External Personal Data Protection Policy

Last Updated: 11/05/2021

 

1. Introduction

1.  As part of its activities, PST&B, a member of the Galileo Global Education Group, collects and processes personal data.

2. Committed to fostering innovation while building a lasting relationship of trust based on respect for the rights and freedoms of individuals, the institution implements the necessary technical and organizational means to protect the personal data it processes.

3. The main objective of this policy is to present concise, transparent, understandable, and easily accessible information concerning data processing, allowing you to understand how your data is processed, your rights in this regard, and the institution’s commitments.

 

2. Who Are We?

4. PST&B (hereinafter referred to as “the Institution”) is a school belonging to the private higher education group Galileo Global Education France (“Galileo Group”).

5. PST&B is a simplified joint-stock company with a capital of €1,000,000, registered under SIREN 812 095 586 RCS PARIS, with headquarters located at 41 rue Chanzy – 75011 Paris – France.

 

3. Data Protection Officer (DPO) and Internal Data Protection Representative

6. The Galileo Group has appointed a Data Protection Officer (DPO) to oversee all schools and entities within the group, whose contact details are: 41 rue Saint Sébastien, 75011 PARIS, Data Protection Officer or DPO, email address : dpo@ggeedu.fr.

7. To liaise with the DPO, the Institution has also appointed an internal data protection representative (“DPO Delegate – DDPO”) who can be reached at dpo@pstb.fr.
The DPO and the internal data protection representative advise, inform, and monitor compliance with data protection regulations.

 

4. Fair and Transparent Data Collection

8. In the interest of transparency, the Institution informs individuals about each data processing operation that concerns them.

9. Data is collected fairly. No data is collected without the knowledge or consent of the individuals involved.

 

5. Purpose Principle

10. When the Institution processes data, it does so for specific purposes: each data processing operation has a legitimate, determined, and explicit purpose.

 

6. Proportional Data Processing

11. For each data processing operation, the Institution collects and uses only data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

12. The Institution ensures that data is updated when necessary and implements procedures to allow the correction or deletion of inaccurate data.

 

7. Personal Data We Process

13. The Institution collects and processes the following main categories of personal data:

  • Identification data: names, first names, date of birth, nationality ;
  • Education data: academic background, training-related information ;
  • Financial and economic information: funding arrangements ;
  • Personal information: home address, phone number, email address ;
  • Professional information: job, employer, work contact details, professional experience ;

14. The Institution does not generally process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic data, biometric data for identification purposes, or data related to an individual’s sexual life or orientation.

15. Exceptionally, the Institution may process health data, especially related to disability, to adapt practical training conditions or biometric data for access control management.

 

8. Source of the Data We Process

8.1 Declarative Personal Data

16. This includes personal data that you provide primarily during :

  • Your interactions with the Institution, such as at fairs, forums, or open house events ;
  • The conclusion of a contract with the Institution ;
  • The creation of a file with the Institution ;
  • Surveys conducted with the individuals concerned.

17. This data is mainly collected via our forms, paper or electronic questionnaires.

8.2 Personal Data from Third Parties or Other Services

18. Personal data may also come from :

  • Your navigation on the websites of the schools ;
  • Other schools within the Galileo Group or partner institutions ;
  • Lead providers ;
  • Your employer, if applicable ;
  • Public organizations ;

 

9. Legal Bases and Purposes of Our Data Processing

19. The data processing carried out by the Institution and, more broadly, by the Galileo Group, is necessary for the performance of a contract or pre-contractual measures requested by the person concerned. This includes processing for purposes such as :

  • Managing and monitoring enrollment in a competition or training program ;
  • Managing and monitoring training (including recording and broadcasting courses for distance learning students).
  • Recording and processing training services ;
  • Administrative and financial management of training ;

20. Some processing is implemented to comply with legal and regulatory obligations, including :

  • Actions related to training ;
  • Adapting training for individuals with disabilities ;
  • Enabling individuals to exercise their rights under data protection laws ;
  • Managing accounting/tax obligations ;

21. Other processing is carried out to meet the Institution’s legitimate interests, particularly in managing and expanding its activities, such as :

  • Prospecting for the Institution or other Galileo Group schools ;
  • Conducting marketing studies and internal statistics ;
  • Promoting the training programs offered ;
  • Conducting surveys ;
  • Organizing events ;
  • Analyzing website traffic ;
  • Managing alumni and expanding the school’s network.

22. Consent is obtained for processing that does not rely on legal, contractual, or legitimate interest grounds.

 

10. Recipients of Your Data

23. The personal data we collect, as well as any data collected later, is intended for us as the data controller.

24. Data may also be shared with the following categories of recipients :

  • Institution staff, staff from other schools in the Galileo Group, and partners for candidate management ;
  • Our subcontractors ;
  • Public or private organizations to meet legal obligations ;
  • Ranking organizations to promote the school’s reputation ;

25. The Institution ensures that only authorized individuals have access to your data, enforcing strict authorization policies.

 

11. Data Transfers

26. Personal data processed by the Institution may be transferred to countries within or outside the European Union.

27. In cases of processing carried out outside the EU, including remote access, the Institution implements guarantees to protect and secure the information in accordance with applicable regulations.

28. You can request details of these transfers and the measures taken by contacting the DPO at dpo@ggeedu.fr.

 

12. Data Retention Periods

29. The Institution retains data in a form that allows for the identification of individuals only for as long as necessary for the purposes for which it was collected.

30. The retention periods we apply to your personal data are proportionate to the purposes for which they were collected.

31. In particular, we organize our data retention policy as follows :

  • Data collected for prospect management: a maximum of 3 years
  • Data collected and processed for training: a maximum of 10 years
  • Data processed for graduation: a maximum of 50 years.

L’Etablissement reserves the right to retain your data beyond the time limits set out above in the event of legal or regulatory obligations.

 

13. La sécurité de vos données

32. The Galileo Group prioritizes the security of personal data.

33. Appropriate technical and organizational measures are implemented to ensure data protection against loss, destruction, or accidental damage that could compromise its confidentiality or integrity.

34. The Institution ensures that tools enabling personal data processing provide optimal data protection.

35. Measures respecting data protection by design and by default principles, including pseudonymization or encryption, are applied when necessary.

 

14. Subcontracting

36. When using a service provider, the Institution shares personal data only after obtaining security and confidentiality assurances.

37. Contracts are concluded with subcontractors in compliance with legal and regulatory obligations, precisely defining data processing conditions.

38. The Galileo Group conducts audits of its own services and those of its subcontractors to verify data security compliance.

 

15. Your Rights

39. The Institution ensures respect for your rights regarding data processing, ensuring fair and transparent treatment based on the circumstances in which your personal data is processed.

15.1 Your Right of Access

40. You have the right to confirm whether your personal data is being processed and to request a copy of your data and information regarding :

  • the purposes of the processing ;
  • the categories of personal data concerned ;
  • the recipients or categories of recipients and, where applicable, if such communications are to be made, the international organizations to which the personal data has been or will be communicated, in particular recipients established in third countries ;
  • where possible, the length of time for which personal data will be kept or, where this is not possible, the criteria used to determine this length of time ;
  • the existence of the right to ask the data controller to rectify or erase your personal data, the right to request a restriction on the processing of your personal data, the right to object to such processing ;
  • the right to lodge a complaint with a supervisory authority ;
  • information on the source of the data when it has not been collected directly from the data subject ;
  • the existence of automated decision-making, including profiling, and in the latter case, useful information concerning the underlying logic, as well as the significance and anticipated consequences of such processing for the data subjects.

15.2 Your Right to Rectification

41. You may request that your personal data be corrected or completed if it is inaccurate or incomplete.

15.3 Your Right to Erasure of Your Data

42. You can request the erasure of your personal data when one of the following reasons applies :

  • The personal data is no longer necessary for the purposes for which it was collected or otherwise processed ;
  • You withdraw the previously given consent ;
  • You object to the processing of your personal data when there is no overriding legitimate reason for the processing ;
  • The processing of personal data does not comply with applicable legal and regulatory provisions.
    The right to erasure is not a general right, and it can only be granted if one of the reasons provided for in the applicable regulations is present.

The right to data deletion is not a general right, and can only be exercised if one of the reasons provided for in the applicable regulations is present.

43. Otherwise, the Institution may not respond favorably to your request, particularly if it is required to retain the data due to a legal or regulatory obligation or for the establishment, exercise, or defense of legal claims.

15.4 Your Right to Restrict Data Processing

44. You can request the restriction of the processing of your personal data in cases provided for by legislation and regulations.

15.5 Your Right to Object to Data Processing

45. You have the right to object, at any time, for reasons related to your particular situation, to the processing of your personal data based on the legitimate interest pursued by the data controller (see the article above on the legal basis of processing).

46. In the event of exercising such a right to object, we will ensure that your personal data is no longer processed within the scope of the relevant processing, unless we can demonstrate that there are legitimate and compelling reasons to continue this processing. These reasons must outweigh your interests, rights, and freedoms, or the processing must be necessary for the establishment, exercise, or defense of legal claims.

47. Regarding direct marketing, you are reminded that you can object to receiving marketing materials by mail or phone from the Institution.

48. En matière de prospection commerciale, il est rappelé que vous pouvez vous opposer à recevoir de la prospection par voie postale ou par téléphone de la part de l’Etablissement.

49. In the case of direct marketing via electronic means (email, SMS, MMS), the Institution may do so if you have given your consent at the time of data collection. You can object to this type of marketing at any time via the link provided in the email sent to you or by replying “stop” to the number indicated in the message you received.

15.6 Your Right to Data Portability

50. You have the right to the portability of your personal data. This is not a general right and only applies to automated processing, excluding manual or paper-based processing.

51. This right is limited to processing whose legal basis is your consent or the execution of pre-contractual measures or a contract.

52. It does not include derived or inferred data, which are personal data created by the Institution or the Galileo Group.

53. The data subject to this right includes :

  • Only your personal data, excluding anonymized data or data that does not concern you ;
  • Declarative personal data as well as operational personal data mentioned previously.

54. The right to data portability must not infringe upon the rights and freedoms of third parties, such as those protected by trade secrets.

55. You can request data portability according to the procedure defined below, specifying whether you wish to receive the data yourself or, if technically possible, for us to transfer it directly to another data controller.

56. In the latter case, you must provide the exact name of the data controller, their contact details, and the service or person who should receive the data. To facilitate the exercise of this right, you should inform the recipient of your request with our services.

15.7 Your Right to Withdraw Consent

57. When the processing of data we carry out is based on your consent, you can withdraw it at any time. We will then stop processing your personal data without affecting the validity of previous operations for which you had given your consent.

15.8 Your Right to Lodge a Complaint

58. You have the right to lodge a complaint with the CNIL (3 Place de Fontenoy 75007 Paris) in France, without prejudice to any other administrative or judicial remedy.

15.9 Your Right to Define Post-Mortem Instructions

59. You have the option to define specific instructions regarding the retention, deletion, and communication of your personal data after your death with our services according to the procedures defined below. These specific instructions will only concern the processing carried out by us and will be limited to this scope.

60. You will also be able, when authorized by the executive authority, to define general instructions for the same purposes.

15.10 How to Exercise Your Rights

61. All the rights listed above can be exercised by proving your identity and contacting the DDPO (Data Protection Representative) of the Institution, the internal point of contact for personal data protection.

62. The DDPO will forward the requests regarding the exercise of rights to the Galileo Group’s DPO.

15.11 Changes to This Document

63. We invite you to regularly review this policy on our website. It may be updated periodically.