The purpose of this guideline is to define the responsibilities of IESE staff regarding the use of IT services, corporate information and the processing of personal data contained therein, so that all users are aware of and consent to the purposes of use and the restrictions of IT services.
‘IT services’ are understood to be all information technology services (computers, tablets, smartphones, multifunction printers, photocopiers, peripherals, associated components and data storage media), any associated software (operating systems, system software and specific applications) and online services (emails, directories, Internet, Intranet, cloud services, videoconferences, audio, videos and similar elements).
All the IT services, as well as the information they contain, are the property of IESE and are intended to support the teaching, research and administrative tasks necessary for the operation of the school. IT services are considered an extremely valuable asset which must be protected and used in an appropriate way. Only users explicitly authorised by the company’s management are allowed to use these services.
Access and use of the IT services implies the full and unreserved acceptance of the terms and conditions of use of these services.
All the information to which users have access for the fulfilment of their employment obligations, as well as the IT services that contain said information, are the exclusive property of IESE, and shall be physically returned upon completion of the employment or business contracts with the school.
The staff member agrees to ensure, at all times, the confidentiality of all the information to which they have access, and, consequently, undertakes not to disclose to third parties or to publicly disclose, whether during their professional relationship with IESE or upon expiration or termination of it for any reason, any information relating to personal data, academic records, contracts, technical procedures, specifications, processes, computer programs, data, or technical, commercial or financial information pertaining to IESE to which they may have access during the employment relationship established between the parties.
The disclosure of any confidential information or breach of any of the security measures contained in this document may be deemed a criminal offence, with the employee being liable for any damages arising from their fraudulent or negligent safeguarding or disclosure of information.
IESE guarantees compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) to all data subjects, as well as the implementation of all necessary security measures, which guarantee its confidentiality and integrity.
In addition, the GDPR establishes the obligation to implement the necessary measures so that all staff members are aware of the security rules which affect their jobs, as well as the consequences which could arise from their non-compliance.
Below is the information clause for the processing of personal data for IESE workers and staff members, as well as the main security obligations regarding personal data and the terms and conditions of use of the services (both general and service-specific).
For a more detailed description of the use of a specific service, please consult the user guides available in the IT Services section of the IESE Intranet.
Information clause for the processing of personal data
DATA CONTROLLER: IESE Universidad de Navarra (R-3168001J), Avenida Pearson 21, 08034 Barcelona.
PURPOSES: To manage the employment relationship with the staff member and the payment of salaries. Occupational risk prevention. Training. To assess, track and monitor the development of professional activities. Access and on-site controls. To record image and/or sound for internal publication in the staff directory, as well as on the website and social media profiles or other communication media to promote IESE services and activities and to keep a historic photographic archive. To send internal messages about IESE, activities and events.
LAWFUL BASIS: Collective Agreement and Workers’ Statute. Fulfilment of the employment contract. Consent of the staff member to have their photograph taken and published. Legitimate interest in keeping a historic photographic archive.
RECIPIENTS: IESE centres for the purposes of organisation and management of activities. Public entities and banking institutions for employment management and payment of salaries. Occupational social security companies, insurance companies and occupational risk prevention companies. Any institutions, customers and suppliers required to identify staff members. Training providers and companies processing tax allowances with the National Employment Foundation. Non-core services.
RETENTION: Data shall be retained for the duration of the employment contract and, upon completion, shall be kept blocked on file for the legally established time in order to respond to any possible liabilities. The company shall retain, on the basis of a clear legal interest, the names and surnames, job positions and dates as a historical log of staff members, and their images in the IESE historical archive.
RIGHTS: Every staff member has the right to request access, rectification, erasure, objection, restriction and portability of their data, by writing to their human resource manager or emailing the Data Protection Officer on InfoDat@iese.edu, indicating the specific processing and the right that they wish to exercise. In the event of any disagreement with the company regarding the processing of their data, employees may lodge a complaint with the Data Protection Authority (www.agpd.es).
Functions and duties of staff members with access to personal data
Personal data is any numerical, alphabetical, graphic, photographic, acoustic or other information concerning identified or identifiable individuals, for example: name and surname, address, telephone number, email, date and place of birth, ID number, photographs, videos, audio, physical descriptions, employment and training details (CV details, academic qualifications, tests and examinations in which the author may be identified, etc.), healthcare-related data, bank details, etc.
General rules
1. Staff members who have access to personal data are bound by professional secrecy, even after the employment or business relationship has ended.
2. Access only the personal data which you are authorised to access in order to perform your job or, as the case may be, sales functions.
3. Lock the door, if you work in an office, at the end of the working day, or when you are temporarily absent, in order to prevent unauthorised access.
4. Take appropriate care of keys to offices, as well as to cupboards, filing cabinets or other elements which may contain forms or documents containing personal data.
5. Do not use personal data to which you have access for private purposes or for purposes unrelated to your role in the company. It is strictly forbidden to make copies of any type of file for private use.
6. Comply with the prohibition to disclose personal data or to share documents containing personal data with IESE staff members without authorised access or with external collaborators.
7. Exercise caution when using printers, photocopiers or fax machines to ensure that there are no documents containing personal data. Any documents found on such machines and which do not belong to you are confidential.
8. Deal with any request for access, rectification, erasure, objection, restriction and portability of personal data made by any data subject, and report it to InfoDat@iese.edu.
9. Report any incident which may affect the security of data, both on computers and on paper, to your manager and to the Data Protection Officer via the email address InfoDat@iese.edu. Your knowledge of and failure to report an incident may be considered a personal data security breach by the user.
10. The user is liable for the accuracy and updating of any information and personal data provided to IESE, which is exempt from any liability for its inaccuracy.
11. For any questions or comments about the GDPR, please email the IESE Data Protection Department on InfoDat@iese.edu.
Computer access
1. Choose hard-to-guess passwords and keep them secret.
2. Please make sure that your password:
a. Has a minimum of eight characters.
b. Is different from any of the ten previous passwords.
c. Does not contain part of your first name or surnames.
d. Contains characters from at least three of the following four groups (passwords are case-sensitive):
i. Capital letters, for example: A, B, C…
ii. Lowercase letters, for example: a, b, c…
iii. Numbers, for example: 0, 1, 2, 3…
iv. Non-alphanumeric characters (special characters)
3. Lock your computer and your devices when they are not in your safekeeping.
4. Be vigilant with your computer and devices to prevent unauthorised persons from accessing information about personal data contained in them.
5. Contact the Help Desk in the event of loss, breakdown or theft of your computer or devices. Do not directly contact the supplier or manufacturer.
6. In the event of loss or theft, IESE reserves the right to claim compensation from the user for the value of the equipment.
7. The use of IT services provided by IESE is strictly professional, so personal use is not permitted.
8. When required by the Help Desk, please make your computer and devices available so that necessary maintenance tasks can be performed.
9. Comply with the prohibition to install or use software not authorised by the Help Desk. Check with the Help Desk before installing additional software or hardware on your computers and devices.
10. Observe the legislation on intellectual property which affects contracts on software licences and other materials accessible from the IESE network. It is strictly prohibited to copy software which is not in the public domain or is considered
11. It is not permitted to store specially protected or ‘sensitive’ data in the IT services.
‘Sensitive’ refers to any data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
12. It is strictly forbidden to make copies of personal data on any type of storage medium (smartphones, tablets, USB sticks, external hard drives, DVDs or others) or cloud storage services, unless explicitly authorised by IESE or via Dropbox, following the security guidelines established for their use.
13. As a general rule, users may not use local hard disks of computers for the processing of personal data owned by the company, unless explicitly authorised by the data controller.
14. The security measures included in this document shall also apply to the external use of laptops, tablets, smartphones or other mobile devices provided by IESE.
15. The certainty or suspicion that there has been an incident which may involve a risk to the security of confidential information and personal data, from the perspective of confidentiality, integrity and availability of data (system failures which enable access to unauthorised third parties, loss of information, loss or wrongful seizure of passwords, unprotected computer systems, extraction of information, etc.) shall be reported to the data controller and the Data Protection Officer by sending an email to InfoDat@iese.edu, who shall proceed to record it in the incident log.
16. All measures described shall also apply when accessed remotely from outside the workplace.
17. Only send mail to people who have given their explicit consent to receive it.
Mail includes newsletters, information about IESE events such as meetings, talks, webinars, conferences, etc., as well as information about courses.
18. Only use Salesforce-MKT to send IESE mail, as this controls the consent of data subjects, provides an unsubscribe option and displays all the corresponding legal clauses.
19. Observe the prohibition to send mail via Mail Merge, MailChimp or other tools. If necessary, for any justified reason, explicit authorisation will be required from the Secretary General of IESE and, if granted, please follow the instructions of the Data Protection Officer.
20. Make sure you have received consent to send mail on behalf of IESE to any database contacts which you may rent or buy. If in doubt, please check with the Data Protection Officer.
21. Do not load the databases which you may rent or purchase from Salesforce.
22. Contact the people included in rented or purchased databases personally and direct them to the course, event, etc. website to sign up or request information via the established channels.
23. Include the corresponding legal clause in mail to databases which you may rent or purchase. Check with the Data Protection Officer about which clause should be used.
24. Respect the terms and conditions of use on contacts specified in the contract of any database which you may rent or buy; for example, the time of use of the database, the limit on the amount of mail, etc.
25. If you are authorised to purchase or rent commercial databases, please delete them upon completion of the contract which restricts their use. For example, if you rent a database that authorises you to send only two mails, you must delete it (and not save it) after both mails have been sent out.
26. All IESE mails shall contain an information clause which includes the purpose of the data processing, the postal or electronic address where the data subject’s rights of access, rectification, erasure or objection may be exercised, and the option to unsubscribe from commercial mailing lists. Check with the Data Protection Officer about which clause should be used.
27. All data collection forms shall include a clause informing the data subject about the purpose of collection, the recipients of the collected data and the details required for the data subject to exercise their rights. Check with the Data Protection Officer about which clause should be used.
28. Personal data may not be used for purposes other than those for which it was collected.
29. In emails addressed to several people, your own email address shall be included as the visible recipient, while the other recipients shall be included in the blind copy field (Bcc).
Paper-based access
1. Safeguard and file documents to prevent unauthorised access.
2. Do not throw away documents or papers containing personal data without taking the necessary measures to prevent them from being viewed.
3. Do not reuse documents which contain personal data.
4. It is strictly prohibited to remove documents that contain personal data from IESE facilities without proper authorisation.
General terms and conditions of use of IT services
Passwords
1. For security reasons, there may be maximum expiration periods for passwords.
2. Passwords may be changed via the IESE website (resetpassword.iese.edu), upon entering a username and password.
Exclusivity
1. The accounts which provide access to the IT services have been designed strictly for professional purposes, and are individual and non-transferable. The use of the accounts of these services by third parties, as well as their sale or loan, is completely prohibited.
2. IESE reserves the right to audit the data stored in the IT services for security reasons or for business needs, as well as to retrieve the information stored in the IT services if necessary and for any reason (job termination, temporary leave, holidays, etc.).
Good practice for the use of IT services
1. The user agrees to properly use the content and the IT services in accordance with current legislation, this confidentiality policy and the terms and conditions of use of IT services, thereby avoiding any illegal or harmful action to rights or interests of IESE, or third parties.
2. Any user of IT services undertakes to have an appropriate attitude and to use respectful language in communications with other users, whether in public or private spaces, and not to send or post opinions or content which may be illegal, defamatory, offensive or threatening to the values and dignity of people.
3. Each user of the IT services undertakes to guarantee the confidentiality of private messages received and not to disclose to third parties any data obtained from directories or public spaces of IT services.
Intellectual property
The user acknowledges and accepts that all the industrial and intellectual property rights of the IT services belong to IESE, or to third parties which have been assigned rights. The user is authorised for educational purposes only, and in no way for profit-making purposes. Any other use or exploitation of any rights shall be subject to the prior and express authorisation specifically granted for that purpose by IESE, or the third-party holder of the rights in question.
Compliance with the terms and conditions of use of IT services
1. Access and use of the IT services implies the full and unreserved acceptance of these terms and conditions of use of these services.
2. Failure to comply shall grant IESE the right to deny, withdraw, suspend or block access and use of services.
3. Failure to comply with any of the obligations contained in this document shall entail the legal and employment-related consequences which may occur vis-a-vis IESE, as well as any third party affected as a result of non-compliance.
Specific terms and conditions of use of IT services
IESE email accounts have been designed for a strictly professional and non-transferable use, including accounts for departmental or resource-related use. Their use by third parties inside or outside IESE is strictly forbidden.
The Office 365 email service does not provide backup copies, i.e. there is no possibility of recovering a mailbox in its previous state. Therefore, it is recommended to keep classified messages in folders and delete them selectively.
The use of these services for political, illegal or immoral purposes, or for reasons which may disturb public order, is strictly prohibited. The list of prohibited activities includes, but is not limited to, the following:
- Sending mass unsolicited marketing communications (spam or serial messages), any type of malicious or harmful communication, or software components such as viruses, trojans, etc.
- Disclosing IESE email addresses to third parties without the explicit consent of their owners.
- Ignoring a data controller and a defined policy of use when working with mailing lists. In addition, by default, and to avoid compromised situations of the reception of spam, only messages from authorised users and internal divisions shall be accepted (for example, Human Resources Division, GEO, Help Desk, etc.).
- Creating mailing lists which include external contacts.
- Imitating, substituting or changing the identity of any person or their email address.
- Distributing illegal, defamatory, obscene or threatening materials which violate the privacy of third parties or which may violate intellectual or industrial property rights, or any other right of third parties.
- Storing or saving private emails or any with personal content in IESE mail managers.
- Undertaking any behaviour which directly or indirectly causes or may cause damage, alteration or errors to the proper functioning of IESE email services or technological systems.
- Undertaking any conduct which may violate the provisions contained in current laws, especially those contained in the Criminal Code, Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI, in its Spanish acronym), and the GDPR.
Emails and the Internet may be controlled by the company, so please note that emails may be checked for professional purposes and in order to control the proper use of the resources provided, the perpetration of illegal acts, and the sending of emails of a certain volume over the company’s network.
Inappropriate use or abuse of the email service may result in temporary or permanent deactivation of the account. In this sense, actions may be carried out in the event of incidents which may jeopardise the proper operation of the service.
The deactivation of the account entails the possible elimination of email messages, which at the time are in the server, and the impossibility of receiving new messages until the account is activated again.
Virtual Campus
Virtual Campus accounts have been designed for a strictly personal and non-transferable use. Their use by third parties inside or outside IESE is strictly forbidden.
The Virtual Campus for IESE lecturers and students aims to streamline the exchange of information, documents and communication between the different profiles of the Campus (students, course coordinators, lecturers, etc.), as well as to provide services to students and facilitate contact between members of the IESE community.
Directories and lists of IESE students and employees are designed to facilitate contact between members of the IESE community. Their commercial use is prohibited, as is their transfer to or access by unauthorised third parties.
Access to and processing of photographic material. IESE provides Virtual Campus users with access to the photographic directory of private and home events in which the members of the school take part. The images are considered private and do not belong to IESE data processing files.
The use of said images shall be limited exclusively to the private and home environment, so it is not permitted to use the images which IESE makes available for other purposes, including their transfer or publication in media other than IESE media, without the consent of each person featured in the images.
Dropbox
IESE Dropbox accounts have been designed for a strictly personal and non-transferable use. Their use by third parties inside or outside IESE is strictly forbidden.
Save all your professional files in Dropbox, where they will have a backup copy. No backup copies shall be made of any files that are not stored in Dropbox.
It is the user’s responsibility to manage the access permissions to the folders and files that are in their Dropbox account, and to ensure that only the appropriate and authorised persons have access to information containing personal data, in accordance with the provisions of the GDPR.
Observe the following rules in relation to the Dropbox service:
- Do not store data of a private nature.
- Do not store data considered sensitive by the GDPR, namely:
– Data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
– Data derived from acts of gender violence.
- Do not send messages, promotions, unwanted advertising or spam.
- Do not publish or share materials which are inappropriate for IESE.
- Do not store, publish or share material which is illegal, defamatory, offensive or threatening to the values and dignity of people.
- Do not infringe the privacy or rights of other people.
Company mobile phones
Staff members with a company mobile phone shall at all times respect the functions and duties of personnel with access to personal data, especially those referring to computer access.
Updated handsets shall always be returned to IESE.
Upon completion of the employment relationship with IESE, the handover of the handset and associated lines shall be processed through the Human Resources Division.
Company laptops
Staff members with a company laptop shall at all times respect the functions and duties of personnel with access to personal data, especially those referring to computer access.
No backups of any folder or content shall be made on the hard drive of the laptop. It is the user’s responsibility to keep data stored in the services/applications provided for this purpose.
Upon completion of the employment relationship with IESE, the handover of the laptop and associated peripherals shall be processed through the Human Resources Division. In no case shall this material be assigned to the user for their personal use, nor shall a purchase option be offered.
Modifications to these terms and conditions
1. The terms and conditions of use shall remain effective dependent on their exposure and until they are modified by other duly published terms and conditions.
2. IESE reserves the right to unilaterally modify, without prior notice, the confidentiality policy and the terms and conditions of use of IT services established herein. It is the user’s responsibility to review the confidentiality policy, the terms and conditions of use and the legal notices whenever IESE informs them of any modification. You may access the information clause for the processing of personal data, as well as the confidentiality policy and terms of use of IT services, on the IESE Intranet (intranet.iese.edu).
This privacy policy and the terms and conditions of use of IT services were drafted on 25 May 2018.
The purpose of this guideline is to define the responsibilities of external staff and collaborators that work at IESE’s facilities regarding the use of IT services, corporate information and the processing of personal data contained therein, so that all users are aware of and consent to the purposes of use and the restrictions of IT services.
‘IT services’ are understood to be all information technology services (computers, tablets, smartphones, multifunction printers, photocopiers, peripherals, associated components and data storage media), any associated software (operating systems, system software and specific applications) and online services (emails, directories, Internet, Intranet, cloud services, videoconferences, audio, videos and similar elements).
All the IT services, as well as the information they contain, are the property of IESE and are intended to support the teaching, research and administrative tasks necessary for the operation of the school. IT services are considered an extremely valuable asset which must be protected and used in an appropriate way. Only users explicitly authorised by the company’s management are allowed to use these services.
Access and use of the IT services implies the full and unreserved acceptance of the terms and conditions of use of these services.
All the information to which users have access for the fulfilment of their employment obligations, as well as the IT services that contain said information, are the exclusive property of IESE, and shall be physically returned upon completion of the employment or business contracts with the school.
The external staff member and collaborator agrees to ensure, at all times, the confidentiality of all the information to which they have access, and, consequently, undertakes not to disclose to third parties or to publicly disclose, whether during the employment or business relationship with IESE or upon expiration or termination of it for any reason, any information relating to personal data, academic records, contracts, technical procedures, specifications, processes, computer programs, data, or technical, commercial or financial information pertaining to IESE to which they may have access during the employment relationship established between the parties.
The disclosure of any confidential information or breach of any of the security measures contained in this document may be deemed a criminal offence, with the employee being liable for any damages arising from their fraudulent or negligent safeguarding or disclosure of information.
IESE guarantees compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR) to all data subjects, as well as the implementation of all necessary security measures, which guarantee its confidentiality and integrity.
In addition, the GDPR establishes the obligation to implement the necessary measures so that all staff members are aware of the security rules which affect their jobs, as well as the consequences which could arise from their non-compliance.
Below is the information clause for the processing of personal data for IESE workers and staff members, as well as the main security obligations regarding personal data and the terms and conditions of use of the services (both general and service-specific).
For a more detailed description of the use of a specific service, please consult the user guides available in the IT Services section of the IESE Intranet.
Information clause for the processing of personal data
DATA CONTROLLER: IESE Business School-Universidad de Navarra (R-3168001J), Avenida Pearson 21, 08034 Barcelona.
PURPOSES: To manage the business relationship with the professional and the payment of salaries. Access and on-site controls. Occupational risk prevention. Training. To assess, track and monitor the development of professional activities. Free use and publication of the collaborator’s image (photograph and video) in catalogues, calendars, website and/or social media profiles in order to promote and publicise the school.
LAWFUL BASIS: Performance of the business contract. Consent to the use and publication of images. Legitimate interest in keeping a historic photographic archive.
RECIPIENTS: Public authorities and banking institutions for payment of salaries. Occupational risk prevention companies. All institutions, customers and suppliers which need to identify their professionals, including for business coordination issues.
RETENTION: Data shall be retained for the duration of the business contract and, upon completion, shall be kept blocked on file for the legally established time in order to deal with any possible liabilities. The company shall indefinitely retain, based on legitimate interest, the service provided and the duration of the agreement as a historical log of employees, and their images in the IESE historical archive.
RIGHTS: Every staff member has the right to request access, rectification, erasure, objection, restriction and portability of their data, by writing to their human resource manager or emailing the Data Protection Officer on InfoDat@iese.edu, indicating the specific processing and the right that they wish to exercise. In the event of any disagreement with the company regarding the processing of their data, employees may lodge a complaint with the Data Protection Authority (www.agpd.es).
Functions and duties of staff members with access to personal data
Personal data is any numerical, alphabetical, graphic, photographic, acoustic or other information concerning identified or identifiable individuals, for example: name and surname, address, telephone number, email, date and place of birth, ID number, photographs, videos, audio, physical descriptions, employment and training details (CV details, academic qualifications, tests and examinations in which the author may be identified, etc.), healthcare-related data, bank details, etc.
General rules
1. External employees who have access to personal data are bound by professional secrecy, even after the employment or business relationship has ended.
2. Access only the personal data which you are authorised to access in order to perform your job or, as the case may be, sales functions.
3. Lock the door, if you work in an office, at the end of the working day, or when you are temporarily absent, in order to prevent unauthorised access.
4. Take appropriate care of keys to offices, as well as to cupboards, filing cabinets or other elements which may contain forms or documents containing personal data.
5. Do not use personal data to which you have access for private purposes or for purposes unrelated to your role in the company. It is strictly forbidden to make copies of any type of file for private use.
6. Comply with the prohibition to disclose personal data or to share documents containing personal data with IESE staff members without authorised access or with external collaborators.
7. Exercise caution when using printers, photocopiers or fax machines to ensure that there are no documents containing personal data. Any documents found on such machines and which do not belong to you are confidential.
8. Deal with any request for access, rectification, erasure, objection, restriction and portability of personal data made by any data subject, and report it to InfoDat@iese.edu.
9. Report any incident which may affect the security of data, both on computers and on paper, to your manager and to the Data Protection Officer via the email address InfoDat@iese.edu. Your knowledge of and failure to report an incident may be considered a personal data security breach by the user.
10. The user is liable for the accuracy and updating of any information and personal data provided to IESE, which is exempt from any liability for its inaccuracy.
11. For any questions or comments about the GDPR, please email the IESE Data Protection Department on InfoDat@iese.edu.
Computer access
1. Choose hard-to-guess passwords and keep them secret.
2. Please make sure that the password:
a. Has a minimum of eight characters.
b. Is different from any of the ten previous passwords.
c. Does not contain part of your first name or surnames.
d. Contains characters from at least three of the following four groups (passwords are case-sensitive):
i. Capital letters, for example: A, B, C…
ii. Lowercase letters, for example: a, b, c…
iii. Numbers, for example: 0, 1, 2, 3…
iv. Non-alphanumeric characters (special characters)
3. Lock your computer and your devices when they are not in your safekeeping.
4. Be vigilant with your computer and devices to prevent unauthorised persons from accessing information about personal data contained in them.
5. Contact the Help Desk in the event of loss, breakdown or theft of your computer or devices. Do not directly contact the supplier or manufacturer.
6. In the event of loss or theft, IESE reserves the right to claim compensation from the user for the value of the equipment.
7. The use of IT services provided by IESE is strictly professional, so personal use is not permitted.
8. When required by the Help Desk, please make your computer and devices available so that necessary maintenance tasks can be performed.
9. Comply with the prohibition to install or use software not authorised by the Help Desk. Check with the Help Desk before installing additional software or hardware on your computers and devices.
10. Observe the legislation on intellectual property which affects contracts on software licences and other materials accessible from the IESE network. It is strictly prohibited to copy software which is not in the public domain or is considered
11. It is not permitted to store specially protected or ‘sensitive’ data in the IT services.
‘Sensitive’ refers to any data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
12. It is strictly forbidden to make copies of personal data on any type of storage medium (smartphones, tablets, USB sticks, external hard drives, DVDs or others) or cloud storage services, unless explicitly authorised by IESE or via Dropbox, following the security guidelines established for their use.
13. On the whole, users may not use local hard disks of computers for the processing of personal data owned by the company, unless explicitly authorised by the data controller.
14. The security measures included in this document shall also apply to the external use of laptops, tablets, smartphones or other mobile devices provided by IESE.
15. The certainty or suspicion that there has been an incident which may involve a risk to the security of confidential information and personal data, from the perspective of confidentiality, integrity and availability of data (system failures which enable access to unauthorised third parties, loss of information, loss or wrongful seizure of passwords, unprotected computer systems, extraction of information, etc.) shall be reported to the data controller and the Data Protection Officer by sending an email to InfoDat@iese.edu, who shall proceed to record it in the incident log.
16. All measures described shall also apply when accessed remotely from outside the workplace.
17. Only send mail to people who have given their explicit consent to receive it.
Mail includes newsletters, information about IESE events such as meetings, talks, webinars, conferences, etc., as well as information about courses.
18. Only use Salesforce-MKT to send IESE mail, as this controls the consent of data subjects, provides an unsubscribe option and displays all the corresponding legal clauses.
19. Observe the prohibition to send mail via Mail Merge, MailChimp or other tools. If necessary, for any justified reason, explicit authorisation will be required from the Secretary General of IESE and, if granted, please follow the instructions of the Data Protection Officer.
20. Make sure you have received consent to send mail on behalf of IESE to any database contacts which you may rent or buy. If in doubt, please check with the Data Protection Officer.
21. Do not load the databases which you may rent or purchase from Salesforce.
22. Contact the people included in rented or purchased databases personally and direct them to the course, event, etc. website to sign up or request information via the established channels.
23. Include the corresponding legal clause in mail to databases which you may rent or purchase. Check with the Data Protection Officer about which clause should be used.
24. Respect the terms and conditions of use of contacts specified in the contract for any database which you may rent or buy; for example, the time of use of the database, the limit on the amount of mail, etc.
25. If you are authorised to purchase or rent commercial databases, please delete them upon completion of the contract which restricts their use. For example, if you rent a database that authorises you to send only two mails, you must delete it (and not save it) after both mails have been sent out.
26. All IESE mails shall contain an information clause which includes the purpose of the data processing, the postal or electronic address where the data subject’s rights of access, rectification, erasure or objection may be exercised, and the option to unsubscribe from commercial mailing lists. Check with the Data Protection Officer about which clause should be used.
27. All data collection forms shall include a clause informing the data subject about the purpose of collection, the recipients of the collected data and the details required for the data subject to exercise their rights. Check with the Data Protection Officer about which clause should be used.
28. Personal data may not be used for purposes other than those for which it was collected.
29. In emails addressed to several people, your own email address shall be included as the visible recipient, while the other recipients shall be included in the blind copy field (Bcc).
Paper-based access
1. Safeguard and file documents to prevent unauthorised access.
2. Do not throw away documents or papers containing personal data without taking the necessary measures to prevent them from being viewed.
3. Do not reuse documents which contain personal data.
4. It is strictly prohibited to remove documents that contain personal data from IESE facilities without proper authorisation.
General terms and conditions of use of IT services
Passwords
1. For security reasons, there may be maximum expiration periods for passwords.
2. Passwords may be changed via the IESE website (resetpassword.iese.edu), upon entering a username and password.
Exclusivity
1. The accounts which provide access to the IT services have been designed strictly for professional purposes, and are individual and non-transferable. The use of the accounts of these services by third parties, as well as their sale or loan, is completely prohibited.
2. IESE reserves the right to audit the data stored in the IT services for security reasons or for business needs, as well as to retrieve the information stored in the IT services if necessary and for any reason (job termination, temporary leave, holidays, etc.).
Good practice for the use of IT services
1. The user agrees to properly use the content and the IT services in accordance with current legislation, this confidentiality policy and the terms and conditions of use of IT services, thereby avoiding any illegal or harmful action to rights or interests of IESE, or third parties.
2. Any user of IT services undertakes to have an appropriate attitude and to use respectful language in communications with other users, whether in public or private spaces, and not to send or post opinions or content which may be illegal, defamatory, offensive or threatening to the values and dignity of people.
3. Each user of the IT services undertakes to guarantee the confidentiality of private messages received and not to disclose to third parties any data obtained from directories or public spaces of IT services.
Intellectual property
The user acknowledges and accepts that all the industrial and intellectual property rights of the IT services belong to IESE, or to third parties which have been assigned rights. The user is authorised for educational purposes only, and in no way for profit-making purposes. Any other use or exploitation of any rights shall be subject to the prior and express authorisation specifically granted for that purpose by IESE, or the third-party holder of the rights in question.
Compliance with the terms and conditions of use of IT services
1. Access and use of the IT services implies the full and unreserved acceptance of these terms and conditions of use of these services.
2. Failure to comply shall grant IESE the right to deny, withdraw, suspend or block access and use of services.
3. Failure to comply with any of the obligations contained in this document shall entail the legal and employment-related consequences which may occur vis-a-vis IESE, as well as any third party affected as a result of non-compliance.
Specific terms and conditions of use of IT services
Email
IESE email accounts have been designed for a strictly professional and non-transferable use, including accounts for departmental or resource-related use. Their use by third parties inside or outside IESE is strictly forbidden.
The Office 365 email service does not provide backup copies, i.e. there is no possibility of recovering a mailbox in its previous state. Therefore, it is recommended to keep classified messages in folders and delete them selectively.
The use of these services for political, illegal or immoral purposes, or for reasons which may disturb public order, is strictly prohibited. The list of prohibited activities includes, but is not limited to, the following:
- Sending mass unsolicited marketing communications (spam or serial messages), any type of malicious or harmful communication, or software components such as viruses, trojans, etc.
- Disclosing IESE email addresses to third parties without the explicit consent of their owners.
- Ignoring a data controller and a defined policy of use when working with mailing lists. In addition, by default, and to avoid compromised situations of the reception of spam, only messages from authorised users and internal divisions shall be accepted (for example, Human Resources Division, GEO, Help Desk, etc.).
- Creating mailing lists which include external contacts.
- Imitating, substituting or changing the identity of any person or their email address.
- Distributing illegal, defamatory, obscene or threatening materials which violate the privacy of third parties or which may violate intellectual or industrial property rights, or any other right of third parties.
- Storing or saving private emails or any with personal content in IESE mail managers.
- Undertaking any behaviour which directly or indirectly causes or may cause damage, alteration or errors to the proper functioning of IESE email services or technological systems.
- Undertaking any conduct which may violate the provisions contained in current laws, especially those contained in the Criminal Code, Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI, in its Spanish acronym), and the GDPR.
Emails and the Internet may be controlled by the company, so please note that emails may be checked for professional purposes and in order to control the proper use of the resources provided, the perpetration of illegal acts, and the sending of emails of a certain volume over the company’s network.
Inappropriate use or abuse of the email service may result in temporary or permanent deactivation of the account. In this sense, actions may be carried out in the event of incidents which may jeopardise the proper operation of the service.
The deactivation of the account entails the possible elimination of email messages which are on the server at the time, and the impossibility of receiving new messages until the account is activated again.
Virtual Campus
Virtual Campus accounts have been designed for a strictly personal and non-transferable use. Their use by third parties inside or outside IESE is strictly forbidden.
The Virtual Campus for IESE lecturers and students aims to streamline the exchange of information, documents and communication between the different profiles of the Campus (students, course coordinators, lecturers, etc.), as well as to provide services to students and facilitate contact between members of the IESE community.
Directories and lists of IESE students and employees are designed to facilitate contact between members of the IESE community. Their commercial use is prohibited, as is their transfer to or access by unauthorised third parties.
Access to and processing of photographic material. IESE provides Virtual Campus users with access to the photographic directory of private and home events in which the members of the school take part. The images are considered private and do not belong to IESE data processing files.
The use of said images shall be limited exclusively to the private and home environment, so it is not permitted to use the images which IESE makes available for other purposes, including their transfer or publication in media other than IESE media, without the consent of each person featured in the images.
Dropbox
IESE Dropbox accounts have been designed for a strictly personal and non-transferable use. Their use by third parties inside or outside IESE is strictly forbidden.
Save all your professional files in Dropbox, where they will have a backup copy. No backup copies shall be made of any files that are not stored in Dropbox.
It is the user’s responsibility to manage the access permissions to the folders and files that are in their Dropbox account, and to ensure that only the appropriate and authorised persons have access to information containing personal data, in accordance with the provisions of the GDPR.
Observe the following rules in relation to the Dropbox service:
- Do not store data of a private nature.
- Do not store data considered sensitive by the GDPR, namely:
– Data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
– Data derived from acts of gender violence.
- Do not send messages, promotions, unwanted advertising or spam.
- Do not publish or share materials which are inappropriate for IESE.
- Do not store, publish or share material which is illegal, defamatory, offensive or threatening to the values and dignity of people.
- Do not infringe the privacy or rights of other people.
Company mobile phones
Staff members with a company mobile phone shall at all times respect the functions and duties of personnel with access to personal data, especially those referring to computer access.
Updated handsets shall always be returned to IESE.
Upon completion of the employment relationship with IESE, the handover of the handset and associated lines shall be processed through the Human Resources Division.
Company laptops
Staff members with a company laptop shall at all times respect the functions and duties of personnel with access to personal data, especially those referring to computer access.
No backups of any folder or content shall be made on the hard drive of the laptop. It is the user’s responsibility to keep data stored in the services/applications provided for this purpose.
Upon completion of the employment relationship with IESE, the handover of the laptop and associated peripherals shall be processed through the Human Resources Division. In no case shall this material be assigned to the user for their personal use, nor shall a purchase option be offered.
Modifications to these terms and conditions
1. The terms and conditions of use shall remain effective dependent on their exposure and until they are modified by other duly published terms and conditions.
2. IESE reserves the right to unilaterally modify, without prior notice, the confidentiality policy and the terms and conditions of use of IT services established herein. It is the user’s responsibility to review the confidentiality policy, the terms and conditions of use and the legal notices whenever IESE informs them of any modification. You may access the information clause for the processing of personal data, as well as the confidentiality policy and terms of use of IT services, on the IESE Intranet (intranet.iese.edu).
This privacy policy and the terms and conditions of use of IT services were drafted on 25 May 2018.