Data Protection Policy
Page last updated on 16/04/2025
1. Introduction and Scope
1.1 Considering that the protection of personal data is a fundamental right for all individuals, and considering that the Business Science Institute (hereinafter referred to as “the Institution”) processes such data as part of its educational, administrative, and research activities, this Data Protection Policy (hereinafter referred to as “the Policy”) is hereby established.
1.2 This Policy applies, without limitation, to any processing of personal data carried out by the Institution, whether such processing is performed wholly or partly by automated means, and whether or not such data form part of, or are intended to form part of, a filing system.
1.3 The territorial scope of this Policy extends to all premises of the Institution and to all data processing activities carried out on behalf of the Institution, regardless of the geographical location of such processing.
1.4 The Institution hereby affirms its commitment to maintaining the confidentiality of users’ personal data in accordance with the General Data Protection Regulation (GDPR).
2. Legal Framework and Definitions
2.1 For the purposes of this Policy, and in accordance with applicable data protection legislation, the following definitions apply:
(a) “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
(b) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
(c) “Controller” means the Institution which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(d) “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
(e) “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. Legal Information
3.1 The following legal information relates to the Institution:
(a) Corporate name: BSI Luxembourg ASBL
(b) Legal form: Non-profit association
(c) Registered office: Château de Wiltz, L-9516 Luxembourg
(d) Registration number: F9655
(e) National identification number: 2013 6102 436
(f) Publication director: Michel Kalika
(g) Contact: president@business-science-institute.com
3.2 The Institution’s website is hosted by OVH SAS, located at 2 Rue Kellermann, 59100 Roubaix, France.
4. Principles Relating to the Processing of Personal Data
4.1 The Institution hereby affirms its commitment to respecting the following principles in all its data processing activities:
(a) Personal data must be processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness, transparency”);
(b) Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (“purpose limitation”);
(c) Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organisational measures as required by law (“storage limitation”);
(f) Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
4.2 The Institution is responsible for compliance with the above principles and must be able to demonstrate such compliance (“accountability”).
5. Collection of Personal Data
5.1 The Institution collects personal data in the following circumstances:
(a) When users browse any of the Institution’s websites (anonymised IP address);
(b) When users subscribe to the monthly newsletter (email address only);
(c) When users register for a webinar (full name, address, industry);
(d) When users request to download a brochure (full name, email address, phone number);
(e) When users make a purchase on the Institution’s e-commerce site (full name, address, email address, phone number);
(f) When users submit an application (identity information, professional background information).
5.2 For each type of data collection, the Institution clearly identifies and documents the legal basis for processing, which may be:
(a) The explicit consent of the data subject;
(b) The performance of a contract to which the data subject is party;
(c) Compliance with a legal obligation to which the Institution is subject;
(d) Protection of the vital interests of the data subject;
(e) Performance of a task carried out in the public interest;
(f) The legitimate interests pursued by the Institution, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
6. Use of Personal Data
6.1 Depending on the form used, the collected information may be used to:
(a) Personalize the user experience;
(b) Improve the Institution’s website;
(c) Enhance customer service and support needs;
(d) Share information about the Institution’s activities;
(e) Send links to attend webinars and follow-up materials (replay link, PDF support);
(f) Send the brochure and all relevant registration information;
(g) Deliver purchased products;
(h) Process enrollment in the Institution’s programs.
7. Technological Systems and Data Processing Operations
7.1 The Institution uses various technological systems in the course of its operations involving personal data processing, including but not limited to:
7.1.1 Zoom Video Communications Platform
(a) Used to facilitate virtual education, meetings, conferences, and seminars.
(b) Personal data processed may include names, email addresses, profile pictures, audiovisual recordings (when enabled per institutional policy), chat messages, attendance logs, and attention tracking metrics.
(c) Appropriate contractual arrangements have been made with Zoom Video Communications, Inc., acting as a data processor, to ensure compliance with data protection laws.
7.1.2 Centralized Database Management System
(a) Maintains student records, academic progress, and research results.
(b) Access is strictly controlled via role-based access controls and authentication mechanisms.
(c) Technical and organizational measures, including encryption and audit logging, are in place to safeguard data integrity and confidentiality.
7.1.3 Customer Relationship Management (CRM) System
(a) Used to manage relationships with prospective students, academic partners, and other stakeholders.
(b) Personal data in the CRM system is subject to retention policies ensuring data is not kept longer than necessary.
(c) The CRM system includes data minimization features to collect and process only necessary personal data.
7.1.4 Newsletter and Electronic Communications
(a) Newsletters and communications are sent to individuals who have given explicit consent or where another legal basis exists.
(b) All communications include a clear and visible opt-out mechanism.
(c) Consent records and preference management are maintained per e-privacy regulations.
(d) MailChimp is used to send newsletters. Personal data (name, surname, email) is shared with MailChimp, acting as a processor under GDPR compliance.
7.1.5 Moodle Online Learning Platform
(a) Used to deliver courses, track student progress, and conduct assessments.
(b) Personal data may include names, email addresses, login data, activity records, assessment results, and user communications.
(c) Access is restricted to enrolled students, authorized faculty, and staff, each with role-based access rights.
7.1.6 Google Suite and Dropbox
(a) Used for file storage and email management (Gmail, Google Drive, Google Docs, etc.).
(b) Data processing agreements compliant with GDPR have been signed with Google LLC and Dropbox Inc.
(c) Access to data is limited to authorized staff, with tiered access based on responsibilities.
7.1.7 Tripetto for Website Forms
(a) Used to create and manage website forms.
(b) Data collected is processed according to specified purposes and is accessible only to authorized personnel.
(c) Tripetto acts as a data processor and processes data in compliance with GDPR.
7.1.8 YouTube for Video Broadcasting
(a) Used to publish educational and promotional videos.
(b) YouTube is embedded with enhanced privacy settings when possible to protect user data.
(c) Users are informed that accessing YouTube videos may result in data processing by Google LLC.
7.1.9 Diploma Authenticity Verification Platform
(a) Used to allow public verification of diplomas issued by the Institution.
(b) Processes only necessary data (diploma number, graduate name, date of issuance) without revealing additional personal information.
(c) Appropriate security measures ensure only essential verification information is publicly accessible.
8. Privacy and Disclosure of Personal Data
8.1 Personal information collected will not be sold, exchanged, transferred, or provided to any third party for any reason without the consent of the data subject, except when necessary to fulfill a request or transaction, such as for shipping an order.
8.2 The Institution will not sell, exchange, or transfer personal information to third parties.
8.3 This does not include trusted third parties who assist the Institution in operating its website or conducting its activities, provided these parties agree to keep the information confidential.
8.4 In the case of international data transfers, the Institution ensures that:
(a) The destination country provides an adequate level of protection recognized by a decision of adequacy from the European Commission;
(b) Alternatively, appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission, binding corporate rules, or other certified mechanisms;
(c) Complete documentation of these safeguards is maintained and can be provided upon request to the data subjects or the supervisory authority.
9. Rights of Data Subjects and Their Exercise
9.1 In accordance with the GDPR, data subjects have the right to access, rectify, and erase their personal data.
9.2 Data subjects can exercise these rights by contacting the Institution at contact@business-science-institute.com.
9.3 The Institution commits to responding to any request to exercise rights within one month of receiving the request. This period may be extended by an additional two months if necessary, considering the complexity and number of requests.
9.4 In addition to the rights mentioned above, data subjects also have:
(a) The right to restrict processing;
(b) The right to data portability;
(c) The right to object to processing, including for direct marketing purposes;
(d) The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or significantly affects them.
9.5 When a data subject exercises any of their rights, the Institution keeps a detailed record of the request, the actions taken to address it, and the date of response.
10. Data Retention Period
10.1 The Institution retains personal data only for as long as necessary to fulfill the purposes for which it was collected.
10.2 The following retention periods apply:
(a) Data related to user accounts and interactions on the website is kept for 3 years from the last activity by the data subject (login, purchase, click on a link in an email sent by the Institution, etc.);
(b) Data related to website browsing is kept for 13 months;
(c) Data related to transactions, including contact information and invoices, is kept for 10 years in accordance with legal requirements.
10.3 Beyond these periods, personal data is either deleted or retained in anonymized form, particularly for statistical purposes. In such cases, the data can no longer be used for any form of exploitation.
10.4 A processing activity register is maintained, including for each data category:
(a) The purpose of the processing;
(b) The specific retention period;
(c) The criteria used to determine this period;
(d) The procedures for deletion or anonymization applied at the end of the retention period.
11. Data Security Measures
11.1 The Institution implements a variety of measures to ensure the security of personal information. All data exchanged between the Institution’s website and users’ browsers is encrypted (SSL certificate).
11.2 The Institution also protects data when stored on its servers. Only support team members who need to perform specific tasks (e.g. billing or customer service) have access to personally identifiable information.
11.3 Computers and servers used to store personal information are kept in a secure environment.
11.4 The Institution has established strict measures to prevent data breaches, including:
(a) Least privilege principle: only authorized personnel have access to the data they strictly need for their duties;
(b) Individual authentication: each staff member has their own access credentials, prohibiting account sharing;
(c) Access logging: all access to systems containing personal data is logged to facilitate investigations in case of incidents;
(d) Regular access rights review: access privileges are regularly audited and updated based on changes in responsibilities;
(e) Staff training: all staff members receive regular training on data security and privacy best practices;
(f) Incident response procedures: clear procedures are in place to respond quickly and effectively to any data security incident.
11.5 Data Breach Notification Procedure
11.5.1 The Institution has a specific procedure for managing and notifying personal data breaches in accordance with GDPR requirements.
11.5.2 Definition of a data breach:
(a) A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
11.5.3 Internal procedure:
(a) Any staff member who detects or suspects a data breach must immediately inform the Data Protection Officer (DPO) by phone and email;
(b) The DPO coordinates an incident response team including representatives from IT, legal, and communications departments;
(c) The team conducts an initial assessment to determine whether a breach occurred and, if so, its nature, scope, and potential risks to the data subjects;
(d) Immediate measures are taken to contain the breach and mitigate its impact, while preserving evidence.
11.5.4 Notification to the supervisory authority:
(a) If the breach is likely to result in a risk to the rights and freedoms of data subjects, the DPO notifies the competent supervisory authority (CNIL) within 72 hours of becoming aware of it;
(b) The notification includes:
(i) A description of the nature of the breach, including the categories and approximate number of data subjects and data records affected;
(ii) The name and contact details of the DPO;
(iii) A description of the likely consequences of the breach;
(iv) A description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.
11.5.5 Communication to data subjects:
(a) If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the Institution will notify the affected individuals without undue delay;
(b) This notification clearly and simply describes the nature of the breach and includes at least the information outlined in 11.5.4(b)(ii), (iii), and (iv);
(c) Notification may be waived if:
(i) The Institution has implemented appropriate technical and organizational protection measures (e.g. encryption) rendering the data unintelligible;
(ii) The Institution has taken subsequent measures ensuring the high risk is no longer likely to materialize;
(iii) It would involve disproportionate effort, in which case a public communication or similar measure will be used.
11.5.6 Breach documentation:
(a) All personal data breaches, including facts related to the breach, its effects, and remedial actions taken, are documented;
(b) This documentation is retained for at least 5 years and may be provided to the supervisory authority upon request.
12. Cookie Policy
12.1 Definition and types of cookies used:
(a) A cookie is a small text file placed on the user’s device during their visit to the Institution’s website;
(b) The Institution uses several types of cookies:
(i) Strictly necessary cookies: essential for the functioning of the website;
(ii) Preference cookies: store user choices;
(iii) Analytical cookies: help understand how users navigate the site;
(iv) Marketing cookies: used to track visitors and display relevant advertisements.
12.2 Consent and cookie management:
(a) On the first visit, an information banner appears to inform the user about cookie usage and to obtain explicit consent;
(b) Users can change their cookie preferences at any time via the “Manage my cookies” link at the bottom of each page;
(c) Refusing non-essential cookies does not prevent access to the site’s core functionalities.
12.3 Cookie retention periods:
(a) Strictly necessary cookies: session duration;
(b) Preference cookies: 6 months;
(c) Analytical cookies: 13 months;
(d) Marketing cookies: 13 months.
12.4 Third-party cookies:
(a) The Institution allows certain third parties to place cookies on the user’s device, including:
(i) Google Analytics for web traffic analysis;
(ii) YouTube for video playback;
(iii) MailChimp for email tracking;
(b) These third parties are contractually bound to ensure the protection of data collected via cookies;
(c) The Institution ensures these third parties comply with GDPR requirements, especially for international data transfers.
12.5 Data collected and purposes:
(a) For each cookie type, the Institution specifies:
(i) The specific data collected;
(ii) The exact purpose of the collection;
(iii) The data recipients;
(iv) The retention period.
(b) A summary table of this information is kept up to date and made available to users via the website’s “Cookie Policy” page.