PRIVACY POLICY OF HBS ERC

1. INTRODUCTION

This is the privacy policy of Centre de Recherche Européen de la Harvard Business School (HBS Europe Research Center), located at 62 rue François 1er, 75008 Paris, registration number SIRET 443 993 159 00013 (in this policy, “HBS ERC” or “we”). This privacy policy describes the processing of personal data by HBS ERC, in compliance with applicable data protection laws, including the General Data Protection Regulation dated April 27, 2016 of the European Union (“GDPR”) and the recommendations of the CNIL (Commission Nationale de l'Informatique et des Libertés – the data protection authority of France).

“Personal data” means any information or pieces of information that could identify you either directly or indirectly.

We undertake to:

  • process your personal data fairly and lawfully;
  • process your personal data for legitimate purposes;
  • ensure that your personal data is accurate, complete and, where necessary, kept up to date;
  • store your personal data for a period no longer than is needed for the purposes for which it is obtained and processed.

2. PERSONAL DATA COLLECTED AND PROCESSED BY HBS ERC

HBS ERC collects and processes personal data as a data controller, and also as a data processor for Harvard Business School, a part of Harvard University, Boston, Massachusetts USA.

The purposes for which HBS ERC may process data as data controller or data processor, the categories of data subjects whose data HBS ERC may collect, the types of data, and parties with whom we may share such data, are as follows:

Purposes of processing may include:

  • Encouraging prospective students to apply to Harvard Business School
  • Assisting with matriculation of admitted students
  • Promoting and organizing Harvard Business School donor and alumni relations, events and donations
  • Promoting and organizing other conferences, workshops and events
  • Participating in coaching of Harvard Business School students and alumni
  • Supporting other Harvard Business School student activities
  • Supporting Harvard Business School research projects and publications
  • Supporting Harvard Business School collaborations with other universities, research institutions, government agencies and businesses in France and Europe
  • Communicating and responding to inquiries about the foregoing and other matters

Data subjects may include:

  • Harvard Business School students, prospective students and admittees
  • Harvard Business School alumni
  • Donors and potential donors to Harvard Business School
  • Research subjects
  • Researchers
  • Other persons inquiring about or participating in HBS ERC activities

Types of data may include:

  • Contact information
  • Educational and career information
  • Financial and bank information
  • Other personal information volunteered by alumni and donors
  • Photos
  • Coaching notes

Data may be shared with the following parties for the purposes stated above:

  • Offices of Harvard University, including offices of Harvard Business School and HBS faculty*
  • Harvard Business School Publishing
  • Harvard Business School Publishing Europe
  • Harvard Business School alumni clubs
  • Government agencies as legally required
  • Service providers as described below

*For information on practices of Harvard University relating to the processing of personal data when such processing is within the scope of the GDPR, please see https://gdpr.harvard.edu/eeaprivacydisclosures .

Other Data Processing Information

HBS ERC will process personal data, such as contact information and bank account numbers where applicable, provided by persons wishing to enter into transactions as necessary to complete the requested transactions, such as making donations.

HBS ERC may process or share personal data, including communicating data to government authorities, as necessary for preventing, investigating, providing notice of, or taking other action concerning fraud, unlawful or criminal activity, other misconduct, security or technical issues, or unauthorized access to or use of personal data or our website or data systems; responding to subpoenas, court orders, or other legal process; managing and enforcing our agreements; protecting your or our health, safety, rights or property and the health, safety, rights or property of others; and meeting other legal obligations.

HBS ERC may also engage service providers to assist in processing of personal data for the purposes described above. Our service providers must agree to contractual commitments to safeguard the privacy and security of personal data.

HBS ERC does not sell your personal data to third parties.

3. LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA

HBS ERC processes personal data for the purposes described above on the basis of its legitimate interests; to carry out requests of or agreements with data subjects; to carry out agreements with Harvard University for the benefit of data subjects; to satisfy its legal or regulatory obligations; or, where applicable, on the basis of legally compliant data subject consent.

4. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred from France to a country located outside of the EEA, including to the United States, which may provide for different data protection rules than the EEA. Transfers of personal data from one country to another (or one geographic region to another) will be completed securely and in accordance with this policy and applicable personal data protection laws, including the GDPR.

5. SECURITY OF PERSONAL DATA

We have taken appropriate technical and organizational measures to provide a level of security for the personal data appropriate to the risk. Unfortunately, however, no data transmission, processing, sharing or storage by any party can be guaranteed to be completely secure.

6. DURATION OF PERSONAL DATA RETENTION

Personal data will be kept for the period necessary for the performance of the purposes described above and may also be kept to the extent legally permitted for the archival and statistical records of HBS ERC.

7. YOUR RIGHTS

HBS ERC will provide you, upon your reasonable, good faith request, with information about whether HBS ERC holds any of your personal data as part of the processing described in this policy, to the extent required by and in accordance with applicable law.

In certain cases, you may also have rights as follows with respect to your personal data processed under this policy:

  • access: the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to access such personal data and obtain a copy of it.
  • rectification: the right to obtain the rectification of inaccurate personal data or to have incomplete personal data completed.
  • deletion (“right to be forgotten”): the right to obtain the erasure of your personal data. However, HBS ERC may have legal or legitimate grounds for keeping such personal data according to specific retention periods.
  • revoking consent: the right to revoke your consent to the processing of your personal data when such processing is based on your consent. The revoking of consent does not affect the lawfulness of the processing carried out on the basis of such consent prior to the revocation of consent.
  • objecting to processing: the right to object to processing of your personal data where the personal data has been processed based on the legitimate interest of HBS ERC, but your request must be justified by your particular situation.
  • restriction of processing: the right to obtain restriction of the processing of your personal data, in particular where you contest the accuracy of your personal data or if the processing is unlawful.
  • data portability: the right to receive your personal data which you have provided to HBS ERC. This right only applies when processing of your personal data is based on your consent or on a contract and such processing is carried out by automated means.

You may also have the right to communicate guidelines to HBS ERC relating to the retention, deletion and transfer of your personal data after your demise, with the right for you to also register such guidelines in accordance with the law.

To submit such a request, you may contact us by sending an email message to eeadatasubjectrequest@harvard.edu with a copy to hbseurope@hbs.edu. HBS ERC and Harvard Business School will often cooperate on the response. Because we want to avoid taking action regarding your personal data at the direction of someone other than you, we may ask you for information verifying your identity. We will respond to your request within a reasonable timeframe, typically one month following the receipt of your request.

If HBS ERC processing of your personal data is solely based on your consent, you also have the right to withdraw your consent to our processing, subject to certain limitations at law. If you withdraw your consent to the use or sharing of your personal data for the purposes set out in this policy, you may not have access to all (or any) of the related services, and we might not be able to provide you all (or any) of the services.

In certain cases, HBS ERC may continue to process your personal data after you have withdrawn consent or requested that we delete your personal data, if HBS ERC has a legal basis to do so, for example, if the data is still needed to comply with a legal obligation, to pursue or enforce our legal rights, to accomplish the lawful purposes for which the data was obtained, or to pursue our legitimate interest in keeping our services and operations safe and secure.

If you have any complaints regarding our privacy practices, you have the right to make a complaint with the CNIL or your national data protection authority (i.e., supervisory authority).

8. POLICY DATE; CHANGES

This Policy was last updated as of: 15 September 2020. This Policy may be amended from time to time in accordance with changes in the data practices of HBS ERC or in applicable law.