Pursuant to the personal data protection legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and French Law no. 78-17 of 6 January, amended, HEC Paris undertakes to protect all the personal data it collects and uses in its processing.
This data protection policy applies to any:
- Use of one of the online services of HEC Paris:
  - Whether this is a website, intranet (forms, cookies, etc.) or a digital work environment,
  - On social media,
  - Whatever the type of exchanges (email, text message, paper or electronic form, etc.),
  - Or on mobile apps.
- Participation in training or an event;
- Response to a solicitation by HEC by an alumnus, speaker, partner or supplier.
The HEC Paris websites contain links that may redirect the user to third party sites which have their own confidentiality and cookie management policies. The policies of such third parties should be consulted, and HEC Paris declines any responsibility regarding the confidentiality practices implemented by such third parties.
HEC PARIS, an EESC (Consular Higher Education Institute) with a capital of €60,451,500, registered with the Registry of Trade & Companies in Paris under the number 817 759 186, and headquartered at 8, avenue de la Porte de Champerret - 75017 Paris, is represented as a Data Controller by Robin Ajdari, in his capacity as Chief Digital Officer.
To meet its operational needs, HEC Paris has to set up and use means of processing personal data relating to its prospects, applicants, clients, alumni, faculty, partners, companies and organizations:
- "Prospect" means any person who may potentially be interested in a course or event;
- "Applicant" means any person interested in a course who has started to complete an application;
- "Client" means any person who has confirmed their registration or had their registration confirmed by their company, where applicable, following an admission process, whether by making a down payment or signing a financing contract or form;
- "Student" means any person registered on a course leading to a Grande Ecole or MBA qualification;
- "Third party payer" means the natural or legal person managing all or part of the funding of a Client's training;
- "Alumnus" means any person who has taken a course, whether or not it leads to a qualification and whether or not they have completed the course;
- "Speaker" refers to any person providing teaching services whether or not they are a salaried employee of HEC Paris;
- "Providers" refers to companies or organizations with which HEC Paris has a purchase contract as well as the suppliers of HEC Paris;
- "Partners" refers to companies or organizations with which HEC Paris has a contractual partnership relationship, in particular in connection with training services.
"User" may refer to all populations.
Non-technical types of data may include:
- Personal status (surname, first name, address, date and place of birth, nationality, title);
- Contact details (telephone number, email address, social media identifiers, mailing address);
- Preferred means of contact;
- Academic history (degrees, specialist qualifications, years obtained, language and management levels, scores in GMAT-type tests, etc.);
- Previous professional experience (titles of positions held, internships, role, responsibilities, companies, pay level);
- Reasons for applying to HEC Paris;
- Where applicable, data relating to means of payment (bank or post office account details, check number and/or credit card details, and, where applicable, transaction no., details of services subscribed to);
- Contract history and, where applicable, details of third party payer;
- Any information relating to training courses taken (HEC Paris student no., modules or courses taken and, where applicable, scores, internships, assessment, exam panels, etc.);
- Any medical information, in particular consultations at the HEC Paris medical center;
- Any information relating to cohort tracking during and/or after the course (employer, position, salary, etc.).
Technical types of data may include:
- IP address;
- Connection data (login/password);
- Browsing data (pages visited, clickstream, length of visit, etc.);
- Browser-related data (type of browser, plugin, etc.);
- Preferences (languages used, etc.).
As part of its relations with Users, HEC Paris collects technical data relating to their browsing on our websites, mobile apps or other content published by HEC Paris.
Depending on the category of Users, HEC Paris collects and processes different data:
Surname, first name, email address, request for services and/or documentation.
For Applicants, Clients and Third party payers:
Personal status, means of contact, preferred means of contact, contract history, where applicable consents, academic history, professional situation and experience and motivation.
For Companies, Providers, Partners and Subcontractors:
Details relating to the entity (name, type of company, share capital, SIRET no., address of headquarters, etc.) contract information, means of payment and/or billing of different transactions; also contacts in these entities (title, surname, first name, email address, position, role, telephone number, etc.).
For Faculty members:
Personal status, means of contact, preferred means of contact, academic history, professional situation and experience, areas of expertise, means of payment, contract history.
Surname, first name, email address, position/role, telephone number and, if cohort tracking, professional situation.
The data mainly originates from direct collection via:
- Browsing and data entered among other things in forms and questionnaires on the HEC Paris websites and/or third party tools;
- Paper forms;
- Creation of an account or a personal page on one of our websites or applications;
- Information provided by Prospects, Applicants or Clients at Forums, Master classes, fairs, in paper or electronic forms, before, during and after a course;
- Orders for products or services;
- Submission of an application or enrolling on one of our programs;
But also indirect collection via our academic, business and technical partners.
The Client is informed that data are shared between our information sites and our application or admission sites. Following their admission, we will ask Clients to check and, if necessary, correct their data so that we can carry out their administrative registration.
Faculty members and Providers are informed that data are shared between our management applications, in particular order handling, and the tools we use to manage the performance of services by Providers and Speakers.
HEC Paris has introduced a policy of minimizing the re-entry of data in order to facilitate access to its different services. As soon as a Client has finalized his administrative registration or the Provider or Speaker has signed their contract, HEC Paris creates all the services that will be linked to their training or necessary to the performance of their service (e.g.: multi-purpose badge, access to premises, accommodation, food services, access to networks and intranet, email box, access to document lending system, access to the services in the HEC residence, access to Online training with partners where there are educational prerequisites, etc.). HEC Paris will then enrich these data when the Client, Speaker or Provider uses these services.
Only data necessary to the processing will be collected.
When personal data is collected in online or paper forms or questionnaires, the required fields are indicated.
If no data is entered in the mandatory fields, the service that relies on this data collection may not be provided, or the application or access to the service may not be fully assessed. The optional fields enable us to process data more effectively.
The legal basis depends on the processing involved:
- Connected to HEC Paris's legal obligations,
- Necessary to the performance of HEC Paris's public service mission,
- Necessary to the performance of a contract or pre-contractual measures,
- Connected to the consent of the person concerned,
- Necessary to safeguard the vital interests of the person concerned,
- Connected to HEC Paris's legitimate interests.
HEC Paris will seek the permission of the person concerned to send its marketing messages or accept a subscription to its newsletters. The User is entirely free to refuse such processing simply by clicking on the "unsubscribe" or "désinscription" link which is always present in HEC Paris's messages.
The purpose of the collection of this information is to enable:
- The setting up of prospecting and advertising operations relating to the programs, activities and events organized by HEC Paris or its community and subscriptions to HEC Paris newsletters;
- Access to the admission platform, and its improvement;
- Management of the student's application and, after admission, monitoring his/her training regarding administrative, financial and academic aspects;
- Client relations monitoring;
- Purchase management;
- Management of unpaid bills and disputes;
- Attribution either:
  - For Students: of an international multi-service student card enabling them to access HEC Paris premises, cafeterias, etc. to print and/or photocopy documents, access CROUS-run student catering facilities, pay for different items and manage document borrowing;
  - For other Users, of a temporary badge or multi-service card giving access to the premises and, where applicable, catering facilities, print and/or photocopy documents;
- Medical follow-up of students;
- In some cases, to assist the Client with the procedure for obtaining financial grants and to monitor their file;
- Where applicable, access to HEC Paris network, application resources and digital documentation;
- Where applicable, submission of documents and academic work;
- Setting up filtering by means of a firewall, antivirus, video surveillance and access control for reasons of security of people and property, and operations connected to the Vigipirate/terrorism alert system;
- Handling requests for intervention if a Client encounters any difficulties in their use of IT media or HEC Paris's premises;
- Organization of surveys, in particular for HEC Paris, the Ministry of Higher Education and Research, the Conférence des Grandes Ecoles, accreditation bodies, organizations publishing rankings for which HEC Paris has to produce statistics or answer inquiries in accordance with current legislation;
- Access to professional support offers developed by the Careers & Business Partnership Department of HEC Paris;
- Management of the risk of fraudulent use;
- Management of the awarding of HEC Paris diplomas and certificates, and in some cases, their electronic equivalents;
- Collection of the apprenticeship tax;
- Management of relations with companies;
- Transmission of data to companies (especially CVs), Partners and/or subsidiaries of HEC Paris;
If HEC Paris subsequently wishes to carry out processing of personal data for a purpose other than that for which the data were collected, HEC Paris will provide Users with prior information about this other purpose and any other relevant information.
In connection with the administrative, financial and educational monitoring of Clients' training, depending on the course taken, the Student may be called upon to choose classes. This processing will allocate places according to availability in the class chosen and in accordance with the Student's wishes. In order to satisfy the Student's training preferences as closely as possible, the latter will still be able to contact the head of their program to modulate their training according to their wishes.
As part of the management of the fraud risk, HEC Paris uses a digital process that enables it to compare, depending on the requirements of the program, some of the work submitted by Clients to internal and external sources in order to detect plagiarism. This processing is a legal obligation for HEC Paris, required under its public service mission, in particular when Clients are submitting work for a diploma or certificate. This processing will systematically be subject to examination by the faculty teams in charge of identifying any possible consequences.
HEC Paris applies retention times to the data it collects according to any legal and contractual requirements that apply, and where there are none, according to its own needs. The retention time may vary according to the data category or processing concerned or user profile.
HEC Paris will retain these data for a period not exceeding that necessary to the purposes for which they are processed.
|Data retention times|
|Data relating to prospecting and marketing||3 years after the last contact|
|Data relating to newsletters||Until the person concerned unsubscribes|
|Data relating to a programme for which there is no admission process||3 years if it gives rise to any specific academic recognition|
|Data relating to enrolment on courses with an admission process||Duration of training course, then linked to the Client's individual file for a program|
Client's individual file for a program:
|Medical follow-up of the Student||Graduation + 1 year|
|Management of documents provided in connection with the right of access, modification, deletion and objection.||1 year from date of receipt|
|Documents relating to bursary applications, then summary list of students receiving bursaries|
|Funding agreements with continuing education bodies||1 year after clearance of accounts|
|Third party payer data||3 years after last payment|
|Data relating to log management||1 year then deleted|
|Purchasing management for contract documents||5 years for supply and service contracts; 10 years for works and prime contractor's contracts after the end of contract performance|
|Purchasing management for applicants and bids||5 years after date of signing contracts|
|Billing management||10 years or after settlement of any disputes|
|Video surveillance||Data retained for one month after images recorded|
|Management of premises and Campus access control||Duration of employment or training or contract|
|Billing and accounts management||10 years|
Certain data will be anonymized. In this case, they may be retained indefinitely by HEC Paris.
HEC Paris guarantees that this confidentiality policy will be adhered to by all subcontractors processing personal data on its behalf in connection with the use of one of the HEC services.
HEC Paris ensures that personal data are only accessible to authorized internal or external recipients.
Internally, only the HEC Paris departments concerned will have access to the User's data, each within the limits of its respective remit.
- HEC Paris's partner universities and schools;
- HEC Paris's parent company or subsidiaries;
- Student services organizations such as the CNOUS, CROUS or the student mutual health schemes,
- Where applicable, HEC Paris student associations;
- Partners of HEC Paris such as:
  - Lifelong training organizations such as Opca,
  - Professionals taking part in exam boards or teaching on HEC Paris courses;
- Providers such as:
  - Publishers of educational content or services linked to HEC Paris or accessible via HEC Paris's digital platforms;
  - Where appropriate, a catering, accommodation and/or travel provider.
HEC Paris may use third party products to provide complementary services to the User. HEC Paris asks these third parties to follow its instructions concerning the User's personal data and only to use them in connection with the contract signed with the third parties unless the person concerned explicitly consents to such third parties using their data for their own purposes.
The User acknowledges that the third party may be located outside the territory of the European Union and agrees to their data being transferred to such places. In this case, HEC Paris will take all the measures necessary to ensure that the provider or partner guarantees an adequate level of data protection in line with the data protection legislation and regulation. In order to guarantee the privacy of Users and their personal data, the subcontractors concerned are obliged among other things to sign standard contract clauses approved by the European Commission.
For the Clients of degree Programs, HEC Paris will transfer the Clients' personal data to the HEC Paris alumni association (HEC Alumni). The Client will be able to object by sending an email to (re.: STOP Transfer HEC Alumni).
For Partners, companies and organizations, the contacts' personal data will be transmitted to the Fondation HEC.
Under Regulation (EU) 2016/679 and the amended French Law n°78-17, the User has a right of access, modification, rectification and erasure of their personal data as well as a right of objection on legitimate grounds, which can be exercised by writing to HEC Paris, Correspondant à la protection des données, 1 rue de la libération, 78350 Jouy-en-Josas or by sending an email to firstname.lastname@example.org, mentioning in the subject line "Droit des personnes" (personal rights) and attaching a copy of their proof of identity.
These are individual rights that can only be exercised by the person concerned in relation to their own information: for security reasons, the department concerned will therefore need to check the person's identity in order to avoid sending confidential information concerning someone else.
The User is entitled to ask for a copy of their personal information held by HEC Paris, with the exception of cases where its disclosure would violate the privacy of another person or if an exemption were to apply.
Any requests to rectify data will be passed on to the department concerned and HEC Paris will inform the User when the rectification has been made.
Any request to delete data made by a User will be studied to determine whether the erasure should be carried out or not. The User's right of erasure will not apply if the processing has been set up to meet a legal obligation. Certain data are necessary to track training and/or its payment.
If our processing required the User's consent, the latter may withdraw it at any time.
Under the same conditions, the User possesses a right to control the usage of their data by writing to the same address.
HEC Paris reserves the right to contact the Prospect or Client by the means of communication of its choice: telephone, text message, email (including at the Client's personal address if they have entered it), social media, etc. The Client may ask that a certain means of communication not be used by HEC Paris, by sending their request to email@example.com (re.: STOP Means of communication).
The management of usage also means that the User has the possibility of requesting:
- Restrictions on HEC Paris's processing (for example, that HEC Paris no longer contact a person who has taken a training course to propose similar offers or services);
- Post mortem management of data by drawing up advance directives. The User is informed that they have a right to formulate specific and general directives concerning the retention, erasure and disclosure of their data post mortem. This right can be exercised by an email to this address: firstname.lastname@example.org or by ordinary mail to this address: 1 rue de la libération, 78350 Jouy-en-Josas (France), mentioning "Droit des personnes - post-mortem" (Post mortem personal rights) and enclosing a copy of their proof of identity.
The User is informed that they have a right to data portability so that they can obtain and reuse their data for their own purposes in another IT environment. They can exercise this right by writing to HEC Paris, Correspondant à la protection des données, 1 rue de la libération, 78350 Jouy-en-Josas or by sending an email to email@example.com mentioning in the subject line "Droit des personnes - portabilité" (Personal rights - portability) and enclosing a copy of their proof of identity.
This portability right does not apply to all the processing carried out by HEC Paris, in particular when it is done in connection with HEC Paris's public service mission or its legal obligations. The User's request will be studied and implemented for the data able to benefit from this right only.
The User also has a right to lodge a complaint with the national data protection authority, which for France is the CNIL: COMMISSION NATIONALE DE L'INFORMATIQUE ET DES LIBERTÉS, 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
A list of the different European supervisory authorities can be found on the CNIL website.
In order to ensure the security of its data, HEC Paris implements a level of security appropriate and proportional to the risks involved by taking all useful precautions, whether they be physical, logical, administrative or organizational, in view of the nature of the data it collects, processes or transfers.
These measures include, mainly:
- Protection and access control at the HEC Paris Campus, its premises and server rooms;
- Protection of the accesses to the premises and server rooms;
- Backup data center off the HEC Paris campus;
- Filtered, secure internet access;
- Securing of interconnections with remote sites and access to the HEC services;
- Compartmentalized network with filtering rules between the different segments;
- Use of an SSL-type encryption protocol for the transmission of data between the terminals and servers of HEC Paris or its service providers;
- Regular backups replicated in the backup data center;
- Securing of hardware, servers and applications via specific accounts with regular inventories;
- Management of accreditations for accessing data, and only allowing necessary resources to access data;
- Separation of development/acceptance, pre-production and production environments;
- Control of workstations allowed to connect to the internal network.
HEC Paris has appointed a Data Protection Officer.
Anyone encountering any problems with the processing of personal data may contact the Data Protection Officer at this address firstname.lastname@example.org or by sending a letter to "HEC Paris, Déléguée à la protection des données, 1 rue de la libération, 78350 Jouy-en-Josas".
This confidentiality policy is liable to be amended or adapted at any time in the event of changes in the law, case law or usages.