General Privacy and Personal Data Protection Policy
1. OBJECTIVES AND SCOPE OF THE POLICY
NEOMA BS (hereafter referred to as the School) undertakes to ensure the protection of data obtained in the course of its activities and to comply with applicable laws and regulations on the Processing of Personal Data, and in particular with the European Regulation n° 2016/679 on the protection of personal data.
The main purpose of this Policy is to ensure that the School has in place appropriate governance structures, controls, methods and procedures to ensure compliance with applicable laws and regulations on the protection of Personal Data.
In this context, the Policy sets out the following minimum standards:
- Appointment of a Data Protection Officer (DPO) in charge of the supervision and application of this policy.
- Adoption of minimum requirements and standards for all personal data processing.
1.2. Policy Scope
The Policy applies to all NEOMA Business School employees and departments across all campuses.
It applies to all Personal Data collected, processed or shared by the School, both online and offline, including via:
- The NEOMA website
- The official NEOMA social media accounts
- The integrated management software [XXX]
- The CRM database
- Other tools and databases used within the School
- Emails exchanged within the school
- Conversations and correspondence
- Paper forms
Adequate communication on the Policy must be carried out by the School in accordance with point VII “Awareness and Training” below.
In accordance with applicable labour law, its own internal rules and employment contracts, the School may take disciplinary action against its own employees, in particular in the event of non-compliance with the minimum standards of protection of Personal Data established by this Policy.
1.3. Application of the policy to third parties
Subject to any legislative or regulatory provisions to the contrary, this policy shall apply to Third Parties who have access to, or to whom the School discloses, Personal Data of Students, Former Students, Professors, Speakers, Employees and any other persons whose Personal Data the School processes.
Each Data Controller shall ensure that contracts with Third Parties having access to School Personal Data contain, at a minimum, provisions on the following points:
- The scope of responsibility
- Data ownership
- Processing characteristics (purpose, duration, nature, data subjects concerned)
- International data transfers
- Compliance with guidelines and use of other subcontractors
- Policy for managing data subjects’ rights
- Data handling at the end of the contract
- Data security and confidentiality obligations
- Possibility for the Data Controller to audit the Third Party
- Data breach procedure
2. DEFINITIONS
For the purposes of this Policy and the Annex, the following terms are defined in this section:
“Personal Data” means any information relating to an identified or identifiable individual (hereafter referred to as “Data Subject”).
An “identifiable individual” is an individual who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, identity document number, salary/payroll, health records, bank account information, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
The definition is intentionally very broad. Other information (e.g. address, place of work, telephone number, physical characteristics or occupation), taken together, would typically be sufficient to identify an individual.
“Sensitive Personal Data” refers to Personal Data such as but not limited to:
- Race or ethnic origin, political opinions or religious or philosophical beliefs of the Data Subject
- Membership in a trade union
- Physical and/or mental health or sexual habits/life of the Data Subject
- Data subject to specific regulations (financial data, medical data, etc.)
- Genetic and biometric data
- Alleged commission of an offence by the Data Subject
- Any prosecution for an offence committed or alleged to have been committed by the Data Subject, the bringing of such prosecution or the decision of any court in relation to such prosecution
“Data Subject” designates the individual whose “Personal Data” is held by NEOMA Business School and who can be identified or distinguished from others, directly or indirectly, in particular by reference to an identification number or to one or more specific elements, specific to his or her physical, physiological, mental, economic, behavioural, cultural or social characteristics. This includes students, employees, professors, prospects, guest lecturers, former students, etc.
“Data Controller” means the person or entity that, alone or jointly with others, decides what Personal Data is collected and why and how it is collected and processed. In most cases, this will be the person or company that “possesses” the Data. Being the Data Controller does not mean owning the Data or being free to disclose or use it at will.
Under the European Regulation on the protection of Personal Data, the Controller is defined in the general sense as the entity represented by its Director, and by express and written delegation of authority, the Heads of Departments or Business Units. These persons will be those responsible under the European Regulation.
However, for the purposes of this Policy, any employee who, alone or jointly, decides what Personal Data is collected, why and how it is collected and processed is responsible for implementing this Policy. The term “Data Controller” will refer to this employee.
“Subcontractor” refers to any person or company, not employed by the Data Controller, who processes Personal Data on behalf of the Data Controller and according to its directives (e.g. service providers or suppliers). The Controller must ensure that the same duty of care is maintained when a Subcontractor processes Personal Data on its behalf and for its account.
“Third Party” is any individual or legal entity, public authority, agency or any other body other than the Data Subject, the Data Controller, the Subcontractor and those persons who, under the direct authority of the Data Controller or Subcontractor, are entitled or authorised to process the Data. Corporate or institutional partners are Third Parties within the meaning of this policy. They may also be organisations that are required by law to receive data (social security organisations, insurance companies, etc.).
“Processing of Personal Data” means any operation or set of operations, whether or not carried out by automated means, applied to Data or sets of Personal Data, such as collecting, accessing, recording, copying, reproducing, transferring, searching, sorting, storing, separating, combining, merging, modifying, structuring, adapting, making available, using, disclosing, disseminating, communicating, extracting, organising, disclosing by transmission or any other form of making available, concealing, moving, reconciling, linking, restricting, erasing, destroying and performing other actions on the Data, whether automatically, semi-automatically or otherwise. This list is not exhaustive.
“Recipient” means the individual or legal entity, public authority, department or any other body that receives Personal Data, whether or not it is a Third Party.
“Consent” of the Data Subject means any free, specific, informed and unambiguous expression of will by which the Data Subject accepts, by a declaration or by a clear positive act, that his or her Personal Data be processed by NEOMA Business School.
“Breach of Personal Data” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise processed.
“Data Transfer” means any communication, copy or movement of Data via a network to a country outside the European Union, or any communication, copy or movement of such Data from one medium to another, regardless of the medium, to the extent that such Data is intended to be processed in the recipient country outside the European Union (e.g. Transfer to a service provider to digitalise data collection, an international IT platform, international IT maintenance, organisation of exchanges between partner schools and universities, international accreditation of professors, transmission to international press organisations for the ranking of French Grandes Ecoles, etc. ).
“Data Importer” means any Data Controller, Subcontractor or Third Party that processes Personal Data received from the Data Exporter in the course of a Data Transfer.
“Data Exporter” means a Data Controller, Subcontractor or Third Party that transfers Personal Data from the country in which the School is located (either on its own behalf or on behalf of a Subcontractor or Third Party) to another country outside the European Union.
“Processing Purposes” refers to the objectives pursued by the Processing of Personal Data or the main objective of a computer application processing Personal Data. Examples of purposes: recruitment management, entrance exam registration management, student enrolment management, on-site CCTV surveillance, library loan management, etc.
“Binding Corporate Rules” or BCR refers to the internal rules relating to the protection of Personal Data applied by the Data Controller established on the territory of a Member State of the European Union for transfers or for a set of transfers of Personal Data to a Data Controller or to a Subcontractor established in one or more countries outside the European Union within a group of companies, or a group of companies engaged in a joint economic activity.
3. MINIMUM STANDARDS AND REQUIREMENTS
The collection and processing of Personal Data must respect the minimum principles detailed below:
- 1. Transparency
- 2. Minimisation and adequacy
- 3. Compliance with processing purposes
- 4. Lawfulness and consent
- 5. Data transfer
- 6. Data storage period
- 7. Rights of data subjects
- 8. Data security
- 9. Privacy by design & by default
- 10. Relationship with subcontractors
- 11. Accountability
- 12. Register of processing operations
- 13. Additional requirements
3.1. Transparency
All Personal Data shall be collected and processed lawfully, fairly and transparently with regard to the Data Subject.
3.1.1. What information should be provided to data subjects?
The following information must be systematically provided to the persons whose Personal Data is processed by the School and must appear on the website operated by NEOMA Business School:
- The identity and contact details of NEOMA Business School as Data Controller
- All processing purposes
- The contact information for the Data Protection Officer (DPO)
- The legal basis for the processing (see section 3.4) and, where applicable, the legitimate interests pursued
- The length of time for which the data will be stored or the criteria for determining that length of time
- Where applicable, the recipients or types of recipient;
- Data Subjects’ rights
- The right to lodge a complaint with the CNIL
- Where applicable, the existence of a transfer of data outside the European Union as well as the information and guarantees relating thereto
- If applicable, the fact that the provision of the Data depends on a regulatory or contractual requirement
- If applicable, the fact that the provision of the Data is a condition for the conclusion of a contract
- The obligation of the Data Controller to provide a copy of the Data to the Data Subject upon request
- The possible consequences for the Data Subject of not providing the Data
- Where applicable, the right to withdraw consent to consent-based processing
- Where applicable, the existence of an automated decision-making process and associated information
- Where applicable, the existence of a subsequent Processing for another Purpose and associated information
3.1.2. When to inform people?
At the time of collection of Personal Data, information about the Data Processing must be communicated to Data Subjects in a concise, transparent, understandable and easily accessible manner, in clear and simple terms.
- Employees and professors may be informed through a clause in the employment contract or in the internal regulations
- Students may be informed through a clause on the NEOMA BS application form (online or paper)
- Those registered for entrance examinations may receive this information via the NEOMA Business School entrance examination registration form (online or on paper)
In general, an information notice must appear on all Personal Data collection forms, online or on paper. An information notice must also be available on the School website.
In the event that the School does not collect Personal Data directly from Data Subjects (e.g. emailing campaign using data provided by institutional partners, etc.), the information in 3.1.1 must be provided at the latest at the time of the first communication with the Data Subject (e.g. when the first email is sent to the Data Subject). However, if this first communication occurs more than one month after the Personal Data was obtained, the Data Subjects should be informed before the expiry of this one-month period. The following additional information must be provided:
- The categories of Personal Data collected
- The source of the Personal Data, including whether the source is public or non-public
- Has received the Consent of the Data Subject, or
- Is necessary for the fulfilment of the contract with the Data Subject, or
- Is necessary to comply with a legal obligation, or
- Is necessary to satisfy the legitimate interests of the School.
- Where the consent is requested in writing and also relates to other matters, the consent request must be presented separately from those other matters
- The written consent request must be in an understandable, easily accessible manner, formulated in clear and simple terms
- The consent request should not be formulated in a way that is burdensome to the Data Subject
- Consent must be freely given, in particular where the fulfilment of a contract is conditional on the Data Subject’s consent to the Processing of his or her Personal Data, even though such Processing would not be necessary for the performance of that contract.
- The implementation of Binding Corporate Rules (BCR) to govern exchanges between NEOMA Business School Campuses
- Application of an approved Code of Conduct by the Data Controller
- Certification of the Data Controller by an approved certification scheme
- The Data Subject has given his or her explicit consent to the proposed Transfer, after having been informed of the risks that the Transfer may entail for him or her due to the lack of an adequate decision and appropriate safeguards
- The Transfer is necessary for the fulfilment of a contract between the Data Subject and the Controller or for the implementation of pre-contractual measures taken at the request of the Data Subject
- The Transfer is necessary for the conclusion or fulfilment of a contract entered into in the interest of the Data Subject between the Controller and another natural or legal person
- The Transfer is necessary for important reasons of public interest
- The Transfer is necessary for the establishment, exercise or defence of legal claims
- The Transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent
- The Transfer is made from a register which, in accordance with Union law or the law of a Member State, is intended to provide information to the public and is open to consultation by the public in general or by any person who can demonstrate a legitimate interest, but only insofar as the conditions laid down for consultation in Union law or the law of the Member State are met in the case in question.
- Legal obligations
- Recommendations from the Data Protection Authority
- Fulfilment of a contract or the application of pre-contractual measures
- Business needs
- To be informed when Personal Data is first collected by the Data Controller for its own purposes, unless such information is not necessary due to legal exceptions
- To request information about the collected Personal Data, including information about the source of the data
- To request the Recipients or categories of Recipients to whom the data is transferred
- To request the purpose for which the data is stored
- To request access to their data, via a list provided in writing or by electronic means
- To request rectification of the data, where it is inaccurate
- To request the deletion of data where legally possible
- To limit the Processing of their Personal Data where legally possible
- To object to the Processing of their Personal Data by the School
- To request the portability of their Personal Data
- To obtain any other information related to the Processing that may be required by law
- Prevent unauthorised persons from gaining access to information systems to process or use Personal Data (access control)
- Ensure that only persons authorised to access the Data can access it within the limits of the Purpose for which the School processes the Data. These persons must guarantee the confidentiality of the Personal Data to which they have access.
- Ensure that persons authorised to use a data processing system have access only to the Data to which they are authorised and that Personal Data cannot be read, copied, altered or deleted without authorisation during Processing, use and after storing (access control, need-to-know principle)
- Ensure that Personal Data cannot be read, copied, altered or deleted without authorisation during transport, electronic transfer or storage on storage mediums, and that it is possible to verify and monitor who is transferring Personal Data using data transfer means (disclosure control)
- Ensure that it is possible to monitor and verify whether Personal Data has been added, modified or deleted from data processing systems and if so, by whom (input control)
- Ensure that Personal Data processed on behalf of others is in strict accordance with the Controller’s instructions (task control)
- Ensure that Personal Data is protected against accidental destruction or loss (availability control)
- Ensure that Personal Data collected for different purposes can be processed separately
- Ensure that Data is anonymised where required by School regulations to carry out the processing
- The name and contact details of the Controller and, where applicable, the Joint Controller, the Controller’s representative and the DPO
- The Processing Purposes
- A description of the categories of Data Subjects and the categories of Personal Data
- The categories of Recipients to whom the Personal Data have been or will be disclosed
- Transfers of Personal Data to a different country or to an international organisation, including the identification of that third country or international organisation and the documentation attesting to the existence of appropriate safeguards
- The retention periods for the different categories of Data
- A general description of the technical and organisational security measures implemented for the Processing in question.
- The Data Subject’s explicit consent has been obtained for the Purpose
- The Processing is necessary for the fulfilment of the obligations and the exercise of the Controller or Data Subject’s rights with regard to employment law, social security and social protection or by a collective agreement provided for by a specific NEOMA BS regulation
- The Processing is necessary to safeguard the vital interests of the Data Subject or of another natural person, in the event that the Data Subject is physically or legally unable to give consent
- The Processing relates to Personal Data that is manifestly made public by the Data Subject
- The Processing is necessary for the establishment, exercise or defence of legal claims or whenever the courts act in their judicial capacity
- The Processing is necessary for important public interest reasons, on the basis of NEOMA BS national legislation which must be proportionate to the objective pursued, respect the essence of the right to Data Protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the Data Subject
- The Processing is necessary for the purposes of preventive or occupational medicine, assessment of the employee’s capacity to work, medical diagnosis, health or social care, or the management of health or social care systems and services or under contract to a health professional
- The Processing is necessary for reasons of public interest related to public health
- The Processing is necessary for archival purposes in the public interest, for scientific or historical research or for statistical purposes.
- Ensuring the update of the register of processing operations
- Monitoring new projects and ensuring the completion of privacy impact assessments of new processing operations
- Ensuring the compliance of contracts with third parties and Subcontractors
- Monitoring the evolution of NEOMA BS regulations to identify updates to the General Data Protection Policy
- Training and educating employees on their obligations regarding the Processing of Personal Data
- Verifying the application of the various Data Protection policies established by NEOMA BS and implementing them in the different departments: HR, Marketing, Information Systems
- Regularly reporting to management on the progress of its activity and its roadmap for compliance with the General Data Protection Regulation, on the status of data privacy analysis on local projects and on any identified risk in terms of Personal Data Protection
- Overseeing annual internal audits to verify Processing compliance
- Making and updating notifications to the NEOMA BS Data Protection Authority (DPA) when necessary
- Ensure that the DPO is promptly informed of all matters relating to the protection of Personal Data, and in particular that he or she is consulted on all new projects involving the Processing of Personal Data
- NEOMA BS provides the DPO with the resources necessary to carry out his or her duties, whether material or financial
- NEOMA BS allows the DPO to have access to the Personal Data and to the Processing activities carried out within NEOMA BS
- NEOMA BS guarantees the DPO’s autonomy and ensures that he or she does not receive any instructions in the performance of his or her duties
- NEOMA BS ensures that the DPO has organisational and decision-making freedom in the exercise of his or her missions
- NEOMA BS allows the DPO to interact directly with the highest level of management
- When other missions and tasks are entrusted to the DPO, NEOMA BS ensures that they do not lead to a conflict of interest
- The DPO does not assume the legal responsibility for NEOMA BS’ compliance with the Data Protection Regulation
- Indicating the contact details of the DPO on all Personal Data collection tools and information notices (postal address, telephone number or dedicated e-mail address)
- Notifying their teams of the existence of a DPO, his or her name and contact details
- Conducting pre-analyses of privacy risks for each processing operation. Where a significant risk is demonstrated, conducting a Privacy Impact Assessment and involving the DPO at the design stage in all new product or service design projects
- Taking Data Protection requirements into account prior to initiation of any project
- Implementing Privacy by Design and Privacy by Default in any new product or service
- Where appropriate, documenting and justifying in writing the reasons why the DPO’s advice was not followed when such advice was given
- Responding to any request for information from the DPO on all matters that have an impact on the privacy of individuals
- Providing the DPO access to all documentation relating to Data Processing and associated procedures and setting up a documentation system to facilitate this access
- Advising the DPO of any new processing operation so that it can be registered in the NEOMA BS Data Processing Register
- Canada (only for transfers taking place in the course of commercial activities)
- Faroe Islands
- Isle of Man
- New Zealand
3.1.3. How to inform people?
This information must be provided in writing or by other means including, where appropriate, electronic methods. Where the Data Subject so requests, the information may be provided verbally, provided that the identity of the Data Subject is established by other means.
3.2. Minimisation and adequacy
Any Personal Data collected for any purpose must be relevant and not excessive in relation to the Processing Purpose. In other words, only the Data strictly necessary to achieve the Processing Purpose must be collected.
To comply with this obligation, prior to initiating the project or processing, the Employee in charge of the processing must verify the pertinence and scope of each data item in relation to the Processing Purpose. For each new project or processing, this verification must necessarily be accompanied by an analysis of the risk to the privacy of individuals in accordance with the project management procedure established by the School.
Furthermore, the Personal Data collected must be accurate, complete and, if necessary, kept up-to-date.
The Employee in charge of the Processing must always ensure that his or her database is up to date with the consent expressed by the Data Subjects when consent is required for the Processing to be carried out.
3.3. Compliance with processing purposes
Prior to any collection of Personal Data, the Employee in charge of the Processing must clearly define all the Purposes pursued by the Data collection.
Personal Data must not be processed for a subsequent Purpose that is incompatible with the initial Purpose for which the Data was collected. For example, processing for statistical purposes is not considered incompatible with the initial purpose.
Prior to carrying out any further processing whose Purpose is incompatible with the initial Purpose, the Employee in charge of the Processing must ensure that he or she has received the Data Subject’s consent for this new Purpose and, if not, obtain the Data Subject’s consent or meet another condition of lawfulness (execution of a contract with the Data Subject, compliance with a legal obligation, legitimate interest of NEOMA Business School).
3.4. Lawfulness of processing and consent
Each Employee in charge of Processing must ensure that the Processing of Personal Data that he or she will carry out is lawful, i.e. that it has a legal basis provided for by the regulations. The Employee in charge of Processing therefore checks whether the Processing:
Where the processing of Personal Data is based on the Consent of the Data Subject, each Employee in charge of the Processing must be able to demonstrate that the Consent has been given by the Data Subject for the processing of his or her Personal Data and that this Consent has been recorded and traced in an IT system.
To obtain the Data Subjects’ consent, the following requirements must be met:
The Data Subject must be able to withdraw his or her consent at any time. The Employee in charge of Processing must put in place and inform the Data Subject about the means allowing him or her to withdraw consent, in particular through the information provided at the time of Data collection.
These means must enable the Data Subject to withdraw his or her consent as simply as it was given.
The Employee in charge of Processing shall refer to the consent procedure established internally for the purpose of passing on Consents and withdrawals of Consent within the applications used and the IT System.
3.5. Data transfer outside the European Union
3.5.1. General information on any Personal Data transfer
International transfers of Personal Data require special attention and additional safeguards.
3.5.2. Transfers to countries offering an adequate level of protection under national law
Transfer of Personal Data abroad will be permitted if the European Commission recognises the recipient country as providing an adequate level of protection, without prejudice to compliance with national provisions.
The list of countries offering an adequate level of protection of Personal Data is provided in the Annex and is available at the following link. This list is subject to change. It is therefore the responsibility of the Employee in charge of Processing to check on the European Commission website that this list is still up to date.
3.5.3. Transfers covered by appropriate safeguards
If the Personal Data Protection law of the country of the Importer of the Data is not considered adequate by the European Commission, the Employee in charge of the Processing will have to conclude contractual clauses with the Joint Controller or the Subcontractor abroad.
The Employee in charge of the Processing may frame the Transfer by means of Standard Contractual Clauses established by the European Commission or by the supervisory authority. In this case, it may transfer the Data without the authorisation of the competent supervisory authority. The Employee in charge of Processing may also frame the transfer through contractual clauses established between him/her and the Data Importer, but in this case, he/she will have to obtain the authorisation of the competent supervisory authority.
There are three other possibilities for managing the transfer:
In all cases, the Employee in charge of the Processing must establish a written agreement with the Data Importer, in which the School guarantees that it will apply a level of Data Protection equivalent to that required by the laws on the protection of Personal Data in France. These contractual clauses will have to foresee technical and organisational security measures to be applied by the Joint Controllers or the Subcontractors established in a third country not providing an adequate level of protection in order to ensure a level of security adapted to the risks presented by the Processing of Personal Data and the nature of the Data to be protected.
3.5.4. Transfers in response to a particular situation
In the absence of an adequate decision or appropriate safeguards, a Transfer or a set of Transfers of Personal Data to a third country or to an international organisation may only take place under one of the following conditions:
3.6. Storage period
Personal Data must not be kept longer than necessary for the purposes for which it was collected, unless otherwise specified by applicable legislation. In this context, the School must set up a policy for the conservation of Personal Data which specifies the duration of conservation applicable to the Data for the different Processing Purposes, the conditions of conservation as well as the storage format of the Data. This data retention policy shall follow the guidelines set out in this Policy. The employee in charge of the Processing shall refer to the data retention policy to ensure compliance with this requirement.
In general, the maximum period of data retention should be determined according to each Processing Purpose. The following elements must be taken into account when determining the retention period for each category of Data collected:
Apart from the cases in which there is an obligation to archive, Data that is no longer of interest must be deleted forthwith. In the event of an automatic deletion procedure, the Employee in charge of Processing must ensure that the data is effectively deleted by drawing up a Certificate of Deletion.
See NEOMA’s retention periods for personal data.
3.7.Data subjects’ rights and responses to complaints
In general, the European Data Protection Regulation grants Data Subjects the following rights subject to local specificities:
The Employee in charge of the Processing must provide a response within a maximum of one month from the date of receipt of the request. He or she must refer to the procedure for managing Data Subjects’ rights to ensure that the procedure is properly implemented.
3.8. Data security
Appropriate controls and procedures must be put in place by the Data Controller to ensure the security of the Personal Data and to prevent unauthorised access or disclosure, taking into account the current state of technology and the possible harm that could result from loss or unauthorised access to the Data.
More specifically, the collection, use, processing, transmission and transfer, storage and destruction of Personal Data requires the School to take reasonable steps to implement effective organisational systems and physical and technical measures, in particular to:
The Employee in charge of the Processing must identify the risks to the privacy of individuals generated by the Processing before determining the appropriate security and confidentiality measures to reduce these risks. For this purpose, the Data Processor shall refer to the internal project management procedure which contains the procedure for pre-analysis of the risk of the Processing on Data Subjects’ privacy.
When this pre-analysis of the risk to privacy demonstrates that the proposed Processing presents a high risk to Data Subjects’ privacy, the Employee in charge of the Processing shall perform a Privacy Impact Assessment (PIA) in order to determine the security and confidentiality measures necessary to reduce this risk. The Employee in charge of the Processing shall then refer to the privacy impact analysis procedure established by the School.
The level of security measures necessary for Data protection depends on the sensitivity of the data and the Processing Purpose.
3.9. Data protection by design and by default
Before the launch of any project, any collection of Data, any new product or service, or any new application, the Employee in charge of the Processing must take into account Data Protection and refer to the NEOMA BS project management procedure which integrates the requirements of Privacy by Design.
Data must be protected from the outset, but also throughout the project and the data life cycle (from collection to destruction). The Employee in charge of processing must implement, in accordance with the best practices, all the technical and organisational security measures that will ensure end-to-end security.
3.10. Relationships with subcontractors
Where Processing is carried out by a Subcontractor, the Controller must choose a Subcontractor providing sufficient technical and organisational security measures to ensure that the Processing will be carried out in accordance with legal requirements.
The Employee in charge of the Processing must ensure that the Subcontractor accepts in writing the technical and organisational security measures imposed by the School. In particular, he or she must consult the legal department in order to incorporate standard contractual clauses on Personal Data Protection, which attest to its compliance with the GDPR.
The Contract must also prohibit the Subcontractor from subcontracting any Processing of Personal Data requested by the Data Controller to a Third Party, unless the Data Controller has expressly given permission to do so.
In particular, any Subcontractor shall be subject to a selection procedure so that the Controller can ensure that the security requirements are met. Each Employee in charge of Processing is responsible for compliance with the principles set out in this Policy (i.e. lawfulness, fairness, transparency, compliance with the Purposes, data minimisation, data accuracy, compliance with the retention period and security measures) and must be able to demonstrate that these principles are complied with and provide tangible evidence that all appropriate technical and organisational measures have been taken to limit the risks to Data Subjects’ privacy. Compliance with these principles thus includes the implementation of appropriate policies.
3.11. Documentation (Accountability)
Each Employee in charge of the Processing must complete and update the Processing register, mentioning all the Data Processing Purposes.
He or she must also keep all evidence of compliance with laws or regulations that must be respected with regard to the Processing registered in the register of processing.
3.12. Register of Processing
The Data Controller must keep a register of all Processing activities, including, at a minimum, the information required by the Regulation for each Processing operation. This information is as follows:
The DPO is responsible for maintaining the NEOMA Business School register. With the contribution of the Employees in charge of Processing and/or the project managers, he or she shall ensure that any new processing operation is registered with the information described above. The DPO will validate the Data Processing operations entered and will ensure that the register is updated.
This register may be kept in written or electronic form and must be made available to the Supervisory Authority on request.
3.13. Sensitive Personal Data
NEOMA Business School may collect Sensitive Data in the context of its Processing. This Data must only be collected and processed in the following cases:
The Employee in charge of Processing must keep proof of the legal basis authorising him or her to process Sensitive Personal Data.
Access to this Sensitive Personal Data must be limited to those employees who strictly need it in the course of their activities. Sensitive Personal Data may only be used for the purposes for which it was collected. Adequate security measures must be put in place to prevent the loss, degradation or theft of such data.
The Controller is required to comply with all local laws and requirements relating to Sensitive Personal Data including health data and data relating to criminal offences.
4. DATA GOVERNANCE: MISSIONS AND RESPONSIBILITIES
4.1. Missions and responsibilities of the DPO
The DPO guarantees the conformity of Personal Data Processing within NEOMA BS.
The main mission of the DPO is to ensure that NEOMA BS is in constant compliance with the legal framework relating to Personal Data (European Regulation on the Protection of Personal Data).
In this context, the DPO is subject to an obligation of confidentiality and in particular respects the strict confidentiality of information, procedures, practices, complaints and disputes of which he or she is aware in the course of his or her activities.
This objective is achieved through the following missions:
4.1.1. To ensure the conformity of the processing carried out within NEOMA Business School
4.1.2. To be the contact person for the NEOMA supervisory authority
4.1.3. NEOMA’s obligations to the DPO
4.2. Missions and responsibilities of the different departments
Each Employee in charge of Processing shall respect the following obligations towards the DPO:
5. AWARENESS AND TRAINING
The Controller shall ensure that employees, faculty and all persons working for NEOMA BS are made aware of and trained in the principles of this Policy and the requirements of all other laws, regulations, rules and procedures relating to the protection of Personal Data, when they are involved in the Processing of Personal Data.
6. COMPLIANCE MONITORING PROCEDURES
6.1. Internal control and reporting
A compliance gap analysis with regard to the Policy’s principles shall be carried out annually.
6.2. External control: Audit of subcontractors
NEOMA BS must carry out audits of its Subcontractors to verify that they are complying with their obligations under the Regulations and the present Policy.
List of countries offering an adequate level of protection
1. Transfers are permitted within the European Union and the European Economic Area, which includes:
2. List of countries offering an adequate level of Personal Data protection (this list is subject to change, the Data Controller should regularly check this list on the website of the European Commission or the CNIL):