Personal Data Protection

Pour lire les mentions en français, cliquez ici.

Version française de notre politique de confidentialité disponible ici.

Quick Links:
I. Our commitment to data protection
II. Glossary of terms used in this policy
III. Scope of this policy
IV. Updates to this policy
V. Purposes: why do we process your personal data?
VI. Categories of personal data processed by KEDGE BS: what data do we process?
VII. Retention period for your personal data: how long do we keep your data?
VIII. Categories of recipients of your data: to whom do we disclose your data?
IX. Security of your data
X. What are your various rights to control your data?

I. Our Commitment to Data Protection

KEDGE Business School (KEDGE BS) is a multi-specialist management school, drawing on areas of expertise with high added value for all its stakeholders, and in particular for its students, graduates and partner companies.

KEDGE BS is a leading French management school present on 4 national campuses (Paris, Bordeaux, Marseille and Toulon), 4 associated campuses in France (Avignon, Bastia, Bayonne, Mont-de-Marsan) and 5 associated international campuses (2 in China in Shanghai and Suzhou, 2 in Africa in Dakar and Abidjan and 1 in India in Mumbai).

KEDGE BS attaches great importance to the protection of your personal data. We have formalised our commitments in this regard through this present policy. You will also find a reminder of the essential provisions of this Policy in the various documents and application tools we provide to you. For example, information notices on the protection of personal data are available on the Virtual Campus and on the websites published by KEDGE BS (https://kedge.edu/ or https://www.kedgebs-alumni.com/fr/diplome/), employee contracts at KEDGE BS, etc.

Through its commitments and its network of experts, KEDGE BS participates in the evolution of higher education whilst respecting your privacy and personal data.

We ensure that questions regarding the protection of personal data and security are a major concern in everything we undertake.

We are committed to providing you with transparency regarding the way we process your personal data and we endeavour to meet your requests in compliance with applicable regulations.

The personal data protection framework deployed within KEDGE BS complies with applicable regulations on personal data protection, in particular Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") and the French Data Protection Act (Loi Informatique et Libertés) of 6 January 1978.

We have implemented a data protection framework which includes in particular:

• The appointment of a Data Protection Officer specialising in this area and trained contacts. If you have any questions regarding your personal data or this policy, we invite you to contact him/her by email or by post. His/her email address is protectiondesdonnees@kedgebs.com. His/her postal address is KEDGE BUSINESS SCHOOL att: Direction Juridique - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex France.
• The adoption of internal policies and procedures aimed at ensuring compliance with regulations concerning the protection of personal data.
• The implementation of appropriate technical and organisational measures to apply data protection principles.

To further explain our commitments to personal data protection, our policy sets out in particular the purposes for which we process your data, the different types of personal data we process, the parties with whom we may share them, as well as the rights you benefit from in accordance with applicable regulations.

It should be noted that you may not be affected by all the situations covered by this policy, whose objective is to provide a comprehensive overview for all types of relationships that KEDGE BS may maintain (learners, graduates, employees, external service providers, etc.).

II. Glossary of Terms Used in This Policy

In this policy, the terms below have the following definitions:

• CNIL (Commission Nationale de l'Informatique et des Libertés): the independent administrative authority responsible in France for ensuring compliance with applicable personal data protection regulations. The CNIL publishes a website www.cnil.fr which provides precise information on the applicable legal framework.
• Data Protection Officer (DPO): the email address of KEDGE BS's DPO is protectiondesdonnees@kedgebs.com. His/her postal address is KEDGE BUSINESS SCHOOL att: Direction Juridique - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex France.
• Personal data (or personal information): any information relating to an identified or identifiable natural person; a natural person is deemed to be "identifiable" if that person can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
• Data subject or "You": the natural person to whom the personal data processed by the Controller (for example, KEDGE BS students, graduates, service providers) relates.
• Controller or "We" or "KEDGE BS": the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data. In this document, the Controller is the Groupe Kedge Business School association, a French association (loi de 1901) whose registered office is located at Domaine de Raba, 680 cours de la Libération 33405 Talence cedex – France (SIREN 514005123). KEDGE BS reception is reachable on +33 5 56 84 55 55.
• Processor: the natural or legal person, public authority, service or other body that processes personal data on behalf of the Controller.

III. Scope of This Policy

KEDGE BS collects and processes personal data to the extent that:

• such data is necessary for the performance of KEDGE BS's public interest mission, which benefits from the EESPIG label (Private Higher Education Institution of General Interest) awarded by the Ministry of Higher Education and Research; or
• such data is necessary for the performance of a contract to which you are a party; or
• such data is necessary for the performance of pre-contractual measures; or
• such data is necessary for compliance with legal obligations to which KEDGE BS is subject; or
• such data has been collected with your consent; or
• such data is collected in KEDGE BS's legitimate interest (in particular the safety of persons, premises and resources provided by the association as well as the promotion of the school).

When processing personal data requires your consent, we implement a dedicated mechanism to collect such consent in an unambiguous, specific, free and informed manner.

For each purpose described in Section V, we have endeavoured to indicate the legal basis on which we rely.

The categories of persons covered by this policy are essentially as follows, without this list being exhaustive:

• Candidates for registration in a KEDGE BS training programme
• KEDGE BS learners (whether in initial or continuing education)
• Persons who have acted as guarantors or financial sponsors for the payment of learners' tuition fees
• KEDGE BS graduates (alumni)
• Persons serving as contact points in companies from which KEDGE BS collects the apprenticeship levy
• Persons serving as contact points in companies where KEDGE BS learners undertake internships or are on work placements
• Persons offering internship and/or job offers ("recruiters") to learners and graduates
• KEDGE BS employees as well as temporary workers and trainees
• Job applicants applying to KEDGE BS
• External contributors whom KEDGE BS may call upon to provide services linked to its educational mission, such as for example the provision of teaching services, participation in competition juries, joint research, etc.
• Service providers whom KEDGE BS may call upon to provide services linked to its operations, such as for example IT providers, cleaning companies, catering companies, etc.
• Third parties who access the public part of learners' and/or graduates' profiles on websites/applications provided by KEDGE BS
• Persons who may be interested in a KEDGE BS programme or are recipients of promotional activities carried out by KEDGE BS

IV. Updates to This Policy

This policy is intended to be reviewed and updated regularly to take into account in particular the evolution of our personal data processing activities, the introduction of new tools or new regulations.

V. Purposes: Why Do We Process Your Personal Data?

In the context of KEDGE BS human resources management

Recruitment

• Management of recruitment
  Basis: Performance of pre-contractual measures
• Constitution of a CV database (job applicants)
  Basis: Our legitimate interest or your consent where required by applicable law
• Collection of criminal record extract for administrator or professor roles (collected before hire or within one month of contract signature depending on contract type)
  Basis: Compliance with legal obligations

Administrative staff management

• Administrative management of staff (for example, type of driving licence held or emergency contact details)
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Management of professional file
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Production of statistical reports or employee lists to meet administrative management needs
  Basis: Our legitimate interest
• Management of internal directories and organisational charts
  Basis: Our legitimate interest or your consent where required by applicable law (photograph)
• Management of individual allocations of supplies, equipment, payment cards, etc.
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Management of professional elections
  Basis: Compliance with legal obligations
• Management of meetings of staff representative bodies
  Basis: Compliance with legal obligations

Career management

• Professional appraisal and career interviews
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Management of internal professional skills
  Basis: Our legitimate interest
• Management of professional mobility
  Basis: Performance of pre-contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform pre-contractual measures
• Management of remote working
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Management of disciplinary interviews and sanctions
  Basis: Our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures

Remuneration management

• Payroll (establishment, budgeting, etc.)
  Basis: Compliance with legal obligations or performance of contractual measures for data that exceeds what is strictly necessary to comply with legal obligations
• Management of working time (including in particular the management of absences and leave, monitoring of rest periods…)
  Basis: Compliance with legal obligations or performance of contractual measures for data that exceeds what is strictly necessary to comply with legal obligations
• Provision of an electronic safe
  Basis: Our legitimate interest

Organisation of work and training

• Management of professional calendars
  Basis: Our legitimate interest
• Management of staff tasks and assignments
  Basis: Our legitimate interest
• Monitoring of training requests and organisation of training sessions
  Basis: Performance of pre-contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Evaluation of training and knowledge
  Basis: Our legitimate interest
• Management of personal training account
  Basis: Compliance with legal obligations

Management of social benefits

• Management of social action funded by the employer
  Basis: Our legitimate interest

Miscellaneous

• Monitoring of occupational health
  Basis: Compliance with legal obligations
• Management of accident records and sick leave, work accidents, commute accidents or occupational diseases
  Basis: Compliance with legal obligations or our legitimate interest for data that exceeds what is strictly necessary
• Management of company vehicle fleet and parking fines
  Basis: Our legitimate interest or compliance with legal obligations
• Conducting satisfaction surveys/surveys
  Basis: Our legitimate interest or your consent where required by applicable law
• Communication of information for the maintenance of accreditations issued by competent bodies
  Basis: Our legitimate interest
• Lifting of confidentiality of the listening and psychological support system in situations of "crisis"
  Basis: Our legitimate interest

In the context of KEDGE BS teaching activities

Recruitment

• Administrative management of candidates for programmes and training offered by KEDGE BS
  Basis: Performance of pre-contractual measures or exercise of our public interest mission
• Management of competitions, including competition organisation and monitoring of candidate evaluations, their admissibility and admission
  Basis: Performance of pre-contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform pre-contractual measures

Management of the educational curriculum

• Administrative management of learners (initial training, continuing education, in-company training, short-term programmes, etc.)
  Basis: Exercise of our public interest mission or our legitimate interest for data that exceeds what is strictly necessary to exercise our public interest mission
• Management of learners' training curriculum
  Basis: Exercise of our public interest mission or performance of the contract binding us for data that exceeds what is strictly necessary to exercise our public interest mission or our legitimate interest for data that exceeds what is strictly necessary to perform our contractual relationships
• Monitoring of registrations, attendance, periods of leave and absences from training programmes
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Management of graduation
  Basis: Exercise of our public interest mission
• Management of remote examinations
  Basis: Exercise of our public interest mission
• Management of examinations, evaluations and learner grades
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Online dissemination of content created by persons concerned
  Basis: Your consent or our legitimate interest
• Management of learner internships
  Basis: Performance of contractual measures
• Management of work placements (apprenticeships/professional development contracts)
  Basis: Performance of contractual measures
• Administrative management of natural or legal persons where KEDGE BS learners undertake internships or are on work placements
  Basis: Our legitimate interest
• Monitoring of internship and work placement offers posted on KEDGE BS partner platforms (access to CVs)
  Basis: Our legitimate interest
• Management and monitoring of faculty assignments and timetable management
  Basis: Our legitimate interest
• Management of learners' specific needs (in particular during examinations and evaluations)
  Basis: Our legitimate interest or your consent where required by applicable law
• Management of disputes and disciplinary sanctions
  Basis: Our legitimate interest
• Organisation and management of training undertaken at foreign educational institutions, partners of KEDGE BS
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Evaluation of teaching, self-evaluation and peer evaluation
  Basis: Our legitimate interest

Management of partnerships with partner universities and KEDGE BS's foreign campuses

• Management of partnerships
  Basis: Our legitimate interest
• Management of registrations and selection of candidates for incoming and outgoing students
  Basis: Performance of pre-contractual or contractual measures
• Management of evaluations and graduation
  Basis: Performance of pre-contractual or contractual measures or our legitimate interest for data that exceeds what is strictly necessary to exercise our public interest mission

Specific schemes

• Management and monitoring of the WELLNESS scheme
  Basis: Our legitimate interest or your consent where required by applicable law
• Management and monitoring of mentoring
  Basis: Our legitimate interest
• Management and monitoring of tutoring
  Basis: Our legitimate interest
• Selection for the Pro-Act Entrepreneurs scheme
  Basis: Performance of pre-contractual measures or our legitimate interest
• Management and monitoring of the Action Project scheme
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Selection for the Business Nursery scheme
  Basis: Performance of pre-contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform pre-contractual measures
• Management and monitoring of the Business Nursery scheme
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures or our legitimate interest
• Selection for the Business Accelerator scheme
  Basis: Performance of pre-contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform pre-contractual measures
• Management and monitoring of the Business Accelerator scheme
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures

Implementation of the sexual harassment prevention scheme

Basis: Our legitimate interest

• Management of eloquence competitions (such as for example literary chronicle competitions, eloquence competitions, etc.)
  Basis: Performance of contractual measures

Management and monitoring of the Entrepreneurial School

Basis: Our legitimate interest or exercise of a public interest mission

• Management of the Be-U scheme and their presentation
  Basis: Our legitimate interest
• Management of directories
  Basis: Our legitimate interest or your consent
• Management of category B driving licence support for apprentices
  Basis: Performance of contractual measures

Management of social schemes (grants, etc.)

• Attribution of social schemes (grants and aid offered by competent administrative bodies or by KEDGE BS)
  Basis: Performance of pre-contractual measures
• Management and monitoring of social schemes awarded
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures
• Monitoring of regional social funds intended for apprentices
  Basis: Our legitimate interest

Management of graduates

• Administrative management of graduates
  Basis: Compliance with legal obligations or our legitimate interest for data that exceeds what is strictly necessary to comply with legal obligations
• Connecting graduates and learners for the purposes of finding internships or employment
  Basis: Our legitimate interest
• Management of donations and contributions
  Basis: Our legitimate interest
• Animation of the graduate network
  Basis: Our legitimate interest
• Constitution and management of directories
  Basis: Our legitimate interest or your consent
• Monitoring of participation in events and services offered to the Graduate Network
  Basis: Performance of contractual measures or our legitimate interest or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures

Management of research and publications and chairs

• Management of research and publications, including the recording and monitoring of research work and publications as well as research valorisation
  Basis: Exercise of our public interest mission or performance of the contract binding us for data that exceeds what is strictly necessary to exercise our public interest mission or our legitimate interest for data that exceeds what is strictly necessary to perform our contractual relationships
• Management and monitoring of chairs
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to perform contractual measures

Promotion of KEDGE BS and improvement of its services

• Promotion of the school (for example, the dissemination of directories, videos)
  Basis: Our legitimate interest or your consent where required by applicable law
• Management of image rights
  Basis: Your consent
• Conducting prospecting activities towards persons concerned
  Basis: Our legitimate interest or your consent where required by applicable law
• Gathering of preferences for the purposes of building commercial offers
  Basis: Our legitimate interest or performance of pre-contractual measures
• Management of internet navigation data (cookies from websites published by KEDGE BS)
  Basis: Your consent
• Conducting satisfaction surveys and questionnaires
  Basis: Our legitimate interest or your consent where required by applicable law
• Management of accreditations/certifications, surveys and audits relating to them
  Basis: Your consent, compliance with a legal obligation or our legitimate interest

Miscellaneous

• Fulfilment by KEDGE BUSINESS SCHOOL of its reporting and information obligations to administrative authorities (in particular its accounting and tax obligations)
  Basis: Compliance with legal obligations
• Conducting satisfaction surveys/questionnaires and polls (on student living conditions, by France Compétences, etc.)
  Basis: Compliance with legal obligations or our legitimate interest depending on the survey
• Management of international events and seminars
  Basis: Our legitimate interest
• Management of room and company car bookings
  Basis: Our legitimate interest

In the context of KEDGE BS operations

Security

• Management of security and logistics, in particular the management of badges and KEDGE BS resources (classrooms, meeting rooms, projection equipment, etc.)
  Basis: Our legitimate interest
• Security of premises and persons, in particular through video surveillance
  Basis: Our legitimate interest
• Control of access to premises by badge
  Basis: Our legitimate interest
• KEDGE BS Safety scheme and management of major incidents during international mobility of learners
  Basis: Our legitimate interest or your consent in the event of processing sensitive data

Management of KEDGE BS IT resources

• Monitoring and maintenance of IT equipment park, ticket management (support) and remote control of workstations
  Basis: Our legitimate interest
• Management of authorisations and management of access to applications and networks
  Basis: Our legitimate interest
• Monitoring of the use of resources provided by KEDGE BS
  Basis: Our legitimate interest
• Management of electronic messaging and collaborative tools (such as Teams)
  Basis: Our legitimate interest or your consent for recording meetings
• Management of access to websites/applications operated by KEDGE BS and management of IT backups and technical maintenance
  Basis: Our legitimate interest
• Management of access to the electronic library
  Basis: Our legitimate interest
• Management of the Intranet and Extranet
  Basis: Our legitimate interest
• Production of statistical reports
  Basis: Our legitimate interest
• Use of electronic signatures and dematerialisation of documents
  Basis: Our legitimate interest

Apprenticeship levy

• Monitoring and management of the collection of the apprenticeship levy
  Basis: Our legitimate interest
• Administrative management of natural or legal persons from which KEDGE BS collects the apprenticeship levy
  Basis: Our legitimate interest

Miscellaneous

• Fulfilment by KEDGE BS of its reporting and information obligations to administrative authorities (in particular its accounting and tax obligations)
  Basis: Compliance with legal obligations
• Communication on cancellation of teaching
  Basis: Our legitimate interest
• Geolocation in the event of a crisis situation
  Basis: Your consent
• Management of requests to exercise GDPR rights
  Basis: Compliance with legal obligations
• Monitoring of first aid interventions
  Basis: Our legitimate interest
• Management of KEDGE BS association governance
  Basis: Compliance with legal requirements
• Management of legal secretariat and delegation of powers
  Basis: Our legitimate interest

Management of contracts

• Management of contracts concluded with persons concerned, including the management and monitoring of billing and payments and any disputes
  Basis: Performance of contractual measures or our legitimate interest for data that exceeds what is strictly necessary to exercise our public interest mission
• Management and monitoring of guarantee agreements entered into on behalf of KEDGE BS
  Basis: Performance of contractual measures
• Evaluation of third parties and compliance with due diligence obligations
  Basis: Compliance with legal obligations
• Management and processing of alerts and reports
  Basis: Compliance with legal obligations or our legitimate interest
• Evaluation of external contributors'/service providers' performance
  Basis: Our legitimate interest

VI. Categories of Personal Data Processed by KEDGE BS: What Data Do We Process?

KEDGE BS's compliance with GDPR principles

The GDPR and the Data Protection Act provide that data must be:

• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (principle of data minimisation);
• Accurate and, where necessary, kept up to date.

Sources: From whom do we collect your data?

The bulk of data is collected by KEDGE BS directly from the persons concerned. However, your data may have been transmitted to it by third parties, including:

• Recruitment specialists and competition organisation partners regarding data of candidates for programmes and training offered by KEDGE BS;
• Foreign educational institutions regarding data of learners following programmes/curricula involving such institutions;
• Partners specialising in processing data made public by persons concerned and from social networks;
• Partners specialising in recruitment of job candidates (headhunters) regarding data of job candidates;
• KEDGE BS employees (co-optation) regarding data of job candidates;
• Partners specialising in temporary work regarding temporary workers;
• Any user of the sexual harassment prevention scheme who would issue an alert against you;
• Partners specialising in transparency and anti-corruption matters regarding service providers/external contributors.
• Colleagues or partners responsible for assessing the skills of persons concerned (teachers, juries, line managers, etc.).

What categories of personal data do we process?

The categories of data processed vary depending on the purposes for which they are processed. When your data is collected by KEDGE BS via a questionnaire/form, we take care to indicate with an asterisk the information collected that is essential ("mandatory") and without which we may not be able to provide the service concerned.

In general, the data processed by KEDGE BS are as follows:

Candidates for programmes and training offered by KEDGE BS

• Name and identification data
• Postal, telephone and electronic contact details
• Nationality
• Billing and payment data
• Qualifications obtained and recognition of prior learning
• Languages spoken
• Training/programme preferences within KEDGE BS
• Specific needs (in particular during competitions and evaluations)
• Positions held and employer contact details

Learners

• Name and identification data
• Postal, telephone and electronic contact details
• Nationality
• Billing and payment data (including the existence of guarantees)
• Qualifications obtained, validated credits and recognition of prior learning
• Languages spoken
• Positions held and employer contact details (for professional training)
• Personal data relating to training undertaken within KEDGE BS: timetables, curricula followed, marking sheets and transcripts, examination records, attendance sheets, absences, dissertations, etc.
• Data relating to internships undertaken (dates, duration, company contact details, etc.)
• Data relating to work placements (dates, duration, company contact details, remuneration elements, etc.)
• Social difficulties in the context of the award of scholarships
• Grant applications or other assistance scheme applications
• Learners' specific needs (in particular during examinations and evaluations)
• Identification and login details for IT resources provided by KEDGE BS
• Results of non-anonymous surveys and questionnaires, testimonies
• Functions within student associations intervening in connection with KEDGE BS
• Your participation in KEDGE BS schemes (Business Nursery, Business Accelerator, etc.) and partnership programmes with foreign universities
• Disciplinary sanctions
• Facts reported in the context of the sexual harassment prevention scheme
• Participation in events
• Financial data

Guarantors of learners and financial sponsors

• Name and identification data
• Postal and telephone contact details
• Relationship with the guaranteed party/candidate
• Billing and payment data (bank account details, bank department) in the event of payment by direct debit
• Guarantor information sheet (family situation, marital regime, employment situation, owner/tenant, place of work address, rental amount, income, number of dependent children)
• Spouse information sheet (in the event of marriage under the community regime)

KEDGE BS graduates (alumni)

• Name and identification data
• Postal, telephone and electronic contact details
• Personal and professional situation
• Payment data for contributions and donations
• Qualifications obtained from KEDGE BS
• Academic career
• Groups the person has joined within the alumni network
• Your CV
• Identification and login details for the Kedge Alumni website
• Results of non-anonymous surveys and questionnaires
• Your participation in alumni network events
• Your participation in KEDGE BS schemes (Business Accelerator, Pro-Act Entrepreneurs, Entrepreneurial School, etc.)
• Data relating to further studies (name and country of institution) and certifications obtained

Persons serving as contact points in companies from which KEDGE BS collects the apprenticeship levy

• Name and identification data
• Postal, telephone and electronic contact details
• Functions and company contact details

Persons serving as contact points in companies where KEDGE BS learners undertake internships or work placements

• Name and identification data
• Postal, telephone and electronic contact details
• Functions and company contact details
• Data relating to the internship or work placement (dates, duration, company contact details, remuneration elements, etc.)

Persons offering internship and/or job offers ("recruiters") to learners and graduates

• Name and identification data
• Postal, telephone and electronic contact details
• Functions and company contact details

KEDGE BS employees, temporary workers and trainees

• Name and identification data
• Family situation
• Postal, telephone and electronic contact details
• Social security number
• Bank account details
• Remuneration elements and payslips
• Elements relating to work authorisation (foreign workers outside the EU and minor workers)
• Employee health data within the strict framework of occupational health, social security and social protection: medical fitness certificates issued by occupational health, work stoppages, work accident declarations, etc.
• Family situation and detailed household composition, in particular within the framework of the company's mandatory health insurance
• Mandates (for elected representatives to staff representation bodies)
• Identification and login details for IT resources provided by KEDGE BS
• Annual or multi-annual interview forms
• Appraisals
• Disciplinary sanctions
• Teaching assignments, timetables, teaching provided
• Research and publication work
• Marking sheets and transcripts of learners, examination/evaluation records for learners
• Facts reported in the context of the sexual harassment prevention scheme
• Results of non-anonymous surveys and questionnaires, testimonies
• Data relating to remote working (locations, wishes expressed, remote working agreement, etc.)
• CV, professional career and training

Job applicants

• Name and identification data
• Postal, telephone and electronic contact details
• Nationality
• University education
• Positions held
• Professional references
• Qualifications
• Languages spoken
• Job preferences within KEDGE BS

External contributors whom KEDGE BS may call upon to provide services linked to its educational mission, such as teaching services, participation in competition juries, joint research, etc.

• Name and identification data
• Postal, telephone and electronic contact details
• Billing and payment data
• Qualifications, accreditations and languages spoken
• Identification and login details for IT resources provided by KEDGE BS
• Evaluation elements
• Teaching assignments, timetables, teaching provided
• Marking sheets and transcripts of learners, examination/evaluation records for learners
• Research and publication work carried out in connection with KEDGE BS
• Facts reported in the context of the sexual harassment prevention scheme
• Results of non-anonymous surveys and questionnaires, testimonies
• Financial data

Service providers whom KEDGE BS may call upon to provide services linked to its operations, such as IT providers, cleaning companies, catering companies, etc.

• Name and identification data
• Postal, telephone and electronic contact details
• Billing and payment data
• Languages spoken
• Identification and login details for IT resources provided by KEDGE BS
• Evaluation elements within the framework of KEDGE BS's regulatory obligations
• Facts reported in the context of the sexual harassment prevention scheme
• Results of non-anonymous surveys and questionnaires, testimonies

VII. Retention Period for Your Personal Data: How Long Do We Keep Your Data?

Data is retained for the period necessary to fulfil KEDGE BS's legal and contractual obligations.

It should be noted that anonymised data falls outside the scope of personal data protection regulations and may be retained indefinitely. This is the case for example of statistical data such as it cannot be linked to natural persons.

Retention periods for human resources management

Generally, data is retained for the duration of employment plus 5 years. For further precision, we invite you to consult our dedicated Charter.

Recruitment

Candidate information (e.g. CV)
Retention period: duration of examination of the application or 2 years

Security

Data relating to access to premises (badge, parking, etc.)
Retention period: 3 months
Starting point: Recording

Logs of connections to IT equipment for employees
Retention period: between 6 and 12 months
Starting point: Recording
Basis: CNIL doctrine

Video surveillance
Retention period: 1 month
Starting point: Recording

Whistleblowing scheme (sexual harassment)

Data concerning an alert
We invite you to consult the dedicated procedure.

Retention periods relating to KEDGE BS's activities

Generally, data is retained in accordance with Circular No. 2005-003 of 22 February 2005 from the Minister of National Education, Higher Education and Research. A copy of this circular is accessible at https://www.education.gouv.fr/bo/2005/24/MENA0501142J.htm

• Data relating to learners' administrative and educational file is retained for 10 years
• Teaching schedules and timetables are retained for one academic year
• Examination/evaluation papers are retained for one year after publication of results, except where there is a dispute
• Marking sheets and transcripts are retained for one year
• Room booking schedules are retained for one academic year
• Trainee reports are retained for one year after the end of the learner's education
• Examination attendance sheets are retained for five years
• Thesis defence records (pre-assessment reports from professors, lists of jury members, etc.) are retained for 5 years
• Examination records are retained for 50 years
• Registers of persons admitted to examinations and thesis defence registers are retained for 50 years
• Unsuccessful scholarship applications are retained for 2 years
• Scholarship award notices are retained for 5 years
• Contract management data is retained for the entire duration of the contract plus 5 years
• Data relating to non-payment is retained until amicable settlement of the dispute or, failing that, until prescription of legal action
• Invoices are retained for 10 years
• Data relating to guarantees is retained for the duration of the contractual relationship plus the limitation period

VIII. Categories of Recipients of Your Data: To Whom Do We Disclose Your Data?

Within KEDGE BS

• Services in charge of Programmes and academic and educational management
• Services in charge of learner admissions
• Services in charge of finance and procurement
• Staff members involved in the implementation of various existing schemes (Wellness, etc.)
• Services in charge of graduate and business relations
• Human resources services
• KEDGE BS information systems services
• Persons responsible for security of premises and reception within KEDGE BS
• Other KEDGE BS employees within the framework of directories and organisational charts
• Management personnel authorised to access or line managers of KEDGE BS employees
• Persons involved in the recruitment process who may access a candidate's information
• Staff representative bodies in the exercise of their duties
• The service responsible for monitoring compliance with internal procedures
• Members of KEDGE BS governance
• The CFA service
• Members of juries (staff or external) for examinations, competitions, etc.
• Kedge Online
• The SAO
• The Student Office
• The employed psychologists of KBS
• The General Secretariat

Externally

Personal data may be transmitted by KEDGE BS to the following entities:

• The Kedge BS Alumni association, whose purpose is to bring together a structured network of graduates who have studied in one of KEDGE BS's programmes
• Foreign educational institutions which are KEDGE BS partners and where the persons concerned undertake training
• KEDGE BS educational institutions in China and Senegal within the framework of inter-campus relations and exchanges
• External service providers responsible for teaching and/or educational missions
• The Fondation de France for scholarships awarded via the KEDGE BS Foundation
• Competent Regions for local social schemes
• KEDGE BS's partners for contract management needs: organisations for the recovery of non-payment, the catering service concessionaire at KEDGE BS premises, printing companies, mailing companies, student card printing, etc.
• KEDGE BS's partners for the needs of KEDGE BS's academic accreditations management
• RTM for schemes for reducing the cost of subscriptions to Marseille urban transport
• KEDGE BS's technical and IT subcontractors, in particular those responsible for maintenance and hosting of SaaS platforms used by KEDGE BS in the context of the schemes it deploys
• The electronic signature service provider
• Organisations specialising in conducting surveys and statistics (in particular for rankings of educational institutions)
• Partners responsible for security and access to KEDGE BS's premises
• To the Regional Education Authority (Rectorat) and, in general, to any institution under the supervision of the Ministry of National Education (such as for example the Centre for Studies and Research on Qualifications)
• To the European Commission for the management of grants awarded within the framework of the Erasmus programme and more generally to competent bodies for managing grants offered by authorities (CROUS, CNOUS, etc.)
• To other learners and graduates within the framework of their curriculum and directories of persons who have undertaken training at KEDGE BS and connection actions
• To KEDGE BS's partners who manage student associations, clubs and other schemes under KEDGE BS's patronage (Business Accelerator, etc.)
• To recruiters who have chosen to pay for access to the KEDGE Alumni database for recruitment purposes
• To provident organisations, health insurance and collective savings bodies for the purpose of affiliating KEDGE BS employees
• To administrations informed of the hiring of KEDGE BS employees (for example: unemployment insurance, sickness insurance, pension, health insurance...)
• To the various subsidiaries of KEDGE BS
• To KEDGE BS's partners for work relationship needs: certification bodies and auditors, statutory auditors, lawyers, etc.
• To KEDGE BS's partners responsible for occupational health
• To partners involved in the organisation of events held by KEDGE BS (gala evenings, etc.)
• To KEDGE BS's partners who manage calls received within the framework of the KEDGE BS Safety scheme

To Authorised Third Parties and Administrations

Where KEDGE BS must meet its legal obligations or upon the request of any judicial or administrative entity with authority.

Outside the European Union

Controllers may transfer data outside the European Union (EU) and the European Economic Area (EEA) provided they ensure an adequate and appropriate level of data protection. They must frame these transfers using the various legal tools defined in the GDPR and the Data Protection Act.

In the event that the data of persons concerned were transferred outside the European Union or the European Economic Area, KEDGE BS will ensure that:

• Personal data is transferred to countries recognised by the European Commission as offering an adequate level of protection (such as for example Argentina, Japan or New Zealand); or
• Personal data is transferred to entities certified under the Privacy Shield. The list of entities from the United States of America or Switzerland that have subscribed to the Privacy Shield is accessible at https://www.privacyshield.gov; or
• Recourse is made to one of the mechanisms ensuring appropriate safeguards as provided for by applicable regulations, and in particular the adoption of standard contractual clauses drawn up by the European Commission.

In practice, the bulk of personal data transfers outside the European Union and the European Economic Area concern either foreign educational institutions where the persons concerned undertake training, or KEDGE BS campuses in China and Senegal, or companies where the persons concerned undertake internships.

You can contact the Data Protection Officer of KEDGE BS to obtain further information on these matters as well as a copy of the relevant documents.

IX. Security of Your Data

We attach great importance to protecting your personal data and take all reasonable precautions to this end. We require trusted third parties who manage your personal data on our behalf to do the same, and this through contractual arrangements.

We constantly do everything possible to protect your personal data. Upon receipt of your data, we apply strict security procedures and measures to prevent any alteration, disclosure or unauthorised access.

We define and implement physical, organisational, technical and software security measures taking into account the nature of the data and the risks presented by the processing in question in order to ensure an appropriate level of security.

The measures we deploy are in particular articulated around the following elements:

• User awareness through the implementation of an IT Charter
• Authentication of users via identification and passwords
• Access authorisation registers which underpin an access control policy
• Installation of firewalls and regularly updated anti-virus software
• Security of access to IT servers
• Supervision of IT maintenance operations
• Contracting with sub-processors offering guarantees
• Etc.

X. What Are Your Various Rights to Control Your Data?

The GDPR and the Data Protection Act strengthen the rights of persons concerned. We have endeavoured to provide a synthetic presentation of your rights before reminding you of the means of exercising them.

All these rights are exercised in the conditions and any limitations provided by applicable regulations.

The right of access

You have the right to access the personal data we hold about you. This communication must take place in an understandable format.

The right to rectification

You have the right to require that your personal data be rectified if it is inaccurate or incomplete.

The right to erasure/right to be forgotten

You have the right to obtain the erasure, within the shortest possible time, of personal data concerning you.

You have the right to request the erasure of your data for the reasons provided by applicable regulations and in particular when:

• Data is no longer necessary in relation to the purposes for which it was collected or processed;
• You have withdrawn the consent on which the processing is based, and there is no other legal basis for the processing;
• You object to the processing and there is no overriding legitimate reason for the processing;
• You consider that your data has been processed unlawfully;
• Your data must be erased to comply with a legal obligation.

The right to object (general)

You have the right to object, at any time, for reasons relating to your particular situation, to the processing of personal data concerning you based on legitimate interest.

We will no longer process this personal data, unless there are compelling legitimate reasons for the processing which override your interests and rights and freedoms, or for the establishment, exercise or defence of legal claims.

The right to object to direct marketing

Where personal data is processed or used for the purposes of direct marketing, in an advertising, commercial or promotional context, you have the right to object at any time to the processing of such data without having to justify your reason.

Therefore, you will find an unsubscribe link at the bottom of each of our newsletters.

The right to withdraw consent at any time

You may withdraw your consent to the processing of your data if that processing is based on consent.

The right to restrict processing

You have the right to ask us to temporarily freeze the use of some of your data. This right means that we may retain this data, but not use or process it.

This right applies in particular circumstances provided by the GDPR:

• You dispute the accuracy of data concerning you (and we proceed with verification steps);
• You consider that the processing is unlawful and you object to the erasure of your data;
• The data concerned is still necessary to you for the establishment, exercise or defence of legal claims although we no longer need it;
• You have exercised your right to object and we are verifying whether overriding legitimate reasons prevail over your rights.

The right to data portability

You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used and machine-readable format, and to transmit such data to another organisation without us being able to prevent this, when:

• The processing is based on consent or on the performance of contractual measures;
• The processing is carried out using automated means.

The right to issue post-mortem directives

You have the right to issue specific directives concerning the retention, erasure and communication of your personal data after death.

The right to lodge a complaint with a supervisory authority

You have the right to submit and lodge a complaint with the data protection authority of your country to challenge KEDGE BS's practices regarding the protection of personal data and respect for privacy. You will find under this link information on the procedure for contacting the CNIL. https://www.cnil.fr/fr/agir

How to exercise your rights?

The aforementioned rights may be exercised:

• By email to: protectiondesdonnees@kedgebs.com

or

• By post to: KEDGE BUSINESS SCHOOL att: Direction Juridique, Risque et Conformité - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex France

If the request made is admissible, KEDGE BS will respond within one month of receipt of the complete request, and will provide the information requested or implement the rights invoked within the aforementioned period.

If, in view of the complexity of the request or the number of requests received, the aforementioned period cannot be met, KEDGE BS will inform you, before the expiry thereof, of an extension of a maximum of two months of its decision.

If KEDGE BS has reasonable doubts about your identity, we may ask you to attach any document enabling you to prove your identity, for example to prevent identity fraud.

Furthermore, and as indicated previously, each person concerned has, in any event, the right, if they consider they have been harmed, to lodge a complaint with the Supervisory Authority. In France, for further information, you can consult the "Need help?" section of the CNIL website (www.cnil.fr) or call the legal helpline on +33 1 53 73 22 22.