Data Protection Policy - Istec

Data Protection Policy

Foreword

Istec attaches great importance to privacy and compliance with applicable regulations.

In the course of its activities, Istec collects and processes personal data related to contacts, prospects, clients, service providers, and partners.

The main objective of this document is to provide you with concise, transparent, understandable, and easily accessible information about the data processing activities carried out, enabling you to understand the conditions under which your data is processed.

Through this policy, Istec commits to comply with the EU Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”), which has been applicable since 25 May 2018, and the French Data Protection Act No. 78-17 of 6 January 1978, as amended, relating to information technology, files, and freedoms.

General Principles

In accordance with the provisions of Article 5 of the General Data Protection Regulation (GDPR), the collection and processing of your personal data adhere to the following principles:

  • Lawfulness, fairness, and transparency: The collection and processing of personal data can only be based on a pre-established legal basis (performance of a contract, legal obligation, consent, legitimate interest, protection of vital interests).
  • Purpose limitation: The collection and processing of personal data are carried out for specific and legitimate purposes.
  • Data minimization: Only data strictly necessary for the proper execution of the pursued objectives are collected.
  • Limited data retention: Personal data retention periods are defined to meet the needs of processing activities and our legal obligations.
  • Security of collected and processed data: The data controller is committed to ensuring the integrity and confidentiality of the collected data.

Who Are We?

Istec Business School Paris, a higher education school of business and marketing, acts as data controller for the activities described below.

Processed Personal Data

Category: Example

  • Civil status, identity, identification data: Name, First name, Civil status
  • Personal life: Address, email, phone
  • Professional life: Occupation, employer, workplace, email, work phone number
  • Economic information: Bank account details, payment data
  • Connection data: IP address, event logs
  • Cookies, trackers: Audience measurement, social networks

Persons Concerned

This policy applies to all individuals who come into contact with Istec, and each processing activity specifies the individuals concerned.

Data Processing

The processing activities carried out by Istec have the following purposes:

    1. Contact Management

    Objectives

    The processing aims to manage requests made on the istec.fr website.

    It allows Istec to:

    • Manage requests
    • Manage the follow-up to requests

    Data Category

    • Personal information, identity
    • Contact details (email, phone, etc.)
    • Manage the follow-up to requests

    Data Subjects

    • Any user of the website (applicant, parents, candidate, student, learner, etc.) who submits a request via a contact form, email address provided on the website, or the Chatbot.
    • Members and staff of Istec

    Legal Basis

    Article 6(1)(f) of the General Data Protection Regulation (GDPR)
    Istec’s legitimate interest in fostering contacts to develop its business.

    2. Event Registration Management

    Objectives

    Manage registrations for Istec events:

    • Management of invitations, registrations, and logistical organization of events
    • Quality evaluation and statistics related to events

    Data Category

    • Personal information, identity
    • Contact details (email, phone, etc.)
    • Educational level
    • Desired program of study
    • Manage the follow-up to requests

    Data Subjects

    • Any user of the website (applicant, parents, candidate, student, learner, etc.) who submits a request via a contact form, email address provided on the website, or the Chatbot.
    • Members of Istec services involved in the request

    Legal Basis

    Article 6(1)(f) of the General Data Protection Regulation (GDPR)
    Istec’s legitimate interest in conducting communication actions to develop its business.

    3. Entrance Exam Registration Management

    Objectives

    Manage registrations for various entrance exams at Istec:

    • Management of follow-up to registrations
    • Management of exam notifications, registrations, and organization

    Data Categories

    • Identity, contact details (email address, phone)
    • Disability status
    • Last obtained diploma
    • Current educational situation

    Data Subjects

    • Anyone wishing to register for an Istec entrance exam
    • Members of Istec services involved

    Legal Basis

    Article 6(1)(b) of the General Data Protection Regulation (GDPR)

    Contractual and pre-contractual measures necessary for pre-registration for entrance exams

    4. Newsletter Management

    Objectives

    Management of sending the Istec newsletter following subscription on the istec.fr website:

    • Management of subscriptions
    • Compilation of statistics related to these subscriptions

    Data Categories

    • Identity for personalized communications
    • Email address
    • Subscription date
    • Statistics related to the newsletter service

    Data Subjects

    The data processing concerns individuals who wish to receive the Newsletter.

    Legal Basis

    Article 6(1)(a) of the General Data Protection Regulation (GDPR)

    Consent of the individual validated by sending the subscription request through the dedicated form or by selecting the appropriate option during contact.

    5. Data Analysis

    Objectives

    Obtain statistical reports on the activity of website users in order to improve our business proposition.

    Data Categories

    • Data related to website visitors (unique visitor identifier, IP address, technical data, browsing data, etc.)
    • Data related to transactions made on the Istec website (order number, total amount, etc.)

    Data Subjects

    • Any user of the website.
    • Istec agency
    • Istec Communication department

    Legal Basis

    Your consent (you have the right to withdraw your consent at any time).

    6. Payment Management

    Objectives

    Process a transaction related to Istec registration.

    Data Categories

    Personal data provided during a transaction (billing/delivery address, email, name, surname, banking information, etc.)

    Data Subjects

    • Any candidate who has received a positive eligibility result at Istec
    • ISTEC Admissions Department.
    • ISTEC Accounting Department.

    Legal Basis

    A contractual obligation.

Sharing and Storage of Your Data

Data retention period

The data is kept for a period of 3 years from the processing of the request.

The data related to our electronic communications is stored until the recipient of the communications withdraws consent through the link provided for this purpose in each message.

Recipients & sharing of your data

ISTEC does not sell the collected personal data to third parties. This data is shared solely for the needs related to its activities. It is shared:

  • Internally, with authorized services responsible for carrying out these tasks.
  • With suppliers and subcontractors. ISTEC requires them to sign contracts with clauses ensuring a level of data protection, confidentiality, and security in accordance with regulatory standards and state-of-the-art practices.

Your data may be communicated to competent public authorities upon their request, in compliance with regulations, particularly for the purpose of investigating offenses.

Transfer of data outside the EU

Istec uses subcontractors and suppliers under conditions that involve data transfers, including to the United States.

Security of Personal Data

Istec attaches particular importance to the security of personal data.

We have implemented technical and organizational measures appropriate to the degree of sensitivity of personal data to ensure the integrity and confidentiality of data and protect them against any malicious intrusion, loss, alteration, or disclosure to unauthorized third parties.

However, the security and confidentiality of personal data depend on everyone’s good practices. Therefore, the data subject is invited to remain vigilant on this matter. In this regard, you can visit the website cybermalveillance.gouv.fr, especially the best practices section.

Your Rights

Istec is particularly concerned with respecting the rights granted to you in the context of the data processing it implements, in order to guarantee fair and transparent processing given the particular circumstances and context in which your personal data are processed.

    Right of Access

    In this regard, you have the right to obtain confirmation as to whether or not your personal data are being processed, and if so, you have the right to request a copy of your data and the following information:

    • The purposes of the processing.
    • The categories of personal data involved.
    • The recipients or categories of recipients, including, where applicable, any international organizations to which the personal data have been or will be disclosed, particularly recipients established in third countries.
    • Where possible, the envisaged retention period for personal data or, if not possible, the criteria used to determine that period.
    • The existence of the right to request the rectification or erasure of your personal data, the right to request the restriction of their processing, and the right to object to such processing.
    • The right to lodge a complaint with a supervisory authority.
    • Information about the source of the data if they were not collected directly from the data subjects.
    • The existence of automated decision-making, including profiling, and in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subjects.

    Right to Rectification

    You may request the rectification, completion, or updating of your personal data if they are inaccurate, incomplete, ambiguous, or outdated.

    Right to Erasure

    You may request the erasure of your personal data in cases provided for by legislation and regulations.

    We draw your attention to the fact that the right to erasure of data is not an absolute right and can only be granted if one of the grounds provided for in the applicable regulations is present.

    Right to Restriction of Processing

    You may request the restriction of the processing of your personal data in cases provided for by legislation and regulations.

    Right to object to data processing

    You have the right to object, on grounds relating to your particular situation, to the processing of your personal data when the legal basis for the processing is the legitimate interest pursued by the data controller.

    If you exercise this right to object, we will no longer process your personal data in the context of the relevant processing, unless we can demonstrate legitimate and compelling grounds for continuing such processing that outweigh your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defense of legal claims.

    Right to Data Portability

    You have the right to data portability for your personal data. This is not a general right. Not all data is portable, and this right only applies to automated processing, excluding manual or paper-based processing.

    This right is limited to processing based on your consent or the performance of pre-contractual measures or a contract.

    This right only applies to data provided by you and does not include derived or inferred data.

    Right to Withdraw Consent

    If the processing of data is based on your consent, you can withdraw it at any time. We will then cease processing your personal data without affecting the lawfulness of processing based on consent before its withdrawal.

    Right to Lodge a Complaint

    You have the right to lodge a complaint with the CNIL (3 place de Fontenoy, 75007 Paris) in France, without prejudice to any other administrative or judicial remedy.

    Right to Define Post-Mortem Directives

    You can determine the fate of your digital personal data after your death.

Right to Object to Processing

For any information or exercise of your rights regarding data processing managed by Istec, you can contact the Data Protection Officer (DPO):

  • Through the “Contact the DPO” form
  • Or by mail (including a copy of your identification document when exercising your rights, unless the information provided in your request allows us to identify you with certainty) at the following address:

Istec Business School Paris

Data Protection Officer

128 quai de Jemmapes

75010, Paris

If you are dissatisfied with the way your personal data or your requests under the GDPR or the Data Protection Act are handled, you can file a complaint with the supervisory authority (CNIL).

Glossary

Personal Data: Any information relating to an identified or identifiable person, which can directly (e.g., name and surname) or indirectly (e.g., cookies) identify them.

Processing of Personal Data: Any operation or set of operations (automated or non-automated) applied to personal data, such as collection, recording, organization, storage, transmission of data, etc.

Data Controller: An entity that determines the purposes and means of data processing.

Data Processor: An entity that processes personal data on behalf of and under the instructions of the data controller.

Modification of this Policy

We encourage you to regularly review this policy on our website as it may be updated.

Last update date: 15/05/2023