GDPR Policy | École de Management Appliqué

Collection and Processing of Personal Data

Privacy Policy

1. Introduction

  1. In the course of its activities, EMA – École de Management Appliqué, a member of the GEDU Group, collects and processes personal data.
  2. Committed to fostering innovation while building a lasting relationship of trust based on respect for individuals’ rights and freedoms, the Institution strives to implement the necessary technical and organizational measures to protect the personal data it processes.
  3. The primary objective of this policy is to provide concise, transparent, understandable, and easily accessible information regarding the data processing activities, enabling you to understand under which conditions your data is processed, your rights in this regard, and to present the Institution’s commitments.

2. Who Are We?

  1. École de Management Appliqué (hereinafter “the Institution”) is a school belonging to the private higher education group Global Education (hereinafter “GEDU Group”).
  2. EMA – École de Management Appliqué is a company with a share capital of €1 644 900, registered with the Paris Trade and Companies Register under SIREN number [440 145 183], with its registered office located at: 98 Rue Didot 75014 PARIS

3. Data Protection Officer and Contact Person

  1. The GEDU Group has appointed a shared Data Protection Officer (DPO) for all entities and schools within the GEDU Group, whose contact details are: dpo@gedu.global
  2. To liaise with the DPO, the Institution has also appointed an internal data protection contact person (“DPO delegate - DDPO”) whose contact details are ddpo@ema.education
    The DPO and the Institution’s data protection contact person are responsible for advising, informing, and monitoring compliance with data protection regulations.

4. Fair and Transparent Collection

  1. In the interest of transparency, the Institution takes care to inform the data subjects of each processing activity that concerns them.
  2. Data is collected fairly. No data collection is performed without the knowledge and consent of the data subjects.

5. Purpose Limitation Principle

  1. When the Institution processes data, it does so for specific purposes: each data processing activity pursues a legitimate, determined, and explicit purpose.

6. Proportional Data Processing

  1. For each processing activity implemented, the Institution commits to collecting and using only data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
  2. The Institution ensures that data is updated when necessary and implements procedures to allow the deletion or correction of inaccurate data.

7. Personal Data We Process

  1. In the context of personal data processing for the purposes described below, the Institution primarily collects and processes the following categories of data:
  • Identification data such as names, first names, date of birth, nationality;
  • Training-related data such as training paths or data related to training projects;
  • Economic and financial information such as financing arrangements;
  • Personal data such as home address, phone number, email address;
  • Potentially, professional data such as profession, employer, professional contact details, and work experience.
  1. Generally, the Institution does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, sexual life, or sexual orientation.
  2. However, exceptionally, the Institution may collect health data, particularly concerning disabilities, to adapt practical arrangements for training services, or biometric data for access control management.

8. Origin of the Data We Process

8.1 Self-Provided Personal Data

  1. This refers to personal data that you primarily provide during:
  • Your interactions with the Institution, including at fairs, high school forums, or open days;
  • The conclusion of a contract with the Institution;
  • The submission of an application file to the Institution;
  • Surveys conducted with data subjects.
  1. This data is mainly collected via our forms, paper or electronic questionnaires.

8.2 Personal Data from Third Parties or Other Services

  1. Personal data may also come from:
  • Your browsing on the schools’ websites;
  • Other schools within the GEDU Group or partner institutions;
  • Lead providers;
  • Your employer, if applicable;
  • Public bodies.

9. Legal Bases and Purposes of Our Data Processing

  1. The processing activities conducted by the Institution, and more broadly by the GEDU Group, are necessary for the execution of a contract or pre-contractual measures at the data subject’s request. Such processing pursues the following purposes:
  • Management and monitoring of registration for competitions or training;
  • Management and monitoring of training; for this purpose, and within the framework of blended learning, classes may be filmed and broadcast to all students attending remotely and may be recorded;

·       Recording and processing of training services;

·       Administrative and financial monitoring of training.

  1. Processing that pursues the following purposes is implemented to comply with legal and regulatory obligations incumbent on the Institution, namely:

·       Training-related activities;

·       Necessary adaptations of training for persons with disabilities;

·       Implementation of data subjects’ rights under data protection regulations;

·       Accounting and tax management.

  1. Processing pursuing the following purposes is carried out to fulfill the Institution’s legitimate interests, particularly the management, smooth operation, and development of its activities:

·       Prospecting management for the Institution or any other school within the GEDU Group;

·       Conducting marketing studies and internal statistics;

·       Promotion of training programs offered by the Institution.

22. The Institution obtains the consent of the data subjects for processing purposes that do not rely on legal bases such as legitimate interest, legal and regulatory obligations, or the execution of contracts.

10. Recipients of Your Data

23. The personal data we collect, as well as any data collected subsequently, are intended for us in our capacity as data controller.
24. The following categories of recipients also receive your data:

Members of the staff of the Institution, other schools within the GEDU Group, and GEDU Group personnel, notably for managing prospective candidates, and, where applicable, staff of partner institutions;

Our potential subcontractors;

Public or other organizations to fulfill our legal obligations;

Ranking organizations to promote the school’s reputation.
25. We ensure that only authorized individuals have access to this data. The Institution applies strict authorization policies so that data is only shared with persons authorized to access it.

11. Transfers of Your Data

26. The personal data processed by the Institution may, in certain cases, be transferred to countries inside or outside the European Union.
27. In the case of processing outside the European Union, including remote access, the Institution commits to implementing safeguards to ensure the protection and security of this information in accordance with applicable regulations.
28. You may request the list of transfers and the safeguards in place by contacting the DPO at dpo@gedu.global

12. Data Retention Periods

29. The Institution ensures that data is only kept in an identifiable form for as long as necessary for the purposes for which it is processed.
30. The retention periods applied to your personal data are proportionate to the purposes for which they were collected.
31. Specifically, our data retention policy is organized as follows:

Data collected for prospect management: maximum 3 years;

Data collected and processed within the scope of educational training: maximum 10 years;

Data processed related to diplomas: 50 years.
The Institution reserves the right to retain your data beyond these periods when necessary due to judicial or regulatory obligations.

13. Security of Your Data

32. The GEDU Group places particular importance on the security of personal data.
33. Appropriate technical and organizational measures are implemented to ensure data protection against accidental loss, destruction, or damage that could compromise confidentiality or integrity.
34. When designing, selecting, or using tools that allow personal data processing, the Institution ensures they provide an optimal level of data protection.
35. The Institution implements measures respecting data protection principles by design and by default. Accordingly, it may use pseudonymization or encryption techniques where possible and/or necessary.

14. Subcontracting

36. When engaging a service provider, the Institution only communicates personal data after obtaining commitments and guarantees from the provider regarding their ability to meet security and confidentiality requirements.
37. We conclude contracts with our subcontractors that specify the conditions and modalities of personal data processing in compliance with legal and regulatory obligations.
38. Likewise, the GEDU Group carries out audits of its own services and those of its providers to verify compliance with data security rules.

15. Your Rights

39. The Institution is particularly attentive to respecting the rights granted to you under the data processing it carries out, ensuring fair and transparent processing considering the circumstances and context in which your personal data is processed.

15.1 Your Right of Access

40. You have the right to confirm whether your personal data is processed, and if so, to request a copy and information regarding:

The purposes of the processing;

The categories of personal data concerned;

The recipients or categories of recipients, including, where applicable, any international organizations to which data has been or will be disclosed, especially recipients in third countries;

Where possible, the envisaged retention period or, if not possible, the criteria used to determine that period;

The existence of the right to request rectification, erasure, restriction of processing, or objection to processing;

The right to lodge a complaint with a supervisory authority;

Information on the data source if not collected directly from you;

The existence of automated decision-making, including profiling, and where relevant, meaningful information about the logic involved and the significance and envisaged consequences of such processing.

15.2 Your Right to Rectification

  • 41. You may request that your personal data be corrected or completed if inaccurate, incomplete, ambiguous, or outdated.
  • 15.3 Your Right to Erasure
  • 42. You may request the deletion of your personal data when one of the following grounds applies:
  • The data is no longer necessary for the purposes for which it was collected or processed otherwise;
  • You withdraw your consent;
  • You object to the processing where there is no overriding legitimate interest;
  • The processing is unlawful under applicable legislation.
    Deletion is not a general right and will only be granted if a valid legal basis applies.
    43. Otherwise, the Institution may refuse your request, for example if retention is required by law or for the establishment, exercise, or defense of legal claims.

15.4 Your Right to Restrict Processing

44. You may request restriction of processing under applicable laws and regulations.

15.5 Your Right to Object

45. You have the right to object at any time, for reasons related to your particular situation, to processing based on the Institution’s legitimate interest.
46. If you exercise this right, we will stop processing your personal data unless we can demonstrate compelling legitimate grounds that override your interests, or if processing is necessary for legal claims.
47. You may object to direct marketing and related profiling.
48. Regarding direct marketing, you may refuse postal or telephone prospecting from the Institution.
49. For email or SMS marketing, the Institution may contact you only if you have consented at data collection; you may later object via an unsubscribe link or by sending “stop” to the number provided.

15.6 Your Right to Data Portability

50. You have the right to data portability, which only applies to automated processing, excluding manual or paper records.
51. This right applies only to processing based on your consent or contract execution/pre-contractual measures.
52. It excludes derived or inferred data created by the Institution or GEDU Group.
53. It applies only to your personal data, excluding anonymized data or data not relating to you, and covers both declared and operational personal data as described above.
54. This right cannot infringe on the rights and freedoms of others, such as trade secrets.
55. You may request data portability specifying whether you want to receive your data or, if technically feasible, that we transmit it directly to another controller.
56. In the latter case, please provide the exact name of the recipient, their contact details, and the service or person who should receive the data.

Here’s the English translation of the text you provided:

 

15.7 Your Right to Withdraw Consent

57. When the data processing we carry out is based on your consent, you may withdraw it at any time. We will then stop processing your personal data without affecting the lawfulness of any processing carried out prior to your withdrawal.

15.8 Your Right to Lodge a Complaint

58. You have the right to lodge a complaint with the CNIL (3 Place de Fontenoy, 75007 Paris) in France, without prejudice to any other administrative or judicial remedy.

15.9 Your Right to Define Post-Mortem Directives

59. You may set specific directives regarding the retention, deletion, and disclosure of your personal data after your death with our services, according to the procedures outlined below. These specific directives will only apply to processing carried out by us and will be limited to that scope.
60. You may also designate a person empowered to set general directives for the same purposes once they have been appointed by the executive power.

15.10 How to Exercise Your Rights

61. All the rights listed above may be exercised by providing proof of identity and contacting the Institution’s Data Protection Officer (DPO), the person responsible for personal data protection.
62. The DPO will communicate any rights requests received to the GEDU Group’s DPO.

15.11 Modification of This Document

63. We invite you to regularly review this policy on our website, as it may be updated from time to time.