Skip to main content

Legal notice

Data Protection Policy

“Proxecto Nós” is a project from the Regional Government of Galicia which was entrusted to the CiTIUS (literally in English, “Singular Centre for Research in Intelligent Technologies”) and the ILG (literally in English, the “Galician Language Institute”). Both institutions belong to the University of Santiago de Compostela (hereinafter USC), which protects and guarantees the fundamental right to data protection and is particularly sensitive to safeguarding the privacy of individuals. Data processing is carried out in accordance with the European Union Regulation 2016/679 of 27th of April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and with the Spanish "Ley Orgánica 3/2018 de 5 de Diciembre de Protección de Datos Personales y garantía de los derechos digitales." Thus, this treatment responds to the principles of lawfulness, loyalty, transparency, purpose limitation, data minimisation, accuracy, limitation of conservation, integrity, confidentiality and proactive responsibility. 

The register of data processing activities carried out by the USC can be consulted at 

In any case, the USC will maintain a dynamic understanding of this matter in order to adapt to new developments, whether in regulations, jurisprudence, decisions of the supervisory authorities or practices in this field. This may make it advisable to modify this privacy and data protection policy, which will be communicated in due course. 


The overall responsible of data processing is the University of Santiago de Compostela, domiciled for these purposes at the Rectorado de la USC, Praza do Obradoiro s/n, 15782- Santiago de Compostela (Spain). The telephone number is 881811000. Informal online contact can be established through

Specific applications must be made through the USC's "Sede Electrónica" through

The USC, as the overall responsible, is embodied, depending on the particular processing, in the General Secretariat, in the Vice-rectorates or in the Directorate, as it appears in the particular information of each data processing operation. 

Data Protection Officer 

The data protection officer is Marcos Almeida Cerreda, and his email account is dpd [at] (dpd[at]usc[dot]es) 

Basis of legitimacy 

The main legitimacy for USC's processing is the provision of the public service of higher education. The consent given by the data subjects may also be the basis for processing in those cases where they so authorise. 

In other processing operations, the basis of legitimacy is the need to conclude contracts, to comply with certain legal provisions, or to carry out a task undertaken in public interest or in the exercise of official authority. All these conditions follow Article 6.1 of the European Regulation. 

Purposes of the processing 

The purpose of the processing of personal data by the USC is the fulfilment of its obligations and responsibilities in the field of teaching, study and research, including the management of the administrative services of a public university administration and the management of requests for information and actions of an academic nature and institutional dissemination. Each specific processing operation specifies these purposes. 

Source, use and data retention 

The source of the personal data is the data subjects themselves, obtained through various means, such as applications, forms and digital or physical questionnaires. For this, the expression of consent will be free, specific, informed and unequivocal. In some cases the data is obtained from other educational administrations. 

The processing of special categories of data will be carried out taking into account the specific data protection measures in Article 9 of the European Regulation. 

Exceptions and transfers of personal data may be made on an exceptional basis in the framework of university exchange and academic collaboration programmes, as well as to public administrations with educational authority. In any case, transfers shall comply with the provisions of articles 44 et seq. of the European Regulation. Likewise, in accordance with the regulations, data will be transferred to the overall responsibles and in the event of legal obligations. 

The data may also be used for statistical or incident management purposes and, preferably pseudonymised, for research purposes. 

Personal data provided will be kept for as long as the purpose for which it was collected is carried out, or as long as necessary to comply with legal obligations. Once the purpose has been fulfilled, the data will be blocked until the applicable statute of limitations has expired. 


Data subjects have the right to transparency of information, access to their personal data, rectification of inaccurate data, erasure where possible, restriction of processing, portability, objection, the right not to be subject to a decision based solely on automated processing which significantly affects them, the right to withdraw consent at any time and the right to lodge a complaint with the Spanish Data Protection Agency. These rights may be exercised before the data controller, after identification of the applicant through the USC Electronic Headquarters. The USC will facilitate their exercise by means of an electronic form at

In addition, the interested parties also have rights that give access to administrative and judicial means of guarantee, provided for in the legal system for this purpose. 


The USC proactively adopts all the technical and organisational measures necessary to guarantee the processing of data and the privacy of individuals. It thus assumes a total commitment to guaranteeing fundamental rights, which includes data protection by design and by default. 

Thus in accordance with Article 32 of the European Regulation these security measures will include pseudonymisation and encryption of personal data, the ability to ensure the confidentiality, integrity, availability and ongoing resilience of processing systems and services, the ability to promptly restore the availability of and access to personal data in the event of an incident and a process of regular verification, evaluation and assessment of the effectiveness of technical and organisational measures. 

These measures comply with the legally established obligations, taking into account the state of the art, the costs of implementation, and the nature, context and purposes of the processing. The specific risks in terms of severity and likelihood that each type of processing poses to the rights and freedoms of individuals must also be taken into account. 

Breaches of security of personal data shall be reported to the supervisory authority and, where appropriate, to the data subjects in accordance with Article 34 of the European Regulation. 

The USC provides a communication channel for data protection incidents at