Privacy and personal data protection policy

Statemen

The Fundación Centro de Estudios Interamericanos (“CEDEI” or the “Foundation”), in its commitment to respecting and protecting the personal data of its students, legal representatives, staff, suppliers, and the general public, hereby establishes this Privacy and Personal Data Protection Policy.

This Policy is based on compliance with Ecuador’s Organic Law on Personal Data Protection (Ley Orgánica de Protección de Datos Personales – LOPDP), its General Regulation, and the resolutions and guidelines issued by the Personal Data Protection Superintendence (Superintendencia de Protección de Datos Personales – SPDP). The lawful and transparent processing of personal data is an essential pillar to fulfill our educational and cultural mission.

Personal data belongs to each individual. When you provide your data to our organization, you entrust it to us. Our commitment is to process it lawfully, fairly, transparently, and above all, confidentially.

We process personal data under conditions of equality, without discrimination or distinction based on race, color, sex, language, religion, political opinion, national or social origin, economic status, birth, or any other condition; and without distinction regarding the legal or international status of the country or territory to whose jurisdiction a person belongs.

Our organization ensures that individuals can access and control their personal data at all times.

1. Identification of the Data Controller
The Fundación Centro de Estudios Interamericanos – CEDEI, headquartered in the city of Cuenca, Republic of Ecuador, is the Data Controller of personal data, in accordance with the Organic Law on Personal Data Protection.

CEDEI determines the purposes and means of processing the personal data it collects and processes in the course of its educational, academic, administrative, employment, technological, and institutional activities.

2. Applicable Legal Framework
The processing of personal data carried out by CEDEI is governed by:

Organic Law on Personal Data Protection (LOPDP).
General Regulation to the LOPDP.
Regulations and resolutions issued by the Personal Data Protection Superintendence.
CEDEI’s internal policies, procedures, and guidelines.

3. Definitions
For the purposes of this Policy, the following definitions apply, in accordance with the Organic Law on Personal Data Protection:

Personal Data: Any information that identifies or makes a natural person identifiable, directly or indirectly.
Sensitive Personal Data: Personal data that affects the individual’s privacy or whose misuse may give rise to discrimination, such as data related to ethnic or racial origin, health status, biometric data, sexual orientation, religious, philosophical, or political beliefs, among others defined by law.
Data Subject: The natural person to whom the personal data relates.
Processing: Any operation or set of operations performed on personal data, such as collection, storage, use, access, transmission, disclosure, deletion, or destruction.
Data Controller: A natural or legal person, public or private, who decides on the purposes and means of processing personal data. In this case, CEDEI.
Data Processor: A natural or legal person who processes personal data on behalf of the Data Controller, in accordance with its instructions.
Transfer of Personal Data: Communication of personal data to a third party, whether or not a data processor.
Record of Processing Activities (RPA): The document containing information related to personal data processing activities carried out by the Data Controller.
Data Protection Officer (DPO): A person designated by the Data Controller to supervise compliance with personal data protection regulations and to act as a point of contact with data subjects and the supervisory authority.

4. Principles Governing Personal Data Processing
CEDEI ensures that personal data processing is carried out in accordance with the following principles established in the LOPDP:

Lawfulness: Processing shall only be carried out when there is a valid legal basis provided by applicable regulations.
Fairness: Personal data shall be processed fairly, without deception or abuse of the data subject’s trust.
Transparency: The data subject shall be clearly, accessibly, and comprehensibly informed about the processing of their personal data.
Purpose Limitation: Personal data shall be collected for specific, explicit, and legitimate purposes and shall not be processed in a manner incompatible with those purposes.
Data Minimization: Only personal data strictly necessary to fulfill the purpose of processing shall be processed.
Proportionality: Processing shall be adequate, relevant, and limited to what is necessary in relation to the purposes pursued.
Accuracy: Personal data shall be accurate and, where necessary, kept up to date.
Security: Appropriate technical, organizational, and administrative measures shall be applied to protect personal data.
Proactive Accountability: CEDEI adopts measures to ensure and demonstrate compliance with personal data protection regulations.
Best Interests of Children and Adolescents: When processing involves personal data of minors, their best interests shall prevail, applying enhanced protection measures.

5. Categories of Data Subjects
CEDEI processes personal data of the following categories of data subjects:

Students and participants in academic programs.
Host families.
Faculty members, coordinators, and academic staff.
Applicants (administrative and teaching staff).
Employees and former employees.
Suppliers.
Clients and institutional representatives.
Prospective clients and business contacts.
Users of technological platforms and the institutional website.

6. Categories of Personal Data Processed
According to the activities registered in the Record of Processing Activities (RPA), CEDEI may process the following categories of personal data:

6.1. Personal Data

Identification data.
Contact data.
Academic and professional data.
Personal characteristics.
Health data.
Economic, financial, and insurance data.
Family data and legal representation data.
Employment data.
Financial and billing data.
Technical browsing and IT data.

6.2. Sensitive Data
CEDEI will only process sensitive personal data when there is an enabling legal basis and when it is strictly necessary to fulfill a legitimate purpose, applying enhanced security measures.

7. Purposes of Processing
Personal data shall be processed exclusively for the following purposes:

Management of educational, academic, and training processes.
Administration of admissions, enrollment, evaluations, and certifications.
Administrative, financial, and accounting management.
Marketing management.
Human resources management and compliance with labor obligations.
Compliance with legal and regulatory obligations.
Technological management, information security, and operational continuity.
Institutional communication related to CEDEI’s activities.

8. Legal Basis for Processing
The processing of personal data carried out by CEDEI is based on one or more of the following legal grounds, as applicable to each activity registered in the RPA:

Consent of the data subject or their legal representative.
Performance of an educational, contractual, or employment relationship.
Compliance with a legal obligation.
Legitimate institutional interest duly assessed.

9. Retention of Personal Data
Personal data shall be retained:

For the time necessary to fulfill the purpose of processing.
While an educational, contractual, or employment relationship exists.
For the periods required by applicable regulations.
In accordance with CEDEI’s Data Retention and Deletion Policy.

10. Recipients and Transfers
Personal data may be disclosed, when applicable, to:

Data processors and service providers.
Competent public authorities.

CEDEI shall not carry out international data transfers without appropriate legal safeguards.

11. Data Processors
Data processors shall act under contracts or agreements that establish confidentiality, security, and compliance obligations with the documented instructions issued by CEDEI, in accordance with the LOPDP.

12. Security Measures
CEDEI applies appropriate technical, organizational, and administrative measures to protect personal data, based on the level of risk identified in the Record of Processing Activities and the corresponding impact assessments.
When personal data of children and adolescents is involved, enhanced protection measures shall be applied.

13. Rights of Data Subjects
Data subjects have the right to:

Access
Rectification
Updating
Deletion
Objection
Portability
Suspension of processing

In the case of minors, these rights may be exercised by their legal representative.

14. Procedure for Exercising Rights
Requests must be submitted through CEDEI’s official institutional channels.
Data subjects may file complaints with the Personal Data Protection Superintendence

15. Data Protection Officer (DPO)
CEDEI has appointed a Data Protection Officer in accordance with the regulatory requirements of the Supervisory Authority.
Contact details:

Position: Data Protection Officer
Entity: CEDEI
Address: Cuenca, Ecuador
Email: dpo@cedei.org
Channel: Official institutional channels

16. Data Processing of Children and Adolescents
The processing of personal data of children and adolescents shall be carried out:

In accordance with their best interests.
For educational, academic, and institutional purposes.
With the consent of the parent or legal representative, when required.
Applying enhanced security measures.

CEDEI shall not use minors’ data for purposes other than those informed or for unauthorized uses.

17. Use of Cookies and Similar Technologies
The processing of personal data through cookies or other digital technologies is governed by CEDEI’s Cookies Policy, published on its official digital channels.

18. Policy Updates
CEDEI may update this Policy when there are regulatory changes or changes in its processing activities.

19. Effective Date
This Policy shall enter into force as of its institutional approval.