education service.

All data are processed for a specific purpose, which is established and disclosed to the interested party during personal data collection. Additionally, all data processing purposes are set out in the Personal Data Processing Activities Register.

Is the UPM’s personal data processing system lawful?

Every time we process personal data, we satisfy at least one of the conditions stipulated in Article 6 of the GDPR for data processing to be considered legitimate. Our Personal Data Processing Activities Register expressly sets out the legitimate basis for each data processing activity, which, in most cases, is that the processing is necessary to comply with a legal obligation or a mission in the public interest or the exercise of public powers conferred on the UPM. Other conditions that render personal data processing lawful are also provided for, including consent by the interested party, the performance of a contract of which the interested party is a signatory or the application of pre-contractual measures at the interested party’s request that require data processing, the protection of vital interests or the satisfaction of legitimate interests.

Pursuant to the principle of proactive responsibility, the UPM must be able to demonstrate, where processing is based on consent, that you agreed to your data being processed. Consent is defined in the GDPR as “any manifestation of free, specific, informed and unambiguous will by which the data subject accepts, by a declaration or by a clear positive act, that personal data relating to him or her may be processed.”

Were you to give your consent as part of a written declaration that also refers to other issues, our request for consent will be formulated intelligibly and straightforwardly using plain and simple language in such a manner that it is clearly distinguishable from the other issues. If any part of the declaration constitutes a breach of the GDPR, it will not be binding.

Which recipients can we disclose your personal data to?

Some processing activities require the UPM to disclose personal data to different public or private institutions, authorities or organizations to comply with legal provisions or because the recipient is the data controller. The possibility of international data transfer is also provided for within some specific processing activities, subject to the legally stipulated guarantees.

In any case, any potential international personal data disclosures and/or transfers (referred to generally as data disclosures) are stipulated in our Data Processing Activities Register, and the interested party is given all the information in this regard when his or her personal data are collected.

Where data processing provides for the possibility of voluntary data disclosure, you will be informed of this option so that you can decide on whether or not you give your consent to the proposed data disclosure.

How long will we keep your data for?

In compliance with Article 5.1.e) of the GDPR, we will not keep your personal data for any longer than is necessary for the purposes for which they were processed or than it takes to determine any responsibilities that may ensue. We may keep them for longer periods if there are any specific regulations to this effect or whenever they are processed exclusively for archiving in the public interest, for scientific or historical research or for statistical purposes, whereby we undertake to apply the appropriate technical and organizational measures to protect your rights and freedoms.

Before collecting your data, we will inform you of the period during which they will be kept or, failing this, the criteria that will be used to determine the abovementioned period.

What are your rights with respect to the personal data provided?

Under the terms and subject to the constraints established in Chapter III of the GDPR, you are entitled to:

  • Be informed of how your data will be processed at the time they are collected.
  • Be given confirmation of whether or not your personal data are being processed and, if so, be granted access to the data.
  • Get, without undue delay, any inaccurate personal data rectified, or any missing personal data added.
  • Get, without undue delay, your personal data deleted.
  • Get data processing constraints applied.
  • Get personal data portability subject to the constraints provided in Article 20 of the GDPR.
  • Object to your personal data being processed.
  • Not be subject to a single decision based exclusively on automated personal data processing, including profiling, which may have legal or similarly significant effects, save in legally authorized cases.

In compliance with Article 19 of the GDPR, we undertake to notify each of the recipients to which your data have been disclosed of any rectification or deletion of personal data or of any processing constraint, unless this is impossible or requires disproportionate effort.

How can you exercise your rights concerning the personal data that you have provided?

You can get more information about data processing and how to exercise your rights with respect to your personal data through the contact details that are provided in the information concerning each processing activity.

You can also query and/or exercise your rights in this respect by contacting the  Data Delegate appointed by the UPM at the following email address:  @ 

Should you not be able to satisfactorily exercise your rights, you are entitled to  submit a complaint to the Spanish Data Protection Agency:

Is the UPM’s privacy policy revised and updated?

The UPM will revise its data protection policy on a regular basis and whenever it is necessary to adapt it to any modification of the applicable regulatory framework that is in force.

This version of the highlights of our privacy policy was approved on 27 September 2018.