Skip to main content
Back to top

I. Who is responsible for processing your data?

Responsible: DigiPen Institute of Technology Europe Bilbao S.L. N.I.F B95570339
Address: Ribera de Zorrotzaurre, 2. 48014 Bilbao (Bizkaia)
To contact the data protection delegate:

This privacy policy (hereinafter, the “Privacy Policy”) applies to all personal data that the user provides to DigiPen.

For the purposes of this Privacy Policy, “User” must be understood as any natural person interested in the Institution and the services that DigiPen offers through its web pages. DigiPen, as responsible for the processing, will request when necessary, prior to the provision of their personal data, the User’s consent to this Privacy Policy, along with any other aspect that requires prior authorization. The purpose of the DigiPen Privacy Policy is to provide transparency to the information on how we treat your data and protect the information on the Internet and the data that the user may enter on the web.

The User may contact DigiPen via the email with any doubt or necessity concerning data protection.

II. For what purpose do we process your personal data and with what legitimacy?

The User is hereby informed that DigiPen may process the personal data provided by the User through the online forms for the purposes indicated below, to the extent that there is a legal basis for each treatment as explained later:

  1. To manage the request for information in relation to the Institution’s activities.

    • The legal basis for the treatment of the data of users requesting information on the website is the consent.

  2. To manage applications for admission of new students, re-admission of former students and management of registered students who have a user profile on the website or in the Student Record System (SRS).

    • The legal basis for the processing of the data of potential students and current students is the execution of a contract with the interested party or for the application at the latter’s request of pre-contractual measures. It should also be considered that the processing is necessary for the fulfilment of a legal obligation applicable to the person responsible for the processing who must formalize the registrations based on data required by universities’ legislation.

  3. DigiPen maintains interest-relations with institutions, organizations related to the Institution, other universities, administrations, companies, suppliers and businesses in general in which natural persons work as contacts for legal entities. These contact persons represent a database registered in the DigiPen information systems.

    • The legal basis for the treatment of contact data is the legitimate interest that DigiPen has in maintaining the necessary commercial, institutional or protocol relationships. DigiPen considers the interests, rights and freedoms of those affected and weighs them to the extent required by the relevant law to ensure that due privacy is not affected by the application of legitimate interest.

  4. Managing the subscription to the Newsletter and promotional communications.

    • The legal basis for data processing is the consent of the interested parties.

    • DigiPen, at the time of registration, will collect and process personal data that is essential for student registration or to address their request or inquiry. Fields marked with an asterisk (*) are mandatory, without which DigiPen cannot fulfill your request correctly.

  5. Managing event registration and image processing.

    • The legal basis for data processing is the fulfillment of contractual obligations in the case of event subscription and the consent of interested parties in the case of granting authorization for the capture and dissemination of their image.

  6. Managing video surveillance cameras.

    • The legal basis for data processing is legitimate interest, in accordance with the provisions of Article 22 of the LOPDGDD (Spanish Data Protection Law).

DigiPen, at the time of registration, will collect and process the personal data essential for the registration of students or to attend their request or query. The fields marked with an asterisk or that indicate required are of obligatory fulfillment without which DigiPen will not be able to give correct fulfillment of its request.

III. How long do we keep your data?

DigiPen will keep the data of its students while their academic relationship with the Institution lasts and after that, the data will be kept according to the provisions of the filing and documentation regulations applicable to university degrees and academic records.

The data of contacts and potential students will be kept for the duration of the relationship of interest that binds him/her DigiPen until the corresponding deletion is requested or the consent is revoked when appropriate. In any case, they will be kept if they are necessary for the formulation, exercise or defence of potential claims and/or whenever the applicable legislation permits.

The data from the images captured by the surveillance cameras will be deleted within a maximum period of one month from their capture, except when they need to be retained to prove the commission of acts that threaten the integrity of individuals, property, or facilities.

IV. Who has access to your personal data?

By accepting this Privacy Policy, the User understands that DigiPen is an Institution whose headquarters are located in the US so the data provided on this website may be communicated to the US while maintaining the stated purpose. For more information about the above guarantees you can contact DigiPen through the means established in section I.

In addition to the foregoing, DigiPen may make transfers or communications of personal data to meet its obligations to the Public Administrations, in cases that are required, in accordance with the legislation in force at any time and, if applicable, to other bodies such as State Security Forces and Agencies and Judicial Bodies.

International Data transfers

DigiPen Institute of Technology Europe - Bilbao carries out international data transfers to DigiPen USA within the framework of its corporate relations. Specifically, communications of personal data identifying name, surname, telephone number and email are made for administrative management purposes in response to requests for information and enrollment and computer security and data backup. Communications through the firewall and VPN are protected by AES128 / SHA1 encryption.

In this way, data transfers are carried out between the entities that make up the DigiPen group based on the unequivocal will of the interested person to obtain information about the education activity or for the execution of contractual enrollment measures at the request of the interested person, in accordance with the provisions of articles 6.1 sections a) and b) and 49.1 sections a) and b) of the General Data Protection Regulation.

You can get additional information on the guarantees applied, as well as exercise the rights of access, rectification, deletion, opposition, limitation by sending a request to

V. What are the users’ rights?

DigiPen informs the User of their option to exercise the rights of access, rectification, opposition, deletion, portability and limitation of the processing of personal data collected by DigiPen.

Said rights may be exercised free of charge by the User, and in his case whoever represents him/her, by means of a written and signed request addressed to

In addition to the foregoing rights, the User shall have the right to withdraw the consent granted at any time through the procedure described above, without such withdrawal of consent affecting the lawfulness of the processing prior to its withdrawal. DigiPen may continue to treat the User’s data to the extent permitted by applicable law.

DigiPen reminds the User that they have the right to file a claim with the Spanish Data Protection Agency.

VI. Disabling the service of sending commercial communications

As mentioned in the previous section, the User has the right to revoke at any time the consent given to send commercial communications with the simple notification to DigiPen by which s/he informs that he does not wish to continue receiving commercial communications. For this, the User may either revoke his consent in the manner described in the previous section or click on the link included in each commercial communication, thus cancelling the sending of electronic commercial communications.

VII. What security measures are implemented?

DigiPen is committed to fulfilling its confidentiality obligations of personal data and its duty to save them, and will take the necessary measures to prevent any alteration, loss, or unauthorized access, in accordance with the provisions of applicable regulations.

DigiPen has implemented the technical and organisational security measures necessary to ensure the security of your personal data and prevent their alteration, loss and treatment and/or unauthorized access, taking into account the state of the technology, the nature of the stored data and the risks to which they are exposed, whether they come from human action or from the physical or natural environment, in accordance with the provisions of the applicable regulations.

VIII. Links

The DigiPen website may include hyperlinks to other sites that are not operated or controlled by DigiPen, such as some social networks. DigiPen does not guarantee, nor is responsible for the legality, reliability, usefulness, veracity and timeliness of the contents of such websites or their privacy practices. Please, before providing your personal information to these non-DigiPen websites, please note that compliance with data protection may differ from ours.

IX. Modification of the Privacy Policy

DigiPen may modify its Privacy Policy in accordance with the applicable legislation at any time. In any case, any modification of the Privacy Policy will be duly notified to the User so that s/he is informed of the changes made in the processing of his/her personal data and, in the event that the applicable regulations so require, the User may grant their consent.