In this policy, you will find all the information about how we process your personal data and the rights you may exercise to remain in control of it. Please read it carefully before providing any personal data.
You may exercise your rights under applicable data protection laws at any time, or contact us with any questions about how we process your data, by emailing gdpr@efclif.com.
Who is the data controller of your personal data?
Your personal data will be processed by the European Foundation for the Study of Chronic Liver Failure (EF CLIF), with NIF G-66519000 and registered office at Avinguda Diagonal 477, 11th floor, 08036 Barcelona, Spain. You can contact us at gdpr@efclif.com.
Our Data Protection Officer (DPO)
We have appointed a Data Protection Officer. You may contact the DPO with any questions about this Privacy Policy or about how we process your personal data at dpo@efclif.com.
What are the requirements to provide us with your personal data?
Minimum age
Although certain privacy laws allow children aged 13–16 to consent to the processing of their personal data (depending on the country), our contractual eligibility requirement is 18+. We do not knowingly collect personal data from individuals under 18. If we learn that we have collected such data, we will delete it and terminate the contractual relationship with you. If the age of majority in your jurisdiction is higher than 18, you must meet that higher age.
Accuracy
When you provide data, you warrant that the information is accurate, truthful, up to date, and relates to you, not to third parties. You must also inform us of any changes to the data provided. You are responsible at all times for the accuracy and correctness of the information supplied.
What data do we collect?
Identification and contact information
Name, surname, email address, telephone number, and postal address.
Employment details
Professional profile, position, and company or institution of employment.
Academic data
Information provided during the admission process and generated throughout your participation in the program, including academic background, degrees obtained, institutions attended, and also qualifications, transcripts, attendance records, participation in activities, evaluations, grades, assignments, certificates, and communications or interactions within the Master Program in the learning platform.
Optional profile information
Image, biography, social media profiles, and other personal information you voluntarily decide to include in your user profile.
Usage and technical data
We also collect certain technical and usage data, such as device type, browser, operating system, IP address (in truncated or pseudonymized form), connection times, and interaction logs within the platform.
What are the purposes of processing your personal data?
Management of your participation in the Master program
The main purpose of processing your personal data will be to manage your participation and progress within the Master program, which includes:
- Give you access to the Program’s learning platform, where all course materials and live/recorded sessions are available. This includes creating and maintaining your user account, enabling you to view content, join sessions, submit assignments and assessments, participate in forums/collaborative spaces, and communicate with instructors and other students. We also use your data to send essential service notifications (e.g., schedules, deadlines, platform maintenance), and provide academic support.
- Manage academic records, issue certificates/diplomas, administer scholarships or payments, and maintain internal records necessary for the Program’s operation.
Quality improvement
We may also process your personal data to send you anonymous surveys for quality improvement, evaluation, non-identifiable research or statistical analysis. Survey responses will always be anonymous and analysed in aggregate form so they cannot be linked to you. Participation is voluntary and does not affect your participation in the program or access to the platform.
We may also collect the usage and technical data of your device to understand how users engage with the learning platform, detect technical issues, and improve the platform’s functionality, performance, and user experience.
Ensure the security, integrity, and proper functioning of the learning platform
We may process your technical data to ensure security, including for preventing unauthorized access, misuse, or technical incidents; maintaining system backups; and applying updates or improvements necessary to guarantee service reliability and data protection.
Commercial communications
We may send you newsletters, updates, and promotional communications related to EF CLIF’s educational and research activities, future training programs, or events that may be of interest to you.
What is the lawful basis for processing your data? Is it mandatory to provide these data?
Contract performance
The primary legal basis for processing your personal data is the performance of the contract between you and EF CLIF.
All data requested and processed by EF CLIF for this purpose are essential for providing the Master program. This excludes optional information you may choose to provide, such as your profile photograph or links to your social media profiles. If you do not provide the required data, we will be unable to deliver the services or perform the related administrative tasks.
Consent
Within the platform, you may voluntarily complete your profile with additional personal information (photograph, biography, social media links, or other data). The publication of such information will be based on your consent, which you may withdraw at any time without affecting your participation in the Master’s program.
Where the technical and usage data is collected through cookies or similar tracking technologies, we will process it in accordance with our Cookies Policy and, where required by law, only after obtaining your consent.
Legitimate interest
EF CLIF may process certain personal data on the basis of its legitimate interests, in particular, where (i) the technical and usage data is used to ensure the platform security and integrity; or (ii) to produce aggregated usage statistics to improve functionality, performance, and user experience of the platform; and (ii) your contact information is used to send you newsletters and information on EF CLIF’s educational products and services similar to those you have previously contracted.
Whenever we rely on legitimate interests, we perform and document a balancing test to ensure that our processing is proportionate and respects your privacy expectations. You can ask more information about these balancing tests by contacting our DPO or us at gdpr@efclif.com.
Legal obligation
We also process and retains certain data to comply with applicable laws and regulations, which may include maintaining academic records, tax and accounting, responding to requests from competent authorities, courts, accreditation bodies, or data protection regulators.
Generally, fields and information marked with an asterisk (*) (or otherwise identified as “required”) are mandatory in order to process your request and/or provide access to the Master’s learning platform. If you do not provide this information, we may be unable to deliver the requested services or complete related administrative tasks. Any other fields are optional and their completion is voluntary; they are used to improve profile completeness, personalization, or communication
How long do we keep your information?
All personal data will be processed for the duration of the contractual relationship between the parties and, for data processed on the basis of consent, until such consent is withdrawn. Afterwards, EF CLIF will retain the data in a blocked state for the retention periods strictly necessary to address potential liabilities and to demonstrate compliance with legal obligations. Where you opt out of marketing, we will keep only the minimum data needed on a suppression list to ensure we do not contact you again.
To whom do we disclose your personal information?
In general, EF CLIF will not share your personal data with third parties. However, there may be circumstances where sharing is necessary to provide the Master’s program and related services, or where we are legally required to do so:
Instructors and other participants (within the platform)
For the proper delivery of teaching and collaborative activities, certain information will be visible to instructors and to other enrolled participants in your courses or groups, strictly to the extent necessary for academic purposes. This may include your name, username, profile photo/biography (if you choose to provide them), and content you actively share (e.g., forum posts, messages within collaborative spaces, group work materials, and assignment submissions where visibility is required by the course setup).
Instructors and participants must use such information solely for academic interaction and must not repurpose it for unrelated or commercial uses.
During live online sessions, if you activate your camera and/or microphone or share your screen, your image, voice, and shared content will be visible to the instructor and to other participants in that session. You may keep your camera and microphone disabled, subject to course requirements communicated by the instructor. If a session is recorded, we will inform you in advance and the recording will be used only for academic purposes and retained in accordance with this Privacy Policy (or applicable law).
Service providers and technology partners
We may share your data with service providers necessary to deliver the Master’s program (such as the provider of the online teaching platform or cloud hosting). Notwithstanding the foregoing, such entities act as data processors, are bound by confidentiality and data processing agreements and may only process your data according to our instructions.
Public bodies
We may disclose personal data to competent public administrative, or judicial authorities when there is a legal obligation to do so, or when necessary to prevent or prosecute misuse of the platform, academic misconduct, or fraudulent activities. In such cases, the personal data will be retained and made available to the relevant authorities in compliance with applicable laws.
In the event of a corporate transaction
In the event of a merger, acquisition, restructuring or sale of all or part of its assets, or any other type of corporate transaction involving a third party, we may share, disclose, or transfer user data to the successor entity (including during the pre-transaction phase) in accordance with applicable data protection laws and subject to appropriate safeguards.
To third parties after aggregation or anonymization
We may disclose or use aggregated or anonymized data (i.e., data that cannot be linked to an identified or identifiable natural person) for any purpose.
To third parties with the user’s consent or other legitimate basis
In the event that we wish to share data with third parties outside the scope of this Privacy Policy, we will, in all cases, request your consent or inform you of the same and its legitimate basis.
Are your personal data transferred to countries outside the European Economic Area (EEA)?
Some of our service providers are located in countries outside the European Economic Area (EEA).
Using those providers involves an international transfer of your personal data. To ensure an equivalent level of protection to that guaranteed under EU law, EF CLIF applies appropriate transfer safeguards in line with the GDPR, to ensure that such transfers do not result in a lower level of protection.
In particular, where a provider is located outside the EEA, we rely on one of the following mechanisms: (i) the provider is located in a country or territory that has been declared to have an adequate level of protection by the European Commission; in the case of US companies, they may be certified under the EU-US Data Privacy Framework (DPF) adequacy decision; or (ii) we have entered into the Standard Contractual Clauses (SCCs) adopted by the European Commission, together with supplementary technical and organizational measures where necessary (e.g., encryption, access controls, and data minimization).
On this basis, the use of these providers does not result in a lower level of protection for your personal data than would be the case with providers located in the European Union.
You can consult the content of the SCCs and the EU-US Data Privacy Framework Adequacy Decision at the following links:
Standard contractual clauses for controllers and processors in the EU/EEA 
Below, we list the international transfers carry out from EF CLIF:
| Name | Country | Transfer mechanism |
|---|---|---|
| Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States |
United States | Data Privacy Framework |
What rights can you exercise as a data subject?
You may exercise the rights granted by law in relation to the processing of your personal data by contacting our DPO or us via email at gdpr@efclif.com.
Any claim we receive will be responded as soon as possible and, in any event, within 1 month of receipt. In some cases, it may be necessary to ask for a copy of your ID or other identifying document if it is necessary to verify your identity.
The rights ts available to you are:
Right to withdraw consent
You may withdraw your consent for any processing based on consent at any time. However, withdrawal of consent will not affect the lawfulness of processing based on consent prior to withdrawal.
Right of access
You have the right to know whether we process your personal data and, if so, to obtain a copy, together with information on: the origin and recipients of the data; the purposes for which they are processed; whether there is an automated decision-making process, including profiling; the period of data retention; and the rights provided by law.
Right to rectification
You may request the correction of inaccurate personal data or the completion when they are incomplete.
Right to erasure
You may request the deletion of your personal data when, among other reasons, it is no longer necessary for the purpose for which it was collected or if we are no longer authorized to process them.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured format, commonly used and and machine-readable format, and/or request that we transmit it to another controller where technically feasible.
Right to restriction of processing
You may request that we restrict processing in the following cases:
- while we verify the accuracy of data you have contested;
- when processing is no longer necessary but you need the data for the establishment, exercise, or defense of legal claims;
- when you believe we are not authorized to process your data and prefer restriction over erasure;
- when you have objected to processing based on legitimate interests, pending verification of whether our grounds override yours.
Right to object
You have the right to object at any time to the processing of your personal data based on our legitimate interest, including profiling.
You may object at any time to processing based on our legitimate interests, including profiling.
Opt-out of marketing communications
You can object to or unsubscribe from marketing at any time by emailing gdpr@efclif.com or by using the unsubscribe link included in each message. We will maintain a minimal suppression record to respect your choice.
Right to lodge a complaint with the Supervisory Authority
If you believe your data protection rights have been infringed, you may lodge a complaint with the competent authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) .
How do we guarantee the security of your information?
The security of your personal data is a priority for us. Accordingly, EF CLIF implements appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of the personal data you provide. These measures include, among others, access controls, encryption in transit and at rest (where appropriate), secure development and deployment practices, logging and monitoring, regular backups, and staff confidentiality and training. We also require our service providers to implement equivalent security safeguards.
We comply with industry-standard security practices to protect your data. However, given the inherent nature of the Internet and the risk of unlawful actions by third parties, no system can be guaranteed to be 100% secure.
If we become aware of an incident that compromises your personal data, we will act promptly and diligently to mitigate its effects and, where required by law, notify you and the competent supervisory authority without undue delay.
Changes to this privacy policy?
We may update this Privacy Policy at any time to reflect changes in legislation, case law, or guidance from data protection authorities. Where changes are material, we will provide clear notice (e.g., via the platform or by email) before they take effect. The updated version will be identified by the “Last updated” date below.
We encourage you to review this Privacy Policy periodically to stay informed about how we process and protect your personal data, as well as your rights.
Last updated: 15 October 2025.
