PRIVACY POLICY
1. Purpose and Scope of the Policy
The primary purpose of this Privacy Policy is to establish a transparent framework for the collection, processing, and protection of personal data belonging to students, faculty, staff, leads, and partners of SBS Swiss Business School Spain. The scope of this policy extends to all data processing activities conducted by the Madrid and Barcelona campuses, encompassing digital interactions through our websites (sbs.madrid and sbs.barcelona), physical interactions at campus facilities, and activities within our educational technology ecosystems. This document is designed to ensure strict adherence to the General Data Protection Regulation (EU) 2016/679 (GDPR), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and the Organic Law 2/2023 on the University System (LOMLU).
2. Who We Are: Identification of the Data Controller
In compliance with Article 13 of the GDPR and Article 10 of the LSSICE, the user is informed that the data controller is the legal entity corresponding to the campus of enrollment, inquiry, or contractual relationship. Both entities (jointly referred to as “SBS Spain”) operate as authorized licensees of SBS Swiss Business School (Zurich).
|
Campus Location |
Legal Entity Name |
NIF (Tax ID) |
Registered Office Address |
|
SBS Madrid |
IBEA Educational Group Madrid S.L. |
B56817679 |
Calle Gran Vía 4, Planta 3, 28013 Madrid, Spain |
|
SBS Barcelona |
International Business Education Alliance S.L. |
B09672429 |
Carrer de Pamplona 96, 08018 Barcelona, Spain |
Data Protection Officer (DPO): The institution has appointed a central DPO to oversee compliance across all Spanish operations. For any inquiry regarding the exercise of privacy rights or the technical details of data processing, you may contact: gdpr-spain@sbs.madrid. SBS Madrid and SBS Barcelona have executed a Joint Controller Agreement establishing that both legal entities share a central DPO and a unified CRM.
3. Whose Personal Data Do We Collect?
SBS Spain processes data from several distinct categories of natural persons to fulfill its educational and operational mission:
A. Current and Former Students (Alumni): Individuals enrolled in BBA, MSc, or Foundation programs.
B. Prospective Students (Leads): Individuals who have requested information via web forms, participated in educational fairs, or interacted with our recruitment agents.
C. Faculty and Academic Staff: Including regular professors, guest speakers, and external consultants or collaborators involved in program delivery.
D. Administrative Staff and Job Applicants: Individuals employed by or seeking employment with SBS Spain.
E. Ambassadors and Content Creators: Students participating in the “Student & Content Ambassador Reward Pack”.
F. Suppliers and Service Collaborators: Representatives of entities providing facilities management, marketing, consultancy, or IT services.
4. The Personal Data We Collect
The categories of personal data processed are restricted to those strictly necessary for the purposes of providing higher education services and institutional administration (the Principle of Data Minimization).
A. Identification and Demographic Data: Full name, gender, nationality, date of birth, and ID/Passport number.
B. Contact Information: Primary and secondary email addresses, mobile phone numbers, and permanent physical addresses.
C. Academic History and Qualifications: Previous degrees, language proficiency certifications, transcripts, and portfolios.
D. Professional Records: CVs, employment history, job roles, and professional achievements.
E. Financial and Invoicing Data: Bank account numbers (for SEPA direct debits), payment history, scholarship records, and tax-relevant identifiers.
F. Sensitive Categories: Only where strictly required by law or for health and safety, such as medical insurance details, disability-related educational needs, or emergency health conditions.
G. Image and Audio-Visual Data: Photographs and video recordings captured during campus activities (subject to explicit consent) and security footage from campus CCTV systems.
5. Website Data Processing and Interaction Metadata
When you navigate sbs.madrid or sbs.barcelona, we automatically process technical identifiers to ensure website security, performance, and accessibility. This includes your IP address, browser type, time zone settings, operating system, and the “user agent” string.
We also collect “Clickstream Data,” which includes the Full Uniform Resource Locators (URL) of your journey through our site, products or programs viewed, page response times, download errors, and interaction data such as scrolling, clicks, and mouse-overs. This information is processed primarily for troubleshooting and research purposes to enhance the user experience.
6. Cookies and Tracking Technologies
In accordance with the AEPD “Guide on the Use of Cookies” (updated 2024), we provide a layered consent mechanism. Our first-layer cookie banner offers users the ability to “Accept,” “Reject,” or “Configure” cookies with equal prominence and visibility.
Cookie Classification Table
|
Category |
Definition |
Retention |
Requirement |
|
Technical |
Strictly necessary for the basic functioning of the website and security features. |
Session/Persistent |
No Consent Needed |
|
Personalization |
Remembers user choices such as language or currency. |
Up to 12 months |
Technical if user-chosen |
|
Analytical |
Measures audience metrics and website performance anonymously. |
Up to 13 months |
Explicit Consent |
7. Use of Your Personal Data: Academic and Marketing AI Processing
Personal data is processed for specific, explicit, and legitimate purposes as outlined below.
A. Academic Delivery and Student Management
We process data to manage the application and enrollment lifecycle, deliver the curriculum, and maintain academic records. For joint programs, data may be shared with our academic collaborators to ensure official accreditation and credit awarding.
B. Artificial Intelligence in Academic Evaluation
SBS Spain incorporates AI systems to maintain high standards of learning integrity and pedagogical success:
1. Integrity Monitoring: We utilize AI tools to process submission metadata and content. The Logic Involved includes comparative analysis against global academic databases and the identification of statistical patterns associated with AI-generated text.
2. Predictive Success Models: AI algorithms evaluate historical and real-time attendance and grading data to predict student success. The Purpose is to provide early intervention and personalized learning support for at-risk students.
3. Human Guarantee: Pursuant to Article 22 of the GDPR, we guarantee that no decision with significant legal or academic consequences (e.g., expulsion, failure of a course, or denial of a degree) is made solely by an AI system. All AI reports are reviewed by a human instructor or the Academic Director before a final decision is reached. The Academic Director and instructors mentioned are formally trained on how to “review” AI reports to avoid “automation bias,” where the human simply agrees with the AI without independent thought. This training is documented as a Technical and Organizational Measure (TOM).
C. AI for Institutional Marketing
To optimize our outreach to prospective students, we employ AI for the following:
1. Predictive Lead Scoring: Processing interaction data from the CRM to identify the likelihood of enrollment.
2. Programmatic Ad Targeting: Using audience data to serve personalized content to prospective students who have shown interest in specific programs and/or specializations.
3. Institutional Data Sovereignty: We ensure that all creative assets, audience segments, and pixel data generated through AI-driven marketing services remain the exclusive property of SBS Spain.
8. Who We Can Share Your Personal Data With
Your data may be shared with the following categories of recipients when a valid legal basis exists:
A. The Licensor (SBS Swiss Business School Zurich): For degree validation, quality assurance audits, and mandatory progression tracking for foundation students.
B. Public Administrations: Including the Spanish Tax Agency (AEAT), Social Security (TGSS), and the Ministry of Education to fulfill statutory duties.
C. Collaborators and Accreditors: Academic collaborators for students seeking official Spanish accreditation.
D. Technological and Service Processors: Including CRM and Marketing Automation for managing inquiries and student relationships; cloud infrastructure and productivity suites for data storage and collaboration; academic integrity and AI tools for plagiarism detection and academic support; enterprise resource planning (ERP) and accounting for financial and administrative management, and specialized marketing agencies under formal Data Processing Agreements (DPA).
9. International Data Transfers
As an international institution, data flows occur between Spain and third countries.
A. Transfers to Switzerland: Data shared with our licensor in Zurich is protected by the European Commission’s Adequacy Decision regarding Switzerland, which recognizes the Swiss legal system as providing an equivalent level of data protection to that of the EU.
B. Other Third Countries: Transfers to countries without an adequacy decision (e.g., certain US-based cloud services) are strictly governed by Standard Contractual Clauses (SCCs) and enhanced security measures to ensure compliance with the “Schrems II” standards.
10. Legal Basis for the Treatment of Your Personal Data
In accordance with Article 6 of the GDPR and Article 8 of the LOPDGDD, SBS Spain relies on the following legitimizing bases:
A. Contractual Necessity (Art. 6.1.b): To manage enrollment agreements, facilitate learning delivery, and provide internship support.
B. Legal Obligation (Art. 6.1.c): To comply with Spanish educational regulations (LOMLU), tax laws, and Social Security mandates for student interns and staff.
C. Legitimate Interest (Art. 6.1.f): For campus security via CCTV, fraud prevention in financial transactions, and sending institutional updates to existing students about similar academic programs.
D. Explicit Consent (Art. 6.1.a): For marketing profiling, subscription to non-academic newsletters, and the use of individual image rights for promotional content.
11. How Long Do We Process Personal Data? (Retention and Blocking)
SBS Spain follows the Principle of Storage Limitation, ensuring data is kept only as long as necessary for the purpose for which it was collected.
A. Academic Records: Transcripts and degree certifications are retained indefinitely as required by the LOMLU to allow for lifelong verification of qualifications.
B. Administrative and Financial Data: Retained for 5 to 10 years following the end of the student’s relationship with the school to satisfy Spanish Civil and Tax statutes of limitations.
C. Prospective Student Data (Leads): Deleted or anonymized after 2 years of inactivity, unless consent is renewed.
D. Video Surveillance (CCTV): Footage is automatically deleted within a maximum of 30 days, except where required for legal investigation.
Upon the expiration of these periods, data is “Blocked” (Limitation of Processing). This means the data is technically restricted from active use and is only accessible for the purpose of making it available to judges, courts, the public prosecutor’s office, or competent public administrations to address potential legal liabilities arising from the processing.
12. What Are Your Rights?
Under the GDPR and LOPDGDD, you are entitled to exercise the following rights:
1. Access: To obtain confirmation of whether we are processing your data and a copy of such data.
2. Rectification: To correct inaccurate or incomplete information.
3. Erasure (Right to be Forgotten): To request data deletion when it is no longer needed for its original purpose or when you withdraw consent.
4. Restriction: To limit the processing of your data during accuracy verification or as an alternative to erasure.
5. Portability: To receive your data in a structured, commonly used electronic format and transfer it to another controller.
6. Objection: To stop processing based on legitimate interest or for direct marketing purposes.
7. Rights regarding Automated Decisions: To obtain human intervention, express your point of view, and contest any decision made solely by AI that significantly affects you.
13. How to Exercise Your Rights and Contact Details
To exercise any of the aforementioned rights, you must send a written request to the SBS Spain Central DPO: gdpr-spain@sbs.madrid.
In accordance with the AEPD guidelines, to exercise your rights, please contact our DPO. We may request a copy of your identity document (DNI or equivalent) only when necessary to verify your identity. We will respond to your request within a period of one month. If you believe your rights have not been adequately addressed, you have the right to file a claim with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.
14. Changes to This Privacy Policy
This policy was last updated on April 22, 2026. SBS Spain reserves the right to modify this document to adapt to legislative changes, judicial rulings, or institutional restructuring. Material changes will be communicated via the email address provided in your student file or through a prominent notice on our website.
15. Technical and Organizational Security Measures (TOMs)
The security of personal data at SBS Spain is governed by the Principle of Accountability (Article 5.2 GDPR) and the National Security Scheme (Esquema Nacional de Seguridad – ENS), as regulated by Real Decreto 311/2022.
In compliance with the ENS, SBS Spain has conducted a formal security categorization of its information systems. For systems handling Academic Management and AI-driven Analytics, we apply security measures commensurate with the identified risk levels (Low, Medium, or High), ensuring the ongoing confidentiality, integrity, and availability of student data through advanced encryption, multi-factor authentication (MFA), and periodic vulnerability assessments.
A. Encryption at Rest and in Transit: All academic databases and financial records are encrypted using industry-standard protocols.
B. Granular Access Control: Access to sensitive student data is limited to authorized administrative and academic personnel on a “need-to-know” basis.
C. CRM as the “Single Source of Truth”: To eliminate the risk of data fragmentation and inaccuracies, all student financial and academic records are consolidated into a unified CRM environment with strict audit logging.
D. AI Guardrails: Regular bias audits and performance checks are conducted on AI modules used for plagiarism detection and lead scoring to prevent discriminatory outcomes.
16. Managing the Data of Minors and Digital Rights
As per Organic Law 3/2018 (LOPDGDD), the age of consent for data processing in Spain is 14 years. For any prospective student under this age, SBS Spain requires the verifiable consent of a parent or legal guardian.
Furthermore, SBS Spain honors the “Digital Charter of Rights” by ensuring that:
A. Digital Disconnection: Academic and administrative communications are scheduled during standard business hours, protecting the rest periods of faculty and staff.
B. Privacy of Remote Learning: When utilizing digital platforms for distance education, we implement “Privacy by Design” to ensure that video and audio recording is limited to what is strictly necessary for evaluation purposes.
17. Institutional Data Ownership and Third-Party Agreements
A critical second-order insight derived from the analysis of marketing service revisions is the institutional necessity for absolute data ownership. In collaboration with consultant agencies, SBS Spain mandates that all ad accounts, audience data generated by AI, and pixel information remain the exclusive property of SBS Spain. This prevents “vendor lock-in” and ensures that if a contract is terminated, the school retains the ability to continue its marketing efforts without losing historical data.
This principle is also applied to academic collaborators.