Personal data

Date of last update: 14/10/2020

1. Introduction

1. In the course of its activities, Paris School of Business, a member of the Galileo Global Education Group, collects and processes personal data.

2. With a view to fostering innovation while building a lasting relationship of trust based on respect for the rights and freedoms of individuals, the company is committed to putting in place the technical and organizational means necessary to protect the personal data it processes.

3. The main aim of this policy is to provide you with concise, transparent, comprehensible and easily accessible information on the data processing operations carried out, so that you can understand the conditions under which your data is processed, what your rights are in this respect, and to present you with the Etablissement’s commitments.

2. Who are we?

4. Paris School of Business (hereinafter referred to as the “School”) is a school belonging to the private higher education group Galileo Global Education France (hereinafter referred to as the “Galileo Group”).

5. Paris School of Business is a company with share capital of €13,267,469, registered in the PARIS Trade and Companies Register under SIREN number 752 535 476 RCS, with its head office at 35 Avenue Philippe Auguste – 75011 Paris 11th arrondissement.

3. Data protection delegate and contact person

6. The Galileo Group has appointed a Data Protection Officer (DPO) for all Galileo Group entities and schools, whose contact details are as follows: 41 rue Saint Sébastien, 75011 PARIS, Délégué à la protection des données ou DPO, adresse mel : dpo@ggeedu.fr.

7. In order to liaise with the DPO, the Establishment has also appointed an in-house personal data protection officer (“DPO delegate – DDPO”) whose contact details are dpo@psbedu.paris.

The establishment’s DPO and personal data protection officer are responsible for advising, informing and monitoring compliance with data protection regulations.

4. Fair and transparent collection

8. In the interests of transparency, the Establishment takes care to inform the persons concerned of each processing operation that concerns them.

9. This data is collected fairly. No data is collected without the knowledge or consent of individuals.

5. The principle of purpose

10. When the Establishment processes data, it does so for specific purposes: each data processing operation pursues a legitimate, specific and explicit purpose.

6. Proportionate data processing
11. For each processing operation, the Establishment undertakes to collect and use only data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

12. The Etablissement ensures that data is, if necessary, updated and implements procedures to enable the deletion or rectification of inaccurate data.

7. The personal data we process

13. In connection with the processing of personal data, the purposes of which are set out below, the Establishment collects and processes mainly the following categories of data:

  • personal identification data such as surname(s), first name(s), date of birth, nationality of the persons concerned;
  • data relating to training, such as training path or in relation to training projects;
  • economic and financial information, such as financing arrangements;
  • personal data such as home address, telephone number, e-mail address;
  • where applicable, data relating to professional status, such as occupation, employer, professional contact details and professional experience;

14. In general, the Establishment does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, nor does it process genetic data, biometric data for the purpose of uniquely identifying a natural person, or the sex life or sexual orientation of a natural person.

15. However, in exceptional cases, the Establishment may need to collect health data, in particular data relating to a disability, in order to adapt the practical details of the training services provided, or biometric data for the management of access controls.

8. The origin of the data we process

8.1 Declarative personal data
16. This concerns personal data that you provide mainly in the context of :

  • your exchanges with the school, particularly at trade fairs, high school forums and open days;
  • the conclusion of a contract with the Establishment ;
  • the creation of a file with the Establishment ;
  • surveys of the people concerned.

17. This data is mainly collected via our forms and paper and electronic questionnaires.

8.2 Personal data from third parties or other services
18. Personal data may also come from :

  • of your navigation on the school websites;
  • other Galileo Group schools or
  • of partner establishments ;
  • lead providers ;
  • if concerned by your employer ;
    public bodies ;

9. Legal basis and purposes of our data processing operations

19. The processing carried out by the Establishment and more generally by the Galileo Group is necessary for the performance of a contract or the execution of pre-contractual measures taken at the request of the data subject. This applies to processing for the following purposes:

  • managing and monitoring registration for a competition or training course;
  • training management and follow-up; for this purpose, and in the context of so-called bimodal training, courses can be filmed and broadcast to all students attending the distance learning course. They may also be recorded.
  • registration and processing of training services;
  • administrative and financial monitoring of the training program;

20. Processing for the following purposes is carried out to meet the legal and regulatory obligations incumbent on the Establishment, namely :

  • training-related actions ;
  • the necessary adaptations to training courses for people with disabilities;
  • implement the rights of data subjects under personal data regulations;
  • accounting/tax management ;

21. Processing for the following purposes is carried out to meet the legitimate interests of the Establishment, in particular the management, smooth running and deployment of its business:

  • canvassing for the school or any other Galileo Group school;
  • marketing studies and internal statistics;
  • promoting the training courses offered by the company;
  • survey management ;
  • event organization ;
  • analysis and measurement of site traffic;
  • alumni management and development of the school’s network;
  • in this context, as a former student, you may be the subject of solicitations.

22. The Establishment obtains the consent of data subjects for processing purposes that are not based on legitimate interests, legal and regulatory obligations or necessary for the performance of contracts.

10. Recipients of your data

23. The personal data we collect, as well as those collected subsequently, are intended for us in our capacity as data controller.

24. The following categories of recipients also receive your data:

  • staff members of the school, of other Galileo Group schools, Galileo Group staff, particularly for managing prospective candidates, and, where applicable, staff members of partner schools;
  • any subcontractors;
  • public or private bodies in order to meet our legal obligations;
  • ranking organizations to promote the school’s reputation;

25. We ensure that only authorized persons have access to this data. The company applies strict authorization policies to ensure that the data it processes is transmitted only to persons authorized to access it.

11. Transfer of your data

26. Personal data processed by the Company may, for certain operations, be transferred to countries inside or outside the European Union.

27. In the case of processing carried out outside the European Union, including remote access, the company undertakes to put in place safeguards to ensure the protection and security of such information, in accordance with the applicable regulations.

28. You can obtain a list of transfers and the guarantees taken by contacting the DPO at dpo@ggeedu.fr.

12. How long we keep your data

29. The Establishment shall ensure that data is only kept in a form that allows identification of the persons concerned for as long as is necessary for the purposes for which it is processed.

30. The retention periods we apply to your personal data are proportionate to the purposes for which they were collected.

31. In particular, we organize our data retention policy as follows:

Data collected for prospect management: maximum 3 years

  • Data collected and processed for training purposes: 10 years maximum
  • Data processed for graduation purposes: 50 years
  • L’Etablissement reserves the right to retain your data beyond the time limits set out above in the event of legal or regulatory obligations.

13. The security of your data

32. The Galileo Group attaches particular importance to the security of personal data.

33. Appropriate technical and organizational measures are implemented to ensure that data is processed in such a way as to guarantee its protection against accidental loss, destruction or damage which could undermine its confidentiality or integrity.

34. When developing and designing, or selecting and using, the various tools that enable personal data to be processed, the Establishment ensures that they provide an optimum level of protection for the data processed.

35. The Establishment thus implements measures that respect the principles of protection by design and protection by default of processed data. To this end, the Etablissement may use pseudonymization or encryption techniques whenever possible and/or necessary.

14. Subcontracting

36. When it has recourse to a service provider, the Establishment only communicates personal data to the latter after having obtained a commitment and guarantees on its ability to meet these security and confidentiality requirements.

37. In compliance with our legal and regulatory obligations, we enter into contracts with our subcontractors which precisely define the terms and conditions under which they process personal data.

38. The Galileo Group also carries out or commissions audits of its own services and those of its service providers, in order to verify the application of data security rules.

15. Your rights

39. The Establishment is particularly concerned about respecting the rights granted to you in connection with the data processing it implements, in order to guarantee fair and transparent processing taking into account the particular circumstances and context in which your personal data is processed.

15.1 Your right of access

40. As such, you have the confirmation that your personal data are or are not processed and when they are, you have the right to request a copy of your data and information concerning :

  • the purposes of the processing ;
  • the categories of personal data concerned;
  • the recipients or categories of recipients and, where appropriate, if such communications are to be made, the international organizations to which the personal data have been or will be communicated, in particular recipients established in third countries;
  • where possible, the intended retention period for personal data or, where this is not possible, the criteria used to determine this period ;
  • the existence of the right to ask the data controller to rectify or erase your personal data, the right to request a restriction on the processing of your personal data, the right to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • information on the source of the data when it is not collected directly from the data subjects;
  • the existence of automated decision-making, including profiling, and in the latter case, useful information concerning the underlying logic, as well as the importance and expected consequences of this processing for the data subjects.

15.2 Your right to rectify your data

41. You can ask us to rectify or complete your personal data if it is inaccurate, incomplete, ambiguous or out of date.

15.3 Your right to erasure of your data

42. You can ask us to delete your personal data if one of the following reasons applies:

the personal data is no longer required for the purposes for which it was collected or otherwise processed;
you withdraw the consent previously given ;
you object to the processing of your personal data if there are no compelling legitimate grounds for the processing;
the processing of personal data does not comply with applicable laws and regulations.
The right to data deletion is not a general right, and can only be exercised if one of the reasons provided for in the applicable regulations is present.

43. Failing this, the Etablissement will not be able to respond favorably to your request; this will be the case if it is required to retain the data due to a legal or regulatory obligation or for the establishment, exercise or defense of legal rights.

15.4 Your right to limit data processing

44. You may request the restriction of the processing of your personal data in the cases provided for by legislation and regulations.

15.5 Your right to object to data processing

45. You have the right to object at any time, for reasons relating to your particular situation, to the processing of your personal data for which the legal basis is the legitimate interest pursued by the data controller (see article above on the legal basis for processing).

46. In the event of the exercise of such a right of objection, we will ensure that we no longer process your personal data in connection with the processing concerned unless we can demonstrate that we have compelling legitimate grounds for continuing such processing. These reasons must outweigh your interests and your rights and freedoms, or the processing must be justified for the establishment, exercise or defense of legal claims.

47. You have the right to object to commercial canvassing as well as to profiling insofar as it is linked to such canvassing.

48. With regard to commercial canvassing, you are reminded that you may refuse to receive canvassing by post or telephone from the Establishment.

49. In the case of canvassing by electronic mail (Email, SMS, MMS), the Establishment may use this method if you have given your consent at the time of collection. You may object at any time by clicking on the link in the e-mail sent to you, or by sending stop to the number given in the message.

15.6 Your right to data portability

50. You have the right to the portability of your personal data. This is not a general right. It only concerns automated processing, to the exclusion of manual or paper processing.

51. This right is limited to processing operations whose legal basis is your consent or the performance of pre-contractual measures or a contract.

52. It does not include derived or inferred data, which are personal data created by the Establishment or the Galileo Group.

53. The data on which this right may be exercised are :

  • only your personal data, which excludes anonymized personal data or data that does not concern you;
  • declarative personal data and the personal operating data mentioned above.

54. The right to portability may not infringe the rights and freedoms of third parties, such as those protected by business secrecy.

55. You may request data portability in accordance with the procedure set out below, specifying whether you wish to receive the data yourself or, if it is technically possible for us, for us to pass it on directly to another data controller.

56. In the latter case, please let us know the exact name and contact details of the person responsible, as well as the department or person to whom the information should be sent. To facilitate the exercise of this right, you must inform the recipient of your request to our services.

15.7 Your right to withdraw your consent

57. Where our data processing operations are based on your consent, you may withdraw it at any time. We will then stop processing your personal data without affecting any previous operations for which you have given your consent.

15.8 Your right to make a complaint

58. You have the right to lodge a complaint with the Cnil (3 place de Fontenoy 75007 Paris) on French territory, without prejudice to any other administrative or legal remedy.

15.9 Your right to define post-mortem directives

59. You have the possibility of defining particular directives relating to the conservation, the erasure and the communication of your personal data after your death with our services according to the methods hereafter defined. These specific directives will only concern the processing carried out by us and will be limited to this scope.

60. Once this person has been designated by the Executive, you will also be able to define general directives for the same purposes.

15.10 How to exercise your rights

61. All the rights listed above may be exercised by providing proof of your identity to the DDPO of the Establishment, who is responsible for the protection of personal data.

62. The latter will be responsible for notifying the Galileo Group’s DPO of requests for rights made to him.

15.11 Amendments to this document

63. We invite you to consult this policy regularly on our website. It may be updated from time to time.