Pour lire les mentions en français, cliquez ici.
I. Our commitment to data protection
KEDGE Business School (KEDGE BS) is a multi-specialist management school, drawing on expertise with high added value for all of its stakeholders, particularly students, alumni and partner companies. Our model French school is present on four campuses in France (Paris, Bordeaux, Marseille and Toulon), two in China (Shanghai and Suzhou) and one in Senegal (Dakar).
KEDGE BS attaches great importance to the protection of your personal data. We have formalised our commitments in this regard in this policy. You may also have a reminder of the essential terms of this Policy in the various application documents or tools that we provide to you. For example, personal data protection notices are available on the Virtual Campus and on websites published by KEDGE BS (https://kedge.edu/ or https://www.kedgebs-alumni.com/fr/diplome/ ), the employment contracts of KEDGE BS employees, etc.
Through its commitments and its network of experts, KEDGE BS participates in the development of higher education while respecting your privacy and personal data.
We ensure that personal data protection and security issues are a key consideration in everything we do.
We are committed to ensuring transparency in how we process your personal data and we strive to meet your demands in terms of regulatory compliance.
The personal data protection system deployed at KEDGE BS complies with applicable regulations on the protection of personal data, and in particular European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the French Data Protection Act of 6 January 1978, as amended several times.
We have put in place a data protection system, which incorporates the strict principles laid down by the GDPR and the French Data Protection Act. This system includes, in particular:
- The appointment of a Data Protection Officer specialised in this area and trained intermediaries. If you have any questions about your personal data or this policy, we invite you to contact him by email or post: protectiondesdonnees@kedgebs.com - KEDGE BUSINESS SCHOOL Direction Juridique, Risque et Conformité - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex, France
- The adoption of internal policies and procedures to ensure compliance with personal data protection regulations;
- Implementing appropriate technical and organisational measures to apply data protection principles.
In order to further outline our commitments to the protection of personal data, our policy covers the purposes for which we process your data, the different types of personal data we process, the actors with whom we can share them, how we keep them secure, and your rights under the regulations.
It should be noted that you may not be affected by all the scenarios referred to in this policy. Its purpose is to provide a comprehensive overview for all types of relationships that KEDGE BS might have (such as learners, graduates, employees, external service providers, etc.).
II. Glossary of terms used in this policy
In this policy, the following terms are defined as follows:
- CNIL (French National Data Protection Commission): an independent administrative authority responsible for compliance with the applicable personal data protection regulations in France. The CNIL has a website www.cnil.fr, which provides specific information on the applicable legal framework.
- Data Protection Officer (DPO): protectiondesdonnees@kedgebs.com - KEDGE BUSINESS SCHOOL Direction Juridique, Risque et Conformité - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex, France
- Personal data: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Data Protection Act: French Act No. 78-17 on information technology, files and freedoms of 6 January 1978, as amended several times.
- Data subject or “You”: the natural person to whom the personal data processed by the Controller relate (e.g. students, graduates and service providers of KEDGE BS).
- Controller or “We” or “KEDGE BS”: the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this document, the Controller means the KEDGE Business School Group, a non-profit organisation under the French Association Act of 1901, whose registered office is located at Domaine de Raba, 680 cours de la Libération 33405 Talence cedex – France (SIREN 514005123). The KEDGE BS reception desk can be contacted on 05 56 84 55 55.
- GDPR: European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
- Processing of personal data: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
III. Scope of this policy
KEDGE BS is required to collect and process personal data to the extent that:
- these data are necessary for the performance of the public interest mission of KEDGE BS, which holds EESPIG (Private Higher Education Institution of General Interest) accreditation granted by the French Ministry of Higher Education and Research, or
- such data are necessary for the performance of a contract to which the data subject is party, or
- these data are necessary in order to implement pre-contractual measures, or
- these data are necessary for compliance with the regulatory obligations to which KEDGE BS is subject, or
- there data were collected with the consent of the data subject, or
- these data are collected in the legitimate interest of KEDGE BS (including the safety of persons, the premises and the resources made available by the association, and the promotion of the school).
When the processing of personal data is based on your consent, we implement a dedicated system to collect this consent where it is considered to have been given freely and in an unambiguous, specific, and informed manner.
For each purpose described in Chapter V, we have endeavoured to indicate the legal basis on which we rely.
This policy covers the processing of your personal data, whether this is done by computer or on paper.
The following categories of persons are covered by this policy:
- applicants for a KEDGE BS training programme,
- KEDGE BS learners (whether in initial training or continuing education),
- persons who have provided security for the payment of the tuition fees of learners,
- KEDGE BS graduates (alumni),
- persons serving as contact points in companies from which KEDGE BS collects apprenticeship tax,
- persons serving as contact points in companies where KEDGE BS learners carry out an internship or are on work-study programmes,
- persons offering internships and/or jobs (“recruiters”) to learners and graduates,
- KEDGE BS employees, as well as temporary workers and trainees,
- job candidates applying to KEDGE BS,
- external stakeholders who KEDGE BS may use in order to perform services related to the teaching mission of KEDGE BS, such as the provision of teaching services, participation in competition panels, joint research work, etc.
- service providers that KEDGE BS may use in order to perform services related to its operation, including IT service providers, cleaning and catering companies, etc.
- third parties who access the public part of the profiles of learners and/or graduates on the websites/applications made available by KEDGE BS.
IV. Update of this policy
This policy is intended to be reviewed and updated regularly to take into account developments in our personal data processing, the introduction of new tools or new regulations.
For the sake of transparency, we endeavour to provide you with regularly updated information, both within the framework of this policy and as part of the information we send to you in various documents available in paper format, on the Extranet, on the intranet or in the application tools we provide to you.
V. Purposes: why do we process your personal data?
In order to enhance the readability of this policy, we set out the various forms of processing in table format, broken down into the following areas:
1. Purposes within the framework of human resources management at KEDGE BS
2. Purposes within the framework of the teaching activities of KEDGE BS
3. Purposes within the framework of running KEDGE BS
V.1. Purposes within the framework of human resources management at KEDGE BS
Recruitment
Recruitment management
Legal basis: Implementation of pre-contractual measures
Creation of a CV library
Legal basis: Our legitimate interest or consent if required by regulation
Administrative management of staff
Administrative management of staff (for example, type of driving licence held or contact details of people to be informed in the event of an emergency)
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of professional records
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Preparation of statistical reports or lists of employees to meet administrative management needs
Legal basis: Our legitimate interest
Management of internal directories and organisational charts
Legal basis: Our legitimate interest or consent if required by regulation (photographs)
Management of individual allocation of supplies, equipment, payment cards, etc.
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of staff elections
Legal basis: Compliance with regulatory obligations
Management of meetings of staff representative bodies
Legal basis: Compliance with regulatory obligations
Career management
Professional evaluation
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of internal professional skills
Legal basis: Our legitimate interest
Management of professional mobility
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Teleworking management
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Disciplinary sanctions
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Payroll management
Payroll, especially management of salary slips, expenses, accounts, monthly statements (DSN) or any related statements Legal basis: Compliance with regulatory obligations or implementation of contractual measures for data beyond what is strictly necessary for the fulfilment of regulatory obligations
Management of working hours (including management of absences and leave, monitoring of rest hours etc.)
Legal basis: Compliance with regulatory obligations or implementation of contractual measures for data beyond what is strictly necessary for the fulfilment of regulatory obligations
Organisation of work and training
Management of work schedules
Legal basis: Our legitimate interest
Management of staff tasks and assignments
Legal basis: Our legitimate interest
Follow-up of training requests and organisation of training sessions
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Assessment of training and skills
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of the personal training account
Legal basis: Compliance with regulatory obligations
Management of social assistance
Management of social action taken by the employer
Legal basis: Our legitimate interest
Other
Occupational health reporting
Legal basis: Compliance with regulatory obligations
Management of accidents and sick leave, workplace or commuting accidents or occupational diseases
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Conducting of satisfaction surveys/specific polls
Legal basis: Our legitimate interest or consent if required by regulation
V.2. Purposes within the framework of the teaching activities of KEDGE BS
Recruitment
Administrative management of candidates on the courses and training provided by KEDGE BS
Legal basis: Implementation of pre-contractual measures
Management of competitive examinations, in particular their organisation and the monitoring of candidates’ assessments, their eligibility and their admission
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of the teaching curriculum
Administrative management of learners (e.g. initial training, continuing education, in-company training, short-term programme, etc.)
Legal basis: Fulfilling our public interest mission or our legitimate interest for data that exceed what is strictly necessary for the fulfilment of our public interest mission
The management of students’ course curriculum
Legal basis: Fulfilling our public interest mission or the performance of the contract between us for data which would exceed what is strictly necessary for the performance of our public interest mission or our legitimate interest in data beyond what is strictly necessary for the performance of our contractual relationship
Monitoring enrolments, attendance and absences for training programmes
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of students’ exams and assessments
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of students’ internships
Legal basis: Implementation of contractual measures
Management of work-study programmes (apprenticeships/vocational training contracts)
Legal basis: Implementation of contractual measures
Administrative management of natural or legal persons with which KEDGE BS students carry out an internship or a work-study programme
Legal basis: Our legitimate interest
Management and monitoring of teaching staff assignments
Legal basis: Our legitimate interest
Management of students’ specific needs (particularly during exam and assessment periods)
Legal basis: Our legitimate interest or consent if required by regulation
Management of disciplinary action handed down by KEDGE BS disciplinary bodies
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Organisation and monitoring of training courses followed with foreign education institutions, partners of KEDGE BS
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Specific systems
Management and monitoring of the WELLNESS system
Legal basis: Our legitimate interest or consent if required by regulation
Management and monitoring of mentoring
Legal basis: Our legitimate interest
Management and monitoring of tutoring
Legal basis: Our legitimate interest
Selection for the Pro-Act Entrepreneurs system
Legal basis: The implementation of pre-contractual measures or our legitimate interest
Management and monitoring of the Pro-Act Entrepreneurs system
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Selection for the Business Nursery system
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of pre-contractual measures
Management and monitoring of the Business Nursery system
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Selection for Business Accelerator system
Legal basis: Implementation of pre-contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of pre-contractual measures
Management and monitoring of the Business Accelerator system
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Implementation of the mechanism for combating sexual harassment
Legal basis: Our legitimate interest
Contract management
Management of contracts concluded with the data subjects, including the management and monitoring of billing, payments and potential disputes
Legal basis: Implementation of contractual measures
Management and monitoring of guarantee agreements taken out for the benefit of KEDGE BS
Legal basis: Implementation of contractual measures
Management of social welfare (payments, etc.)
Allocation of social welfare
Legal basis: Implementation of pre-contractual measures
Management and monitoring of social welfare allocated
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of graduates
Administrative management of graduates
Legal basis: Compliance with regulatory obligations or our legitimate interest for data beyond what is strictly necessary for compliance with regulatory obligations
Connecting graduates and students for the purposes of finding an internship or job
Legal basis: Our legitimate interest
Coordination of the alumni network
Legal basis: Our legitimate interest
Constitution and management of the KEDGE BS alumni directory
Legal basis: Our legitimate interest
Follow-up of participation in events and services offered to the Alumni Network
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Management of works (research, publications) and chairs
Management of research and publications, particularly identification and monitoring of research and publications as well as the use of research work
Legal basis: Fulfilling our public interest mission or the performance of the contract between us for data which would exceed what is strictly necessary for the performance of our public interest mission or our legitimate interest in data beyond what is strictly necessary for the performance of our contractual relationship
Management and monitoring of chairs
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Promoting KEDGE BS and improving its services
Promotion of the school (e.g. the distribution of directories)
Legal basis: Our legitimate interest or consent if required by regulation
Carrying out marketing activities with data subjects
Legal basis: Our legitimate interest or consent if required by regulation
Management of internet browsing data (cookies of KEDGE BS websites)
Legal basis: Your consent
Carrying out satisfaction surveys and polls.
Legal basis: Our legitimate interest or consent if required by regulation
Teaching evaluation
Legal basis: Our legitimate interest or consent if required by regulation
Other
Fulfilment by KEDGE BUSINESS SCHOOL of its reporting obligations and obligations to provide information to administrative authorities (notably its accounting and tax obligations)
Legal basis: Compliance with regulatory obligations
Carrying out satisfaction surveys and polls at the initiative of academic authorities
Legal basis: Compliance with regulatory obligations
V.3 Purposes within the framework of running KEDGE BS
Security
Security and logistics management, including management of KEDGE BS badges and resources (e.g. classrooms, meeting rooms, projection devices, etc.)
Legal basis: Our legitimate interest
Security of the premises and individuals, particularly via video surveillance
Legal basis: Our legitimate interest
Management of KEDGE BS IT resources
Monitoring and maintenance of the IT equipment
Legal basis: Our legitimate interest
Management of access permissions for applications and networks
Legal basis: Our legitimate interest
Controlling the use of resources made available by KEDGE BS
Legal basis: Our legitimate interest
Email management
Legal basis: Our legitimate interest
Managing access to websites/applications operated by KEDGE BS
Legal basis: Our legitimate interest
Management of the Intranet
Legal basis: Our legitimate interest
Management of the Extranet
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Production of statistical reports
Legal basis: Our legitimate interest
Apprenticeship tax
Monitoring and managing of apprenticeship tax collection
Legal basis: Our legitimate interest
Administrative management of natural or legal persons from which KEDGE BS collects the apprenticeship tax
Legal basis: Our legitimate interest
Management of contracts with service providers and external stakeholders
Administrative management of external stakeholders and service providers
Legal basis: Implementation of contractual measures
Management of contracts concluded with external stakeholders/service providers, including the management and monitoring of billing, payments and potential disputes
Legal basis: Implementation of contractual measures or our legitimate interest for data that exceed what is strictly necessary for the implementation of contractual measures
Evaluation of external stakeholders/service providers in accordance with applicable transparency and anti-corruption regulations
Legal basis: Compliance with regulatory obligations
Evaluation of the services of external stakeholders/service providers
Legal basis: Our legitimate interest
Other
Fulfilment by KEDGE BS of its reporting obligations and obligations to provide information to administrative authorities (notably its accounting and tax obligations)
Legal basis: Compliance with regulatory obligations
Management of teaching cancellations
Legal basis: Our legitimate interest
Use of the electronic signature
Legal basis: Our legitimate interest
Geolocation in the event of a crisis
Legal basis: Your consent
VI. Categories of personal data processed by KEDGE BS: what data do we process?
VI.1. Compliance of KEDGE BS with GDPR principles
The GDPR and the French Data Protection Act provide that the data must be:
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the data minimisation principle);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
In other words, your data should be used only for the purposes defined at the time of collection. As a specific example, collecting information on the work situation of a job applicant's family is not relevant to data processing for recruitment purposes.
The GDPR and the French Data Protection Act also introduce a strengthened protection system for certain types of personal data that have a high level of sensitivity. These include:
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a natural person,
- Genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning the health of a natural person,
- Data concerning a natural person's sex life or sexual orientation,
- Criminal convictions and offences or related security measures related to a natural person,
- The Social Security number (registration number in the national identification register of natural persons),
- Data relating to a child under 15 years of age collected as part of a direct offer of information society services.
The processing of these data requires compliance with specific requirements which vary depending on the data in question. These requirements may involve obtaining the consent of the data subject (for data relating to the sexual life or sexual orientation of a natural person, for example) or the existence of regulations providing for the collection of the data in question (e.g. for the Social Security number).
In any case, KEDGE BS is committed to complying with these various principles at all stages of the processing of your personal data.
VI.2. Sources: who do we collect your data from?
Most of the data are collected by KEDGE BS directly from the data subjects. However, it is possible that your data have been transmitted to KEDGE BS by third parties, including:
- Partners specialised in the recruitment and organisation of admission exams, as regards the data of candidates for the courses and training provided by KEDGE BS;
- Foreign educational institutions as regards the data of learners on programmes/courses involving such institutions;
- Partners specialised in the processing of data made public by the data subjects and taken from social networks;
- Partners specialising in the recruitment of job candidates (head-hunters) as regards the data of job candidates;
- Employees of KEDGE BS (co-optation) as regards the data of job candidates;
- Partners specialised in temporary postings as regards temporary workers;
- Any user of the mechanism to combat sexual harassment who reports you;
- Partners specialised in transparency and anti-corruption as regards service providers/external stakeholders.
VI.3 What categories of personal data do we process?
The categories of data processed vary depending on the purposes for which they are processed. When your data are collected by KEDGE BS by means of a questionnaire/form, we take care to indicate with an asterisk the required (“obligatory”) information, without which we may not be able to provide the service concerned.
In general, the data processed by KEDGE BS includes the following:
Candidates on the courses and training provided by KEDGE BS
- Civil status and identification data
- Personal contact details - address, phone number and email
- Nationality
- Billing and payment details
- Diplomas obtained and validation of achievements
- Languages spoken
- The desired training/courses at KEDGE BS
- Specific needs (particularly during exams and assessments)
-Jobs held and contact details of the employer (for vocational training)
Learners
- Civil status and identification data
- Personal contact details - address, phone number and email
- Nationality
- Billing and payment details (including any guarantees)
- Diplomas obtained and validation of achievements
- Languages spoken
- Jobs held and contact details of the employer (for vocational training)the personal data related to the courses followed within KEDGE BS: timetables, courses followed, marking slips and statements, exam/assessment reports, attendance sheets, absences, dissertations, etc.
- Data relating to internships (dates, duration, company contact details, etc.)
- Data relating to work-study programmes (dates, duration, company contact details, pay information etc.)
- Social difficulties within the framework of granting scholarships
- The specific needs of students (particularly during exams and assessments)
- Identification and connection data for computer resources provided by KEDGE BS
- The results of non-anonymous surveys and polls, testimonials
- The functions of student associations involved with KEDGE BS
- Your participation in KEDGE BS systems (Business Nursery, Business Accelerator, etc.)
- Disciplinary measures
- Events reported within the framework of the mechanism for combating sexual harassment
Learners’ guarantees
- Civil status and identification data
- Personal contact details - address and phone number
- The link with the guarantor
- Billing and payment details
KEDGE BS graduates (alumni)
- Civil status and identification data
- Personal contact details - address, phone number and email
- Personal and work situation
- Data on the payment of contributions
- Diplomas obtained with KEDGE BS
- Academic background
- The Groups that the person has joined within the alumni network
- Your CV
- Identification and login data for the KEDGE Alumni website
- The results of non-anonymous surveys and polls
- Your participation in alumni network events
- Your participation in KEDGE BS systems (Business Accelerator, Pro-Act Entrepreneurs, etc.)
Persons serving as contact points in companies from which KEDGE BS collects apprenticeship tax
- Civil status and identification data
- Contact details - address, phone number and email
- Company functions and contact details
Persons serving as contact points in companies where KEDGE BS learners carry out an internship or are on work-study programmes
- Civil status and identification data
- Contact details - address, phone number and email
- Company functions and contact details
- Data relating to internship or work-study programmes (dates, duration, company contact details, pay items, etc.)
Persons offering internships and/or jobs (“recruiters”) to learners and graduates
- Civil status and identification data
- Contact details - address, phone number and email
- Company functions and contact details
KEDGE BS employees, as well as temporary workers and trainees
- Civil status and identification data
- Family situation
- Personal contact details - address, phone number and email
- Social security number
- Bank details
- Items relating to work permits (foreign workers from outside the EU and minors)
- Employee health data strictly within the framework of occupational healthcare, social security and social protection: certificates of medical fitness issued by occupational healthcare services, work stoppages, workplace accident reports, etc.
- The family situation and the detailed composition of the home, in particular in the context of the mandatory welfare insurance of the company
- Terms of office (for elected members of staff representative bodies)
- Identification and connection data for computer resources provided by KEDGE BS
- Annual or multi-year interview forms
- Assessments
- Disciplinary measures
- Teacher placements, timetables, lessons taught
- Research and publications
- Learners’ notes and grade transcripts, learners’ examination/assessment reports
- Events reported within the framework of the mechanism for combating sexual harassment
- The results of non-anonymous surveys and polls, testimonials
Job candidates
- Civil status and identification data
- Personal contact details - address, phone number and email
- Nationality
- University training
- Jobs held
- Professional references
- Languages spoken
- Job expectations at KEDGE BS
External stakeholders that KEDGE BS may use in order to perform services related to its teaching mission, such as the provision of teaching services, participation in competition panels, joint research work, etc.
- Civil status and identification data
- Contact details - address, phone number and email
- Billing and payment details
- Diplomas, accreditations and languages spoken
- Identification and connection data for computer resources provided by KEDGE BS
- Evaluation elements
- Teacher placements, timetables, lessons taught
- Learners’ notes and grade transcripts, learners’ examination/assessment reports
- Research and publications carried out in connection with the KEDGE BS
- Events reported within the framework of the mechanism for combating sexual harassment
- The results of non-anonymous surveys and polls, testimonials
Service providers that KEDGE BS may use in order to perform services related to its operation, including IT service providers, cleaning and catering companies, etc.
- Civil status and identification data
- Contact details - address, phone number and email
- Billing and payment details
- Languages spoken
- Identification and connection data for computer resources provided by KEDGE BS
- Evaluation elements within the framework of the regulatory obligations of KEDGE BS
- Events reported within the framework of the mechanism for combating sexual harassment
- The results of non-anonymous surveys and polls, testimonials
VII. Storage period of your personal data: how long do we keep your data?
The data are stored for the duration necessary for KEDGE BS to meet its legal and contractual obligations.
It should be noted that anonymised data do not fall within the scope of the personal data protection regulations and there is no limit on storage. This is the case, for example, of statistical data, where they cannot be linked to natural persons.
VII.1. Periods regarding human resource management
Employees’ Data are deleted one year after the end of the contract of employment.
The Data relating to the execution of the contract of employment, such as data relating to the employee’s identification, the monitoring of working time, the reasons for absence, the payroll deductions and the employee’s pay slips are, however, retained for the purpose of proof for a variable period from the end of the contract of employment.
RECRUITMENT
Applicant information (e.g.: CV)
Storage period: 2 years (Longer storage period permitted only with the applicant's formal consent)
Starting point: Last contact with the applicant
Basis: CNIL doctrine
SECURITY
Data relating to accessing the premises (badge, parking, etc.)
3 months
Registration
CNIL simplified standard NS-042
Management of travel abroad (function, passport information, emergency contacts, etc.)
duration of employment
N/A
CNIL doctrine
Computer connection logs for employees
6 months
Registration
CNIL doctrine
Telephony data
1 year
Data recording
CNIL doctrine
Video surveillance
1 months
Registration
CNIL doctrine
REMUNERATION
Payslips
5 years
Date of issue of the payslip
Article L.3243-4 of the French Labour Code
Pay items
5 years (except components necessary for calculating retirement benefits, see below)
Date of issue of the payslip
Article L.3243-4 of the French Labour Code and CNIL Exception DI-002
Catering: data relating to the payment of meals
3 months for money-related data, 5 years in case of payment by salary deduction
Payment date or Date of issue of the payslip
CNIL simplified standard NS-042
STAFF REPRESENTATIVE BODIES
Electronic voting data
Exhaustion of time limits for litigation appeals
Voting operations
CNIL Decision No. 2010-371
Terms of office of staff representatives
6 months
After the term of office has ended
Article L.425-1 of the French Labour Code, Article L.2411-5 of the French Labour Code
WORKING HOURS
Grounds for absence
5 years
Date of issue of the payslip
CNIL exemption DI-003
Data relating to the control of working time
5 years
Registration
CNIL simplified standard NS-042
WHISTLEBLOWING SYSTEM (SEXUAL HARASSMENT)
Data concerning a report
2 months if the report is not followed by disciplinary or judicial proceedings or Otherwise, until all appeal channels are exhausted
Closure of the investigation
CNIL doctrine
TAXES AND CHARGES
Documents relating to social security expenditure
3 years
End of the calendar year for which the charges are due
Article L.244-3 of the French Social Security Code
Documents requested as part of the fight against undeclared work
5 years
Date on which the employment relationship ends
Time limit under ordinary law
Documents on employee taxation
3 years
Start of the year following that in which the tax is due
Article L.169 A of the French Tax Procedures Book
Individual profit-sharing and incentive scheme sheet
20 years
Last day of the fifth month after the end of the financial year
Articles D.3313-11 and L.3314-9 of the French Labour Code, Article L.312-20 of the French Monetary and Financial Code
HEALTH
Workplace accident reports to the primary health insurance fund, Observation or formal notice to the labour inspectorate, Inspection by the Occupational Health, Safety and Working Conditions Committee (CHSCT)
5 years (except for influencing factors in personal injury proceedings with a 10-year limitation period)
End of the year in question
Article D.4711-3 of the French Labour Code
REGISTER
Entries in the single staff register
5 years
Date of employee’s departure
Article R.1221-26 of the French Labour Code
PENSIONS
Information necessary for calculating retirement benefits
No limitation period
N/A
CNIL exemption DI-002
VII.2. Periods relating to KEDGE BS activities
In general, the data are stored in accordance with Circular No. 2005-003 of 22 February 2005 of the Minister for National Education, Higher Education and Research. A copy of this circular is accessible at https://www.education.gouv.fr/bo/2005/24/MENA0501142J.htm
- Data to access the premises is stored for 3 months after they are recorded;
- Video surveillance data are stored for 1 month after it is recorded;
- The data related to students’ administrative and academic file are stored for 10 years;
- Connection data ("traffic data") generated by the use of electronic communication networks are stored for one year;
- Lesson scheduling and timetables are stored for the school year;
- Copies of exams/assessments are stored for one year after publication of the results, unless disputed;
- Marking slips and statements are stored for one year;
- The room booking schedule is kept for one school year;
- Student reports are kept for one year after the learners complete their course;
- Examination attendance sheets are kept for five years;
- Thesis examination records (pre-reports by teachers, lists of panel members, etc.) are kept for 5 years;
- The examination reports are kept for 50 years;
- Records of exam admissions and thesis examination records are kept for 50 years;
- Records of refused scholarships are kept for 2 years;
- Notices of granted scholarships are kept for 5 years;
- Contract management data are stored for the entire period of the contract plus 5 years;
- The data related to outstanding debts are stored until amicable settlement of the dispute or, otherwise, until legal action is time-barred;
- Invoices are stored for 10 years;
- Data concerning reports issued under the mechanism to combat sexual harassment are stored for 2 months when it is not followed by disciplinary or judicial proceedings or, otherwise, until the appeal channels are exhausted;
- Data related to guarantees are stored for the duration of the contractual relationship plus the limitation period.
VIII. Categories of recipients of your data: who do we send your data to?
VIII.1. Within KEDGE BS
- to the departments responsible for the programmes and academic and pedagogical management;
- to the department responsible for learner admissions;
- to the departments responsible for finance and accounts;
- to the departments responsible for coordinating graduates;
- to the human resources departments;
- to the departments responsible for KEDGE BS IT systems;
- to the persons responsible for the security of the premises and the reception at KEDGE BS.
- to other employees of KEDGE BS for directories and organisational charts
- to authorised management staff or hierarchical superiors of KEDGE BS employees
- to the people involved in the recruitment process who can access an applicant’s information;
- to the elected officials and union delegates as part of the performance of their duties.
VIII.2. Externally
The personal data may be passed on by KEDGE BS to the following entities:
- The KEDGE BS Alumni Association, the aim of which is to bring together a structured network of graduates who have studied on one of the KEDGE BS programmes
- Foreign education institutions that are partners of KEDGE BS and at which the data subjects are studying a course;
- KEDGE BS educational institutions in China and Senegal as part of inter-campus relations and exchanges;
- The Fondation de France for scholarships granted via the KEDGE BS Foundation;
- The Regions responsible for local social welfare systems;
- The partners of KEDGE BS for the purposes of managing contracts: debt collection agencies, catering franchise on the premises of KEDGE BS, printing and mailing companies, etc.
- KEDGE BS partners for the purposes of managing KEDGE BS academic accreditations;
- RTM for discounted Marseille urban transport passes;
- KEDGE BS technical and computer subcontractors;
- The service provider for electronic signatures;
- Bodies specialising in surveys and statistics (particularly for ranking education institutions);
- The local education authority and, in general, any institution under the supervision of the Ministry of Education (such as the Centre for Studies and Research on Qualifications);
- The European Commission for the management of scholarships awarded under the Erasmus programme;
- Other learners and graduates in the directories of persons who have completed a training course at KEDGE BS;
- KEDGE BS partners that run student associations, clubs and other schemes under the auspices of KEDGE BS (Business Accelerator, etc.);
- Recruiters who have chosen to pay to access KEDGE Alumni's database for recruitment purposes;
- Welfare or complementary health and group savings organisations for the purposes of membership of KEDGE BS employees;
- The authorities that are informed of the hiring of KEDGE BS employees (e.g.: unemployment, sickness, retirement and welfare insurance, etc.);
- The various subsidiaries of KEDGE BS;
- KEDGE BS partners for the purposes of the working relationship: statutory auditors, lawyers, etc.;
- KEDGE BS partners responsible for occupational health;
- Partners involved in the organisation of events held by KEDGE BS (gala evenings, etc.).
VIII.3. Authorised third parties and authorities
When KEDGE BS is required to meet its legal obligations or at the request of any authorised legal or administrative entity.
In particular, to meet its obligations regarding declaration, KEDGE BS, as the employer, sends nominative information to the social welfare organisations:
- On hiring: KEDGE BS drafts the Declaration Prior to Hiring (DPAE) for the URSSAF which will forward the information to the Primary Health Insurance Fund of the employee’s home address.
- Every month and for every event (employment stoppage, end of employment contract): KEDGE BS transmits all the social information necessary to exercise the employee's rights via the Nominative Social Declaration (DSN) mechanism.
Every employee has the right to access and rectify personal data, in accordance with the French Data Protection Act, from the various organisations to which he or she reports by sending them a request directly (addresses to be found on the website http://www.dsn-info.fr). The letter must include the Social Security number, the employer or employers affected by the request and the duration(s) concerned, as well as a photocopy of an identity document.
VIII.4. Outside of the European Union
Data controllers may transfer data outside the European Union (EU) and the European Economic Area (EEA) provided that there is sufficient and appropriate data protection. They must manage these transfers using the various legal tools defined in the GDPR and the French Data Protection Act.
If the data subjects’ data are transferred outside of the European Union or the European Economic Area, KEDGE BS will ensure that:
- The personal data are transferred to countries recognised by the European Commission as providing an adequate level of protection (such as Argentina, Japan or New Zealand) or
- The personal data are transferred to entities certified under the Privacy Shield. The list of entities in the United States of America or Switzerland that have joined the Privacy Shield is available on the website https://www.privacyshield.gov , or
- One of the mechanisms is used that ensures appropriate safeguards as provided for by the applicable regulations, and in particular the adoption of standard contractual clauses by the European Commission.
In practice, most of the transfers of personal data outside the European Union and the European Economic Area concern foreign educational institutions in which the persons concerned undergo training, KEDGE BS campuses in China and Senegal or companies in which the persons concerned undergo an internship.
You may contact the KEDGE BS Data Protection Officer to obtain further information on these topics as well as a copy of the relevant documents.
IX. Specific provisions for minors under 15 years of age
We wish to draw your attention to the fact that the GDPR and the French Data Protection Act provide that, for information society services (social networks, platforms, newsletters, etc.), the processing of a child's personal data based on consent is lawful, in principle, only if the child is aged 15 or over.
Where the child is under 15 years of age, processing is lawful if consent is given by the holder of parental authority.
In other words, children aged 15 or over may consent by themselves to the processing of their data on the basis of consent in the context of information society services. For children under 15 years old, the French Data Protection Act requires the collection of the joint consent of the child and the holder of parental authority.
In any event, where consent is required, the data subject must have the opportunity to withdraw consent at any time, through a simple method equivalent to that used to obtain consent (for example, if it was obtained online, he or she must be able withdraw it online).
X. Terms of use of our websites
We run several websites, including:
- https://kedge.edu/
- https://www.kedgebs-alumni.com/fr/diplome/
Each of these sites has a section entitled "Legal Notices" which contains the contact information of our Association, the director of publication and the service providers responsible for hosting these sites.
In addition, each of these sites has a section entitled "Personal Data Protection" which sets out the essential provisions of this Policy. Finally, you have the option to change all or some of the cookie settings at any time via a preference management tool.
XI. Contact details of the Controller
The Controller is the KEDGE Business School Group, a non-profit organisation under the French Association Act of 1901, whose registered office is located at Domaine de Raba, 680 cours de la Libération 33405 Talence cedex – France (SIREN 514005123).
The KEDGE BS reception desk can be contacted on 05 56 84 55 55.
The DPO (Data Protection Officer) of KEDGE BS can be contacted: protectiondesdonnees@kedgebs.com - KEDGE BUSINESS SCHOOL Direction Juridique, Risque et Conformité - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex, France
The Data Protection Officer is primarily responsible for:
• Informing, advising and supporting the controller in order to ensure compliance with the European Regulation and national law on personal data protection;
• Making the controller aware of issues related to the protection of the personal data of data subjects;
• Overseeing internal audits on personal data protection;
• Advising the manager on the need to conduct a privacy impact assessment and overseeing its implementation;
• Receiving and responding to any questions or complaints relating to data protection;
• Cooperating with the supervisory authority (the CNIL in France) and serving as its point of contact for the controller.
XII. Security of your data
We attach great importance to the protection of your personal data, and we take all reasonable precautions to this end. We contractually require trusted third parties who manage your personal data on our behalf to do the same.
We are constantly doing everything possible to protect your personal data. Upon receipt of your data, we will apply strict security procedures and measures to prevent unauthorised alteration, disclosure or access.
We define and implement physical, organisational, technical and software security measures taking into account the nature of the data and the risks presented by the processing in question in order to ensure an appropriate level of security.
In particular, the measures we implement are structured around the following:
- Raising awareness of users through the implementation of an IT Charter,
- User authentication via usernames and passwords,
- Access authorisation logs that underlie an access control policy,
- Installation of a regularly updated firewall and anti-virus software,
- Securing access to computer servers,
- Supervision of IT maintenance operations,
- Signing contracts with processors that provide safeguards,
- Etc.
XIII. What rights allow you to control your data?
The GDPR and the French Data Protection Act strengthen the rights of data subjects. We have endeavoured to give a brief outline of your rights before reminding you of how to exercise them.
XIII.1. Reminder of your rights
Right to be informed
You have the right to obtain clear, transparent, understandable and easily accessible information about how we use your personal data, including:
- Why we collect your data
- What the goals or objectives, purposes and context are
- What the storage periods of your data are
- Who your data are sent to and why
- The legal basis and the legality of data processing
- The origin of your data (direct or indirect source)
This Policy is drafted and updated to enable you to have a comprehensive level of information.
Right to receive confirmation of processing
You have the right to know whether any data about you is being processed and to be informed of this.
This right is a component of the right of access mentioned below.
Right of access
You have the right to access the personal data that we have on you (subject to certain restrictions). This communication must be made in a comprehensible format.
Right to rectification
You have the right to demand the correction of your personal data if it is inaccurate or outdated (e.g. incorrect age or address) or incomplete (e.g. address without the apartment number).
We will be required to disclose the corrections to the other data recipients (unless such a disclosure would require disproportionate effort).
Right to erasure/right to be forgotten
You have the right to obtain the erasure of personal data concerning you without undue delay.
You have the right to request the erasure of your data for reasons provided for by applicable regulations and, in particular, where:
- The data are no longer necessary for the purposes for which they were collected or processed;
- You have withdrawn consent on which the processing is based and there is no other legal basis for the processing;
- You object to processing and there are no overriding legitimate grounds for processing;
- You consider that your data have been unlawfully processed;
- Your data must be erased for compliance with a legal obligation;
- Your data were collected when you were under 15 years of age as part of the information society's offer of services.
Right to object (general)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you based on legitimate interest.
We will no longer process the personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
To determine whether our processing is based on legitimate interest, please refer to Chapter V of this policy detailing the legal basis for each type of processing.
Right to object to marketing
When the personal data are processed or exploited for marketing purposes, as part of advertising, sales or promotion, you have the right to object to the processing of data at any time without justification.
You will therefore find an unsubscribe link at the bottom of all our newsletters.
Right to withdraw consent at any time
You may withdraw your consent to the processing of your data if this processing is based on consent.
You have the right:
(i) to withdraw your consent at any time
(ii) to be informed of this right whenever you give consent
(iii) for withdrawal to be as simple as when you
gave your initial consent.
To determine whether our processing is based on consent, please refer to Chapter V of this policy detailing the legal basis for each type of processing.
Right to limitation of processing
You have the right to ask us to temporarily freeze the use of some of your data. This right means that we will be able to store these data, but not to use or process them.
This right applies in special circumstances provided for by the GDPR:
- you contest the accuracy of the data concerning you (and we carry out verification processes);
- you consider that the processing is unlawful and you oppose the erasure of your data;
- The data in question are still required by you for the establishment, exercise or defence of legal claims although we no longer need them;
- You have exercised your right to objection and we will verify whether the legitimate grounds override your rights.
Right to portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another body without hindrance from us, where:
- the processing is based on consent or the implementation of contractual measures,
- the processing is carried out by automated means.
To find out the legal basis for our processing, please refer to Chapter V of this policy.
Right to human intervention
You have the right not to be subject to a decision based solely on automated processing, which produces legal effects concerning you or significantly affecting you. You can ask for someone to take over your evaluation, and for the decision to be made by a human being.
Right to make instructions for after your death
You have the right to set out specific instructions regarding the storage, erasure and communication of your personal data after your death.
Right to change your cookie settings
You have the right to change all or some of the cookie settings on our websites.
If you want to change your cookie settings on our websites/applications, just go to the Cookie Management Policy which can be accessed on all our websites/applications.
Right to object to automatic profiling You have the right to know and verify the existence of automated decision-making, including profiling, and the significance and consequences
any such processing.
You have the right not to be the subject of a decision based solely on
automated processing, including profiling, with legal effects concerning you.
In such cases, you can ask for someone to take over your evaluation, and for the decision to be made by a human being.
Right to the delisting of published data
Where the controller has made the personal data public and it is obliged to erase the personal data, you have the right to demand, taking account of available technology and the cost of implementation, that we take reasonable steps, including technical measures, to inform the controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
This measure will not apply if the published data are necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation
(c) for reasons of public interest in the area of public health
(d) for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes,
insofar as this right is likely to render impossible or seriously impair
the achievement of the objectives of that processing
(e) for the establishment, exercise or defence of legal claims.
Right to lodge a complaint with a supervisory authority
You have the right to contact and lodge a complaint with the data protection authority in your country to challenge the practices of KEDGE BS in terms of personal data protection and respect for privacy. You will find information about the referral procedure provided by CNIL by following this link: https://www.cnil.fr/fr/agir
XIII.2. How to exercise your rights
The aforementioned rights may be exercised:
- by email to: protectiondesdonnees@kedgebs.com
or
- by post to: KEDGE BUSINESS SCHOOL att: Direction Juridique, Risque et Conformité - DPO Domaine de Raba, 680 Cours de la Libération, 33405 Talence, Cédex France
If the request made is admissible, KEDGE BS will respond within one month of receipt of the complete request, and will provide the information requested or implement the rights invoked within the aforementioned period.
If, given the complexity of the application or the number of applications received, the above-mentioned deadline cannot be met, KEDGE BS will, before the expiry of this deadline, inform about the postponement of its decision for a maximum of two months.
If KEDGE BS has reasonable doubts as to your identity, we may ask you to attach a document proving your identity to prevent identity theft, for example.
Furthermore, and as indicated above, all data subjects shall in any case have the right to lodge a complaint with the supervisory authority if they consider that their rights have been infringed. For further information in France, you can consult the “Help” section of the CNIL website (www.cnil.fr ) or call the legal department on 01 53 73 22 22.