At ESSEC, respect for personal data is one of the cornerstones of the relationship of trust that we have built with our entire community. In keeping with the values of humanism, responsibility and innovation that guide us, we have established a personal data protection policy designed to underpin the all-round excellence that ESSEC offers its students, participants, staff and partners.
In order to ensure that it operates smoothly, ESSEC is required to implement and use personal data processing relating to its prospects, candidates, graduates and partners. By logging on to the ESSEC website, downloading a brochure, applying for a programme or in the context of your relations, you authorise ESSEC to collect and process your personal data.
ESSEC undertakes that your data will be processed in accordance with the legislation on the protection of personal data, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RGPD) and Law 78-17 of 6 January 1978 (Loi Informatique et Libertés), amended.
Data controller
The data controller is the Association Groupe ESSEC, 3, Avenue Bernard Hirsch - 95000 Cergy Pontoise Cedex, represented represented by its Dean and President Vincenzo VINZI ESPOSITO.
Essec has appointed a Data Protection Officer who can be contacted by e-mail at dpd@essec.edu or by post at ESSEC's address.
Definitions
- “Personal data" means any information relating to an identified or identifiable natural person (surname, first name, photo, e-mail, BID, data obtained by cross-checking anonymous information) ;
- “Processing" means any operation involving personal data, regardless of the process used (automated or not (paper)) ;
- "Controller" means the natural or legal person who determines the purposes and means of processing personal data. For the purposes of this policy, the controller is ESSEC ;
- "Processor" means any natural or legal person who processes personal data on behalf of the controller. In practice, these are the service providers with whom ESSEC works and who deal with personal data ;
- "Data subject" means any natural person whose personal data is processed by an organisation. At ESSEC, this includes prospects, candidates, students, participants, graduates, professors, staff, partners, etc ;
- "Recipients" refers to natural or legal persons who receive communication of personal data. For ESSEC, this includes both ESSEC departments or employees and external bodies (partners, social organisations, etc.) ;
- "Graduate" means any person who has followed an ESSEC training course and has obtained a validation of the end of his or her training ;
- "Prospect" means any person interested in an ESSEC course or event ;
- "Candidate" means a person who has started an application to an ESSEC programme ;
- "Partner" means any person or company acting as an external lecturer, customer, supplier, processor.
What data is collected?
- identity data (surname, first name)
- contact information (email, addresses, telephone numbers)
- identification data (IP address)
- connection and navigation data (login/password, login information, pages viewed, browser type, etc )
For prospects: service or documentation requests.
For applicants application file data (marital status, telephone number, addresses, bank details, parents' details, personal email, photo, diplomas obtained, curriculum vitae, language level in French (foreign students), motivated training project, information on previous schooling, etc).
For partners: partner identity data (surname, first name, position, company name, means of contact, partner reference number, history of the partnership relationship, company name, SIREN number, etc), data from the partnership contract or agreement (accounting identification code, means of payment, method of invoicing, etc), academic data (curriculum, professional experience, areas of expertise, etc).
For graduates: ESSEC email, position/function, cohort, academic history, etc.
How is it collected?
Collected directly from you through
- when you log on to the ESSEC website ;
- when you download a brochure or request information ;
- when applying for a programme ;
- during your academic programme ;
- during meetings at events (trade fairs, forums, etc.) ;
- when visiting institutions ;
- within the framework of contractual or partnership relations.
Indirect collection through
- of our partners (organisers of physical or virtual events for example) ;
- social networks (ESSEC refrains from exploiting data and information of a private nature without the prior consent of individuals, even if they are made public and disseminated by the latter on social networks or when they are provided by partners).
Why are they collected?
Depending on the case, ESSEC processes your personal data for the following purposes:
- to transmit a service or a requested document or to answer a question ;
- to promote ESSEC programmes and services ;
- to enable the candidate to create a user account in order to access the online application platform ;
- to help and direct the candidate to the right training and assist him/her during the application period ;
- to enable the selection of candidates to ESSEC through Parcoursup or any other means of application (in particular via the online application tool) ;
- to update your personal data ;
- to produce the official documents relating to the contractual or partnership relationship and enable its execution and monitoring ;
- to manage your participation in an ESSEC event ;
- to produce statistical reports or surveys ;
- to meet its legal obligations.
The purposes of processing presented above are based on the condition of lawfulness relating generally to your consent to the processing of your personal data by ESSEC and, specifically, to the performance of a mission of public interest in the context of Parcoursup (arrêté du 28 mars 2018) or to the contract for the execution of the relationship between you and ESSEC.
Who are the recipients of the data?
Depending on your profile, the recipients of your data may be:
- services in charge of processing the relationship with prospects or candidates ;
- services in charge of handling relations with partners ;
- the services in charge of event organisation ;
- educational, academic and research services ;
- administrative and accounting services ;
- logistics and IT services ;
- security and reception services ;
- services in charge of control (Purchasing, Management Control, etc.) ;
- the alumni association ;
- the ESSEC Foundation ;
- authorised partners (Ministries, Conférence des Grandes Ecoles, etc.) ;
- ESSEC's processors.
When necessary, ESSEC may transmit your data to its entities ESSEC Asia pacific (Singapore) and ESSEC Afrique Atlantique (Rabat).
In addition, your personal data may be communicated to any authority legally entitled to know them. In this case, ESSEC is not responsible for the conditions under which the staff of these authorities have access to and use the data.
How long is the data kept?
ESSEC defines the length of time that data is kept in accordance with legal and contractual constraints and, failing that, according to its needs.
ESSEC's commitments
In the event of a breach of your personal data
To notify the Cnil under the conditions prescribed by the RGPD.
If such a breach poses a high risk to prospects, candidates, graduates or partners, ESSEC will notify the prospects, candidates, graduates or partners concerned and provide them with the necessary information and recommendations.
In the event of outsourcing of your personal data
To ensure that the subcontractor complies with its obligations under the DPMR. ESSEC undertakes to sign a written contract with all its subcontractors and imposes the same data protection obligations on subcontractors as it does on itself.
In case of transfer of personal data to a third country outside the European Union or an international organisation
To inform the prospect, candidate, graduate or partner and ensure that their rights are properly respected in accordance with the requirements of the regulations on the protection of personal data.
What rights do you have over your data?
You have the following rights:
- right to information
- right of access
- right of rectification
- right of deletion (unless you have a current contract with ESSEC or ESSEC has legal or regulatory obligations)
- right of opposition
- right to portability
- right to limitation of processing
- right to withdraw your consent (where this is the legal basis for the processing operation)
If you consider that the processing of your personal data does not comply with the regulations on the protection of personal data, you have the right to lodge a complaint with the supervisory authority at the following address:
Cnil – Service des plaintes
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Tél : 01 53 73 22 22
How to exercise your rights?
ESSEC has appointed a data protection officer to whom you can exercise your rights. You can contact her by email at the following address: DPD@essec.edu or by post at the address of the data controller:
Association Groupe ESSEC
ESSEC Business School
3 avenue Bernard Hirsch
CS 50105 Cergy
91021 Cergy Pontoise Cedex - France
Modification of the data protection policy
This data protection policy may be modified or amended at any time in the event of legal, jurisprudential or usage changes.