Skip to main content

Privacy Policy

Personal Data Protection Charter

Why is this Charter important?

Your privacy is a priority for INSEAD. We are committed to protecting the personal data of our customers, prospects and online users (hereinafter “you”), to processing it with the utmost care and ensuring it has the best level of protection in accordance with Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“the GDPR”) and the Law of 6 January 1978 as amended (hereinafter “French law”).

This charter informs you about:

  • The personal data we collect about you and the reasons for that collection,
  • The conditions for use of your personal data,
  • Your rights over your personal data and how to exercise them

INSEAD operates this website, accessible to the public at the URL address https://www.knowledge.insead.edu (hereinafter “the Site”).

During your browsing and interaction with the Site or with INSEAD, INSEAD may need to collect and process personal data about you, in the capacity of data controller.

Glossary of the main legal terms used in this charter

Terms frequently used in this Charter

Definitions provided by the GDPR

Explanations of terms in everyday language

Personal data (hereinafter “personal data”)

Any information relating to an identified or identifiable natural person (hereinafter a "data subject"); an "identifiable natural person" is considered to be a natural person who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or one or more elements specific to his/her physical, physiological, genetic, psychic, economic, cultural or social identity.

All types of information relating to a natural person, i.e. an individual, directly or indirectly identifiable as a person distinct from other persons.

 

For example: a name, a photo, a finger print, an email address, a telephone number, a social security number, an IP address, a voice recording, your browsing data on a website, data linked to an online purchase, etc. 

Data protection officer

The notion of data protection officer is not defined by the GDPR.

The data protection officer (DPO) is responsible within the company for compliance with the GDPR and applicable national laws as well as our policies and practices for managing your personal data. He/she is also responsible for liaising with the supervisory authorities. The DPO is your first point of contact for any request concerning your personal data.

Processing

Any operation or group of operations whether or not they are carried out with the aid of automated processes and applied to data or personal data sets, such as the collection, recording, organisation, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

Any use of personal data, regardless of the process used (recording, organising, conservation, modification, reconciliation with other data, transmission, etc. of personal data).

 

For example, use of your data for the purposes of order management, delivery, sending newsletters, etc.

Data controller

The natural person or legal entity, the public authority, the agency or other body which, alone or in conjunction with others, determines the processing purposes and methods.

The person, public authority, company or organisation which manages your data and decides how it is used, including deciding whether to create or delete a process and determining why your data will be processed and to whom it will be transmitted. The data controller is the main party responsible for compliant protection of your data.

Subcontractor

The natural person or legal entity, public authority, agency or other body which processes personal data on behalf of the controller;

Any natural person or legal entity that carries out processing tasks on the instructions and under the responsibility of the data controller.

Who is responsible for use of your data in the framework of your relationship with our departments?

The data controller responsible for processing your personal data is INSEAD, an Association Loi de 1901 (a non-profit association under French law) and a private higher education institution whose registered office is at Boulevard de Constance, 77305 Fontainebleau Cedex, France, declared to the prefecture of Paris, France, under number 59/849 on 28/08/1959, tel: 01.60.72.40.00, email address: [email protected] (hereinafter “INSEAD” or “us”).

INSEAD has appointed a data protection officer in the person of Erika Gudjonson. She is particularly responsible for independently ensuring internal application of the rules governing protection and management of your data and liaison with the supervisory authorities. Here are the contact details for Erika Gudjonson:

Mrs Erika Gudjonson

INSEAD
Department of Legal Affairs
Boulevard de Constance
77305 Fontainebleau
France

Why do we collect your personal data and on what grounds?

We collect personal data about you for various reasons.

In general terms, INSEAD collects and uses your personal data to function effectively and optimise your experience with its departments. Generally, this processing is necessary for:

  • the management, processing and tracking of your requests for the attention of INSEAD, with some of these operations being necessary to perform contractual or pre-contractual measures taken at your request (as part of a job application or a training programme or following a request to register for an event);
  • to pursue INSEAD’s legitimate interests in the framework of management and supervision of admissions to our training programmes, the management and organisation of its prospecting, canvassing and communication operations and marketing generally;

You should also be aware that we can only collect and use your personal data if that use is based on one of the legal grounds determined by the GDPR (e.g. your consent or performance of a contract concluded with us).

The table below specifically lists the purposes for use of your personal data by INSEAD, based on one or more of the following legal grounds:

  • Your consent
  • Performance of a contract concluded with you
  • Compliance with a legal obligation
  • Safeguarding your vital interests
  • Performance of a public service mission
  • Legitimate interests of INSEAD in collecting your personal data.

 

Purposes of collecting your personal data

1. Information exchange

Management, processing and monitoring of your requests and exchanges with INSEAD by means of or initiated via the Site and INSEAD's relations with its contacts (, web-users, etc.) generally. 

2. Site management

 

Management of the Site, including:

  • access to and benefit of the Site functionalities;
  • understanding and study of users’ use of the Site and their browsing behaviour in order to improve our online communications;
  • improvement of optimisation of Site content quality and functionalities;
  • Site administration, particularly for the purposes of security, and for identification and diagnostic of problems which may affect Site servers;
  • completion and preparation of studies, analyses, reports and statistics, particularly concerning the Site audience or users’ browsing of the Site;
  • management and processing of requests from Site users and, more generally, INSEAD's contacts, in order to exercise their personal data protection rights. 

As long as you are not signed in, INSEAD collects site management data only in aggregate.

3. Laws and regulations

Compliance with legal and regulatory obligations, particularly resulting from INSEAD's activity.

 

What personal data do we collect?

Your personal data is particularly collected and processed, entirely or partially, when you browse the Site and enter information in its data collection forms (brochure requests, registration for events, applications for our training programmes, etc.) and, more generally, in the framework of your relations and exchanges via the Site and subsequent (online or offline) communication with INSEAD.

Generally, your data is therefore collected directly from you under the circumstances mentioned below.

In addition to that information, you are informed that the data we collect and process about you may be enhanced by us via information sources (other web platforms provided by INSEAD, rental of files, recommendations or information from third parties, etc.).

Furthermore, more specifically in relation to the information processed in this respect by our recruitment operations, we use the information you send us by email to incorporate into our file of applicants (CV library). However, we may also contact third parties (e.g. recruitment agencies, previous employers, internship supervisors or clients you have worked with in previous roles) to collect information about you in order to study your application.

Within the Site, you are informed of the compulsory nature of providing your personal data on each collection form by the presence of an asterisk alongside the relevant field(s). Where no asterisk is present, the requested information is optional.

If the compulsory information is not entered, the request associated with that collection of personal data (e.g. brochure request, registration for an event, application for a training programme, etc.) may not be able to be processed or its processing may be delayed.

In respect of optional information requested, they are generally designed to provide us with a better knowledge of Site users and their preferences. INSEAD encourages users to provide this information in order to help ensure that the contents of our Site remain relevant to your interests and needs.

We may transmit your personal data to INSEAD affiliates. Since we wish to be as transparent as possible, below you will find a list of INSEAD affiliates with whom we share your data and their locations.

 

Recipients involved in sharing your personal data

Location of recipients

Representatives and branches of INSEAD in France

France

Representatives and branches of INSEAD around the world

INSEAD, 1 Ayer Rajah Avenue, Singapore 138676

INSEAD, 4th Street, Muroor Road, P.O. Box No. 48049, Abu Dhabi, United Arab Emirates

INSEAD Middle East Campus in Abu Dhabi 

Al Khatem Tower, ADGM Square, Al Maryah Island

PO Box 48049, Abu Dhabi, United Arab Emirates

 

INSEAD NORTH AMERICA, c/o Bencivenga Ward & Company, CPAs, PC

420 Columbus Avenue

Suite 304, Valhalla NY 10595-1381

USA

Any of our service providers and contractual and commercial partners that may be involved in processing the above-mentioned personal data may have access to your personal data.

With public authorities, in response to legal requests, including to respond to national security requirements or application of the law.

In the context of a transaction, such as a merger, acquisition, consolidation or sale of assets, we may need to share your personal data with buyers or sellers.

How long do we keep your personal data?

INSEAD has determined precise rules concerning how long we retain your personal data. This length of time varies depending on the different purposes and must take into account any legal obligations to retain some of your data.

The retention time within INSEAD has been defined to allow us to process your requests (brochures, contacts, registration for an event, job application or registration for a training programme, etc.), manage and monitor them and/or complete our prospecting, canvassing loyalty-building, communication and marketing operations, while complying with the principle of proportionality according to which personal data must not be retained for longer than necessary to fulfil the purpose for which it was collected.

It is nevertheless specified that all of this data may be retained for longer than the lengths of time mentioned in this article:

  • either with your consent;
  • or in the form of archives, to respond to any legal or regulatory obligations applicable to INSEAD or for the legal limitation or objection periods.
  • or in the form of data reused for the purposes of logs, statistics or research.

Hyperlinks to external sites

This Site includes links to third-party websites. Those sites are not managed or updated by INSEAD and are therefore not covered by this charter. INSEAD does not have any control over the content of those websites, nor over their confidentiality policies, their use of personal data, use of cookies, or the way in which they collect, process and store that data. You are therefore advised to consult the terms and conditions for collecting and using personal data established by those external sites before sending them any information.

What are your rights over your personal data and how can you exercise them?

We wish to inform you as clearly as possible of your rights over your personal data. We would also like to make it as easy as possible for you to exercise those rights.

Below you will find a summary of your rights with a description of how to exercise them.

What are your rights over your personal data and how can you exercise them?

We wish to inform you as clearly as possible of your rights over your personal data. We would also like to make it as easy as possible for you to exercise those rights.

You can ask us to access all of the following information concerning:

  • The categories of personal data we collect about you,
  • The reasons we use it,
  • The categories of persons to whom your personal data has been or will be communicated, particularly persons located outside Europe,
  • The length of time we retain your personal data in our systems,
  • Your right to ask us to correct or delete your personal data or limit the use we make of your personal data and your right to object to that use,
  • Your right to file a complaint with a European data protection authority,
  • Information concerning their source, when we have not collected your personal data directly from you,
  • The way in which your personal data is protected when it is transferred to non-European countries.

To do this, please simply contact us via email at the address [email protected], with the subject line “access right: personal data”, attaching a copy of your identity document showing your signature as well as a brief description of the information you want to accessUnless you indicate otherwise, you will receive the information requested free of charge in electronic format within one month of receipt of the request, two months in the case of a request requiring more in-depth research

If you are unable to access your information by email, you can send us your request by post at the following address:

INSEAD
Boulevard de Constance,
77305 Fontainebleau,
France

In the case of a written request, it must be signed and accompanied by a copy of your identity document bearing your signature. The request must specify the address to which the response should be sent. A response will then be sent to you within one month following receipt of the request, two months in the event of a request requiring more in-depth research or in the event that INSEAD receives an excessive number of requests.

You can ask INSEAD to correct and/or update your personal data.

You simply need to send an email to [email protected] stating your full name and with the subject line “correction right: personal data”, along with a copy of your identity document showing your signature

Also do not forget to indicate the reason for contacting us in the body of your email, i.e. correction of inaccurate information and the information to modify, with proof of the correct information where relevant and if you have it.

You can also exercise this right by sending us a letter to the following address: INSEAD, Boulevard de Constance, 77305 Fontainebleau, France. Your written request must be signed and accompanied by a copy of your identity document bearing your signature. The request must specify the address to which the response should be sent. A response will then be sent to you within one month following receipt of the request, two months in the event of a request requiring more in-depth research or in the event that INSEAD receives an excessive number of requests.

You can also contact us at any time to ask us to delete your personal data held by us, in one of the following situations:

  • Your personal data is no longer necessary in respect of the reasons for which it was collected or otherwise processed;
  • You have withdrawn the consent you provided as a basis for processing your personal data by INSEAD;
  • For your own reasons, you consider that one of the forms of processing infringes your privacy and causes you excessive harm;
  • You no longer wish to receive marketing communications from us;
  • Your personal data is not processed in accordance with the GDPR and French law
  • Your personal data must be deleted to comply with a legal obligation stipulated in European Union law or national law applicable to INSEAD;
  • Your personal data has been collected as the result of an offer by a website aimed at children.

You simply need to send an email to [email protected] stating your full name and with the subject line “deletion right: personal data”, attaching a copy of your identity document showing your signature. Also do not forget to indicate the reason for contacting us in the body of your email (e.g. deletion of your data when you have withdrawn the consent you provided as a basis for processing your personal data).

You can also exercise this right by sending us a letter to the following address: INSEAD, Boulevard de Constance, 77305 Fontainebleau, France. Your written request must be signed and accompanied by a photocopy of your identity document bearing your signature. The request must specify the address to which the response should be sent. A response will then be sent to you within one month following receipt of the request, two months in the event of a request requiring more in-depth research or in the event that INSEAD receives an excessive number of requests.

However, it may be that we are unable to accede to your request to be forgotten. It should be remembered that this right is not absolute. We need to weigh it against other important rights and values, such as freedom of expression, compliance with a legal obligation applicable to us or important public interest reasons.

You have the right to object to us processing your personal data if, for your own reasons, you consider that one of the forms of processing infringes your privacy and causes you excessive harm. You cannot prevent us from processing your data:

  • if its processing is required to conclude or perform your contract. For example, your data must be processed to validate your registration with INSEAD;
  • if its processing is required by law or a regulation. That is particularly the case when you move to another address;
  • if its processing is required to officially record, exercise or defend rights in legal proceedings.

You can object to the use of your personal data for the purposes of marketing communications and particularly advertising. You can also object to profiling if it is linked to marketing communications (e.g. when we send you personalised content).

You simply need to send an email to [email protected] with the subject line “objection right: personal data”, attaching a copy of your identity document showing your signature.

It is important to include the reasons for your objection request.

You can also exercise this right by sending us a letter to the following address: INSEAD, Boulevard de Constance, 77305 Fontainebleau, France. Your written request must be signed and accompanied by a photocopy of your identity document bearing your signature. The request must specify the address to which the response should be sent.

INSEAD has two months to respond to your objection request. If your request is imprecise or does not include all the information enabling us to fulfil your request, we will contact you to ask for further information within that time.

However, it may be that we are able to accede to your request. In that case, we will of course provide you with as clear a response as possible.

Furthermore, any emails and newsletters which may be sent to you will contain a link you can click on to stop receiving promotional information from us.

Specifically in relation to your right to object to marketing communications, we remind you that our marketing partners are responsible for their use of your personal data and taking into account your rights, including to no longer receive offers from them.

This right gives you the possibility of more easily managing your personal data yourself, specifically:

  • retrieving your personal data processed by us, for your personal use, and storing it on a device or in a private cloud for example.
  • transferring your personal data from us to another company, either by you, or directly by us, subject to that direct transfer being “technically possible”.

That right covers both your actively and knowingly declared data, such as your data supplied to create your online account (e.g. email address, username, age) and the information collected by INSEAD.

Conversely, personal data derived, calculated or inferred from data you have supplied, e.g. the results of a medical examination, is excluded from the portability right since it has been created by INSEAD.

You simply need to send an email to [email protected] stating your full name and with the subject line “portability right: personal data”, attaching a copy of your identity document showing your signature. Do not forget to indicate in your email the files concerned and the type of request (data retrieval and/or transfer to a new service provider).

You can also exercise this right by sending us a letter to the following address: INSEAD, Boulevard de Constance, 77305 Fontainebleau, France. Your written request must be signed and accompanied by a photocopy of your identity document bearing your signature. The request must specify the address to which the response should be sent. A response will then be sent to you within one month following receipt of the request, two months in the event of a request requiring more in-depth research or in the event that INSEAD receives an excessive number of requests.

You should be aware, however, that INSEAD is entitled to refuse your portability request. In fact, this right only applies to personal data based on your consent or performance of a contract concluded with us (for more details of personal data covered by the portability right: click on the Purposes and Grounds section). Similarly, this right may not infringe on third-party rights and freedoms, whose data may be contained in the data transmitted following a portability request.

Our Site may contain personal data concerning you. If you no longer wish for it to be displayed, you can ask us to delete it in one of the following situations:

  • Your personal data is no longer necessary in respect of the reasons for which it was collected or otherwise processed;
  • You have withdrawn the consent you provided as a basis for processing your personal data by INSEAD;
  • For your own reasons, you consider that one of the forms of processing infringes your privacy and causes you excessive harm;
  • You no longer wish to receive marketing communications from us;
  • Your personal data is not processed in accordance with the GDPR and French law
  • Your personal data must be deleted to comply with a legal obligation stipulated in European Union law or national law applicable to INSEAD.

We are also obliged to take reasonable measures to inform other companies (data controllers) that process the personal data for which you have asked for all links and copies to be deleted.

To have information about you on our website deleted, simply send an email to [email protected] stating your full name and with the subject line “right to be forgotten: personal data”, attaching a copy of your identity document showing your signature. Also do not forget to indicate the reason for contacting us in the body of your email, along with the precise web address (URL) of the page in question.

You can also exercise this right by sending us a letter to the following address: INSEAD, Boulevard de Constance, 77305 Fontainebleau, France. Your written request must be signed and accompanied by a photocopy of your identity document bearing your signature. The request must specify the address to which the response should be sent. A response will then be sent to you within one month following receipt of the request, two months in the event of a request requiring more in-depth research or in the event that INSEAD receives an excessive number of requests.

However, it may be that we are unable to accede to your request to be forgotten. It should be remembered that this right is not absolute. We need to weigh it against other important rights and values, such as freedom of expression, compliance with a legal obligation applicable to us or important public interest reasons.

You have the right to ask us to restrict your data, i.e. marking your personal data held by us (e.g. b y temporarily moving your data to another processing system or locking your data to make it inaccessible), in order to restrict its future use.

You can exercise this right when:

  • the accuracy of the data in question is disputed;
  • Your personal data is not processed in accordance with the GDPR and French law;
  • the data is no longer necessary to fulfil the initial purposes but cannot yet be deleted for legal reasons (e.g. official recording, the exercise or defence of your rights in legal proceedings);
  • a decision concerning your processing objection is pending.

In the case of a restriction on processing, your personal data shall no longer be subject to any processing without your prior agreement, with the exception of its retention (storage).

Your personal data may still be processed for the purpose of official recording, the exercise or defence of your rights in legal proceedings, or to protect the rights of another natural person or legal entity, or else on important grounds of public interest in the European Union or Member State.

In the case of a restriction on processing of some of your personal data, we will keep you informed of the date when the measure will be lifted.

You simply need to send an email to [email protected] stating your full name and with the subject line “restriction right: personal data”, along with a copy of your identity document.

Also do not forget to indicate the reason for contacting us in the body of your email.

You can also exercise this right by sending us a letter to the following address: INSEAD, Boulevard de Constance, 77305 Fontainebleau, France. Your written request must be signed and accompanied by a copy of your identity document. The request must specify the address to which the response should be sent. A response will then be sent to you within one month following receipt of the request, two months in the event of a request requiring more in-depth research or in the event that INSEAD receives an excessive number of requests.

You have the option to send us instructions relating to the retention, deletion and communication of your personal data after your death. Those instructions may also be recorded with a “certified digital trusted third party”. Those instructions, a sort of “digital will”, may appoint a person responsible for their execution or, failing, that your heirs will be appointed.

In the absence of any instructions, you heirs may contact us to:

  • Access the processing of personal data in order to “organise and settle the deceased’s estate”;
  • Receive communication of the “digital goods” or “personal data containing family memories, transferable to the heirs”;
  • Close your personal account on the Site and object to the continued processing of your personal data.

In any case, you have the option of informing us, at any time, that you do not want your personal data to be communicated to a third party after your death.

Is your personal data sent abroad?

Data transfer within Europe

Personal data benefits from the same level of protection within the European Economic Area.

We process your personal data on IT servers located in the EEA. 

Data transfer outside Europe

INSEAD transfers, processes and stores your information on IT servers located in a number of countries outside Europe as set out in the table below.

You should be aware that protection of privacy and rules allowing authorities to access your personal data in those countries are not necessarily equivalent to those in Europe.

In order to ensure standards are adhered to in terms of data and privacy protection, we impose technical and legal guarantees on all our partners. 

Do you wish to contact us about this Personal Data Protection Charter and/or make a complaint to a personal data protection authority?

Do you have a question or suggestion concerning this Personal Data Protection Charter?

Please let us know by contacting us here ([email protected]) or by post at:

INSEAD
Boulevard de Constance,
77305 Fontainebleau,
France

We would be delighted to hear from you and it will be a pleasure to respond as soon as possible.

Do you feel that we are not adequately protecting your personal data?

If you believe that INSEAD does not process your personal data in accordance with the GDPR and French law, you are entitled to complain to:

  • The data protection authority in the European country in which you habitually reside, or
  • The data protection authority in the European country in which you work, or
  • The data protection authority in the European country in which the GDPR violation was committed. 

Submitting a complaint to CNIL, the French data protection authority

You can submit a complaint directly via the CNIL website here.

Or by writing to the following address:

Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy - TSA 80715
75334 PARIS CEDEX 07 

Data security

INSEAD takes all useful and appropriate physical, logical, technical, functional, administrative and organisational precautions and measures to guarantee the security of your personal data, with regard to the state of the art, implementation costs and the nature, extent, context and purposes of the processing, as well as the risks, whose degree of likelihood and severity vary, to the rights and freedoms of natural persons, to preserve data security and confidentiality and guarantee a level of security appropriate to the risks, and particularly to prevent the data being distorted, damaged or accessed by unauthorised third parties.

Due to the difficulties inherent in exercising an activity on the internet and the risks, of which you are aware, resulting from the electronic transmission of data, INSEAD may not be bound by a performance obligation.

In the event that difficulties occur, INSEAD shall do its utmost to circumvent the risks and shall take all adequate measures, in accordance with its legal and regulatory obligations (corrective actions, informing the national authority responsible for personal data protection and, where relevant, data subjects, etc.).

In the event that all or part of the personal data processing is subcontracted, INSEAD contractually imposes security guarantees on its subcontractors, particularly in terms of confidentiality in respect of the personal data to which they may have access (appropriate technical and organisational measures to protect that data).

How do you know if this Personal Data Protection Charter has been amended?

This Personal Data Protection Charter may be amended at any time, particularly to take account of any changes to the law or regulations or changes to our services.

Major changes made will be notified via our Site or by email, as soon as possible and at least 30 days before they come into force.

When we publish changes to this Charter, we will revise the “last updated on” date at the top of the confidentiality policy.

We encourage you to regularly consult this Charter to find out how INSEAD is protecting your personal data.

Last updated on: 22.05.2018