Student Executive
You are looking for an under or graduate programme ?
You are an executive and want to achieve more in your career ?

Personal Data Protection

I.    Our commitment to data protection 

KEDGE Business School (KEDGE BS) is a multi-specialist management school, drawing on expertise with high added value for all of its stakeholders, particularly students, alumni and partner companies. Our model French school is present on four campuses in France (Paris, Bordeaux, Marseille and Toulon), two in China (Shanghai and Suzhou) and one in Senegal (Dakar). 

KEDGE BS attaches great importance to the protection of your personal data. We have formalised our commitments in this regard in this policy. You may also have a reminder of the essential terms of this Policy in the various application documents or tools that we provide to you. For example, personal data protection notices are available on the Virtual Campus and on websites published by KEDGE BS (https://kedge.edu/ or  https://www.kedgebs-alumni.com/fr/diplome/ ), the employment contracts of KEDGE BS employees, etc.  

Through its commitments and its network of experts, KEDGE BS participates in the development of higher education while respecting your privacy and personal data. 
We ensure that personal data protection and security issues are a key consideration in everything we do.

We are committed to ensuring transparency in how we process your personal data and we strive to meet your demands in terms of regulatory compliance.

The personal data protection system deployed at KEDGE BS complies with applicable regulations on the protection of personal data, and in particular European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the French Data Protection Act of 6 January 1978, as amended several times. 

We have put in place a data protection system, which incorporates the strict principles laid down by the GDPR and the French Data Protection Act. This system includes, in particular:

  • The appointment of a Data Protection Officer specialised in this area and trained intermediaries. If you have any questions about your personal data or this policy, we invite you to contact him by email or post. His email address is dpo@kedgebs.com . His postal address is Cabinet DPO-Avocats - DPO de l’Association KEDGE Business School - 11, rue Théodule Ribot - 75017 Paris.
  • The adoption of internal policies and procedures to ensure compliance with personal data protection regulations;
  • Implementing appropriate technical and organisational measures to apply data protection principles.

In order to further outline our commitments to the protection of personal data, our policy covers the purposes for which we process your data, the different types of personal data we process, the actors with whom we can share them, how we keep them secure, and your rights under the regulations. 

It should be noted that you may not be affected by all the scenarios referred to in this policy. Its purpose is to provide a comprehensive overview for all types of relationships that KEDGE BS might have (such as learners, graduates, employees, external service providers, etc.). 

II.    Glossary of terms used in this policy 

In this policy, the following terms are defined as follows:

-    CNIL (French National Data Protection Commission): an independent administrative authority responsible for compliance with the applicable personal data protection regulations in France. The CNIL has a website www.cnil.fr, which provides specific information on the applicable legal framework.

-    Data Protection Officer (DPO): the email address of the DPO of KEDGE BS is dpo@kedgebs.com. His postal address is Cabinet DPO-Avocats - DPO de l’Association KEDGE Business School - 11, rue Théodule Ribot - 75017 Paris.

-    Personal data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

-    Data Protection Act: French Act No. 78-17 on information technology, files and freedoms of 6 January 1978, as amended several times.

-    Data subject or “You”: the natural person to whom the personal data processed by the Controller relate (e.g. students, graduates and service providers of KEDGE BS).

-    Controller or “We” or “KEDGE BS”: the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this document, the Controller means the KEDGE Business School Group, a non-profit organisation under the French Association Act of 1901, whose registered office is located at Domaine de Raba, 680 cours de la Libération 33405 Talence cedex – France (SIREN 514005123). The KEDGE BS reception desk can be contacted on 05 56 84 55 55.

-    GDPR: European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

-    Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. 

-    Processing of personal data: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

III. Scope of this policy 

KEDGE BS is required to collect and process personal data to the extent that:
-    these data are necessary for the performance of the public interest mission of KEDGE BS, which holds EESPIG (Private Higher Education Institution of General Interest) accreditation granted by the French Ministry of Higher Education and Research, or
-    such data are necessary for the performance of a contract to which the data subject is party, or
-    these data are necessary in order to implement pre-contractual measures, or
-    these data are necessary for compliance with the regulatory obligations to which KEDGE BS is subject, or
-    there data were collected with the consent of the data subject, or 
-    these data are collected in the legitimate interest of KEDGE BS (including the safety of persons, the premises and the resources made available by the association, and the promotion of the school).

When the processing of personal data is based on your consent, we implement a dedicated system to collect this consent where it is considered to have been given freely and in an unambiguous, specific, and informed manner.

For each purpose described in Chapter V, we have endeavoured to indicate the legal basis on which we rely. 

This policy covers the processing of your personal data, whether this is done by computer or on paper.

The following categories of persons are covered by this policy: 

-    applicants for a KEDGE BS training programme, 
-    KEDGE BS learners (whether in initial training or continuing education),
-    persons who have provided security for the payment of the tuition fees of learners, 
-    KEDGE BS graduates (alumni), 
-    persons serving as contact points in companies from which KEDGE BS collects apprenticeship tax,
-    persons serving as contact points in companies where KEDGE BS learners carry out an internship or are on work-study programmes,
-    persons offering internships and/or jobs (“recruiters”) to learners and graduates,
-    KEDGE BS employees, as well as temporary workers and trainees,
-    job candidates applying to KEDGE BS,
-    external stakeholders who KEDGE BS may use in order to perform services related to the teaching mission of KEDGE BS, such as the provision of teaching services, participation in competition panels, joint research work, etc. 
-    service providers that KEDGE BS may use in order to perform services related to its operation, including IT service providers, cleaning and catering companies, etc.
-    third parties who access the public part of the profiles of learners and/or graduates on the websites/applications made available by KEDGE BS. 

IV. Update of this policy 

This policy is intended to be reviewed and updated regularly to take into account developments in our personal data processing, the introduction of new tools or new regulations. 

For the sake of transparency, we endeavour to provide you with regularly updated information, both within the framework of this policy and as part of the information we send to you in various documents available in paper format, on the Extranet, on the intranet or in the application tools we provide to you.

V. Purposes: why do we process your personal data?

In order to enhance the readability of this policy, we set out the various forms of processing in table format, broken down into the following areas: 
1.    Purposes within the framework of human resources management at KEDGE BS
2.    Purposes within the framework of the teaching activities of KEDGE BS 
3.    Purposes within the framework of running KEDGE BS

V.1.  Purposes within the framework of human resources management at KEDGE BS 

Recruitment    

Recruitment management     
Legal basis: Implementation of pre-contractual measures 

Creation of a CV library
Legal basis: Our legitimate interest or consent if required by regulation

Administrative management of staff

Administrative management of staff (for example, type of driving licence held or contact details of people to be informed in the event of an emergency)    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of professional records    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Preparation of statistical reports or lists of employees to meet administrative management needs     
Legal basis: Our legitimate interest

Management of internal directories and organisational charts     
Legal basis: Our legitimate interest or consent if required by regulation (photographs)

Management of individual allocation of supplies, equipment, payment cards, etc.     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of staff elections    
Legal basis: Compliance with regulatory obligations

Management of meetings of staff representative bodies     
Legal basis: Compliance with regulatory obligations 

Career management     

Professional evaluation     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of internal professional skills     
Legal basis: Our legitimate interest

Management of professional mobility     
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Teleworking management    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Disciplinary sanctions    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Payroll management   

Payroll, especially management of salary slips, expenses, accounts, monthly statements (DSN) or any related statements   Legal basis: Compliance with regulatory obligations or implementation of contractual measures for data beyond what is strictly necessary for the fulfilment of regulatory obligations

Management of working hours (including management of absences and leave, monitoring of rest hours etc.)      
Legal basis: Compliance with regulatory obligations or implementation of contractual measures for data beyond what is strictly necessary for the fulfilment of regulatory obligations

Organisation of work and training    

Management of work schedules     
Legal basis: Our legitimate interest

Management of staff tasks and assignments    
Legal basis: Our legitimate interest

Follow-up of training requests and organisation of training sessions     
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Assessment of training and skills     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of the personal training account     
Legal basis: Compliance with regulatory obligations 

Management of social assistance  

Management of social action taken by the employer     
Legal basis: Our legitimate interest

Other 

Occupational health reporting    
Legal basis: Compliance with regulatory obligations

Management of accidents and sick leave, workplace or commuting accidents or occupational diseases     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Conducting of satisfaction surveys/specific polls     
Legal basis: Our legitimate interest or consent if required by regulation

V.2.  Purposes within the framework of the teaching activities of KEDGE BS 

Recruitment    

Administrative management of candidates on the courses and training provided by KEDGE BS 
Legal basis: Implementation of pre-contractual measures 

Management of competitive examinations, in particular their organisation and the monitoring of candidates’ assessments, their eligibility and their admission     
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of the teaching curriculum

Administrative management of learners (e.g. initial training, continuing education, in-company training, short-term programme, etc.)     
Legal basis: Fulfilling our public interest mission or our legitimate interest for data that exceed what is strictly necessary for the fulfilment of our public interest mission

The management of students’ course curriculum     
Legal basis: Fulfilling our public interest mission or the performance of the contract between us for data which would exceed what is strictly necessary for the performance of our public interest mission or our legitimate interest in data beyond what is strictly necessary for the performance of our contractual relationship

Monitoring enrolments, attendance and absences for training programmes    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of students’ exams and assessments    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of students’ internships    
Legal basis: Implementation of contractual measures

Management of work-study programmes (apprenticeships/vocational training contracts)    
Legal basis: Implementation of contractual measures

Administrative management of natural or legal persons with which KEDGE BS students carry out an internship or a work-study programme    
Legal basis: Our legitimate interest 

Management and monitoring of teaching staff assignments 
Legal basis: Our legitimate interest

Management of students’ specific needs (particularly during exam and assessment periods)
Legal basis: Our legitimate interest or consent if required by regulation

Management of disciplinary action handed down by KEDGE BS disciplinary bodies      
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Organisation and monitoring of training courses followed with foreign education institutions, partners of KEDGE BS   
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Specific systems

Management and monitoring of the WELLNESS system    
Legal basis: Our legitimate interest or consent if required by regulation 

Management and monitoring of mentoring     
Legal basis: Our legitimate interest

Management and monitoring of tutoring    
Legal basis: Our legitimate interest

Selection for the Pro-Act Entrepreneurs system    
Legal basis: The implementation of pre-contractual measures or our legitimate interest    

Management and monitoring of the Pro-Act Entrepreneurs system
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Selection for the Business Nursery system    
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of pre-contractual measures

Management and monitoring of the Business Nursery system    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Selection for Business Accelerator system     
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of pre-contractual measures

Management and monitoring of the Business Accelerator system     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Implementation of the mechanism for combating sexual harassment 
Legal basis: Our legitimate interest 

Contract management    

Management of contracts concluded with the data subjects, including the management and monitoring of billing, payments and potential disputes    
Legal basis: Implementation of contractual measures

Management and monitoring of guarantee agreements taken out for the benefit of KEDGE BS     
Legal basis: Implementation of contractual measures

Management of social welfare (payments, etc.)    

Allocation of social welfare     
Legal basis: Implementation of pre-contractual measures 

Management and monitoring of social welfare allocated    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of graduates    

Administrative management of graduates    
Legal basis: Compliance with regulatory obligations or our legitimate interest for data beyond what is strictly necessary for compliance with regulatory obligations

Connecting graduates and students for the purposes of finding an internship or job    
Legal basis: Our legitimate interest

Coordination of the alumni network    
Legal basis: Our legitimate interest

Constitution and management of the KEDGE BS alumni directory    
Legal basis: Our legitimate interest

Follow-up of participation in events and services offered to the Alumni Network    
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Management of works (research, publications) and chairs

Management of research and publications, particularly identification and monitoring of research and publications as well as the use of research work    
Legal basis: Fulfilling our public interest mission or the performance of the contract between us for data which would exceed what is strictly necessary for the performance of our public interest mission or our legitimate interest in data beyond what is strictly necessary for the performance of our contractual relationship

Management and monitoring of chairs     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Promoting KEDGE BS and improving its services    

Promotion of the school (e.g. the distribution of directories)    
Legal basis: Our legitimate interest or consent if required by regulation

Carrying out marketing activities with data subjects     
Legal basis: Our legitimate interest or consent if required by regulation

Management of internet browsing data (cookies of KEDGE BS websites)    
Legal basis: Your consent 

Carrying out satisfaction surveys and polls.    
Legal basis: Our legitimate interest or consent if required by regulation

Teaching evaluation     
Legal basis: Our legitimate interest or consent if required by regulation

Other    

Fulfilment by KEDGE BUSINESS SCHOOL of its reporting obligations and obligations to provide information to administrative authorities (notably its accounting and tax obligations)    
Legal basis: Compliance with regulatory obligations

Carrying out satisfaction surveys and polls at the initiative of academic authorities    
Legal basis: Compliance with regulatory obligations 

V.3 Purposes within the framework of running KEDGE BS 

Security     

Security and logistics management, including management of KEDGE BS badges and resources (e.g. classrooms, meeting rooms, projection devices, etc.)     
Legal basis: Our legitimate interest

Security of the premises and individuals, particularly via video surveillance    
Legal basis: Our legitimate interest 

Management of KEDGE BS IT resources

Monitoring and maintenance of the IT equipment      
Legal basis: Our legitimate interest

Management of access permissions for applications and networks     
Legal basis: Our legitimate interest

Controlling the use of resources made available by KEDGE BS     
Legal basis: Our legitimate interest

Email management     
Legal basis: Our legitimate interest

Managing access to websites/applications operated by KEDGE BS     
Legal basis: Our legitimate interest

Management of the Intranet     
Legal basis: Our legitimate interest

Management of the Extranet     
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Production of statistical reports     
Legal basis: Our legitimate interest

Apprenticeship tax

Monitoring and managing of apprenticeship tax collection    
Legal basis: Our legitimate interest 

Administrative management of natural or legal persons from which KEDGE BS collects the apprenticeship tax    
Legal basis: Our legitimate interest

Management of contracts with service providers and external stakeholders

Administrative management of external stakeholders and service providers     
Legal basis: Implementation of contractual measures 

Management of contracts concluded with external stakeholders/service providers, including the management and monitoring of billing, payments and potential disputes  
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures

Evaluation of external stakeholders/service providers in accordance with applicable transparency and anti-corruption regulations     
Legal basis: Compliance with regulatory obligations

Evaluation of the services of external stakeholders/service providers    
Legal basis: Our legitimate interest 

Other     

Fulfilment by KEDGE BS of its reporting obligations and obligations to provide information to administrative authorities (notably its accounting and tax obligations)    
Legal basis: Compliance with regulatory obligations

Management of teaching cancellations     
Legal basis: Our legitimate interest 

Use of the electronic signature     
Legal basis: Our legitimate interest

Geolocation in the event of a crisis     
Legal basis: Your consent

VI. Categories of personal data processed by KEDGE BS: what data do we process? 

VI.1. Compliance of KEDGE BS with GDPR principles 

The GDPR and the French Data Protection Act provide that the data must be:

-    adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the data minimisation principle); 
-    accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. 

In other words, your data should be used only for the purposes defined at the time of collection. As a specific example, collecting information on the work situation of a job applicant's family is not relevant to data processing for recruitment purposes.

The GDPR and the French Data Protection Act also introduce a strengthened protection system for certain types of personal data that have a high level of sensitivity. These include: 

-    Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a natural person,
-    Genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health of a natural person,
-    Data concerning a natural person's sex life or sexual orientation,
-    Criminal convictions and offences or related security measures related to a natural person,
-    The Social Security number (registration number in the national identification register of natural persons),
-    Data relating to a child under 15 years of age collected as part of a direct offer of information society services.

The processing of these data requires compliance with specific requirements which vary depending on the data in question. These requirements may involve obtaining the consent of the data subject (for data relating to the sexual life or sexual orientation of a natural person, for example) or the existence of regulations providing for the collection of the data in question (e.g. for the Social Security number). 

In any case, KEDGE BS is committed to complying with these various principles at all stages of the processing of your personal data. 

VI.2. Sources: who do we collect your data from? 

Most of the data are collected by KEDGE BS directly from the data subjects. However, it is possible that your data have been transmitted to KEDGE BS by third parties, including: 

-    Partners specialised in the recruitment and organisation of admission exams, as regards the data of candidates for the courses and training provided by KEDGE BS; 
-    Foreign educational institutions as regards the data of learners on programmes/courses involving such institutions; 
-    Partners specialised in the processing of data made public by the data subjects and taken from social networks;
-    Partners specialising in the recruitment of job candidates (head-hunters) as regards the data of job candidates; 
-    Employees of KEDGE BS (co-optation) as regards the data of job candidates;
-    Partners specialised in temporary postings as regards temporary workers;
-    Any user of the mechanism to combat sexual harassment who reports you;
-    Partners specialised in transparency and anti-corruption as regards service providers/external stakeholders. 

VI.3 What categories of personal data do we process? 

The categories of data processed vary depending on the purposes for which they are processed. When your data are collected by KEDGE BS by means of a questionnaire/form, we take care to indicate with an asterisk the required (“obligatory”) information, without which we may not be able to provide the service concerned.

In general, the data processed by KEDGE BS includes the following:

Candidates on the courses and training provided by KEDGE BS

- Civil status and identification data 
- Personal contact details - address, phone number and email
- Nationality 
- Billing and payment details
- Diplomas obtained and validation of achievements
- Languages spoken
- The desired training/courses at KEDGE BS 
- Specific needs (particularly during exams and assessments)
 -Jobs held and contact details of the employer (for vocational training)

Learners    

- Civil status and identification data 
- Personal contact details - address, phone number and email
- Nationality 
- Billing and payment details (including any guarantees)
- Diplomas obtained and validation of achievements
- Languages spoken
- Jobs held and contact details of the employer (for vocational training)the personal data related to the courses followed within KEDGE BS: timetables, courses followed, marking slips and statements, exam/assessment reports, attendance sheets, absences, dissertations, etc.
- Data relating to internships (dates, duration, company contact details, etc.)
- Data relating to work-study programmes (dates, duration, company contact details, pay information etc.)
- Social difficulties within the framework of granting scholarships
- The specific needs of students (particularly during exams and assessments)
- Identification and connection data for computer resources provided by KEDGE BS
- The results of non-anonymous surveys and polls, testimonials
- The functions of student associations involved with KEDGE BS
- Your participation in KEDGE BS systems (Business Nursery, Business Accelerator, etc.)    
- Disciplinary measures 
- Events reported within the framework of the mechanism for combating sexual harassment

Learners’ guarantees    

- Civil status and identification data 
- Personal contact details - address and phone number 
- The link with the guarantor
- Billing and payment details

KEDGE BS graduates (alumni)

- Civil status and identification data 
- Personal contact details - address, phone number and email
- Personal and work situation
- Data on the payment of contributions
- Diplomas obtained with KEDGE BS 
- Academic background
- The Groups that the person has joined within the alumni network
- Your CV
- Identification and login data for the KEDGE Alumni website
- The results of non-anonymous surveys and polls
- Your participation in alumni network events 
- Your participation in KEDGE BS systems (Business Accelerator, Pro-Act Entrepreneurs, etc.)    

Persons serving as contact points in companies from which KEDGE BS collects apprenticeship tax

- Civil status and identification data 
- Contact details - address, phone number and email
- Company functions and contact details

Persons serving as contact points in companies where KEDGE BS learners carry out an internship or are on work-study programmes

- Civil status and identification data 
- Contact details - address, phone number and email
- Company functions and contact details
- Data relating to internship or work-study programmes (dates, duration, company contact details, pay items, etc.)

Persons offering internships and/or jobs (“recruiters”) to learners and graduates    

- Civil status and identification data 
- Contact details - address, phone number and email
- Company functions and contact details

KEDGE BS employees, as well as temporary workers and trainees

- Civil status and identification data
- Family situation
- Personal contact details - address, phone number and email
- Social security number
- Bank details
- Items relating to work permits (foreign workers from outside the EU and minors)
- Employee health data strictly within the framework of occupational healthcare, social security and social protection: certificates of medical fitness issued by occupational healthcare services, work stoppages, workplace accident reports, etc.
- The family situation and the detailed composition of the home, in particular in the context of the mandatory welfare insurance of the company
- Terms of office (for elected members of staff representative bodies)
- Identification and connection data for computer resources provided by KEDGE BS
- Annual or multi-year interview forms 
- Assessments 
- Disciplinary measures
- Teacher placements, timetables, lessons taught 
- Research and publications 
- Learners’ notes and grade transcripts, learners’ examination/assessment reports 
- Events reported within the framework of the mechanism for combating sexual harassment
- The results of non-anonymous surveys and polls, testimonials

Job candidates

- Civil status and identification data 
- Personal contact details - address, phone number and email
- Nationality 
- University training
- Jobs held 
- Professional references
- Languages spoken
- Job expectations at KEDGE BS 

External stakeholders that KEDGE BS may use in order to perform services related to its teaching mission, such as the provision of teaching services, participation in competition panels, joint research work, etc.

- Civil status and identification data 
- Contact details - address, phone number and email
- Billing and payment details
- Diplomas, accreditations and languages spoken 
- Identification and connection data for computer resources provided by KEDGE BS
- Evaluation elements 
- Teacher placements, timetables, lessons taught 
- Learners’ notes and grade transcripts, learners’ examination/assessment reports
- Research and publications carried out in connection with the KEDGE BS
- Events reported within the framework of the mechanism for combating sexual harassment
- The results of non-anonymous surveys and polls, testimonials

Service providers that KEDGE BS may use in order to perform services related to its operation, including IT service providers, cleaning and catering companies, etc.    

- Civil status and identification data 
- Contact details - address, phone number and email
- Billing and payment details
- Languages spoken 
- Identification and connection data for computer resources provided by KEDGE BS
- Evaluation elements within the framework of the regulatory obligations of KEDGE BS
- Events reported within the framework of the mechanism for combating sexual harassment
- The results of non-anonymous surveys and polls, testimonials

VII. Storage period of your personal data: how long do we keep your data? 

The data are stored for the duration necessary for KEDGE BS to meet its legal and contractual obligations. 

It should be noted that anonymised data do not fall within the scope of the personal data protection regulations and there is no limit on storage. This is the case, for example, of statistical data, where they cannot be linked to natural persons.  

VII.1. Periods regarding human resource management 

Employees’ Data are deleted one year after the end of the contract of employment.


The Data relating to the execution of the contract of employment, such as data relating to the employee’s identification, the monitoring of working time, the reasons for absence, the payroll deductions and the employee’s pay slips are, however, retained for the purpose of proof for a variable period from the end of the contract of employment.


    Types of data     Storage period     Starting point     Basis 
RECRUITMENT    Applicant information (e.g.: CV)

    
2 years

(Longer storage period permitted only with the applicant's formal consent)    Last contact with the applicant    CNIL doctrine
SECURITY
    Data relating to accessing the premises (badge, parking, etc.)    3 months 
    Registration    CNIL simplified standard NS-042
    Management of travel abroad (function, passport information, emergency contacts, etc.)     duration of employment    N/A    CNIL doctrine
    
Computer connection logs for employees    6 months    Registration    CNIL doctrine
    Telephony data 
    1 year     Data recording    
CNIL doctrine
    Video surveillance     1 months      Registration    CNIL doctrine  
REMUNERATION    Payslips     5 years     Date of issue 
of the payslip    Article L.3243-4
of the French Labour Code
    Pay items     5 years 

(except components necessary for calculating retirement benefits, see below)    Date of issue 
of the payslip    Article L.3243-4
of the French Labour Code 
and
CNIL Exception DI-002 
    Catering: data relating to the payment of meals    3 months for money-related data 

5 years in case of payment by salary deduction     Payment date

or

Date of issue 
of the payslip    CNIL simplified standard NS-042
STAFF REPRESENTATIVE BODIES    Electronic voting data     Exhaustion of time limits for litigation appeals     Voting operations     CNIL Decision No. 2010-371  
    Terms of office of staff representatives     6 months    After the term of office has ended    Article L.425-1 
of the French Labour Code 

Article L.2411-5 
of the French Labour Code 
 
WORKING HOURS    Grounds for absence     5 years     Date of issue 
of the payslip    CNIL exemption DI-003
    Data relating to the control of working time     5 years     Registration    CNIL simplified standard NS-042
WHISTLEBLOWING SYSTEM (SEXUAL HARASSMENT)    Data concerning a report     2 months if the report is not followed by disciplinary or judicial proceedings

or

Otherwise, until all appeal channels are exhausted     Closure of the investigation    CNIL doctrine 
TAXES AND CHARGES    Documents relating to social security expenditure     3 years      End of the calendar year for which the charges are due    
                Article L.244-3 of the French Social Security Code 
 
    Documents requested as part of the fight against undeclared work    5 years      Date on which the employment relationship ends    Time limit under ordinary law
    Documents on employee taxation    3 years     Start of the year following that in which the tax is due    Article L.169 A 
of the French Tax Procedures Book
    Individual profit-sharing and incentive scheme sheet     20 years      Last day of the fifth month after the end of the financial year    Articles D.3313-11 and L.3314-9 
of the French Labour Code 

Article L.312-20 
of the French Monetary and Financial Code
HEALTH    Workplace accident reports to the primary health insurance fund 

Observation or formal notice to the labour inspectorate 

Inspection by the Occupational Health, Safety and Working Conditions Committee (CHSCT)    5 years 

(except for influencing factors in personal injury proceedings with a 10-year limitation period)    End of the year in question    Article D.4711-3 
of the French Labour Code
REGISTER    Entries in the single staff register     5 years     Date of employee’s departure    Article R.1221-26 
of the French Labour Code
PENSIONS    Information necessary for calculating retirement benefits    No limitation period     N/A    CNIL exemption DI-002 

VII.2. Periods relating to KEDGE BS activities 

In general, the data are stored in accordance with Circular No. 2005-003 of 22 February 2005 of the Minister for National Education, Higher Education and Research. A copy of this circular is accessible at https://www.education.gouv.fr/bo/2005/24/MENA0501142J.htm 

-    Data to access the premises is stored for 3 months after they are recorded; 
-    Video surveillance data are stored for 1 month after it is recorded;
-    The data related to students’ administrative and academic file are stored for 10 years; 
-    Connection data ("traffic data") generated by the use of electronic communication networks are stored for one year;
-    Lesson scheduling and timetables are stored for the school year;
-    Copies of exams/assessments are stored for one year after publication of the results, unless disputed;
-    Marking slips and statements are stored for one year;
-    The room booking schedule is kept for one school year;
-    Student reports are kept for one year after the learners complete their course;
-    Examination attendance sheets are kept for five years;
-    Thesis examination records (pre-reports by teachers, lists of panel members, etc.) are kept for 5 years;
-    The examination reports are kept for 50 years;
-    Records of exam admissions and thesis examination records are kept for 50 years;
-    Records of refused scholarships are kept for 2 years; 
-    Notices of granted scholarships are kept for 5 years;
-    Contract management data are stored for the entire period of the contract plus 5 years;
-    The data related to outstanding debts are stored until amicable settlement of the dispute or, otherwise, until legal action is time-barred;
-    Invoices are stored for 10 years;
-    Data concerning reports issued under the mechanism to combat sexual harassment are stored for 2 months when it is not followed by disciplinary or judicial proceedings or, otherwise, until the appeal channels are exhausted;
-    Data related to guarantees are stored for the duration of the contractual relationship plus the limitation period.

VIII. Categories of recipients of your data: who do we send your data to?

VIII.1.     Within KEDGE BS

-    to the departments responsible for the programmes and academic and pedagogical management;
-    to the department responsible for learner admissions;
-    to the departments responsible for finance and accounts;
-    to the departments responsible for coordinating graduates;
-    to the human resources departments; 
-    to the departments responsible for KEDGE BS IT systems;
-    to the persons responsible for the security of the premises and the reception at KEDGE BS. 
-    to other employees of KEDGE BS for directories and organisational charts 
-    to authorised management staff or hierarchical superiors of KEDGE BS employees 
-    to the people involved in the recruitment process who can access an applicant’s information;
-    to the elected officials and union delegates as part of the performance of their duties. 

VIII.2.    Externally


The personal data may be passed on by KEDGE BS to the following entities:

-    The KEDGE BS Alumni Association, the aim of which is to bring together a structured network of graduates who have studied on one of the KEDGE BS programmes
-    Foreign education institutions that are partners of KEDGE BS and at which the data subjects are studying a course;
-    KEDGE BS educational institutions in China and Senegal as part of inter-campus relations and exchanges;
-    The Fondation de France for scholarships granted via the KEDGE BS Foundation;
-    The Regions responsible for local social welfare systems;
-    The partners of KEDGE BS for the purposes of managing contracts: debt collection agencies, catering franchise on the premises of KEDGE BS, printing and mailing companies, etc.
-    KEDGE BS partners for the purposes of managing KEDGE BS academic accreditations;
-    RTM for discounted Marseille urban transport passes;
-    KEDGE BS technical and computer subcontractors;
-    The service provider for electronic signatures;
-    Bodies specialising in surveys and statistics (particularly for ranking education institutions);
-    The local education authority and, in general, any institution under the supervision of the Ministry of Education (such as the Centre for Studies and Research on Qualifications);
-    The European Commission for the management of scholarships awarded under the Erasmus programme;
-    Other learners and graduates in the directories of persons who have completed a training course at KEDGE BS;
-    KEDGE BS partners that run student associations, clubs and other schemes under the auspices of KEDGE BS (Business Accelerator, etc.);  
-    Recruiters who have chosen to pay to access KEDGE Alumni's database for recruitment purposes;
-    Welfare or complementary health and group savings organisations for the purposes of membership of KEDGE BS employees;
-    The authorities that are informed of the hiring of KEDGE BS employees (e.g.:  unemployment, sickness, retirement and welfare insurance, etc.);
-    The various subsidiaries of KEDGE BS;
-    KEDGE BS partners for the purposes of the working relationship: statutory auditors, lawyers, etc.;
-    KEDGE BS partners responsible for occupational health;
-    Partners involved in the organisation of events held by KEDGE BS (gala evenings, etc.).  

VIII.3.    Authorised third parties and authorities


When KEDGE BS is required to meet its legal obligations or at the request of any authorised legal or administrative entity.

In particular, to meet its obligations regarding declaration, KEDGE BS, as the employer, sends nominative information to the social welfare organisations:

-    On hiring: KEDGE BS drafts the Declaration Prior to Hiring (DPAE) for the URSSAF which will forward the information to the Primary Health Insurance Fund of the employee’s home address.
-    Every month and for every event (employment stoppage, end of employment contract): KEDGE BS transmits all the social information necessary to exercise the employee's rights via the Nominative Social Declaration (DSN) mechanism.

Every employee has the right to access and rectify personal data, in accordance with the French Data Protection Act, from the various organisations to which he or she reports by sending them a request directly (addresses to be found on the website http://www.dsn-info.fr). The letter must include the Social Security number, the employer or employers affected by the request and the duration(s) concerned, as well as a photocopy of an identity document.

VIII.4.     Outside of the European Union

Data controllers may transfer data outside the European Union (EU) and the European Economic Area (EEA) provided that there is sufficient and appropriate data protection. They must manage these transfers using the various legal tools defined in the GDPR and the French Data Protection Act. 
If the data subjects’ data are transferred outside of the European Union or the European Economic Area, KEDGE BS will ensure that: 
-    The personal data are transferred to countries recognised by the European Commission as providing an adequate level of protection (such as Argentina, Japan or New Zealand) or
-    The personal data are transferred to entities certified under the Privacy Shield. The list of entities in the United States of America or Switzerland that have joined the Privacy Shield is available on the website https://www.privacyshield.gov, or
-    One of the mechanisms is used that ensures appropriate safeguards as provided for by the applicable regulations, and in particular the adoption of standard contractual clauses by the European Commission.
In practice, most of the transfers of personal data outside the European Union and the European Economic Area concern foreign educational institutions in which the persons concerned undergo training, KEDGE BS campuses in China and Senegal or companies in which the persons concerned undergo an internship. 
You may contact the KEDGE BS Data Protection Officer to obtain further information on these topics as well as a copy of the relevant documents.

IX. Specific provisions for minors under 15 years of age  

We wish to draw your attention to the fact that the GDPR and the French Data Protection Act provide that, for information society services (social networks, platforms, newsletters, etc.), the processing of a child's personal data based on consent is lawful, in principle, only if the child is aged 15 or over.

Where the child is under 15 years of age, processing is lawful if consent is given by the holder of parental authority.

In other words, children aged 15 or over may consent by themselves to the processing of their data on the basis of consent in the context of information society services. For children under 15 years old, the French Data Protection Act requires the collection of the joint consent of the child and the holder of parental authority.

In any event, where consent is required, the data subject must have the opportunity to withdraw consent at any time, through a simple method equivalent to that used to obtain consent (for example, if it was obtained online, he or she must be able withdraw it online).

X. Terms of use of our websites 

We run several websites, including: 
-    https://kedge.edu/ 
-    https://www.kedgebs-alumni.com/fr/diplome/).

Each of these sites has a section entitled "Legal Notices" which contains the contact information of our Association, the director of publication and the service providers responsible for hosting these sites. 

In addition, each of these sites has a section entitled "Personal Data Protection" which sets out the essential provisions of this Policy. Finally, you have the option to change all or some of the cookie settings at any time via a preference management tool. 

XI. Contact details of the Controller 

The Controller is the KEDGE Business School Group, a non-profit organisation under the French Association Act of 1901, whose registered office is located at Domaine de Raba, 680 cours de la Libération 33405 Talence cedex – France (SIREN 514005123). 

The KEDGE BS reception desk can be contacted on 05 56 84 55 55.

The DPO (Data Protection Officer) of KEDGE BS is the DPO-Avocats law firm. It can be contacted by email at:     dpo@kedgebs.com or by post at the following address:                  Cabinet DPO-Avocats - att: DPO de l’Association KEDGE Business School - 11, rue Théodule Ribot - 75017 Paris.

The Data Protection Officer is primarily responsible for: 
•    Informing, advising and supporting the controller in order to ensure compliance with the European Regulation and national law on personal data protection;
•    Making the controller aware of issues related to the protection of the personal data of data subjects;
•    Overseeing internal audits on personal data protection;
•    Advising the manager on the need to conduct a privacy impact assessment and overseeing its implementation;
•    Receiving and responding to any questions or complaints relating to data protection;
•    Cooperating with the supervisory authority (the CNIL in France) and serving as its point of contact for the controller.

XII. Security of your data 

We attach great importance to the protection of your personal data, and we take all reasonable precautions to this end. We contractually require trusted third parties who manage your personal data on our behalf to do the same. 

We are constantly doing everything possible to protect your personal data. Upon receipt of your data, we will apply strict security procedures and measures to prevent unauthorised alteration, disclosure or access. 

We define and implement physical, organisational, technical and software security measures taking into account the nature of the data and the risks presented by the processing in question in order to ensure an appropriate level of security. 

In particular, the measures we implement are structured around the following: 

-    Raising awareness of users through the implementation of an IT Charter,
-    User authentication via usernames and passwords,
-    Access authorisation logs that underlie an access control policy, 
-    Installation of a regularly updated firewall and anti-virus software,
-    Securing access to computer servers,
-    Supervision of IT maintenance operations, 
-    Signing contracts with processors that provide safeguards,
-    Etc.     

XIII. What rights allow you to control your data? 

The GDPR and the French Data Protection Act strengthen the rights of data subjects. We have endeavoured to give a brief outline of your rights before reminding you of how to exercise them.

XIII.1. Reminder of your rights 

Your rights    What this means


Right to be informed    You have the right to obtain clear, transparent, understandable and easily accessible information about how we use your personal data, including: 
- Why we collect your data 
- What the goals or objectives, purposes and context are 
- What the storage periods of your data are 
- Who your data are sent to and why 
- The legal basis and the legality of data processing 
- The origin of your data (direct or indirect source)  
This Policy is drafted and updated to enable you to have a comprehensive level of information. 


Right to receive confirmation of processing
    
You have the right to know whether any data about you is being processed and to be informed of this. 
This right is a component of the right of access mentioned below.

Right of access    
You have the right to access the personal data that we have on you (subject to certain restrictions). This communication must be made in a comprehensible format. 

Right to rectification    You have the right to demand the correction of your personal data if it is inaccurate or outdated (e.g. incorrect age or address) or incomplete (e.g. address without the apartment number). 
We will be required to disclose the corrections to the other data recipients (unless such a disclosure would require disproportionate effort).


Your rights    What this means


Right to erasure/right to be forgotten    
You have the right to obtain the erasure of personal data concerning you without undue delay. 

You have the right to request the erasure of your data for reasons
provided for by applicable regulations and, in particular, where: 
-    The data are no longer necessary for the purposes for which they were collected or processed; 
-    You have withdrawn consent on which the processing is based and there is no other legal basis for the processing; 
-    You object to processing and there are no overriding legitimate grounds for processing; 
-    You consider that your data have been unlawfully processed; 
-    Your data must be erased for compliance with a legal obligation;
-    Your data were collected when you were under 15 years of age as part of the information society's offer of services.


Right to object (general)    
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you based on legitimate interest. 

We will no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

To determine whether our processing is based on legitimate interest, please refer to Chapter V of this policy detailing the legal basis for each type of processing. 


Your rights    What this means

Right to object to marketing    When the personal data are processed or exploited for marketing purposes, as part of advertising, sales or promotion, you have the right to object to the processing of data at any time without justification.
You will therefore find an unsubscribe link at the bottom of all our newsletters. 

Right to withdraw consent at any time
    You may withdraw your consent to the processing of your data if this processing is based on consent. 

You have the right: 
 (i) to withdraw your consent at any time 
 (ii) to be informed of this right whenever you give consent 
 (iii) for withdrawal to be as simple as when you 
gave your initial consent.  
To determine whether our processing is based on consent, please refer to Chapter V of this policy detailing the legal basis for each type of processing. 

Right to limitation of processing    
You have the right to ask us to temporarily freeze the use of some of your data. This right means that we will be able to store these data, but not to use or process them.  
This right applies in special circumstances provided for by the GDPR: 
-    you contest the accuracy of the data concerning you (and we carry out verification processes); 
-    you consider that the processing is unlawful and you oppose the erasure of your data; 
-    The data in question are still required by you for the establishment, exercise or defence of legal claims although we no longer need them;
-    You have exercised your right to objection and we will verify whether the legitimate grounds override your rights. 

Your rights    What this means

Right to portability    
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another body without hindrance from us, where: 
-    the processing is based on consent or the implementation of contractual measures, 
-    the processing is carried out by automated means.
To find out the legal basis for our processing, please refer to Chapter V of this policy. 

Right to human intervention    You have the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning you or significantly affecting you. You can ask for someone to take over your evaluation, and for the decision to be made by a human being.

Right to make instructions for after your death
    
You have the right to set out specific instructions regarding the storage, erasure and communication of your personal data after your death.

Right to change your cookie settings    You have the right to change all or some of the cookie settings on our websites.  

If you want to change your cookie settings on our websites/applications, just go to the Cookie Management Policy which can be accessed on all our websites/applications. 

Right to object to automatic profiling    You have the right to know and verify the existence of automated decision-making, including profiling, and the significance and consequences 
any such processing. 
You have the right not to be the subject of a decision based solely on 
automated processing, including profiling, with legal effects concerning you. 
In such cases, you can ask for someone to take over your evaluation, and for the decision to be made by a human being.

Your rights    What this means

Right to the delisting of published data    Where the controller has made the personal data public and it is obliged to erase the personal data, you have the right to demand, taking account of available technology and the cost of implementation, 
that we take reasonable steps, including technical measures, to inform the controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data. 
This measure will not apply if the published data are necessary: 
(a) for exercising the right of freedom of expression and information; 
(b) for compliance with a legal obligation 
(c) for reasons of public interest in the area of public health 
(d) for archiving purposes in the public interest, scientific or historical 
research purposes or statistical purposes, 
insofar as this right is likely to render impossible or seriously impair 
the achievement of the objectives of that processing 
(e) for the establishment, exercise or defence of legal claims.

Right to lodge a complaint with a supervisory authority    You have the right to contact and lodge a complaint with the data protection authority in your country to challenge the practices of KEDGE BS in terms of personal data protection and respect for 
privacy. You will find information about the referral procedure provided by CNIL by following this link: https://www.cnil.fr/fr/agir

XIII.2. How to exercise your rights

The aforementioned rights may be exercised:

-    by email to:     dpo@kedgebs.com
or
-    by post to:          Cabinet DPO-Avocats
att: DPO de l’Association KEDGE Business School

11, rue Théodule Ribot - 75017 Paris

If the request made is admissible, KEDGE BS will respond within one month of receipt of the complete request, and will provide the information requested or implement the rights invoked within the aforementioned period.

If, given the complexity of the application or the number of applications received, the above-mentioned deadline cannot be met, KEDGE BS will, before the expiry of this deadline, inform about the postponement of its decision for a maximum of two months.
If KEDGE BS has reasonable doubts as to your identity, we may ask you to attach a document proving your identity to prevent identity theft, for example.

Furthermore, and as indicated above, all data subjects shall in any case have the right to lodge a complaint with the supervisory authority if they consider that their rights have been infringed. For further information in France, you can consult the “Help” section of the CNIL website (www.cnil.fr) or call the legal department on 01 53 73 22 22. 

Back to top