Protection of personal data

1.Introduction

In compliance with the General Data Protection Regulations n°2016/679 and the French Data Protection Act of January 6, 1978 in the latest version, the following policy on the protection of personal data is designed to provide you with information on the treatment of your personal data within the framework of the use of the website accessible at https://www.ipag.edu/ (the « IPAG Group website» or the « Site») and the services it offers.

2.Definitions
The following terms shall have the meanings as between the Parties, whether in the plural or in the singular, as follows:

« Personal Data » ou « Data » : any information relating to an identified or identifiable natural person, directly or indirectly, within the meaning of the Regulation;
« Data Subject(s)» : means the person(s) who are the subject of the Processing of Personal Data;
« Regulation » : regulations in force in France, applicable to the Processing of Personal Data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "RGPD") and Law n°78-17 of 6 January 1978 known as « Informatique et Libertés »;
« Data Processor » : the natural or legal person who determines the means and purposes of a Processing of Personal Data within the meaning of the Regulation ;
« Processing » : any operation involving Personal Data, as defined in the Regulation;
« Transfer of Personal Data » : means any communication, copy or movement of Personal Data.

3. The Data Manager
The entity acting as the Data Controller in respect of the services provided via the IPAG Group Site is the Institut de préparation à l'administration et à la gestion (IPAG), a registered association, located at 184 boulevard Saint-Germain (75006) Paris, registered under the SIREN number 784280802, (hereinafter the « IPAG »).

4. A fair and transparent collection of your Data

In the interest of fairness and transparency, IPAG takes care to provide the Data Subjects with information about each Processing process that it applies.

This Data is collected fairly. No collection is carried out without the knowledge of the persons and without them being informed.

5. Legitimate and proportional use of your DataWhenever IPAG processes Personal Data, it does so for specific purposes: each Data Processing carried out pursues a legitimate, determined and explicit purpose.

For each of the Processes implemented, IPAG undertakes to collect and use only Data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

IPAG will ensure that the Data is kept up to date and will implement procedures to enable the deletion or rectification of inaccurate Data.

6. The Personal Data we processThe Data liable to be processed by IPAG are all the Data that you enter on the IPAG Group Site or when you communicate with IPAG, if applicable, and which are limited to those strictly necessary for the provision of the services offered on the IPAG Group Site, namely :

7. The legal bases and purposes of our Data ProcessingThe processing implemented by IPAG via the IPAG group website has the following purposes and legal bases:

FINAL PURPOSE	LEGAL BASIS
Management of relations with students, companies and alumni	IPAG's legitimate interests
Creation and management of the candidate area on the website	IPAG's legitimate interests
Management and follow-up of contact requests and brochure enquiries	IPAG's legitimate interests
Management and follow-up of recruitment requests	Pre-contractual measures
Management of apprenticeship tax payments	Legal requirements
Management and provision of webinars	IPAG's legitimate interests
Online registration for IPAG programmes and/or entrance exams	Pre-contractual measures
Improvement of the services offered on the site	IPAG's legitimate interests
Cookie management	IPAG's legitimate interests

Management of the video surveillance system.

8. Video protection systemIPAG also processes personal data through the implementation of its video protection system. To find out more, please consult the dedicated page here.

9. Data collectionThe Personal Data is obtained directly from the Data Subject or results from his or her use and navigation on the IPAG Group Site.

10. Recipients of your DataYour Personal Data may be communicated, according to their attributions and according to the purposes pursued, to the Recipients listed below:

Category of recipients of data	Recipients of data
Internal IPAG recipients	Admissions Department Digital Department General Service Students for the parts that concern them
Recipients external to IPAG	Company Ecritel hosting company Company Mink developer Applicants for the part that concerns them

We endeavour to ensure that only authorised persons have access to this Data. IPAG has a strict security policy which ensures that the Data it processes is only passed on to those authorised to have access to it.

11. Transfers of your Data

Certain treatments of Personal Data lead to Transfers outside the European Union, IPAG favours Transfers to countries that ensure an adequate level of data protection. Otherwise, Transfers are subject to appropriate safeguards to ensure the security of Personal Data and to allow you to exercise your rights and have effective remedies.

The latter may be based on an adequacy decision of the European Commission on the level of data protection of a country.

In the absence of an adequacy decision, Transfers are governed by the conclusion between the parties to the Transfer of standard data protection clauses approved by the European Commission.

12. The periods for which we retain your Data

IPAG ensures that Personal Data is kept in a form that allows the identification of Data Subjects only for as long as necessary for the purposes for which it is processed or to comply with legal or regulatory requirements.

The retention periods we apply to Personal Data are proportionate to the purposes for which they were collected.

Specifically, we organize our data retention policy as follows:

Purposes	Retention period
Recruitment management	The data is kept for two years from the last contact with the unsuccessful applicant.
Management of general accounting	The data is kept for the duration of the accounting year plus any legal requirements.
Management of the video surveillance and video protection system	Images are kept for 30 days. In case of disciplinary or criminal proceedings, the images are kept for the duration of the proceedings.

13. The security of Personal Data

IPAG attaches particular importance to the security of Personal Data.

It has put in place technical and organisational measures adapted to the degree of sensitivity of the Personal Data, in order to ensure the integrity and confidentiality of the latter and to protect them against any malicious intrusion, any loss, alteration or disclosure to unauthorised third parties.

Nevertheless, the security and confidentiality of Personal Data depend on the good practices of each individual, and the Data Subject is therefore invited to remain vigilant on this issue.

14. Subcontracting

Whenever IPAG resorts to a service provider, it only communicates Personal Data to the latter after receiving a commitment and guarantee on its ability to meet these security and confidentiality requirements.

We conclude contracts with our subcontractors in compliance with our legal and regulatory obligations, defining precisely the terms and conditions for the Processing of Personal Data by the latter, in accordance with the Regulation.

15. CookiesCookies are the subject of a Cookies Policy accessible here.

16. Your rightsIPAG is particularly concerned about respecting the rights granted to you in the context of the Data Processing it implements, in order to guarantee you fair and transparent Processing, taking into account the particular circumstances and context in which your Personal Data are processed.

16.1 Your access rights

In this respect, you have the right to obtain confirmation as to whether or not your Personal Data is being processed and where it is, you have the right to request a copy of your Data and information about:

The purposes of the Processing ;
The categories of Personal Data concerned;
The recipients or categories of recipients as well as, where applicable if such communication is to be made, the international organisations to which the Personal Data has been or will be communicated, in particular recipients who are established in third countries;
Whenever possible, the envisaged duration of storage of the Personal Data or, when this is not possible, the criteria used to determine this duration;
The existence of the right to ask the Controller to rectify or erase your Personal Data, the right to request a limitation of the Processing of your Personal Data, the right to object to the Processing;
The right to lodge a complaint with a supervisory authority;
Information about the source of the Data when it is not collected directly from you;
The existence of automated decision-making, including profiling, and in the latter case, relevant information about the underlying logic and the significance and intended consequences of such Processing for the Data Subjects.

16.2 Your right to rectify your Data

You can ask us to correct or complete your Personal Data if it is inaccurate, incomplete, ambiguous and/or out of date.

16.3 Your right to erase your Data

You may request the removal of your Personal Data in the cases provided for by the Regulation.

Your attention is drawn to the fact that the right to delete Data is not a general right and that it can only be granted if one of the reasons provided for in the applicable Regulation is present.

16.4 Your right to limit Data Processing

You may request the restriction of the Processing of your Personal Data in the cases provided for by the Regulation.

16.5 Your right to object to Data Processing

You are entitled to refuse at any time, on grounds relating to your particular situation, to a Processing of your Personal Data where the legal basis is the legitimate interest pursued by the Controller.

If you exercise such a right to object, we will ensure that we no longer process your Personal Data in connection with the relevant Processing unless we can demonstrate that we have compelling legitimate grounds for continuing such Processing. These grounds must be overriding your interests and rights and freedoms, or the Processing must be justified for the establishment, exercise or defence of legal claims.

16.6 Your right to the portability of your Data

You have the right to the transfer of your Personal Data. We would like to draw your attention to the fact that this is not a general right. Indeed, not all Data from all Processing are portable and this right only concerns automated Processing to the exclusion of manual or paper Processing.

This right is limited to Processing whose legal basis is your consent or the performance of pre-contractual measures or a contract.

This right does not include derived or inferred data, which are Personal Data created by IPAG.

16.7 Your right to withdraw consent

Where the Data Processing we carry out is based on your consent, you may withdraw it at any time. We will then stop processing your Personal Data without affecting the previous operations to which you have consented.

16.8 Your right to redress

You have the right to lodge a complaint with the Cnil (3 place de Fontenoy 75007 Paris) on French territory, without prejudice to any other administrative or legal remedy.

16.9 Your right to define post-mortem directives

You have the possibility of defining particular directives relating to the conservation, the erasure and the communication of your Personal Data after your death according to the methods defined hereafter. These particular directives will only concern the Processing implemented by us and will be limited to this perimeter.

You may also, when this person has been designated by the executive authority, define general directives for the same purposes.

16.10 Exercise your rights

All the rights listed above can be exercised at the following e-mail address dpo@ipag.fr or by post at the following address

IPAG BUSINESS SCHOOL
Data Protection Officer
184, boulevard Saint-Germain
75006 PARIS

In order to exercise your rights, you must prove your identity by any means. In case of doubt about your identity, IPAG may request additional information that appears necessary, including a photocopy of an identity document bearing your signature.

Amendment to this document
We encourage you to regularly consult this policy on the IPAG Group website. It may be revised from time to time.

Version 2.0
Date 21/09/2022