Personal data

Last updated: 13/10/2020

1. Introduction

1. As part of its activities, Atelier Chardon Savard, a member of the Galileo Global Education Group, is required to collect and process personal data.
2. Accordingly, with a view to fostering innovation while building a lasting relationship of trust based on respect for individuals’ rights and freedoms, the Institution implements the technical and organizational measures necessary to protect the personal data it processes.
3. The main purpose of this policy is to present, in a concise, transparent, understandable, and easily accessible format, information relating to the data processing activities implemented, in order to enable you to understand under what conditions your data are processed, what your rights are in this regard, and to present the commitments of the Institution.

2. Who are we?

4. Atelier Chardon Savard is a company with share capital of €30,000, registered with the Paris Trade and Companies Register under SIREN number 331 037 796 RCS, with its registered office located at 15 rue Gambey, 75011 Paris.

3. Data Protection Officer and Contact Person

5. The Galileo Group has appointed a shared Data Protection Officer (DPO) for all entities and schools within the Galileo Group. The DPO’s contact details are as follows:
   41 rue Saint Sébastien, 75011 PARIS
   Data Protection Officer (DPO)
   Email: dpo@ggeedu.fr
6. In order to act as a liaison with the DPO, the Institution has also appointed an internal personal data protection contact person (“DPO Delegate – DDPO”), whose contact details are: dpo@atelier-chardon-savard.com.

The DPO and the Institution’s personal data protection contact person are responsible for advising, informing, and monitoring compliance with personal data protection regulations.

4. Fair and Transparent Data Collection

7. In the interest of transparency, the Institution ensures that data subjects are informed of each processing activity that concerns them.
8. Data are collected fairly. No data are collected without the knowledge of the individuals concerned or without informing them.

5. Purpose Limitation Principle

9. When the Institution processes data, it does so for specific purposes. Each data processing activity pursues a legitimate, determined, and explicit purpose.

6. Proportionate Data Processing

10. For each processing activity implemented, the Institution undertakes to collect and use only data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
11. The Institution ensures that data are kept up to date where necessary and implements procedures to enable the deletion or rectification of inaccurate data.

7. Personal Data We Process

12. As part of the personal data processing activities whose purposes are described below, the Institution mainly collects and processes the following categories of data:

• identification data such as last name(s), first name(s), date of birth, nationality of the data subjects;
• data relating to education, such as educational background or training-related projects;
• economic and financial information, such as funding arrangements;
• personal life data, such as personal address, telephone number, email address;
• where applicable, data relating to professional situation, such as profession, employer, professional contact details, and professional experience.

13. In general, the Institution does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, nor genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning a person’s sex life or sexual orientation.
14. However, exceptionally, the Institution may be required to collect health data, in particular data relating to a disability situation, in order to adapt the practical arrangements of the training services provided, or biometric data for access control management.

8. Source of the Data We Process

8.1 Declarative Personal Data

15. These are personal data that you mainly provide in the context of:

• your interactions with the Institution, particularly during trade fairs, high school forums, or open days;
• entering into a contract with the Institution;
• compiling an application file with the Institution;
• surveys conducted among data subjects.

16. These data are mainly collected through our forms and our paper and electronic questionnaires.

8.2 Personal Data from Third Parties or Other Services

17. Personal data may also originate from:

• your browsing on the schools’ websites;
• other schools within the Galileo Group or partner institutions;
• lead providers;
• where applicable, your employer;
• public authorities.

9. Legal Bases and Purposes of Our Data Processing

18. The processing activities implemented by the Institution, and more broadly by the Galileo Group, are necessary for the performance of a contract or the implementation of pre-contractual measures taken at the request of the data subject. This applies in particular to processing activities for the following purposes:

• management and monitoring of registration for an entrance examination or a training program;
• management and monitoring of training programs. For this purpose, and within the framework of so-called bimodal training, courses may be filmed and broadcast to all students attending remotely and may also be recorded;
• recording and processing of training services;
• administrative and financial monitoring of training programs.

19. Processing activities carried out for the following purposes are necessary to comply with the legal and regulatory obligations incumbent upon the Institution:

• actions relating to training;
• necessary adaptations to training programs for persons with disabilities;
• implementation of the rights of data subjects under personal data protection regulations;
• accounting and tax management.

20. Processing activities carried out for the following purposes are necessary to pursue the legitimate interests of the Institution, in particular the management, proper functioning, and development of its activities:

• management of prospecting for a specific Institution or for any other school within the Galileo Group;
• conducting marketing studies and internal statistics;
• promotion of training programs offered by the Institutions;
• survey management;
• event organization;
• analysis and measurement of website traffic;
• alumni management and development of the school’s network; in this context, as a former student, you may be contacted.

21. The Institution relies on the consent of data subjects for processing purposes that are not based on legitimate interests, legal and regulatory obligations, or the performance of contracts.

10. Recipients of Your Data

22. The personal data we collect, as well as those collected subsequently, are intended for us in our capacity as data controller.
23. The following categories of recipients may also receive your data:

• staff members of the Institution, other schools within the Galileo Group, and Galileo Group staff, particularly for the management of prospective candidates, and where applicable, staff members of partner institutions;
• our service providers;
• public or private bodies to meet our legal obligations;
• ranking organizations in order to promote the school’s reputation.

24. We ensure that only authorized persons have access to these data. The Institution applies strict authorization policies to ensure that the data it processes are only transmitted to authorized persons.

11. Transfers of Your Data

25. The personal data processed by the Company may, during certain operations, be transferred to countries located within or outside the European Union.
26. In the event of processing outside the European Union, including remote access, the Company undertakes to implement appropriate safeguards to ensure the protection and security of this information, in accordance with applicable regulations.
27. You may obtain information about transfers and the safeguards implemented by contacting the DPO at dpo@ggeedu.fr.

12. Data Retention Periods

28. The Institution ensures that data are kept in a form that allows identification of data subjects only for as long as necessary in relation to the purposes for which they are processed.
29. The data retention periods applied to your personal data are proportionate to the purposes for which they were collected.
30. In particular, our data retention policy is organized as follows:

• Data collected for prospect management: maximum of 3 years
• Data collected and processed as part of educational training: maximum of 10 years
• Data processed as part of diploma awarding: 50 years

The Institution reserves the right to retain your data beyond the above periods where necessary to comply with legal or regulatory obligations or for the establishment, exercise, or defense of legal claims.

13. Data Security

31. The Galileo Group places particular importance on the security of personal data.
32. Appropriate technical and organizational measures are implemented to ensure that data are processed in a manner that guarantees protection against loss, destruction, or accidental damage that could compromise their confidentiality or integrity.
33. During the design, selection, and use of tools used to process personal data, the Institution ensures that they provide an optimal level of protection for the data processed.
34. The Institution implements measures that comply with the principles of data protection by design and by default. In this context, the Institution may use pseudonymization or encryption techniques where possible and/or necessary.

14. Subcontracting

35. When using a service provider, the Institution only communicates personal data after obtaining commitments and guarantees regarding the provider’s ability to meet security and confidentiality requirements.
36. Contracts are concluded with subcontractors in compliance with legal and regulatory obligations, precisely defining the conditions and modalities for processing personal data.
37. The Galileo Group carries out or commissions audits of its own services and those of its service providers in order to verify compliance with data security rules.

15. Your Rights

38. The Institution is particularly committed to respecting the rights granted to you in connection with the data processing activities it carries out, in order to ensure fair and transparent processing in view of the specific circumstances and context in which your personal data are processed.

15.1 Right of Access

39. You have the right to obtain confirmation as to whether or not your personal data are being processed and, where they are, to request a copy of your data and information relating to:

• the purposes of processing;
• the categories of personal data concerned;
• the recipients or categories of recipients and, where applicable, international organizations to which personal data have been or will be disclosed;
• where possible, the envisaged data retention period or, if not possible, the criteria used to determine that period;
• the existence of the right to request rectification or erasure of your personal data, restriction of processing, or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• information on the source of the data where they are not collected directly from the data subject;
• the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing.

15.2 Right to Rectification

40. You may request that your personal data be rectified or completed where they are inaccurate, incomplete, ambiguous, or outdated.

15.3 Right to Erasure

41. You may request the erasure of your personal data where one of the following grounds applies:

• the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• you withdraw your previously given consent;
• you object to the processing and there are no overriding legitimate grounds for the processing;
• the processing does not comply with applicable laws and regulations.

The right to erasure is not an absolute right and applies only where one of the grounds provided by applicable regulations is met.

42. Otherwise, the Institution will not be able to comply with your request, particularly where data must be retained to comply with legal or regulatory obligations or for the establishment, exercise, or defense of legal claims.

15.4 Right to Restriction of Processing

43. You may request the restriction of processing of your personal data in the cases provided for by law and regulations.

15.5 Right to Object

44. You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data where the legal basis is the legitimate interest pursued by the data controller.
45. In the event of such an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds overriding your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defense of legal claims.
46. You have the right to object to direct marketing and to profiling insofar as it is related to such marketing.
47. With regard to direct marketing, you may object to receiving marketing communications by post or by telephone from the Institution.
48. In the case of electronic marketing (email, SMS, MMS), the Institution may use such channels if you have given your consent at the time of data collection. You may withdraw your consent at any time via the link included in the email or by sending “STOP” to the number indicated in the message received.

15.6 Right to Data Portability

49. You have the right to data portability. This is not a general right and applies only to automated processing, excluding manual or paper-based processing.
50. This right is limited to processing based on your consent or on the performance of pre-contractual measures or a contract.
51. It does not include derived or inferred data created by the Galileo Group.
52. The data covered by this right are:

• only your personal data, excluding anonymized data or data that do not concern you;
• declarative personal data and operational personal data referred to above.

53. The right to portability must not adversely affect the rights and freedoms of third parties, including those protected by trade secrets.
54. You may request data portability in accordance with the procedure defined below, specifying whether you wish to receive the data yourself or, where technically feasible, have them transmitted directly to another data controller.
55. In the latter case, you must provide the exact name, contact details, and relevant department or contact person of the recipient and inform them of your request.

15.7 Right to Withdraw Consent

56. Where processing is based on your consent, you may withdraw it at any time. We will then cease processing your personal data without affecting the lawfulness of processing carried out prior to withdrawal.

15.8 Right to Lodge a Complaint

57. You have the right to lodge a complaint with the CNIL (3 place de Fontenoy, 75007 Paris) in France, without prejudice to any other administrative or judicial remedy.

15.9 Post-Mortem Directives

58. You may define specific directives regarding the retention, deletion, and communication of your personal data after your death, in accordance with the procedures described below. These directives will apply only to processing carried out by us.
59. You may also define general directives for the same purposes where provided for by law.

15.10 Exercising Your Rights

60. All the rights listed above may be exercised by providing proof of identity and contacting the Institution’s DDPO, the personal data protection contact person.
61. The DDPO will forward the requests to the Galileo Group DPO.

15.11 Amendments to This Policy

62. We invite you to consult this policy regularly on our website, as it may be updated.