Website privacy policy

PERSONAL DATA PROTECTION POLICY

1. Purpose and Scope of the Policy

The Rennes School of Business (Rennes SB) association attaches great importance to the protection of your personal data as well as to compliance with the provisions of
the applicable Legislation.
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Data
(hereinafter “GDPR”) states that Personal Data must be processed lawfully, fairly and transparently. Thus, the purpose of this personal data protection policy (hereinafter the
“Policy”) is to provide you with easy to understand, clear information about the Processing of Personal Data relating to you during your visit to the website and the
operations carried out on our website.

2. Data Controller

As part of your activity at www.rennes-sb.fr, we collect and use Personal Data relating to you, natural persons (hereinafter “Data Subject”).
For all Processing, Rennes SB, an association located at 2 rue Robert d’Arbrissel in Rennes (35000), France, determines the means and purposes of the Processing.
Thus, we act as a Data Controller within the meaning of the Regulations on Personal Data, and in particular Regulation (EU) 2016/679 on the protection of natural persons
with regard to the Processing of Personal Data and on the free movement of such Data.

3. What Personal Data do we collect and how do we collect it?

By using our website, you provide us with certain information about you, some of which may identify you (“Personal Data”). This is the case when you visit our site or when
you fill out forms online.
The nature and quality of the Personal Data collected about you vary depending on the relationship you have with Rennes SB, the main ones of which are:
– Identification data: this includes all the information that would allow us to identify you, such as your surname, first name and telephone number. We will also collect your email address as well as your postal address (in the event of payment, the postal address will be necessary to generate an invoice).
– Login data: this is all the information we need to access your personal account, such as the password and other information needed to authenticate and access
an account.
We also collect your IP address for maintenance and statistical purposes.
– Financial data: this corresponds to Banking data such as bank details.
– Different types of documents (PDF, Image, Office format) with titles, content, folder names or information linked to a document, such as written comments in
the documents, alert and reminder dates.
– Information about your browsing habits: by browsing our website, you interact with it. Therefore, certain information about your browsing habits is
collected.
– Data collected from Third Parties: Personal Data that you have agreed to share with us or on publicly available social media and/or that we may collect
from other publicly available databases.
– Data relating to the student and professional pathway (degrees obtained, validation of skills, languages spoken, curriculum vitae, disciplinary sanctions).

4. Why do we collect your Personal Data and how do we collect it?

We collect your Personal Data for specified purposes and on different legal grounds.

5. Who has access to your Personal Data?

Your Data is mainly intended for authorised employees of Rennes SB, in particular the Educational and Academic Department, the Information Systems Department, the
Communication and Marketing Department, the Finance Department, as well as persons responsible for the security of premises and reception.
It may be transmitted to the following recipients for certain tasks related to the purposes, and within the limits of their respective missions and authorisations:

– Foreign educational institutions that are partners of Rennes SB where the student would receive training;
– Partners of Rennes SB for the purposes of contract management, such as, for example, organisations collecting outstanding payments;
– IT subcontractors of Rennes SB, such as IT hosting and maintenance providers;
– Rennes SB technical subcontractors such as dispatchers, partners involved in organising events carried out by Rennes SB (gala evenings, etc.), etc.
– Organisations specialised in carrying out surveys and compiling statistics (in particular for the rankings of educational institutions);
– The rectorate and, in general, any establishment under the supervision of the Ministry of National Education, in particular for the purpose of carrying out
national surveys;
– Organisations that cover all or part of the cost of training such as, for example, government approved vocational training organisations;
– The Rennes SB alumni association;
– Partners of Rennes SB for the purposes of managing Rennes SB academic accreditations;
– The European Commission for the management of grants awarded under the Erasmus programme;
– Partners of Rennes SB which run student associations, clubs and other schemes under the aegis of Rennes SB;
– Any judicial or administrative entity when Rennes SB must meet its regulatory obligations;
– Business partners only when you have expressly consented to this through the cookie consent manager:

  • Google
  • Facebook / Instagram
  • LinkedIn

– Service providers and subcontractors that we use to carry out a range of operations and tasks on our behalf, in particular:
When your Data is communicated to our service providers and subcontractors, they are also asked not to use the Data for purposes other than those initially intended. We make every effort to ensure that these Third Parties maintain the confidentiality and security of your Data.
In any case, only the necessary Data is made available to them. We make every effort to ensure secure communication or transmission of your Data.
We do not sell your Data.

6. Is your Personal Data transferred to Third countries?

Rennes SB endeavours to keep Personal Data in France, or at least within the European Economic Area (EEA).
In the event that the data of Data Subjects is transferred outside the European Union, Rennes SB will use one of the mechanisms ensuring appropriate guarantees as
provided for by the applicable regulations, and in particular the adoption of the standard contractual clauses drawn up by the European Commission. You can contact the Data
Protection Officer of Rennes SB for further information on these topics as well as to obtain a copy of the relevant documents.

7. How long do we keep your Personal Data?

Personal data processed by Rennes SB is retained for the time necessary to achieve the purpose for which we keep it, in order to meet your needs or for the time
necessary for the performance of the legal and contractual obligations of Rennes SB, in accordance with the data protection regulations and according to the duration of
the legal requirements.
Generally speaking, the data is stored in accordance with circular no. 2005-003 of 22 February 2005 issued by the Minister of National Education, Higher Education and
Research.
For example:
– Data relating to the administrative and educational file of students is kept for 10 years;
– Copies of examinations/evaluations are kept for one year after publication of the results, except in the case of litigation;
– Invoices are kept for 10 years;
– Trainee attendance sheets and copies of the internship certificates issued are kept for 5 years;
– Data relating to disability management is kept for the duration of the disability if this is less than the duration of the education or, otherwise, for the duration
of the education;
– Data relating to unpaid debts is retained until the amicable settlement of the dispute or, failing that, until the enforcement of legal action;
– Contract management data is retained for the duration of the contract plus five years;
– Data relating to marketing activities is retained for three years from the last contact;
– Survey questionnaires are kept for 5 years and the results (summaries, scoreboards, etc.) are kept for 10 years.

8. How do we ensure the security of your Personal Data?

Rennes SB undertakes to protect the Personal Data that we collect or process, against loss, destruction, alteration, unauthorised access or disclosure.
Accordingly, we implement all appropriate technical and organisational measures, depending on the nature of the Data and the risks involved in Processing it. These
measures must ensure the security and confidentiality of your Personal Data. They may include practices such as limited access to Personal Data by authorised persons,
due to their functions, pseudonymisation or encryption.
In addition, our practices and policies and/or physical and/or logical security measures (secure access, authentication process, backup copy, software, etc.) are regularly
verified and updated if necessary.

9. What are your rights?

The GDPR provides Data Subjects with the necessary information about the rights that they may exercise. This includes:
1. Right to information: the right to be clearly, precisely and comprehensively informed about the use of Personal Data by Rennes SB.
2. Right of access: the right to request a copy of the Personal Data that the Data Controller holds about the Data Subject.
3. Right to rectification: the right to have the Personal Data rectified if it is inaccurate or obsolete and/or to complete it if it is incomplete.
4. Right to erasure / right to be forgotten: the right, under certain conditions, to have the Data erased or deleted, unless Rennes SB has a legitimate interest in
keeping it.
5. Right to object: the right to object to the Processing of Personal Data by Rennes SB for reasons relating to the particular situation of the Data Subject
(subject to conditions).
6. Right to withdraw Consent: the right at any time to withdraw Consent when Processing is based on Consent.
7. Right to restriction of Processing: the right, under certain conditions, to request that the Processing of Personal Data be temporarily suspended.
8. Right to data portability: the right to request that Personal Data be transmitted in a reusable format allowing it to be used in another database.
9. Right not to be subject to an automated decision: the right for the applicant
to refuse fully authorised decision-making and/or to exercise the additional guarantees offered in this area.
10. Right to define post-mortem guidelines: the right for the Data Subject to define guidelines regarding the fate of their Personal Data after their death.
Additional rights may be granted to Data Subjects by the Local Regulations.
To this end, Rennes SB has implemented a procedure for managing the rights of Persons that complies with the requirements of the applicable Legislation. This
procedure establishes:
– The standards to be complied with to ensure the provision of transparent information to the Data Subjects;
– The legal requirements that must be complied with;
– The means authorised to submit a request for each right, according to the category of Data Subjects;
– The operational procedures used to process these requests in accordance with the above requirements;
– The parties involved in these procedures, their roles and responsibilities.
To exercise your rights, you can contact the Data Protection Officer (DPO) by email or by post:
– DPO, General Secretary, 2 Rue Robert d’Arbrissel, 35065 Rennes, France
– dpo@rennes-sb.com
When you send us a request to exercise your Right, you are asked to specify, as far as possible, the scope of the request, the type of right exercised, the Processing of
Personal Data concerned, and any other useful element, in order to facilitate the examination of your request. In addition, in the event of reasonable doubt, you may be
asked to prove your identity.
You also have the right to refer any complaint relating to the way in which Rennes SB collects and processes your data to the Commission Nationale de l’Informatique et des
Libertés (CNIL), 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, France.

10. Updating this Policy

This Policy may be updated regularly to reflect any changes in the Personal Data
Regulations.

Last updated on 19/08/2022.