This Privacy Policy explains how Nebrija University processes your personal data and protects your privacy and the information you provide.

Below, you will find the key information about how we handle personal data, organized in a question-and-answer format.

Who is responsible for processing your data?

Entity: Universidad Antonio de Nebrija, hereinafter “Nebrija University”
Registered office: Life Sciences Campus, La Berzosa, 28248 Hoyo de Manzanares, Madrid, Spain
Phone: +34 91 452 11 00
Email: lopd@nebrija.es

Who is the Data Protection Officer and how can they help you?

The Data Protection Officer, or DPO, is legally responsible for advising the University on its data protection obligations and monitoring compliance with applicable regulations.

The DPO also acts as the point of contact for any questions, concerns, or requests related to the processing of personal data.

You may contact the DPO at: DPO@nebrija.es

Why do we process your personal data?

We process the personal data you provide in order to manage requests related to doctoral studies, including:

• Applications for admission to doctoral programs
• Requests to formalize co-supervision agreements for doctoral theses
• Supervision and monitoring commitments related to doctoral research
• Temporary withdrawal requests
• Requests for extensions to submit doctoral theses
• Requests to submit a thesis as a compilation of publications
• Waivers from co-authors whose work is included in a thesis
• Annual renewal requests related to predoctoral contracts
• Submission and defense of doctoral theses
• Confidentiality requests for doctoral theses
• Communication or assignment licenses for doctoral theses
• Fee exemption requests
• Applications for predoctoral contract funding
• Participation in predoctoral contract calls and assessment of candidate merits
• Funding requests for short research stays
• Scholarship and grant applications
• Requests for academic equivalence at doctoral level
• Extraordinary Doctorate Award applications
• Academic services and any other request related to doctoral studies

Providing the requested data is necessary in order to process the relevant request. Without it, the University may not be able to manage the application or service.

How long will we keep your data?

We retain your personal data only for as long as necessary to fulfill the purpose for which it was collected, comply with legal obligations, and address any potential liabilities.

Data related to doctoral students will be kept throughout the doctoral studies and, afterward, for the period required by applicable law or until any possible liabilities arising from the relationship with the doctoral student or doctor have expired.

Data related to doctoral program coordinators, tribunal members, thesis supervisors, and members of the Doctoral School will be kept for as long as their contractual relationship with the University remains in effect. Once that relationship ends, the data may be retained for the legally required period and until any related liabilities have expired.

What is the legal basis for processing your data?

The legal basis for processing your data is the performance of the contractual relationship between the doctoral student or doctor and Nebrija University, as well as the adoption of pre-contractual measures.

This legal basis also applies to the processing of data belonging to doctoral program coordinators, tribunal members, thesis supervisors, and members of the Doctoral School when their data is processed for the purposes described above.

Who may receive your data?

Your data may be shared with:

• Competent public authorities, including courts and tribunals, where required by law
• Financial institutions involved in payment management, where awards, scholarships, or grants are processed
• The University website, where applicants or recipients of awards, grants, research stays, or similar calls may be published for transparency purposes
• Public repositories or platforms where doctoral theses may be published in accordance with applicable regulations, including Royal Decree 99/2011

Third-party service providers may also access your data when acting on behalf of the University. These providers process the data strictly under our instructions, may not use it for other purposes, and are required to maintain full confidentiality and comply with applicable data protection regulations.

What rights do you have regarding your personal data?

You have the right to know whether Nebrija University is processing your personal data.

You may also request:

• Access to your personal data
• Correction of inaccurate data
• Deletion of your data when it is no longer necessary
• Restriction of processing
• Data portability
• Objection to processing in certain circumstances
• Withdrawal of consent, where processing is based on consent
• Not to be subject to decisions based solely on automated processing, where applicable

You may exercise these rights free of charge, unless the request is clearly unfounded or excessive.

Requests will generally be answered within one month. This period may be extended by two additional months when necessary due to the complexity or number of requests.

You can exercise your rights through the contact details listed above or by using the forms available at:

https://www.nebrija.com/general/formularios.php

You must provide proof of identity, such as a copy of your ID card, passport, or equivalent document. If a representative acts on your behalf, documentation proving their authority must also be provided.

If you believe your rights have been violated, especially if you are not satisfied with the response received, you may file a complaint with the Spanish Data Protection Authority at:

www.aepd.es

How do we protect your personal data?

Nebrija University is strongly committed to protecting the personal data it processes.

We apply appropriate physical, organizational, and technological measures designed to preserve the integrity, security, and confidentiality of your data.

All personnel with access to personal data receive appropriate training and are aware of their obligations regarding data protection.

Our contracts with service providers include confidentiality obligations and require them to implement technical and organizational security measures to ensure the confidentiality, integrity, availability, and resilience of data processing systems and services.

These measures are reviewed periodically to ensure they remain appropriate and effective.

However, no security system can be guaranteed to be completely impenetrable. If personal data under our control is compromised due to a security breach, we will take appropriate steps to investigate the incident, notify the supervisory authority, and, where required, inform affected individuals so they can take appropriate measures.

What are your responsibilities as a data subject?

By providing personal data, you confirm that you are over 14 years of age and that the information provided is accurate, complete, truthful, and up to date.

You are responsible for ensuring that the data you provide reflects your current situation and for any false or inaccurate information submitted, as well as for any direct or indirect damages that may result.

If you provide personal data belonging to third parties, you are responsible for informing them in advance of the matters set out in Article 14 of the General Data Protection Regulation.