Personal data protection policy concerning students, their parents and prospects
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter ‘GDPR’) sets out the legal framework applicable to the processing of personal data.
The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.
As part of its business activity, CESI is required to process personal data concerning its students, their parents and its prospects.
For a clear understanding of this policy, it is specified that:
- ‘Data controller’ refers to CESI;
- ‘Data processor’ refers to any natural or legal person who processes personal data on behalf of CESI;
- ‘Data subjects’ refers to CESI students (this term refers to learners at CESI under a student status as well as apprentices and trainees taking professional training), their parents and/or prospects;
- ‘Data recipients’ refers to natural or legal persons who receive personal data from CESI. Therefore, data recipients may include CESI employees as well as external entities (speakers, partners, banking institutions, IT service providers, etc.).
Article 12 of the GDPR requires data subjects to be informed of their rights in a concise, transparent, understandable and easily accessible way.
This policy aims to comply with the obligation to provide information to which CESI is bound and to formalise the rights and obligations of CESI students, their parents and prospects with regard to the processing of their personal data.
This policy is applicable to all processing of personal data relating to CESI students, their parents and/or prospects.
CESI does everything in its power to ensure that data is processed as part of a precise internal governance. That being said, this policy only concerns processing for which CESI is the data controller and therefore does not cover processing that would be created or operated outside the governance rules set out by CESI (the so-called shadow IT processing).
Personal data processing may be directly managed by CESI or through a data processor specifically appointed by CESI.
This policy is independent of any other document that may apply within the contractual relationship between CESI and its students, their parents and/or its prospects.
Non-technical data
Data concerning students:
- Identification details (last name, first name, civil status, National Student Identification number, social security number, date of birth, etc.)
- Contact details (postal address, email address, telephone number, etc.)
- Private and/or professional life (academic and professional career, motivations and professional goals, driver’s license, interests)
- Photography/image
- Economic and financial information (bank details, IBAN, etc.), if applicable
- Information on any special arrangements required to accommodate people with a disability, if applicable
- Recognition of disabled worker status (RQTH), if applicable
Data concerning students’ parents:
- Identification details (last name, first name, civil status, etc.)
- Contact details (postal address, email address, telephone number, etc.)
- Professional life (employment status, socio-professional category)
- Economic and financial information (bank details, IBAN, etc.)
Data concerning prospects:
- Identification details (last name, first name, civil status, etc.)
- Contact details (postal address, email address, telephone number, etc.)
Technical data
Data concerning students, their parents and prospects:
- Connection data (IP address, logs, etc.)
- Browsing data (cookies, trackers, audience measurement, clicks, etc.)
Data relating to students, their parents and/or prospects is generally collected directly from them (direct collection) by CESI.
Data can also be collected indirectly by purchasing prospect files through partners.
Depending on the case, CESI processes your data for the following purposes and based on the following legal grounds:
| Purposes | Comments | Legal grounds |
|---|---|---|
| Pre-contractual information exchanges | CESI processes data concerning people who interact with it in order to obtain information about training programs and the application process. | Enforcement of pre-contractual measures |
| Training follow-up | CESI processes data concerning its students and their parents as part of the students’ training follow-up. | Enforcement of contractual measures |
| Invoicing, payments and accounting | CESI processes data concerning its students and their parents as part of invoicing. | Enforcement of contractual measures |
| Event organisation | CESI processes data concerning its students, their parents and prospects when CESI invites them to events it organises. | CESI’s legitimate interest in promoting its business activity |
| Sending newsletters and managing unsubscribe requests | CESI sends its students, their parents and prospects newsletters from which they can unsubscribe. | CESI’s legitimate interest in promoting its business activity (students and their parents) Consent (prospects) |
| Service improvement and satisfaction surveys | CESI is likely to process data concerning its students, their parents and prospects for the purpose of improving its services, in particular through satisfaction surveys. | CESI’s legitimate interest in improving its services |
| Behaviour analysis and audience measurement | CESI is likely to process data for the purpose of analysing the behaviour of its students, their parents and prospects and monitoring their online traffic. | CESI’s legitimate interest in analysing the behaviour of data subjects or consent when necessary |
| Community management | CESI collects and processes data concerning its students for the purpose of managing its online communities, particularly on social media. | CESI’s legitimate interest in promoting its business activity |
| Video surveillance | Certain specific areas of CESI’s premises and campuses are covered by a video surveillance system. | CESI’s legitimate interest in ensuring property and people safety |
| Carrying out surveys during training and after training | CESI conducts surveys at the request of the French Ministry of Higher Education and Research, the Commission of Engineering Certifications (CTI), the French association Conférence des Grandes Écoles (CGE) and the institution France Compétences. | CESI’s legitimate interest in carrying out surveys on its business activity Or legal obligation, if applicable |
| Production of statistics | CESI is likely to produce statistics regarding its students’ data. | CESI’s legitimate interest in knowing its students better |
| Technical audits | CESI is required to audit the activity on its digital environments and is likely to produce technical statistics regarding its students’ data. | CESI’s legitimate interest in knowing its students better |
| Provision of a medical teleconsultation service to students | Some CESI campuses provide students with a telemedicine service allowing them to talk to a healthcare professional free of charge. | Consent |
Where data processing is based on consent, students, their parents and prospects have the right to withdraw their consent at any time.
CESI makes sure that data is only accessible to authorised internal or external data recipients.
Internal data recipients
- authorised staff from the departments responsible for handling student affairs and prospecting, administrative services, logistics and IT, departments that manage authorisations and accreditations, as well as their line managers.
External data recipients
- external speakers;
- partner universities and higher education institutions, which may be located in the EU or outside the EU;
- the Erasmus+ France agency;
- companies likely to enter into an apprenticeship or professional training contract or an internship agreement with students;
- the CESI ALUMNI association;
- funding organisations (example: Opco);
- professionals who take part in juries;
- authorisation/accreditation bodies (CTI, CGE);
- authorised staff from data processors.
All recipients of personal data concerning students, their parents and/or prospects within CESI are bound by an obligation of confidentiality.
CESI decides which recipient will have access to which data according to an authorisation policy.
All accesses related to processing of personal data concerning students, their parents and/or prospects are subject to traceability measures.
Furthermore, personal data may be transmitted to any authority legally entitled to know said data. In this case, CESI is not responsible for the conditions under which the staff from these authorities have access to and use the data.
The data retention period is defined by CESI in view of its legal and contractual constraints and, failing that, depending on its needs and in particular according to the following principles:
| Data processing | Data retention period |
|---|---|
| Contracts | 6 years from the date the contract is entered into for contracts signed by hand and 10 years from the date the contract is entered into for contracts signed electronically. |
| Training-related data | For the entire training period and 6 years after the training program completion. |
| Copies of diplomas and certificates of achievement | 10 years from the diploma issue date. |
| Accounting and invoicing management | 10 years from the end of the financial year. |
| Data processed for prospecting purposes | For former students: 3 years from the completion date of their training program or the last contact made by the former student. For prospects: 3 years from the date their data was collected or the last contact made by the prospect (request for documentation, clicking on a link included in an email, etc.). |
| Footage from video surveillance cameras | For a maximum period of one month and for as long as required in the event of an incident and possible criminal proceedings. |
| Technical data | 1 year from its collection. |
Once these scheduled deadlines have elapsed, the data is either erased or kept after being rendered anonymous, in particular for statistical purposes. Said data can be kept in case of pre-litigation and litigation.
Please note that data erasure or anonymisation are irreversible operations and that CESI is subsequently no longer able to restore such data.
CESI reserves the right to choose whether or not to carry out cross-border flows for the personal data it collects and processes.
In the event personal data is transferred to a country outside the European Economic Area (EEA) or to an international organisation, CESI will make sure that the rights of data subjects are properly safeguarded.
If necessary, CESI undertakes to sign one or more contracts to govern cross-border data flows.
Students, their parents and prospects have the right to ask CESI to confirm whether or not data concerning them is being processed.
Students, their parents and prospects also have a right of access, which is subject to compliance with the following rules:
- the request comes from the data subject himself or herself; and
- is made in writing to the following address: dpo@cesi.fr.
Students, their parents and prospects have the right to request a copy of their personal data being processed from CESI. However, in the event of a request for an additional copy, CESI may require students, their parents and/or prospects to bear the cost.
If students, their parents and/or prospects submit their request for a copy of data electronically, the requested information will be provided to them in a commonly used electronic format, unless otherwise requested.
Students, their parents and prospects are informed that this right of access does not apply to confidential information or data, or to data for which transmission is not authorised by law.
The right of access must not be exercised in an abusive manner, i.e. carried out on a regular basis with the sole aim of disturbing the department concerned.
CESI fulfils requests for updates upon written request from the data subject himself/herself, who may be required to prove his/her identity.
The right to erasure that students, their parents and/or prospects have will not be applicable in cases where data processing is implemented to comply with a legal obligation.
Apart from this situation, students, their parents and/or prospects may ask for their data to be erased in the following limited cases:
- the personal data is no longer necessary regarding the purposes for which it has been collected or is processed in a different way;
- when the data subject withdraws his/her consent on which the processing is based and there is no other legal ground for data processing;
- the data subject objects to a data processing that is required for the purpose of the legitimate interests sought by CESI and there are no overriding legitimate grounds for data processing;
- the data subject objects to his/her personal data being processed for prospecting purposes, including profiling;
- the personal data has been illegally processed.
In accordance with legislation on personal data protection, CESI students, their parents and/or prospects are informed that this is an individual right which can only be exercised by the data subject in relation to his/her own information: for security reasons, the department concerned may therefore verify the data subject’s identity in order to avoid any transmission of confidential information concerning him/her to another person.
CESI students, their parents and/or prospects have the right to obtain restriction of processing when one of the following applies:
- the data subject challenges the accuracy of the personal data for a period of time that allows CESI to check whether the personal data is accurate;
- the data processing is illegal and the data subject objects to its erasure, demanding instead that its use be restricted;
- CESI no longer needs personal data for processing purposes, but said data is still necessary for the data subject to establish, exercise or defend his/her rights in court;
- the data subject has objected to a data processing during the verification as to whether the legitimate grounds sought by CESI prevail over those of the data subject.
CESI grants the right to data portability in the specific case of data transmitted by students, their parents or prospects themselves, on online services offered by CESI itself and for purposes based solely on the consent given by data subjects. In this case, the data will be transmitted in a structured, commonly used and machine-readable format.
Students, their parents and prospects have the right to object to any commercial prospecting by post, telephone or electronic means, including profiling insofar as it is connected with such prospecting.
In the specific case of prospecting by electronic means, students, their parents and/or prospects will be able to object at any time by clicking on the link included in the email sent. By text message, it is possible to object to any prospecting by sending ‘stop’ to the number stated in the message received.
CESI does not make automated individual decisions.
Students, their parents and prospects are informed that they have the right to give instructions concerning retention, erasure and transmission of their post-mortem data. Specific post-mortem instructions and the exercise of their rights are sent by email to the address dpo@cesi.fr.
Students, their parents and prospects are informed of the mandatory or optional nature of their answers on each personal data collection form by means of an asterisk.
Students, their parents and/or prospects grant CESI the right to use and process their personal data for the purposes set out above.
However, the enhanced data, which is the result of processing and analysis work done by CESI, remains CESI’s exclusive property (use analysis, statistics, etc.).
CESI informs students, their parents and prospects that it may engage any processor it chooses to process their personal data.
In this case, CESI makes sure that the processor complies with its obligations under the GDPR.
CESI undertakes to sign a contract in writing with all its data processors. In addition, CESI reserves the right to conduct an audit of its data processors in order to ensure compliance with the provisions of the GDPR.
CESI is responsible for defining and implementing the technical, physical or logical security measurements it deems fit to prevent the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.
These measures mainly include:
- managing authorisations for data access;
- regular audits to ensure compliance with data security and protection;
- using a protocol or security solutions.
In the event of a personal data breach, CESI undertakes to notify the CNIL, the French Data Protection Authority, under the conditions prescribed by the GDPR.
If said breach poses a high risk to students, their parents and/or prospects, CESI will:
- warn the students, their parents and/or prospects concerned;
- provide students, their parents and/or prospects concerned with the necessary information and recommendations.
CESI has appointed a Data Protection Officer.
The contact details for the Data Protection Officer are as follows:
- Last name: Mr. Eric Barbry;
- Email address: dpo@cesi.fr.
In the event of further personal data processing, CESI will first refer the matter to the Data Protection Officer.
If students, their parents and/or prospects wish to obtain information or ask a specific question, they will be able to refer the matter to the Data Protection Officer, who will give them an answer within a reasonable timeframe with regard to the information requested or the question asked.
CESI, as data controller, undertakes to keep an up-to-date record of all processing activities carried out.
This record is a document or application that is used to list all processing operations carried out by CESI, as data controller.
CESI undertakes to provide the supervisory authority, on first request, with information enabling said authority to check that the processing complies with the data protection regulations in force.
Students, their parents and prospects affected by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of their personal data does not comply with European data protection regulations, at the following address:
CNIL – Complaints department
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Tel.: 01 53 73 22 22
CESI may be required to modify this policy, in particular in the event of changes in legislation, case law, decisions and recommendations made by the CNIL or usage.
Any new version of this policy will be notified to students, their parents and/or prospects by any means defined by CESI, including electronic means (dissemination by email or online, for example).
This version was updated on 15 December 2023.
For any further information, you can contact the DPO: dpo@cesi.fr.
For more generic information on personal data protection, you can visit the CNIL website www.cnil.fr.