GGE Branded Generic Image (lara)

Personal Data Policy

1. Introduction

  1. As part of its activities, the Galileo Global Education Group collects and processes personal data.
  2. Committed to fostering innovation while building a lasting relationship of trust based on respect for individual rights and freedoms, the Institutions strive to implement the necessary technical and organizational measures to protect the personal data they process.
  3. The primary objective of this policy is to compile, in a concise, transparent, comprehensible, and easily accessible format, information regarding data processing to help you understand under what conditions your data is processed, what your rights are in this regard, and to present the Institutions’ commitments.

 

2. Who are we?

  1. The Galileo Group is a company with a capital of €127,691,775, registered with the Paris Trade and Companies Register under the SIREN number 752 994 566 RCS. Its registered office is located at 41 rue Saint Sébastien, 75011 Paris.

 

3. Data Protection Officer and Representative

  1. The Galileo Group has appointed a shared Data Protection Officer (DPO) for all its entities and schools. The DPO's contact details are:
    • Address: 41 rue Saint Sébastien, 75011 Paris
    • Designation: Data Protection Officer (DPO)
    • Email: dpo@ggeedu.fr
  2. To facilitate communication with the DPO, a Data Protection Representative ("DPO Representative - DDPO") has been designated in each Institution of the Group.

The DPO and the Data Protection Representatives of the Institutions are responsible for advising, informing, and ensuring compliance with data protection regulations.

 

4. Fair and Transparent Data Collection

  1. To ensure transparency, the Institutions take care to inform individuals about each data processing activity concerning them.
  2. These data are collected fairly. No data is collected without the knowledge of individuals or without them being informed.

 

5. Purpose Principle

  1. When the Institutions process data, they do so for specific purposes: each data processing activity is carried out for a legitimate, determined, and explicit purpose.

 

6. Proportional Data Processing

  1. For each processing activity, the Institutions commit to collecting and using only adequate, relevant, and limited data necessary for the intended purposes.
  2. The Institutions ensure that the data is updated when necessary and implement procedures for the deletion or correction of inaccurate data.

 

7. Personal Data We Process

  1. As part of the personal data processing activities outlined below, the Institution collects and processes the following categories of data:
  • Identification data such as name(s), first name(s), date of birth, and nationality of the individuals concerned.
  • Education-related data such as academic background or information related to educational projects.
  • Economic and financial information such as details regarding financing methods.
  • Personal life data such as home address, phone number, and email address.
  • Where applicable, professional data such as occupation, employer, professional contact details, and work experience.
  1. In general, the Institution does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also does not process genetic data, biometric data intended to uniquely identify an individual, or data concerning an individual's sex life or sexual orientation.
  2. However, in exceptional cases, the Institution may collect health-related data, particularly regarding disabilities, to adapt the practical modalities of training services. Additionally, biometric data may be collected for access control management.

 

8. Source of the Data We Process

 

8.1 Declarative Personal Data

  1. These are personal data that you provide mainly in the context of:
  • Your interactions with the Institution, particularly during fairs, forums, high school events, or open days.
  • Entering into a contract with the Institution.
  • Creating a personal file with the Institution.
  • Surveys conducted among the concerned individuals.
  1. These data are mainly collected through our forms, as well as paper and electronic questionnaires.

 

8.2 Personal Data from Third Parties or Other Services

  1. Personal data may also come from:
  • Your browsing on the websites of schools.
  • Other schools within the Galileo Group or partner institutions.
  • Lead providers.
  • Your employer (if applicable).
  • Public organizations.

 

9. Legal Bases and Purposes of Our Data Processing

  1. The data processing carried out by the Institution and, more broadly, by the Galileo Group is necessary for the execution of a contract or pre-contractual measures requested by the individual. This applies to processing activities with the following purposes:
  • Managing and tracking registration for a competition or a training program.
  • Managing and tracking training; in this context, for hybrid learning programs, courses may be recorded and broadcast to all students attending remotely. They may also be subject to recordings.
  • Recording and processing the provision of training services.
  • Administrative and financial management of training.
  1. The following processing activities are carried out to fulfill legal and regulatory obligations of the Institution, such as:
  • Actions related to education and training.
  • Necessary adjustments in training programs for individuals with disabilities.
  • Enforcing individuals’ rights under data protection regulations.
  • Accounting and tax management.
  1. The following processing activities are carried out to serve the legitimate interests of the Institution, in particular:
  • Managing prospecting for the Institution or any other school within the Galileo Group.
  • Conducting marketing studies and internal statistics.
  • Promoting the educational programs offered by the Institution.
  • Managing surveys.
  • Organizing events.
  • Analyzing and measuring website traffic.
  • Managing alumni and developing the school’s network; as a former student, you may receive communications regarding this.
  1. The Institution relies on the consent of the individuals concerned for data processing activities that do not fall under the legal bases of legitimate interest, legal and regulatory obligations, or contractual necessity.

 

10. Recipients of Your Data

  1. The personal data we collect, as well as any data collected later, is intended for us in our capacity as data controller.
  2. The following categories of recipients may also have access to your data:
  • Staff members of the Institution, other schools within the Galileo Group, and Galileo Group staff, particularly for managing prospective candidates. If applicable, this also includes staff members of partner institutions.
  • Our potential subcontractors.
  • Public or private organizations to comply with our legal obligations.
  • Ranking organizations to promote the school’s reputation.
  1. We ensure that only authorized personnel have access to these data. The Institution applies strict authorization policies, ensuring that processed data are only transmitted to those who are explicitly authorized to access them.

 

11. Transfers of Your Data

  1. The personal data processed by the Institution may, in some cases, be transferred to countries within or outside the European Union.
  2. If processing occurs outside the European Union, including remote access, the Institution commits to implementing safeguards to ensure the protection and security of this information, in accordance with applicable regulations.
  3. You may request information on the list of data transfers and the safeguards in place by contacting the DPO at dpo@ggeedu.fr.

 

12. Data Retention Periods

  1. The Institution ensures that personal data are retained in an identifiable form only for the time necessary to fulfill the intended purposes.
  2. The data retention periods applied are proportional to the purposes for which they were collected.
  3. Specifically, our data retention policy is as follows:
  • Data collected for prospect management: Up to 3 years.
  • Data collected and processed as part of educational training: Up to 10 years.
  • Data processed for graduation purposes: Up to 50 years.
  • The Institution reserves the right to retain your data beyond the above-mentioned periods if required due to legal or regulatory obligations.

 

13. Data Security

  1. The Galileo Group places a high priority on the security of personal data.
  2. Technical and organizational measures are implemented to ensure that data is processed securely, protecting it from loss, destruction, or accidental damage that could compromise its confidentiality or integrity.
  3. During the development, design, selection, and use of various tools that process personal data, the Institution ensures they offer an optimal level of data protection.
  4. The Institution implements measures that comply with the principles of data protection by design and by default. When necessary, it employs pseudonymization or encryption techniques to enhance data security.

 

14. Subcontracting

  1. When engaging a service provider, the Institution only shares personal data after obtaining a commitment from the provider, ensuring compliance with security and confidentiality requirements.
  2. Contracts with subcontractors strictly define the conditions and methods for processing personal data in accordance with legal and regulatory obligations.
  3. Additionally, the Galileo Group conducts or commissions audits of its own services as well as those of its subcontractors to verify compliance with data security regulations.

 

15. Your Rights

  1. The Institution is particularly committed to respecting the rights granted to you regarding the processing of your personal data. It ensures that data processing is fair and transparent, considering the specific circumstances and context in which your personal data is processed.

 

15.1 Your Right of Access

  1. You have the right to confirm whether your personal data is being processed. If it is, you may request a copy of your data and obtain the following information:
  • The purposes of the processing.
  • The categories of personal data concerned.
  • The recipients or categories of recipients who receive your data, including any international organizations or third countries to which the data has been or will be transferred.
  • Where possible, the retention period of personal data or, if not possible, the criteria used to determine that period.
  • The existence of the right to request rectification, erasure, restriction of processing, or to object to such processing.
  • The right to file a complaint with a regulatory authority.
  • Information about the source of the data when not collected directly from the individual concerned.
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and consequences of such processing for the individual.

 

15.2 Your Right to Rectification

  1. You have the right to request that your personal data be corrected or completed if it is inaccurate, incomplete, ambiguous, or outdated.

 

15.3 Your Right to Erasure ("Right to be Forgotten")

  1. You may request the deletion of your personal data if one of the following conditions applies:
  • The data is no longer necessary for the purposes for which it was collected or processed.
  • You withdraw your previously given consent.
  • You object to the processing of your personal data when there is no overriding legitimate reason for the processing.
  • The processing of personal data does not comply with applicable laws and regulations.
  1. The right to erasure is not absolute and can only be granted if one of the regulatory conditions is met. If the Institution is legally required to retain your data due to regulatory or judicial obligations, your request for deletion may be denied.
     
  2. Your Right to Restrict Processing. You may request the restriction of processing of your personal data under the conditions set by applicable laws and regulations.

 

15.4 Your Right to Object to Data Processing

  1. You have the right to object at any time, for reasons related to your specific situation, to the processing of your personal data when the legal basis for processing is the legitimate interest pursued by the data controller (see the section above on the legal basis for processing).
  2. If you exercise this right to object, we will ensure that we stop processing your personal data in relation to the concerned processing activity, unless we can demonstrate compelling legitimate grounds for maintaining the processing. These grounds must override your interests, rights, and freedoms, or the processing must be necessary for the establishment, exercise, or defense of legal claims.
  3. You have the right to object to direct marketing, including profiling to the extent that it is related to such marketing.
  4. Regarding direct marketing, you may refuse to receive marketing communications via postal mail or phone calls from the Institution.
  5. For email, SMS, or MMS marketing, the Institution may send communications only if you have given your prior consent at the time of data collection. However, you may unsubscribe at any time by clicking the unsubscribe link in the email or replying STOP to the number indicated in the message received.

 

15.5 Your Right to Data Portability

  1. You have the right to request data portability of your personal data. However, this is not a general right and applies only to automated processing, excluding manual or paper-based processing.
  2. This right is limited to processing activities where the legal basis is your consent or the execution of pre-contractual measures or a contract.
  3. It does not include derived or inferred data, which are personal data created by the Institution or the Galileo Group.
  4. The data covered by this right includes:
  • Only your personal data, excluding anonymized data or data that does not concern you.
  • Declarative personal data and operational personal data as previously described.
  1. The right to data portability must not infringe upon the rights and freedoms of third parties, such as those protected by trade secrets.
  2. You may request data portability following the procedure defined below, specifying whether you wish to receive the data yourself or, if technically possible, have us transmit it directly to another data controller.
  3. In the latter case, you must provide the exact name, contact details, and the relevant department or recipient of the new data controller. To facilitate this process, you must inform the recipient about your request with our services.

 

15.6 Your Right to Withdraw Your Consent

  1. If the processing of your data is based on your consent, you may withdraw it at any time. We will then stop processing your personal data without affecting previous processing activities for which you had given consent.

 

15.7 Your Right to File a Complaint

  1. You have the right to file a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at 3 Place de Fontenoy, 75007 Paris, in France. This right applies without prejudice to any other administrative or judicial remedies.

 

15.8 Your Right to Define Post-Mortem Directives

  1. You have the option to establish specific instructions regarding the retention, deletion, and communication of your personal data after your death. These instructions can be submitted to our services under the conditions defined below. These directives will apply only to processing activities carried out by us and will be limited to this scope.
  2. Additionally, if a general directive is designated by the government, you may define general instructions for the same purposes.

 

15.9 How to Exercise Your Rights

  1. All the rights listed above can be exercised by providing proof of your identity and contacting the DDPO (Data Protection Representative) of the Institution, who is responsible for personal data protection.
  2. The DDPO will then forward your requests to the DPO (Data Protection Officer) of the Galileo Group for processing.

 

15.10 Changes to This Document

  1. We encourage you to regularly review this policy on our website, as it may be updated periodically.