 # General Privacy and Personal Data Protection Policy

 

 

 
		{
			"@context": "https://schema.org",
			"@type": "BreadcrumbList",
			"itemListElement": [
		        {
            "@type": "ListItem",
            "position": 1,
            "name": "Home",
            "item": "https://neoma-bs.com/"
        },		        {
            "@type": "ListItem",
            "position": 2,
            "name": "General\u0020Privacy\u0020And\u0020Personal\u0020Data\u0020Protection\u0020Policy",
            "item": "https://neoma-bs.com/node/8143.md"
        }				]
	}
	 - [Home](https://neoma-bs.com/)
- General Privacy And Personal Data Protection Policy
 
  

 

  ##  1. Introduction 



 ##  1.1 Objectives

  

NEOMA is committed to ensuring the protection of data obtained in the course of its activities and to complying with applicable laws and regulations regarding the Processing of Personal Data, and in particular with European Regulation No. 2016/679 on the protection of personal data (GDPR). This regulation aims to ensure that organizations effectively protect information that can directly or indirectly identify a person and that they respect the rights of these individuals over their data, whether they are our students, employees, or partners.

The main purpose of this Policy is to ensure and make known NEOMA's implementation of appropriate governance structures, controls, methods, and procedures guaranteeing compliance with applicable laws and regulations regarding the protection of Personal Data.

In this context, the Policy establishes the following minimum standards:

- Appointment of a DPO responsible for the supervision and application of this policy within NEOMA;
- Adoption by NEOMA of legal requirements and standards for all personal data processing.

 

 



##  1.2 Scope of the Policy

  

The Policy applies to all employees, learners, candidates, service providers, third-party payers, clients, speakers, and partners, and covers all NEOMA services across its various campuses.

It applies to all Personal Data collected, processed, or shared by NEOMA, both online and offline, including:

- NEOMA and its subsidiaries' websites;
- NEOMA's official social media pages;
- Integrated management software;
- CRMs;
- Other tools and databases used within the school;
- Emails exchanged within the school;
- Conversations and correspondence;
- Paper forms.

Adequate communication about the Policy must be carried out by NEOMA.

In accordance with applicable labor law, its own internal rules, and employment contracts, NEOMA may take disciplinary action against its employees, particularly in cases of non-compliance with the minimum personal data protection standards established by this policy.

 

 



##  1.3 Application of the Policy to Third Parties

  

Subject to contrary legislative or regulatory provisions, this policy must be applied to Third Parties who access or to whom Personal Data of Learners, Alumni, Clients, Professors, Speakers, NEOMA Employees, and any other individuals whose personal data NEOMA processes, are transmitted.

Each Data Controller must ensure that contracts with Third Parties having access to NEOMA's Personal Data contain at least provisions on the following points:

- The legal basis(es) for the processing;
- The scope of responsibility;
- Data ownership;
- The characteristics of the processing (purpose, duration, nature, objective, personal data used, and data subjects);
- International data transfers;
- Compliance with instructions and the use of other Sub-processors;
- The policy for managing data subject rights;
- The fate of the Data upon contract expiration;
- The obligation of data security and confidentiality;
- The possibility for the Data Controller to conduct an audit with the Third Party;
- The procedure in case of Data breaches (security incidents).

 

 



##  1.4 Definitions

  

Within the scope of this Policy and its annexes, the terms used shall have the meaning given to them in this section:

“ **Personal Data** ” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, ID card number, salary/remuneration, health records, bank account details, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, psychic, economic, cultural, or social identity of that natural person.

The definition is deliberately very broad. Other information (e.g., an address, a place of work, a phone number, physical characteristics, or profession) combined will generally be sufficient to clearly identify an individual.

“ **Sensitive Personal Data** ” (examples, non-exhaustive list) means Personal Data such as:

The racial or ethnic origin, political opinions, or religious or philosophical beliefs of the Data Subject;

Trade union membership;

The physical or mental health or sexual life/conditions of the Data Subject;

Data subject to specific regulations (financial data, medical data…);

Genetic and biometric data;

The alleged commission of an offense by the Data Subject;

Any proceedings initiated for an offense committed or alleged to have been committed by the Data Subject, the submission of such proceedings, or the decision of any court in relation to such proceedings;

“ **Data Subject** ” means the individual who can be identified or distinguished from others, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, behavioral, cultural, or social characteristics. This includes Learners, employees, professors, prospects, speakers, alumni, etc.

“ **Data Controller** ” means a person who, alone or jointly, decides what Personal Data is collected, why and how it is collected and processed. In most cases, this will be the person or company that “owns” the Data. Being the Data Controller does not mean they own the data and can disclose or use it as they see fit.

Within the meaning of the European Regulation on the protection of personal data, the Data Controller shall be understood in the general sense as the entity embodied by its Director, and by express and written delegation of power, the Heads of departments or business units. These individuals will be those responsible under the European Regulation.

However, within the scope of this Policy, any employee who, alone or jointly, decides which Personal Data are collected, why and how they are collected and processed will be responsible for applying this Policy. The term « **Employee in charge of processing** » will refer to this employee.

« **Subcontractor** » means any person or company, not employed by the Data Controller, who processes Personal Data on behalf of the Data Controller and according to its instructions (e.g., service providers or suppliers). The Data Controller must ensure the same duty of care is maintained when a Subcontractor processes Personal Data on its behalf and for its account.

« **Third Party** » means any natural or legal person, public authority, agency or other body other than the Data Subject, the Data Controller, the Subcontractor and the persons who, under the direct authority of the Data Controller or the Subcontractor, are authorized or empowered to process the Data. Commercial or institutional partners are Third Parties within the meaning of this policy. It may also include bodies that are intended to receive data by legal obligation (social security bodies, mutual insurance companies, etc.).

« **Processing of Personal Data** » means any operation or set of operations performed or not using automated processes and applied to Personal Data or sets of Personal Data, such as collection, access, recording, copying, reproduction, transfer, search, sorting, storage, retention, separation, cross-referencing, merging, modification, structuring, adaptation, making available, use, disclosure, dissemination, communication, extraction, registration, organization, adaptation, disclosure by transmission or any other form of making available, concealment, movement, matching, interconnection, limitation, erasure, destruction, as well as the implementation of other actions on the Data, whether automatically, semi-automatically or otherwise. This list is not exhaustive.

« **Recipient** » means a natural or legal person, public authority, department or other body that receives communication of personal data, whether or not it is a Third Party.

« **Consent** » of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement that personal data relating to him or her may be processed by NEOMA.

« **Personal data breach** » means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

« **Data transfer** » means any communication, copy or movement of Data via a network to a country located outside the European Union, or any communication, copy or movement of such data from one medium to another, regardless of the medium, to the extent that such data is intended to be processed in the recipient country located outside the European Union (example: Transfer to a service provider for digitizing data collection, international IT platform, international IT maintenance, organization of exchanges between partner schools and universities, international accreditation of professors, transmission to international press organizations for the ranking of business schools, etc.).

« **Data Importer** » means any Data Controller, Subcontractor or Third Party processing personal Data that it receives from the Data Controller as part of a Data Transfer.

« **Data Exporter** » means a Data Controller, Subcontractor or Third Party that transfers Personal Data from the country in which it is located to NEOMA (either by itself, a Subcontractor or a Third Party) to another country located outside the European Union.

« **Processing Purposes** » means the objective pursued by the Processing of Personal Data or the main objective of an IT application processing Personal Data. Examples of purposes: recruitment management, competition registration management, student registration management, premises video surveillance, library loan management, etc.

« **Binding Corporate Rules** » or BCR means internal rules relating to the protection of personal data that a Data Controller established in the territory of a Member State of the European Union applies for transfers or for a set of transfers of personal data to a data controller or a subcontractor established in one or more non-EU countries within a group of companies, or a group of companies engaged in a joint economic activity;

 

 



 

##  2. Data Governance: Missions and Responsibilities 



 ##  2.1: Data Controller

  

The data controller is NEOMA Business School Etablissement d'Enseignement Supérieur Consulaire, registered with the Rouen Trade and Companies Register under number 834 295 354 whose registered office is at 1er rue du Maréchal Juin, 76130 Mont-Saint-Aignan.

 

 



##  2.2 DPO Missions and Responsibilities

  

For any request concerning your data, we invite you to submit it to the DPO by clicking on this link [Submit a request](https://api.dastra.eu/v1/client/data-subject-request/page?id=1210&key=ca3ZKdZOyPm1HfKOZGJAp5RAOPAPC2HisGZHZ3h9Kuy) or via: <dpo@neoma-bs.fr>

The DPO is the guarantor of the compliance of Personal Data processing within NEOMA.

The main mission of the DPO is to ensure that NEOMA is constantly compliant with the legal framework relating to Personal Data (European Regulation on the protection of personal data). In this context, the DPO is subject to an obligation of confidentiality and must, in particular, maintain strict confidentiality of information, procedures, practices, complaints, and disputes of which they become aware in the course of their activity.

This objective is achieved through the following missions:

- Ensure the conformity of processing operations carried out within NEOMA;
- Ensure the updating of the processing register;
- Monitor new projects and ensure the carrying out of impact analyses on the privacy of new processing operations;
- Ensure the conformity of contracts with third parties and subcontractors;
- Monitor the evolution of NEOMA's regulations to identify updates to the general data protection policy;
- Train and raise awareness among employees on their obligations regarding the processing of personal data;
- Verify the application of the various data protection policies established by NEOMA and implement them in the different processes: HR, Marketing, Information Systems;
- Provide regular reporting to management on the progress of its activity and its compliance roadmap for the general data protection regulation, on the status of privacy data analysis for local projects, and on any identified risks regarding the protection of Personal Data;
- Be the contact point for the supervisory authority for NEOMA;
- Carry out and update notifications to the Data Protection Authority;
- Enable NEOMA to protect data (DPA) when necessary.

 

 



##  2.3 Roles and responsibilities of the various departments

  

To ensure effective and continuous compliance with the General Data Protection Regulation (GDPR) and the internal personal data protection policy, Designated Processing Officers have been appointed within the institution.  
They serve as the primary contacts for the Data Protection Officer (DPO) for any questions relating to data processing carried out within their area of activity.  
As such, each Processing Officer undertakes to comply with the following obligations towards the DPO:  
• Indicate the DPO's contact details on all personal data collection forms and information notices (postal address, telephone number, or dedicated email address);  
• Inform their teams of the existence of a DPO, their name, and their contact details;  
• Take into account data protection requirements before any project;  
• Where applicable, document and justify in writing the reasons why the DPO's opinion was not followed when it was expressed;  
• Respond to any information request from the DPO on all matters affecting individuals' privacy;  
• Allow the DPO access to all documentation relating to data processing and associated procedures, and establish a documentary structure to facilitate this access;  
• Inform the DPO of any new processing so that it can be entered into the NEOMA processing register.

 

 



 

##  3. Data subjects 



 To ensure its proper functioning, NEOMA must implement and manage personal data processing concerning its prospects, candidates, students, alumni, speakers, partners, companies, and organizations:

- "Prospects" means any person potentially interested in a course or event;
- "Candidates" means any person interested in a course who has started completing an application form;
- "Students" means any person enrolled in a program offered by NEOMA, whether in initial or continuing education;
- "Clients" means companies or organizations that use the school for the training of their employees;
- "Third-party payers" means the natural or legal person managing all or part of the financing of a student's training;
- "Alumni" refers to any person who has completed or is completing a degree or non-degree program;
- "Speakers" refers to any person in charge of pedagogical delivery, whether an employee of NEOMA or not;
- "Service providers" refers to companies or organizations with which NEOMA has contracted, as well as NEOMA's subcontractors;
- "Partners" refers to companies or organizations with which NEOMA has a contractual partnership, particularly in the context of training.

"User" represents all populations.



##  4. Personal data concerned 



 The typology of non-technical data includes, but is not limited to:

- Civil status data (name, first name, address, date and place of birth, nationality, title);
- Contact details (phone number, email address, social media identifiers, postal address);
- Preferred contact method;
- Academic background (degrees, specializations, years obtained, language and management skills, test results such as GMAT, etc.);
- Previous professional experience (job titles or internships, roles, responsibilities, employers, salary level);
- Motivations expressed in the context of an application for a NEOMA program;
- Where applicable, payment data (bank account details, bank or postal details, check number, credit card details, transaction number, details of the service subscribed);
- Data related to program tracking (NEOMA student ID, modules and courses taken, grades, pedagogical assignments, quizzes, online tracking, collaborative work, videos, internships, evaluations, juries, etc.);
- Medical data collected during a consultation with NEOMA's health services;
- Data related to cohort tracking, during or after the program (employer, position held, salary, etc.).

The typology of technical data includes, but is not limited to:

- IP address;
- Connection data (username, password);
- Navigation data (pages viewed, path, visit duration, etc.);
- Browser information (type, extensions, plugins, etc.);
- Usage preferences (languages, chosen settings, etc.).

This data is primarily collected directly, particularly through:

- Online browsing and information entered in forms or questionnaires on NEOMA's websites and/or third-party tools;
- Paper forms;
- Creation of an account or personal space on our sites or applications;
- Information provided by prospects, candidates, or clients during forums, masterclasses, trade shows, or through forms (electronic or paper) completed before, during, or after a course;
- Ordering products or services;
- From submitting an application or enrolling in one of our programs.

They may also come from indirect collections, carried out through our academic partners, companies, or technical partners.



##  5. Purpose of data processing 



 Before any personal data is collected, the employee responsible for processing must clearly define all the objectives pursued by the data collection.

Personal Data must not be processed for a subsequent Purpose incompatible with the initial Purpose for which the Data was collected.

To carry out further processing whose purpose differs from the one initially planned, the responsible employee must ensure that the Data Subject has given their consent to this new purpose. Otherwise, it is their responsibility to obtain this consent or to justify the processing on another legal basis (execution of a contract with the person, compliance with a legal obligation, or NEOMA's legitimate interest).

The collection of this information aims to enable:

- The implementation of prospecting and advertising operations related to programs, activities, or events organized by NEOMA or subscription to NEOMA newsletters;
- Access to the admissions platform and its improvement;
- Management and monitoring of the application and, once admitted, administrative, financial, and educational monitoring of Learner training;
- Customer relationship management;
- Purchasing management;
- Invoicing;
- Management of unpaid debts and disputes;
- Issuance of: 
    - For Learners: a multi-service international Learner card, bearing their individual photo, allowing them to prove their identity and access the campus, NEOMA's catering facilities, and if applicable, library services, to print and/or photocopy documents, to access Crous catering facilities, and to make payments;
    - For apprentices and continuing education interns, a trade student card.
    - For other Users, a temporary badge or a multi-service card allowing access to premises and, if applicable, catering, printing and/or photocopying of documents;
- Library and related service management;
- For the Learner, monitoring related to the payment or exemption of the Learner's Student and Campus Life Contribution (CVEC) made to CROUS;
- Learner medical monitoring;
- Management of emergency contacts;
- Attendance tracking management to attest to course attendance and, if applicable, management of training completion certificates;
- SMS sending management to communicate quickly with Learners and, more generally, any learner enrolled in a degree or certification program;
- Assistance, if applicable, to the Learner in the financial aid application process and tracking their file;
- If applicable, creation and management of a user account to access NEOMA's digital work environment as well as network resources, applications, and digital documentation;
- Management of an email directory allowing the management of distribution groups based for Clients on the academic programs attached to them;
- If applicable, online course monitoring or content consultation, submission of documents such as academic work, answers to quizzes, comments, participation in online discussions, as well as management of the monitoring of these various consultations and submissions by NEOMA's academic teams;
- If applicable, video conference or web conference management;
- Management of Learner mobility, incoming or outgoing from the national territory, within the conditions provided by their training and management of the stay conditions related to this mobility;
- Management of evaluations for courses taken by the Learner;
- Management, within the framework of a degree or certification program, of continuous assessment as well as exams, mid-terms, and juries for the awarding of diplomas or certificates, whether conducted in person or online with or without supervision;
- Implementation of filtering via firewall, antivirus, video surveillance, and access control for the security of property and people, and operations related to the Vigipirate/attack alert level;
- Management of intervention requests in case of difficulty encountered by the Client in the use of IT equipment or NEOMA premises;
- Management, in case of violation of NEOMA and its subsidiaries' regulations and charters, of disciplinary sanctions;
- Implementation of studies, indicators, and surveys, particularly for NEOMA, the Ministry of Higher Education and Research, the Conférence des Grandes Écoles, the national observatory for student life, accreditation bodies (e.g., Amba, AACSB, Equis), ranking organizations (e.g., The Financial Times, The Economist, L’Apprenant, le Figaro, Quacquarelli Symonds Ltd ‘”QS”) QS, Times Higher Education (THE), Forbes, ...), and any third-party organization for which NEOMA must produce statistics or respond to requests in accordance with current legislation;
- Access to professional development offers developed by NEOMA's Talent &amp; Career Department, particularly for the programs concerned, internship management;
- Plagiarism detection management;
- Management of the issuance of the NEOMA diploma or certificate, which may, if applicable, have an electronic equivalent;
- Collection of the apprenticeship tax;
- Management of the relationship with companies;
- Transmission of data, including CVs, to companies, Partners, and/or NEOMA subsidiaries;
- Transmission of data to the NEOMA Foundation so that it can inform the Client of its actions and contact them;
- To manage the transfer to the NEOMA Alumni association, and to the NEOMA Sports Association, insofar as the Learner has joined the association in question or has consented to the transfer of their data to the said association;
- Implementation of statistics;

If the Learner's enrollment is for a joint program with a partner university or school (including those located abroad), in this specific context, NEOMA transmits the Learner's data to the partner University or School for the purpose of managing their enrollment, monitoring their studies, and obtaining the necessary credits from the partner university or school.

If NEOMA wishes to implement further processing of personal data for a purpose other than that for which the personal data were collected, NEOMA shall first provide Users with information about this other purpose and any other relevant information.



##  6. Rights of Data Subjects 



 In general, the European Data Protection Regulation grants Data Subjects the following rights, subject to local specificities:

- To be informed when Personal Data are first recorded by the Data Controller for its own needs, unless this information is not necessary due to legal exceptions;
- To request information about the data recorded concerning them, including information about the source of the data;
- To request the recipients or categories of recipients to whom the data are transferred;
- To request the purpose of the data recording;
- To request access to the data concerning them, including in the form of a list provided in writing or electronically;
- To request the rectification of data, when they are inaccurate;
- To request the deletion of data if legally possible;
- To obtain the restriction of the processing of their Personal Data when legally possible;
- To object to the processing of their Personal Data by NEOMA;
- To request the portability of their Personal Data;
- To obtain any other information on the Processing that would be required by law.



##  7. Commitments regarding processing 



 The collection and processing of Personal Data must comply with the minimum principles detailed below:

 ##  7.1 Transparency

  

All Personal Data collected must be collected and processed lawfully, fairly, and transparently with regard to the data subject.

***7.1.1 What information to provide to data subjects?***

The following information must be systematically provided to individuals whose Personal Data are processed by NEOMA and must, in particular, appear on the website operated by NEOMA:

- The identity and contact details of NEOMA as Data Controller,
- All processing Purposes;
- The contact details of the DPO;
- The legal basis for the processing, and where applicable, the legitimate interests pursued;
- The retention period or the criteria for determining this period;
- Where applicable, the recipients or categories of recipients;
- The rights of data subjects;
- The possibility of lodging a complaint with the CNIL;
- Where applicable, the existence of a data transfer outside the European Union and the related information and safeguards;
- Where applicable, the fact that the provision of Data depends on a regulatory or contractual requirement;
- Where applicable, the fact that the provision of Data is a condition for the conclusion of a contract;
- The existence of an obligation for the Data Subject to provide their Data;
- The consequences of not providing the Data;
- Where applicable, the right to withdraw consent for processing based on consent;
- Where applicable, the existence of automated decision-making and related information;
- Where applicable, the existence of further processing for another Purpose and related information.

***7.1.2 When to inform data subjects?***

At the time of collection of Personal Data, information relating to Data Processing must be communicated to Data Subjects in a concise, transparent, understandable, and easily accessible manner, in clear and simple terms.

***7.1.3 By what means to inform data subjects?***

This information is provided in writing or by other means, including, where appropriate, electronically. When the data subject requests it, the information may be provided orally, provided that the identity of the Data Subject is demonstrated by other means.

 

 



##  7.2 Minimization and adequacy

  

Personal data collected for any purpose must **be relevant and not excessive in relation to the purpose pursued by the Processing**. In other words, only data strictly necessary to achieve the objective pursued by the Processing must be collected.

To fulfill this obligation, before the project or processing is implemented, the Employee in charge of processing must verify the adequacy and proportionality of each personal data item with respect to the Purpose of the Processing. For each new project or processing, this verification must necessarily be accompanied by a privacy risk analysis in accordance with the project management procedure established by NEOMA.

Furthermore, the Personal Data collected must be accurate, complete, and, if necessary, kept up to date.

The Employee in charge of Processing must always ensure that their file is up to date with the consents expressed by the Data Subjects when consent is required for the Processing to be implemented.

 

 



##  7.3 Respect for processing purposes

  

NEOMA undertakes to collect and process personal data exclusively for the determined, explicit, and legitimate purposes defined in Article 5 of this Policy. In accordance with Article 5, §1, b) of Regulation (EU) 2016/679 of April 27, 2016 (GDPR), no data will be processed further in a manner incompatible with these initial purposes.

Any use of data for purposes other than those mentioned in this Policy will be subject to new clear and transparent information to the data subject, and, where the law requires, to the prior collection of their consent.

In addition, NEOMA ensures compliance with the data minimization principle provided for in Article 5, §1, c) of the GDPR, by collecting only the information strictly necessary for the achievement of the pursued purposes.

 

 



##  7.4 Automated individual decision-making

  

In the context of the administrative, financial, and educational monitoring of Learners' training, depending on the training followed, the Learner may be required to choose courses. This processing will assign a place according to availability in the chosen course and according to the Learner's preference. To be as close as possible to the Learner's training wishes, they always have the option to contact their program manager to adjust their training according to their wishes.

Within the framework of fraudulent risk management, NEOMA uses a digital process that allows it to compare, according to the program's requirements, some of the work submitted by Learners with internal or external sources to detect any potential case of plagiarism. This processing is necessary for NEOMA's legal obligations within the framework of its training mission, particularly when Learners submit work that sanctions the obtaining of a diploma or certificate. This processing will systematically lead to an examination by the pedagogical teams responsible for determining any potential consequences.

The management and supervision of exams are not considered automated decisions. Within the framework of exam management, when an exam is managed using online tools that do not require the intervention of a supervisor, the Learner's behavior related to the use of their browser, their equipment, and their interactions with their environment will be tracked and will allow us to determine if the minimum expectations for respecting the rules set for the exam are met. In case of non-compliance or doubt regarding the examinee's behavior, the teacher or a program manager will be responsible for verifying the recorded elements to rule on compliance with the rules, and in case of a breach, they will compile a report that will be included in the Learner's academic file and will be taken into account, if applicable, for the organization of a disciplinary committee.

 

 



##  7.5 Lawfulness of processing and Consent

  

Each Employee in charge of Processing must ensure that the Processing of personal Data they are going to implement is lawful, meaning it is based on a legal ground provided by the regulations. The Employee in charge of Processing therefore checks if the Processing:

- Is necessary for the performance of the contract with the Data Subject, or
- Is necessary for compliance with a legal obligation, or
- Is necessary to satisfy NEOMA's legitimate interests, or
- Has received the Data Subject's Consent.

When the processing of Personal Data is based on the Data Subject's Consent, each Employee in charge of Processing must be able to demonstrate that the Consent was indeed given by the Data Subject for the processing of their Personal Data and that this Consent was recorded and tracked in a computer system.  
  
To obtain the Data Subject's consent, certain requirements must be met:

- When the request for consent is made in writing and also concerns other matters, the request for consent must be presented separately from these other matters;
- The request for consent made in writing must be in an understandable, easily accessible form, formulated in clear and simple terms;
- The request for consent must not be formulated in a way that is binding on the Data Subject;
- It is necessary to ensure that consent is given freely, particularly when the performance of a contract is made conditional on the Data Subject's consent to the Processing of their Personal Data, when such Processing would not be necessary for the performance of that contract.

The Data Subject must be able to withdraw their consent at any time. The Employee in charge of Processing must implement and inform the Data Subject of the means to withdraw their consent, particularly through the information notices provided at the time of data collection.

These means must allow the Data Subject to withdraw their consent as easily as it was given.

The Employee in charge of Processing shall refer to the internal consent procedure to record consents and withdrawals of Consent in the applications used and the Information System.

 

 



##  7.6 Transfer of data outside the European Union

  

***7.6.1 General information on any Transfer of Personal Data***

International transfers of Personal Data require particular attention and additional guarantees.

**Transfers to countries offering an adequate level of protection according to national legislation**

The transfer of Personal Data abroad will be permitted if the European Commission recognizes the recipient country as providing an adequate level of protection, without prejudice to compliance with national provisions.

The list of countries offering an adequate level of protection for Personal Data is available at the following link

<https://www.autoriteprotectiondonnees.be/professionnel/themes/flux-internationaux-de-donnees/transferts-en-dehors-de-l-ue---avec-protection-adequate>

This list is subject to change. It is therefore the responsibility of the Employee in charge of Processing to check on the European Commission's website that this list is still up to date.   
  
**Transfers covered by appropriate safeguards**

If the Personal Data Protection law of the Data Importer's country is not considered adequate by the European Commission, the Employee in charge of Processing must conclude contractual clauses with the Joint Controller or the Sub-processor abroad.

The Employee in charge of Processing may frame the Transfer using Standard Contractual Clauses established by the European Commission or by the supervisory authority. In this case, they may transfer the Data without the authorization of the competent supervisory authority. The Employee in charge of Processing may also frame the transfer using contractual clauses established between them and the Data Importer, but in this case, they must obtain authorization from the competent supervisory authority.

There are three other possibilities for framing the transfer:

- The implementation of Binding Corporate Rules (BCR) to govern exchanges between NEOMA Campuses
- The application by the Data Controller of an approved Code of Conduct
- The certification of the Data Controller by an approved certification mechanism

In all cases, the Employee in charge of Processing must provide for a written agreement with the Data Importer, in which NEOMA guarantees that it will apply a level of Data protection equivalent to that required by Personal Data protection laws in France. These contractual clauses must include technical and organizational security measures to be applied by Joint Controllers or Sub-processors established in a third country not providing an adequate level of protection, in order to ensure a level of security adapted to the risks presented by the Processing of Personal Data and the nature of the Data to be protected.

***7.6.2 Transfers relating to a specific situation***

In the absence of an adequacy decision or appropriate safeguards, a transfer or a series of transfers of personal data to a third country or an international organisation may only take place on one of the following conditions:

- The data subject has given explicit consent to the intended transfer, after having been informed of the risks that such transfer may entail for them due to the absence of an adequacy decision and appropriate safeguards;
- The transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- The transfer is necessary for the protection of the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- The transfer takes place from a register which, according to Union law or the law of a Member State, is intended to provide information to the public and is open to consultation by the general public or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions for consultation laid down by Union law or the law of a Member State are met in the particular case.

 

 



##  7.7 Retention Period

  

Personal Data shall not be kept for longer than is necessary for the purposes for which they are collected, unless otherwise indicated by applicable laws. In this context, NEOMA must implement a Personal Data retention policy that specifies the retention periods applicable to Data for the different Processing Purposes, the retention conditions, and the Data storage format. This data retention policy must follow the guidelines defined in this Policy. The employee in charge of Processing must refer to the Data retention policy to ensure compliance with this requirement.

In general, the maximum retention period for data must be determined based on the Purpose of each Processing. The following elements must be taken into account when determining the retention period for each category of Data collected:

- Legal obligations;
- Recommendations from the Data Protection Authority;
- Best practices in each relevant field;
- Performance of a contract or implementation of pre-contractual measures;
- Business needs.

Except in cases where there is an archiving obligation, Data that is no longer relevant must be deleted without delay. In the event of an automatic deletion procedure, the Employee in charge of Processing must ensure that the data is effectively deleted by issuing a destruction certificate.

**For information purposes, the maximum data retention periods are set out in Appendix No. 1 of this policy.**

Certain data will be anonymised. They may be retained by NEOMA without time limitation.

 

 



##  7.8 Data Security

  

Appropriate control measures and procedures must be implemented by the Controller to ensure the security of Personal Data and to prevent any unauthorised access or disclosure, taking into account the current state of technology and the potential harm that may result from the loss of or unauthorised access to the Data.

More specifically, the collection, use, processing, transmission and transfer, storage, and destruction of Personal Data require NEOMA to take reasonable measures to implement effective organisational systems and physical and technical measures, particularly to:

- Prevent unauthorised persons from accessing information systems to process or use Personal Data (access control);
- Ensure that only persons authorised to access Data can access it within the scope of the Purpose for which NEOMA processes the Data. These persons must guarantee the confidentiality of the Personal Data they access.
- Ensure that persons authorised to use a data processing system only have access to the data they are authorised to access, and that Personal Data cannot be read, copied, altered, or deleted without authorisation during Processing, use, and after recording (access control, need-to-know principle);
- Ensure that Personal Data cannot be read, copied, modified, or deleted without authorisation during transport, electronic transfer, or storage on storage media, and that it is possible to verify and control who transfers Personal Data using data transfer methods (disclosure control);
- Ensure that it is possible to control and verify whether Personal Data has been added, modified, or deleted from data processing systems and, if so, by whom (input control);
- Ensure that Personal Data processed on behalf of others is in strict compliance with the Controller's instructions (task control);
- Ensure that Personal Data is protected against accidental destruction or loss (availability control);
- Ensure that Personal Data collected for different purposes can be processed separately;
- Ensure that data anonymisation is effective when required by a NEOMA law to implement the processing.

The Employee in charge of Processing must identify the privacy risks for individuals generated by their Processing before determining the adequate security and confidentiality measures to reduce these risks.

When this preliminary privacy risk analysis shows that the intended Processing presents a high risk to the privacy of the Data Subjects, the Employee in charge of Processing shall carry out a Privacy Impact Assessment (PIA) to determine the necessary security and confidentiality measures to reduce this risk.

The level of security measures necessary for data protection depends on the sensitivity of the data and the Purpose of the Processing.

Data exchanges, both internal and external, are ensured by the implementation of application programming interfaces (APIs) when applications allow. Data minimization, accuracy, traceability, and security are sought and implemented in accordance with CNIL guidelines.

 

 



##  7.9 Relations with Subcontractors

  

When processing is carried out by a Subcontractor, the Data Controller must choose a Subcontractor providing sufficient technical and organizational security measures to ensure that the processing will be carried out in accordance with legal requirements.

The Employee in charge of Processing must ensure that the Subcontractor accepts in writing the technical and organizational security measures imposed by NEOMA. They must, in particular, consult the legal department to integrate standard contractual clauses for the protection of Personal Data, which attest to its compliance with GDPR.

The Contract must also prohibit the Subcontractor from subcontracting in turn to a Third Party any processing of Personal Data requested by the Data Controller, unless the Data Controller has expressly authorized it.

Any Subcontractor must, in particular, undergo a selection procedure so that the Data Controller can ensure that security requirements are met.

 

 



##  7.10 Documentation

  

Each Employee in charge of Processing must complete and update the processing register, noting all Data Processing Purposes.

They must also keep all proof of compliance with laws or regulations that must be respected regarding the Processing recorded in the processing register. Each Employee in charge of Processing is responsible for complying with the principles set out in these Policies (i.e., lawfulness, fairness, transparency of Processing, adherence to the purpose limitation principle, data minimization, data accuracy, adherence to retention periods and security measures) and must be able to demonstrate that these principles are respected and prove with tangible evidence that all appropriate technical and organizational measures have been taken to limit the risks to the privacy of the Data Subjects. Compliance with these principles thus includes the implementation of appropriate policies.

 

 



##  7.11 The processing register

  

The Data Controller must maintain a register that lists all its Processing activities and specifies, at a minimum and for each processing operation, the information required by the Regulation. This information is as follows:

- The name and contact details of the Data Controller and, where applicable, of the joint controller, the Data Controller’s representative and the DPO;
- The purposes of the processing;
- A description of the categories of Data Subjects and the categories of Personal Data;
- The categories of Recipients to whom the personal data have been or will be disclosed;
- The transfer of personal data to a third country or an international organization, including the identification of that third country or international organization and the documents attesting to the existence of appropriate safeguards;
- The intended retention periods for the different categories of Data;
- A general description of the technical and organizational security measures implemented for the processing in question.

The DPO is responsible for maintaining NEOMA's register. With the contribution of the Employees in charge of processing and/or project managers, they must ensure that any new processing is entered into the register with the information described above. The DPO will validate the entered processing operations and ensure the register is updated.

This register may be kept in written or electronic form, and must be made available to the Supervisory Authority upon request.

 

 



##  7.12 Sensitive Personal Data

  

NEOMA may collect Sensitive Personal Data as part of its Processing. This Data must only be collected and processed in the following cases:

- The explicit consent of the Data Subject has been obtained for the Purpose;
- Processing is necessary for the purposes of fulfilling the obligations and exercising the rights of the data controller or the data subject in matters of labor law, social security and social protection or by a collective agreement provided for by specific NEOMA regulations;
- Processing is necessary for the protection of the vital interests of the Data Subject or another natural person, in cases where the Data Subject is physically or legally incapable of giving consent;
- Processing concerns personal data that have been manifestly made public by the Data Subject;
- Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
- Processing is necessary for reasons of public interest in accordance with NEOMA national law, which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures for safeguarding the fundamental rights and interests of the Data Subject;
- Processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnoses, healthcare or social protection provision, or the management of health or social protection systems and services or under a contract with a health professional;
- Processing is necessary for reasons of public interest in the area of public health;
- Processing is necessary for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes.

The Employee in charge of Processing must keep proof of the legal basis authorizing them to process Sensitive Personal Data.

Access to this Sensitive Personal Data must be limited to employees who strictly need it for their activities. This Sensitive Personal Data may only be used for the Purposes for which it was collected. Adequate security measures must be implemented to prevent the loss, degradation, or theft of this data.

The Data Controller is required to comply with all local laws and requirements relating to Sensitive Personal Data, particularly health data and data relating to criminal offenses.

 

 



 

##  8. Awareness and Training 



 The Data Controller must ensure that employees, professors, and all persons working for NEOMA are well aware of and trained in the principles of this Policy, as well as the requirements of all other laws, regulations, rules, and procedures relating to the protection of Personal Data, when they are involved in the Processing of Personal Data.



###  Appendix 1: Maximum data retention periods 



 [    Appendix 1: Maximum data retention periods ](/sites/default/files/uploaded_files/annexe_1.pdf) 

  ###  Summary