Skip to content



Data Privacy Policy – GDPR

This document explains the data protection policy of the Instituto Químico de Sarriá CETS Fundación Privada and its associated entities (IQS Tech Transfer SA and the IQS Business Foundation). It is based upon the principles of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation). We fully embrace the spirit of this European Regulation in strengthening rights and giving greater guarantees to individuals regarding the processing of their data. This objective fully coincides with our aim to constantly improve our educational services. This document summarizes the fundamental aspects of our data protection policy.

  • Who is the personal data controller?
  • What role does the Data Protection Officer have?
  • For what purposes do we process your data?
  • What are the legal grounds for the processing of your data?
  • To whom is your data disclosed?
  • How long do we store your data?
  • What rights do data subjects have regarding the data we process?
  • How can you exercise or defend your rights?
  • Specific data protection policies.

Who is the personal data controller?

The Data Controller is the Instituto Químico de Sarriá CETS Fundación Privada (IQS), with registered office at Via Augusta, 390, 08017, Barcelona, TIN G58022849, tel. (+34) 93 267 20 00, email, registered in the Government of Catalonia Foundations Registry under number 88.

IQS has created the following institutions that complement its services and operations. These institutions include:

  • IQS Tech Transfer SA, TIN A58010901, with registered office at Vía Augusta 390, 08017, Barcelona, Spain, email address, and telephone number (+34) 93 267 20 00.
  • IQS Business Foundation, TIN G08283459, with registered office at Vía Augusta 390, 08017, Barcelona, Spain, email address, and telephone number (+34) 93 267 20 00.

IQS is a higher education institution and a founding member of Ramon Llull University.

What role does the Data Protection Officer have?

The Data Protection Officer (DPO) is the person who oversees compliance with our data protection policy, ensuring that data are processed properly and protecting the rights of data subjects. The DPO’s duties include responding to the questions, suggestions, complaints, or claims of data subjects. All three institutions share the same Data Protection Officer, who can be contacted by writing our postal address, calling by telephone, or emailing

For what purposes do we process your data?

We process personal data proportionally, always considering the rights of data subjects. In all cases, this means that we process the data that are adequate, relevant, and limited in relation to the purposes for which they are processed. We solely process the data necessary to enable us to provide the educational services that are part of our mission. In some cases, further data may be requested, such as when we seek opinions or ratings of our services. The responses are processed statistically and not associated with the identifying data of the individual responding.

IQS processes personal data primarily for the following purposes:

  1. Teaching, workforce participation, and supporting business activities.
  2. Administrative, economic, and commercial management.
  3. Responding to inquiries and requests.
  4. Carrying out quality control regarding our activities, products, and services.
  5. Sending personal communications and newsletters about activities, products, and services.
  6. Conducting opinion surveys to participate in rankings and compile statistics.
  7. Complying with regulations on the prevention of money laundering and terrorist financing.

The data received will not be used for any purpose that is inconsistent with the purposes listed above.

What are the main purposes of data processing?

Academic administration. IQS stores the data of individuals who pre-register and subsequently formalize their enrolment to make a record of this and to provide higher education academic services on that basis. The data provided and data from academic records enable us to review and evaluate applications. The most relevant data processing is our handling of a student’s academic record. Student data are also used for administrative purposes, to identify them as users of the services, to enable them to access these services, to send them relevant information, to process and issue degrees, and to track workforce participation (more information about this processing and purpose).

Contact. We process data to respond to inquiries from people who use the contact forms on our website. Data are only used to send information related to this purpose.

Personnel selection. We collect and store the curricula vitae sent to us by individuals interested in working with us. We also process personal data during personnel selection processes in order to analyse the suitability of a candidate’s profile based on job openings or newly created positions. Our policy is to store the data of individuals who do not end up being hired by us for a maximum period of one year in case a new job opening or a new position matching their profile is created in the short term. However, in the latter case, we immediately delete the data if a data subject requests that we do so.

Information on activities and services. With explicit authorization from each student, we use their contact data to send information about our services and activities once they have graduated. We also send students information, with their authorization, about activities or services of other institutions in our group. Such information is also sent to individuals who request it, even if they have not enrolled at IQS.

Customer service. We register new customers who pay for our services and process the additional data that may be generated as a result of the business relationship with these customers. In the contracting process, essential data are requested, which must include bank details (checking account or credit card number) that will be communicated to banking entities that handle payments (data can only be used for this purpose). This relationship involves other processing, such as incorporating data into accounting and invoicing or sending information to the tax authorities.

Information for our customers. As long as there is a contractual relationship with our clients, we use their contact information to share information related to this relationship. Such information may also be sent once the contractual relationship has ended if the client has agreed to receive it.

Data processing of our suppliers. We store and process the data of the suppliers from whom we obtain services or goods. This can include data on individuals who are self-employed as well as data on representatives of legal entities. We obtain the essential data to maintain the commercial relationship. We use the data solely for the purposes inherent to this type of relationship.

Video surveillance. When accessing our facilities, individuals are informed, where appropriate, of the existence of video surveillance cameras through approved signs. The cameras record images only at the points in which doing so is justified to ensure the safety of people and property and the images are used only for this purpose.

Users of our website. The browsing system and the software that enables the operation of our website compiles data that are generally produced when using internet protocols. This data category includes, among others, the IP address or domain name of the computer used by the party accessing our website. This information is not associated with specific users and is used for the sole purpose of obtaining statistical information on the use of the website. Our website uses cookies that facilitate browsing and provide us with information about our users and their interests (more information about the cookies policy).

Other data collection channels. We also obtain data through face-to-face relationships and other channels such as receiving emails, participation on our blogs with comments, signing up to the blog, or through our profiles on social networks. In all cases, the data are intended only for the purposes related to those justifying their collection and processing.

How do we obtain your data?

The previous section refers to some of the origins of the data that we process. In most cases, data come directly from the data subjects, and we obtain them mainly through the forms provided for this purpose. We also obtain data during open houses, in the information sessions that we hold at educational centres, and through participation in fairs where we present the services we offer.

To support our relationship with students, teachers, and service providers, other data are generated that are incorporated into IQS systems.

A more limited volume of data may come from public higher education authorities or from other academic institutions.

What are the legal grounds for the processing of your data?

The data processing we carry out has different legal grounds depending on the nature of the processing. We classify the main data processing that we carry out pursuant to the lawfulness of processing established in Article 6.1 of the General Data Protection Regulation.

To provide educational services. Once admitted, our students obtain educational services from IQS. Providing services to students constitutes a contractual relationship, with each party being bound to certain obligations, the student’s right to receive a good education, and the right and obligation of IQS to process their data. The legal grounds for this processing are established in Organic Law 6/2001, of 23 December, on Universities, and in Law 1/2003, of 19 February, on universities in Catalonia, and their implementing regulations.

To fulfil a pre-contractual relationship. This is the case of data from data subjects interested in the educational offer at IQS. For other reasons but with similar legal grounds, we process the data of potential clients or suppliers with whom we have a relationship prior to the formalization of a contractual relationship. This is also the case for the data processing of individuals who have sent us their curriculum vitae or who participate in selection processes.

To fulfil a contractual relationship. This involves relationships with our clients and suppliers and any processing and use of the data that these business relationships entail.

To comply with legal obligations. Providing higher education services means that we must comply with various standards that involve data processing. In this sense, IQS communicates the data of its students with the Ramon Llull University Foundation for the degree recognition and issuance procedures corresponding to the studies taken. To comply with legal obligations (tax regulations), we also communicate data to the tax authorities. Communicating data to judicial bodies or security forces and bodies if we were required to do so would also fall under compliance with legal obligations.

Based on consent. We use contact information with explicit consent from the party who will receive it when we send information about our activities or services. We also obtain consent for obtaining data from individuals who browse our website, which may be revoked at any time by uninstalling cookies.

Legitimate interest. The images we obtain with video surveillance cameras are processed in the legitimate interest of our institution to safeguard our property and facilities. Our legitimate interest also justifies the processing of data we obtain from contact forms, as well as data from individuals who register to comment on the blog.

To whom is your data disclosed?

As a general standard, we only disclose data to comply with legal obligations. In the above sections, we have explained the transmission of data in communications with our students, necessary to enable the provision of educational services, and with our clients and suppliers, in supporting economic and commercial relationships. Student contact data may be communicated to other institutions in our group provided that the student has authorized it.

Data transfers are made beyond the European Union (international transfers) to handle international student mobility and to respond to job offers from non-European companies. In both cases, the processing is based upon the student’s consent.

Likewise, we contract the services of companies or individuals who provide us with experience and specialization for certain tasks, for which personal data must be accessed at times. Pursuant to the terms in the General Data Protection Regulation, this is not a data transfer, but a processing of data. Services are only contracted with companies that guarantee compliance with these regulations. Their confidentiality obligations are formalized when the contract is drawn up and their performance is monitored. This may apply to data hosting services on servers, computer support services, or legal, accounting, or tax consultancies. Detailed information on the identity of these companies can be obtained by emailing

How long do we store your data?

The data storage time is determined by different factors. Data storage times are primarily affected by the fact that the data are still necessary to meet the purposes for which they have been collected in each case. Secondly, they are stored in view of IQS’s potential data processing responsibilities and to comply with any demand from public authorities or judicial bodies.

Consequently, the data will be stored for the time necessary to preserve their legal or informational value and to prove compliance with legal obligations, but not for a period longer than necessary for the purposes of the processing (“storage limitation” requirement in the General Data Protection Regulation). Regarding information that accredits the education received by students, the data are stored permanently to preserve their rights.

In certain cases, such as data contained in accounting and invoicing documentation, tax regulations require the data to be stored until the statute of limitations for these responsibilities expires. The regulations governing foundations specify that certain accounting data shall be stored for ten years (pursuant to Law 10/2010, of 28 April).

Regarding data that are processed exclusively based on the consent of the data subject, they are kept until the data subject withdraws consent.

Finally, images obtained by video surveillance cameras are stored for a maximum of one month. However, in the case of justifying incidents, data will be stored for the time necessary to facilitate action by security forces and bodies or judicial bodies.

The regulations governing the storage of public documentation, and the rulings of examination boards, are a determining reference when deciding to store or erase data.

What rights do data subjects have regarding the data we process?

Pursuant to the General Data Protection Regulation, the data subjects whose data we process have the following rights:

To be informed if their data are being processed. Everyone is entitled to know if we are processing their data, regardless of whether a relationship has been established beforehand.

To be informed when data are collected. When personal data are collected from a data subject, they must be given clear information about the purposes for which the data will be used, who will be the controller of the processing, and the main aspects derived from this processing.

To access. The right to access is broad, including knowing precisely what personal data is subject to processing, what is the purpose for which it is processed, disclosures to other parties that will be made (if any), the right to obtain a copy, or the right to know the envisaged storage period.

To request rectification. This is the right to rectify inaccurate data that may be processed by us.

To request erasure. In certain circumstances, data subjects can request the erasure of their data when, among other reasons, the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

To request the restriction of processing. In certain circumstances, the right to request the restriction of data processing is also recognized. In this case, data will no longer be processed and shall only be stored for the exercise or defence of claims, in accordance with the General Data Protection Regulation.

Portability. In the cases established in the General Data Protection Regulation, data subjects have the right to obtain the data concerning them in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller should the data subject so decide.

To object to the processing. A data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them to the extent or degree to which they may be harmful, except for the exercise or defence of legal claims.

To not receive information. We immediately respond to requests from data subjects no longer wishing to continue receiving information about our activities and services when sending such information was based solely on the consent of the data subject who is the recipient.

How can you exercise or defend your rights?

The rights listed above can be exercised by addressing IQS at our postal address or through the other contact information indicated above.

If a data subject has not obtained a satisfactory response in exercising their rights, they may lodge a complaint with the Catalan Data Protection Authority through the forms or other channels accessible on its website (

In all cases, whether to lodge complaints, request clarifications, or make suggestions, our Data Protection Officer can be contacted by email at