applicable to students and members of organizations external to HEC Paris
Pursuant to the personal data protection legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, and French Law no. 78-17 of 6 January, amended, HEC Paris undertakes to protect all the personal data it collects and uses in its processing.
This data protection policy applies only to students, participants or members of organizations that are not part of, and do not belong to, HEC Paris. It does not apply to members of the EESC and therefore applies to:
- Use of one of the online services of HEC Paris:
  - Whether this is a website, intranet (forms, cookies, etc.) or a digital work environment,
  - On social media,
  - Whatever the type of exchanges (email, text message, paper or electronic form, etc.),
  - Or on mobile apps.
- Participation in training or an event;
- Response to a solicitation by HEC by an alumnus, speaker, partner or supplier.
The HEC Paris websites contain links that may redirect the user to third party sites which have their own confidentiality and cookie management policies. The policies of such third parties should be consulted, and HEC Paris declines any responsibility regarding the confidentiality practices implemented by such third parties.
The data controller is HEC PARIS, an EESC (Consular Higher Education Institution), registered with the Registry of Trade & Companies in Versailles under the number 817 759 186, and headquartered at 1 rue de la Libération, 78350 Jouy-en-Josas, FRANCE.
To meet its operational needs, HEC Paris has to set up and use means of processing personal data relating to its prospects, applicants, clients, alumni, faculty, partners, companies and organizations:
- "Prospect" means any person who may potentially be interested in a course or event;
- "Applicant" means any person interested in a course who has started to complete an application;
- "Client" means any person who has confirmed their registration or had their registration confirmed by their company, where applicable, following an admission process, whether by making a down payment or signing a financing contract or form;
- "Student" means any person registered on a course leading to a Grande Ecole or MBA qualification;
- "Third party payer" means the natural or legal person managing all or part of the funding of a Client's training;
- "Alumnus" means any person who has taken a course, whether or not it leads to a qualification and whether or not they have completed the course;
- "Speaker" refers to any person providing teaching services whether or not they are a salaried employee of HEC Paris;
- "Providers" refers to companies or organizations with which HEC Paris has a purchase contract as well as the suppliers of HEC Paris;
- "Partners" refers to companies or organizations with which HEC Paris has a contractual partnership relationship, in particular in connection with training services.
"User" may refer to all populations.
Non-technical types of data may include:
- Personal status (surname, first name, address, date and place of birth, nationality, title);
- Contact details (telephone number, email address, social media identifiers, mailing address);
- Preferred means of contact;
- Academic history (degrees, specialist qualifications, years obtained, language and management levels, scores in GMAT-type tests, etc.);
- Previous professional experience (titles of positions held, internships, role, responsibilities, companies, pay level);
- Reasons for applying to HEC Paris;
- Where applicable, data relating to means of payment (bank or post office account details, check number and/or credit card details, and, where applicable, transaction no., details of services subscribed to);
- Contract history and, where applicable, details of third party payer;
- Any information relating to training courses taken (HEC Paris student no., modules or courses taken and where applicable), pedagogical data (pedagogical work, quizzes, online classes, group work, video), scores, internships, assessment, exam panels, etc.;
- Any medical information, in particular consultations at the HEC Paris medical center;
- Any information relating to cohort tracking during and/or after the course (employer, position, salary, etc.).
Technical types of data may include:
- IP address;
- Connection data (login/password);
- Browsing data (pages visited, clickstream, length of visit, etc.);
- Browser-related data (type of browser, plugin, etc.);
- Preferences (languages used, etc.).
As part of its relations with Users, HEC Paris collects technical data relating to their browsing on our websites, mobile apps or other content published by HEC Paris.
Depending on the category of Users, HEC Paris collects and processes different data:
Surname, first name, email address, request for services and/or documentation.
For Applicants, Clients and Third party payers:
Personal status, means of contact, preferred means of contact, contract history, where applicable consents, academic history, professional situation and experience and motivation.
For Companies, Providers, Partners and Subcontractors:
Details relating to the entity (name, type of company, share capital, SIRET no., address of headquarters, etc.) contract information, means of payment and/or billing of different transactions; also contacts in these entities (title, surname, first name, email address, position, role, telephone number, etc.).
For Faculty members:
Personal status, means of contact, preferred means of contact, academic history, professional situation and experience, areas of expertise, means of payment, contract history.
Surname, first name, email address, position/role, telephone number and, if cohort tracking, professional situation.
The data mainly originates from direct collection via:
- Browsing and data entered among other things in forms and questionnaires on the HEC Paris websites and/or third party tools;
- Paper forms;
- Creation of an account or a personal page on one of our websites or applications;
- Information provided by Prospects, Applicants or Clients at Forums, Master classes, fairs, in paper or electronic forms, before, during and after a course;
- Orders for products or services;
- Submission of an application or enrolling on one of our programs;
But also indirect collection via our academic, business and technical partners.
The Client is informed that data are shared between our information sites and our application or admission sites. Following their admission, we will ask Clients to check and, if necessary, correct their data so that we can carry out their administrative registration.
Faculty members and Providers are informed that data are shared between our management applications, in particular order handling, and the tools we use to manage the performance of services by Providers and Speakers.
HEC Paris has introduced a policy of minimizing the re-entry of data in order to facilitate access to its different services. As soon as a Client has finalized their administrative registration, or the Provider or Speaker has signed their contract, HEC Paris creates all the services that will be linked to their training or necessary to the performance of their service (e.g.: multi-purpose badge, access to premises, accommodation, food services, access to networks and intranet, email box, access to document lending system, access to the services in the HEC residence, access to Online training with partners where there are educational prerequisites, etc.). HEC Paris will then enrich these data when the Client, Speaker member or Provider uses these services.
Only data necessary to the processing will be collected.
When personal data is collected in online or paper forms or questionnaires, the required fields are indicated.
If no data is entered in the mandatory fields, the service reliant on this data collection may not be able to be provided or the application or access to the service may not be able to be fully estimated. The optional fields enable us to process data more effectively.
The legal basis depends on the processing involved:
- Connected to HEC Paris's legal obligations,
- Necessary to the performance of HEC Paris's public service mission,
- Necessary to the performance of a contract or pre-contractual measures,
- Connected to the consent of the person concerned,
- Necessary to safeguard the vital interests of the person concerned,
- Connected to HEC Paris's legitimate interests.
HEC Paris will seek the permission of the person concerned to send its marketing messages or accept a subscription to its newsletters. The User is entirely free to refuse such processing simply by clicking on the "unsubscribe" or "désinscription" link which is always present in HEC Paris's messages.
The purpose of the collection of this information is to enable:
- The setting up of prospecting and advertising operations relating to the programs, activities and events organized by HEC Paris or its community and subscriptions to HEC Paris newsletters;
- Access to the admission platform, and its improvement;
- Management of the student's application and, after admission, monitoring his/her training regarding administrative, financial and academic aspects;
- Client relations monitoring;
- Purchase management;
- Management of unpaid bills and disputes;
- Attribution either:
  - For Students: of an international multi-service student card bearing a personal photograph in order to provide a proof of identity, to give access to the HEC Paris campus, premises, catering facilities and, where applicable, to library services, printing and/or photocopying of documents, and to access CROUS-run student catering facilities, as well as to manage payments;
  - For other Users: of a temporary badge or multi-service card giving access to the premises and, where applicable, to catering facilities and the printing and/or photocopying of documents;
- Management of catering and administrative and financial follow-up;
- Where applicable, management of library and associated services;
- For Students, the tracking of payments or exemption from the Contribution to Student and Campus Life (CVEC) by the CROUS;
- Medical follow-up of Students;
- Management of next of kin details in case of emergency;
- Management of the register signing for class attendance monitoring, and, where applicable, management of end of study certificates;
- Management of text message notifications (SMS) as a rapid means of communication with Students, and more broadly, with learners enrolled on a qualifying or certifying course;
- Where applicable, to assist the Client with the procedure for granting financial grants, equal opportunities or Foundation grants, American loans or grants, or financing for executive education, and to monitor their file;
- Where applicable, creation and management of a user account to access the digital work environment of HEC Paris and other network resources, applications and digital documents;
- Management of a mail directory enabling the management of mailing groups based on school offers attached to each Client;
- Where applicable, follow-up of courses or consultation of online teaching contents, uploading of pedagogical work documents, answers to quizzes, comments, participation in online discussions and management and follow-up of the above by the teaching teams of HEC Paris;
- Where applicable, management of videoconferences and web conferences;
- Management of Client mobility, whether inbound or outbound, subject to the conditions for their course, and management of the conditions linked to this mobility;
- Management of teacher assessments followed by the Client;
- Management, within the framework of a qualifying or certifying course, of continuous assessment and exams, mid-year exams and awarding jury for diplomas and certificates whether the course was followed through face-to-face classes or online, with or without supervision;
- Setting up filtering by means of a firewall, antivirus, video surveillance and access control for reasons of security of people and property, and operations connected to the Vigipirate/terrorism alert system;
- Management of requests for assistance from the Client when encountering difficulties in the use of IT resources or in the use of HEC premises;
- Management of disciplinary sanctions in case of breaches of the rules and regulations of HEC Paris and its partners;
- Organization of studies, indicators and surveys, in particular for HEC Paris, the Ministry of Higher Education and Research, the Conférence des Grandes Ecoles, the National Student Life Observatory, accreditation bodies, and in particular AMBA, AACSB and Equis, organizations publishing rankings (e.g. The Financial Times, The Economist, L’Etudiant, Le Figaro, Quacquarelli Symonds Ltd (QS), Times Higher Education (THE), Forbes, etc.) and any organization for which HEC Paris has to produce statistics or answer inquiries in accordance with current legislation;
- Access to careers support offers developed by the Careers & Business Partnership Department of HEC Paris, in particular for the management of internships required by some courses;
- Management of plagiarism detection;
- Management of the award of HEC Paris diplomas and certificates, and in some cases, their electronic equivalents;
- Collection of the apprenticeship tax;
- Management of relations with companies;
- Transmission of data, especially CVs, to companies, Partners and/or subsidiaries of HEC Paris;
- Transmission of data to the HEC Foundation, so that it can inform the Client of its actions and contact him/her;
- Management of the transfer to the HEC Alumni Association, to the HEC Paris Students Union Association and to the Sports Association of HEC Paris, so long as the student is a member of the above associations or has accepted the data transfer to the association;
- Implementation of statistics
Where applicable, if the Client needs accommodation on or near the course location, the corresponding HEC Paris subsidiary establishes the management of the accommodation, the tracking of the finances and invoicing, and the disputes that may arise;
If the enrollment of a Client is on a joint program with a partner university or school (including those abroad), in this specific case, HEC Paris can forward the Client’s data to the partner university or school for enrollment purposes, for the tracking of his/her schooling and the awarding of the necessary credits by the partner university or school.
If HEC Paris subsequently wishes to carry out processing of personal data for a purpose other than that for which the data were collected, HEC Paris will provide Users with prior information about this other purpose and any other relevant information.
In connection with the administrative, financial and educational monitoring of Clients' training, depending on the course taken, the Student may be called upon to choose classes. This processing will allocate places according to availability in the class chosen and in accordance with the Student's wishes. In order to satisfy the Student's training preferences as closely as possible, the latter will still be able to contact the head of their program to modulate their training according to their wishes.
As part of the management of the fraud risk, HEC Paris uses a digital process that enables it to compare, depending on the requirements of the program, some of the work submitted by Clients to internal and external sources in order to detect plagiarism. This processing is a legal obligation for HEC Paris, required under its public service mission, in particular when Clients are submitting work for a diploma or certificate. This processing will systematically be subject to examination by the faculty teams in charge of identifying any possible consequences.
The management of exams and their supervision is not considered an automatic decision.
In the context of exam management and when it is managed online without the need for a supervisor, the behavior of the Client related to the use of his/her browser, his/her equipment and his/her interactions with his/her environment will be tracked and will make it possible to determine whether the minimum expectations of compliance with the rules set for the exam were met. In the event of non-compliance or doubt as to the behavior of the student taking the exam, the teacher or program manager will be responsible for verifying the elements recorded in order to decide whether the rules were respected and in the event of non-compliance, it will constitute a report which will be added to the client’s school records and will be taken into account, if necessary, for the organization of a disciplinary council.
HEC Paris applies retention times to the data it collects according to any legal and contractual requirements that apply, and where there are none, according to its own needs. The retention time may vary according to the data category or processing concerned or user profile.
HEC Paris will retain these data for a period not exceeding that necessary to the purposes for which they are processed.
Data retention times

| Data | Retention time |
|---|---|
| Data relating to prospecting and marketing | 3 years after the last contact |
| Data relating to newsletters | Until the person concerned unsubscribes |
| Data relating to a programme for which there is no admission process | 3 years if it give rise to any specific academic recognition |
| Data relating to enrolment on courses with an admission process | Duration of training course, then linked to the Client's individual file for a program |
| Client's individual file for a program | |
| Medical follow-up of the Student | Graduation + 1 year |
| Management of documents provided in connection with the right of access, modification, deletion and objection | 1 year from date of receipt |
| Documents relating to bursary applications, then summary list of students receiving bursaries | |
| Funding agreements with continuing education bodies | 1 year after clearance of accounts |
| Third party payer data | 3 years after last payment |
| Recorded web conference classes | 120 days |
| Data relating to log management | 1 year then deleted |
| Purchasing management for contract documents | 5 years for supply and service contracts; 10 years for works and prime contractor's contracts after the end of contract performance |
| Purchasing management for applicants and bids | 5 years after date of signing contracts |
| Billing management | 10 years or after settlement of any disputes |
| Video surveillance | Data retained for one month after images recorded |
| Management of premises and Campus access control | Duration of employment or training or contract |
| Billing and accounts management | 10 years |

Certain data will be anonymized. In this case, they may be retained indefinitely by HEC Paris.
HEC Paris guarantees that this confidentiality policy will be adhered to by all subcontractors processing personal data on its behalf in connection with the use of one of the HEC services.
HEC Paris ensures that personal data are only accessible to authorized internal or external recipients.
Internally, only the HEC Paris departments concerned will have access to the User's data, each within the limits of its respective remit.
HEC Paris may transmit personal data to the following in particular:
- HEC Paris partner universities and schools;
- HEC Paris shareholders;
- HEC Paris subsidiaries;
- Student services organizations such as the CNOUS, CROUS, the student mutual health schemes, or the National Student Life Observatory (OVE);
- Ministry of Higher Education, Research and Innovation;
- Where applicable, HEC Paris student associations, in particular, HEC Paris Students Union, HEC Alumni and HEC Paris Sports Association;
- Partners of HEC Paris such as:
  - Partner businesses,
  - Organizations linked to continuing education, such as an OPCA,
  - Professionals taking part in exam boards or teaching on HEC Paris courses,
  - Businesses financing Client’s courses.
- Providers such as:
  - Publishers of educational content or services linked to HEC Paris or accessible via HEC Paris's digital platforms;
  - Where appropriate, a catering, accommodation and/or travel provider.
HEC Paris may use third party products to provide complementary services to the User. HEC Paris asks these third parties to follow its instructions concerning the User's personal data and only to use them in connection with the contract signed with the third parties unless the person concerned explicitly consents to such third parties using their data for their own purposes.
The User acknowledges that the third party may be located outside the territory of the European Union and agrees to their data being transferred to such places. In this case, HEC Paris will take all the measures necessary to ensure that the provider or partner guarantees an adequate level of data protection in line with the data protection legislation and regulation. In order to guarantee the privacy of Users and their personal data, the subcontractors concerned are obliged among other things to sign standard contract clauses approved by the European Commission.
For the Clients of degree Programs, HEC Paris will transfer the Clients' personal data to the HEC Paris alumni association (HEC Alumni). The Client will be able to object by sending an email to (re.: STOP Transfer HEC Alumni).
For Partners, companies and organizations, the contacts' personal data will be transmitted to the Fondation HEC.
Under Regulation (EU) 2016/679 and the amended French Law n°78-17, the User has a right of access, modification, rectification and erasure of their personal data as well as a right of objection on legitimate grounds, which can be exercised by writing to HEC Paris, Correspondant à la protection des données, 1 rue de la libération, 78350 Jouy-en-Josas or by sending an email to firstname.lastname@example.org, mentioning in the subject line "Droit des personnes" (personal rights) and attaching a copy of their proof of identity.
These are individual rights that can only be exercised by the person concerned in relation to their own information: for security reasons, the department concerned will therefore need to check the person's identity in order to avoid sending confidential information concerning someone else.
The User is entitled to ask for a copy of their personal information held by HEC Paris, with the exception of cases where its disclosure would violate the privacy of another person or if an exemption were to apply.
Any requests to rectify data will be passed on to the department concerned and HEC Paris will inform the User when the rectification has been made.
Any request to delete data made by a User will be studied to determine whether the erasure should be carried out or not. The User's right of erasure will not apply if the processing has been set up to meet a legal obligation. Certain data are necessary to track training and/or its payment.
If our processing required the User's consent, the latter may withdraw it at any time.
Under the same conditions, the User possesses a right to control the usage of their data by writing to the same address.
HEC Paris reserves the right to contact the Prospect or Client by the means of communication of its choice: telephone, text message, email (including at the Client's personal address if they have entered it), social media, etc. The Client may ask that a certain means of communication not be used by HEC Paris, by sending their request to email@example.com (re.: STOP Means of communication).
The management of usage also means that the User has the possibility of requesting:
- Restrictions on HEC Paris's processing (for example, that HEC Paris no longer contact a person who has taken a training course to propose similar offers or services);
- Post mortem management of data by drawing up advance directives. The User is informed that they have a right to formulate specific and general directives concerning the retention, erasure and disclosure of their data post mortem. This right can be exercised by an email to this address: firstname.lastname@example.org or by ordinary mail to this address: 1 rue de la libération, 78350 Jouy-en-Josas (France), mentioning "Droit des personnes - post-mortem" (Post mortem personal rights) and enclosing a copy of their proof of identity.
The User is informed that they have a right to data portability so that they can obtain and reuse their data for their own purposes in another IT environment. They can exercise this right by writing to HEC Paris, Correspondant à la protection des données, 1 rue de la libération, 78350 Jouy-en-Josas or by sending an email to email@example.com mentioning in the subject line "Droit des personnes - portabilité" (Personal rights - portability) and enclosing a copy of their proof of identity.
This portability right does not apply to all the processing carried out by HEC Paris, in particular when it is done in connection with HEC Paris's public service mission or its legal obligations. The User's request will be studied and implemented for the data able to benefit from this right only.
The User also has a right to lodge a complaint with the national data protection authority, which for France is the CNIL: COMMISSION NATIONALE DE L'INFORMATIQUE ET DES LIBERTÉS, 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
A list of the different European supervisory authorities can be found on the CNIL website.
In order to ensure the security of its data, HEC Paris implements a level of security appropriate and proportional to the risks involved by taking all useful precautions, whether they be physical, logical, administrative or organizational, in view of the nature of the data it collects, processes or transfers.
These measures include, mainly:
- Protection and access control at the HEC Paris Campus, its premises and server rooms;
- Protection of the accesses to the premises and server rooms;
- Backup data center off the HEC Paris campus;
- Filtered, secure internet access;
- Securing of interconnections with remote sites and access to the HEC services;
- Compartmentalized network with filtering rules between the different segments;
- Use of an SSL-type encryption protocol for the transmission of data between the terminals and servers of HEC Paris or its service providers;
- Regular backups replicated in the backup data center;
- Securing of hardware, servers and applications via specific accounts with regular inventories;
- Management of accreditations for accessing data, and only allowing necessary resources to access data;
- Separation of development/acceptance, pre-production and production environments;
- Control of workstations allowed to connect to the internal network.
HEC Paris has appointed a Data Protection Officer.
Anyone encountering any problems with the processing of personal data may contact the Data Protection Officer at this address firstname.lastname@example.org or by sending a letter to "HEC Paris, Déléguée à la protection des données, 1 rue de la libération, 78350 Jouy-en-Josas".
This confidentiality policy is liable to be amended or adapted at any time in the event of changes in the law, case law or usages.