ISAE-SUPAERO external data protection policy
Table of contents
- ABOUT US
- DATA PROTECTION OFFICER
- FAIR AND TRANSPARENT COLLECTION
- PROPORTIONATE DATA PROCESSING
- PERSONAL DATA WE PROCESS
- ORIGIN OF THE DATA WE PROCESS
- PERSONAL DATA GENERATED BY YOUR ACTIVITY
- INFERRED OR DERIVED PERSONAL DATA
- PERSONAL DATA FROM THIRD PARTIES OR OTHER SERVICES
- THE LEGAL BASES AND PURPOSES OF OUR DATA PROCESSING
- RECIPIENTS OF YOUR DATA
- DATA TRANSFERS
- DATA SECURITY
- YOUR RIGHTS
- YOUR RIGHT TO ACCESS
- YOUR RIGHT TO RECTIFICATION OF YOUR DATA
- YOUR RIGHT TO ERASURE OF YOUR DATA
- YOUR RIGHT TO LIMIT DATA PROCESSING
- YOUR RIGHT TO OBJECT TO DATA PROCESSING
- YOUR RIGHT TO THE PORTABILITY OF YOUR DATA
- YOUR RIGHT TO WITHDRAW YOUR CONSENT
- YOUR RIGHT TO LODGE A COMPLAINT
- YOUR RIGHT TO SET POST-MORTEM DIRECTIVES
- HOW TO EXERCISE YOUR RIGHTS
- AMENDMENT TO THIS DOCUMENT
1. As part of its activity, the Higher Institute of Aeronautics and Space ("ISAE-SUPAERO") is required to collect and process personal data concerning visitors to its website, candidates for recruitment, candidates for training offered by the institute, its students and their entourage (tutors, members of their family, recommenders) and its service providers ("you").
2. Therefore, anxious to build a lasting relationship of trust based on respect for the rights and freedoms of individuals, ISAE-SUPAERO endeavors to put in place the technical and organizational means necessary to protect the personal data it processes.
3. The main purpose of this policy is to gather in a concise, transparent, understandable and readily accessible format, the information concerning the data processing implemented by the institute to allow you to understand the conditions under which your data are processed, what your rights are in this regard and to present the commitments of ISAE-SUPAERO.
4. ISAE-SUPAERO is a scientific, cultural and professional public institution of the large establishment type (EPSCP-GE) whose head office is located at 10, avenue Édouard-Belin BP 54032 - 31055 Toulouse CEDEX 4. ISAE-SUPAERO is registered in the SIREN register under number 130 004 278, and its SIRET number is 130 004 278 00011.
DATA PROTECTION OFFICER
5. ISAE-SUPAERO has appointed a Data Protection Officer (DPO) with the following contact details: Cabinet ALTIJ, dpo for isae-supaero.fr.
6. This data protection officer is responsible in particular for advising, informing and monitoring compliance with data protection regulations.
FAIR AND TRANSPARENT COLLECTION
7. For the sake of transparency, ISAE-SUPAERO strives to inform the data subjects (i.e. the persons whose data are processed) of each of the processing operations that concern them.
8. When ISAE-SUPAERO is called upon to process data, it does so for specific purposes: each data processing carried out pursues a legitimate, determined and explicit purpose.
PROPORTIONATE DATA PROCESSING
9. For each of the processing operations implemented, ISAE-SUPAERO undertakes to collect and use only data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
10. ISAE-SUPAERO shall ensure that the data are, if necessary, updated and shall implement processes to enable the erasure or rectification of inaccurate data.
PERSONAL DATA WE PROCESS
11. In the context of the processing of personal data, the purposes of which will be presented to you below, ISAE-SUPAERO collects and processes mainly the following categories of data:
- identification or civil status data of the persons concerned, such as surname(s), given name(s) and date of birth;
- data relating to the professional situation, such as the profession or professional contact details;
- economic and financial information;
- data relating to family life (surname and given name of the student’s parents, their profession, the number of siblings);
- connection data such as the IP address.
12. ISAE-SUPAERO shall not process personal data revealing racial origin, political opinions, religious beliefs, genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning the sexual life or sexual orientation of a natural person.
13. When the data are mandatory for the conclusion of the contract or to meet legal or regulatory obligations, the collection forms will specify it with an asterisk. In the absence of this information, your request may not be considered or its analysis may be delayed.
ORIGIN OF THE DATA WE PROCESS
Personal declarative data
14. This is the personal data that you provide as part of:
- your exchanges with ISAE-SUPAERO;
- the creation of an application file;
- the creation of a recruitment file.
PERSONAL DATA GENERATED BY YOUR ACTIVITY
15. The use of some of our equipment generates personal data that is processed by ISAE-SUPAERO. For example, your browsing on our website generates traces of connections that are used to count the number of visitors to our website.
INFERRED OR DERIVED PERSONAL DATA
16. Some data are generated and/or calculated from other categories of data, such as our students’ exam results.
PERSONAL DATA FROM THIRD PARTIES OR OTHER SERVICES
17. Personal data about you may also come from third parties, such as:
- partners in higher education;
- the ISAE-SUPAERO Foundation;
- the ISAE-SUPAERO Amicale.
18. We would like to draw your attention to the fact that we are not responsible for the processing carried out by these third parties. We invite you to refer to their data protection policy to learn more about how they process your data.
THE LEGAL BASES AND PURPOSES OF OUR DATA PROCESSING
19. Processing for the following purposes is based on the consent of the data subject:
- communication management (e.g. commercial prospecting by electronic means);
- management of research and educational resources (e.g. the dissemination of the thesis of a doctoral student online);
- management of master’s courses (e.g. prospecting for the recruitment of new students);
- management of relations with companies and patronage (e.g. partnership management);
- management of information systems (e.g. audience measurements).
20. Processing operations which pursue the following purposes are based on the performance of a contract to which the data subject is a party or on the performance of pre-contractual measures taken at the request of the data subject:
- management of research and educational resources (e.g. management and monitoring of doctoral students at ISAE-SUPAERO);
- management of engineering training (e.g. management of admissions);
- management of master’s courses (e.g. student file management);
- management of international relations (e.g. monitoring of the progress of the implementation of agreements with international universities);
- management of procurements (e.g. drafting and monitoring of contracts);
- management of financial affairs and accounting (e.g. management of the payment of ISAE-SUPAERO staff);
- management of infrastructure and logistics (e.g. management of the recruitment of supervisors for the joint competition);
- management of human resources (e.g. payroll management);
- management of information systems (e.g. messaging management).
21. The processing operations that pursue the following purposes are implemented to meet the legal and regulatory obligations incumbent on ISAE-SUPAERO, namely:
- management of research and teaching resources (e.g. dissemination of the thesis in the defense institution and within the university community as a whole);
- management of engineering training (e.g. management of recruitment in engineering training);
- management of master’s training (e.g. management of authorizations for the publication of the names of graduates by the conference of grandes écoles);
- management of relations with companies and patronage (e.g. management of the list of parties opposed to receiving the newsletter);
- procurement management (e.g. identification of procurement needs of the various ISAE-SUPAERO services and departments);
- infrastructure and logistics management (e.g. management of secret and confidential defense authorizations);
- quality, safety and working environment management (e.g. monitoring the implementation of mandatory occupational health and safety training);
- human resources management (e.g. ongoing training and skills management);
- management of information systems (e.g. log management).
22. The processing operations which pursue the following purposes are implemented to achieve the legitimate interests of ISAE-SUPAERO, in particular the management, proper functioning and deployment of its activities:
- communication management (e.g. management of the contact form on the ISAE-SUPAERO website);
- management of research and educational resources (e.g. management of meeting minutes);
- management of engineering training (e.g. teaching assessment);
- management of master’s courses (e.g. management of the award of scholarships);
- management of relations with companies and patronage (e.g. management of partners);
- management of international relations (e.g. management of leave);
- procurement management (e.g. supplier list management);
- financial affairs and accounting management (e.g. scholarship payment management);
- legal affairs management (e.g. legal claims management);
- infrastructure and logistics management (e.g. visitor register management);
- quality, safety and working environment management (e.g. process audit management);
- human resources management (e.g. organizational chart management);
- management of information systems (e.g. IT support management).
RECIPIENTS OF YOUR DATA
23. The personal data that we collect, along with those that are collected later, are intended for us in our capacity as data controller, or even as joint data controllers with the Amicale and the ISAE-SUPAERO Foundation in the context of certain processing operations.
24. With regard to the processing operations carried out with the Amicale and the Foundation, we invite you to consult the data protection policy of these bodies in order to know how they manage your data.
25. The recipients of your personal data are:
- the different departments and services of ISAE-SUPAERO within the limits of their missions;
- our partners such as the university community, the ISAE-SUPAERO Amicale, the ISAE-SUPAERO Foundation;
- our law firms in the context of the management of pre-litigation.
26. We ensure that only authorized persons may access this data. ISAE-SUPAERO applies strict authorization policies that allow the data it processes to be transmitted only to persons authorized to access them.
DATA TRANSFERS
27. ISAE-SUPAERO only transfers your data subject to the implementation of appropriate safeguards (such as the signing of standard contractual clauses based on those of the European Commission).
PERIODS FOR WHICH WE KEEP YOUR DATA
28. ISAE-SUPAERO ensures that the data are kept in a form allowing the identification of the persons concerned only for a period necessary for the purposes for which they are processed.
29. The retention periods that we apply to your personal data are proportionate to the purposes for which they are collected.
DATA SECURITY
30. ISAE-SUPAERO attaches particular importance to the security of personal data.
31. Appropriate technical and organizational measures shall be implemented to ensure that the data are processed in such a way as to guarantee their protection against accidental loss, destruction or damage which could affect their confidentiality or integrity.
32. During elaboration and design, or during the selection and use of the various tools that allow the processing of personal data, ISAE-SUPAERO verifies that they provide an optimal level of protection of the data processed.
33. ISAE-SUPAERO thus implements measures that respect the principles of protection by design and protection by default of the data processed. As such, ISAE-SUPAERO is able to use data encryption techniques when necessary.
34. When using a service provider, ISAE-SUPAERO only communicates personal data to the latter after having obtained a commitment and guarantees on its ability to meet these security and confidentiality requirements.
35. We conclude contracts with our subcontractors in compliance with our legal and regulatory obligations that precisely define the terms and conditions of processing of personal data by them.
36. Similarly, ISAE-SUPAERO may be required to carry out or have carried out audits of its own services as well as those of its service providers, in order to verify the application of data security rules.
YOUR RIGHTS
37. ISAE-SUPAERO is particularly concerned about respecting the rights granted to you in the context of the data processing it implements, to guarantee you fair and transparent processing given the particular circumstances and context in which your personal data are processed.
YOUR RIGHT TO ACCESS
38. As such, we confirm whether your personal data are or are not being processed and when they are, you have the right to request a copy of your data and information concerning:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients and, where appropriate, if such communication were to be made, the international organizations to which the personal data have been or will be communicated, in particular the recipients who are established in third countries;
- where possible, the envisaged retention period of personal data or, where this is not possible, the criteria used to determine this period;
- the existence of the right to request from the controller the rectification or erasure of your personal data, the right to request a limitation of the processing of your personal data and the right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- information relating to the source of the data when it is not collected directly from the data subjects;
- the existence of automated decision-making, including profiling, and in the latter case, useful information about the underlying logic, as well as the significance and intended consequences of such processing for data subjects.
YOUR RIGHT TO RECTIFICATION OF YOUR DATA
39. You can ask us to rectify or complete your personal data, as the case may be, if they are inaccurate, incomplete, equivocal or out of date.
YOUR RIGHT TO ERASURE OF YOUR DATA
40. You can ask us to erase your personal data when one of the following reasons applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw the previously given consent;
- you object to the processing of your personal data where there are no overriding legitimate grounds for the processing;
- the processing of personal data does not comply with the provisions of the applicable legislation and regulations.
41. We draw your attention to the fact that the right to erasure of data is not a general right and that it can only be granted if one of the grounds provided for in the applicable regulations is present.
42. Thus, if none of these reasons is present, ISAE-SUPAERO will not be able to respond favorably to your request; this will be the case if it is required to keep the data due to a legal or regulatory obligation or for the establishment, exercise or defense of legal claims.
YOUR RIGHT TO LIMIT DATA PROCESSING
43. You can request the limitation of the processing of your personal data in the cases provided for by law and regulation.
YOUR RIGHT TO OBJECT TO DATA PROCESSING
47. In terms of commercial prospecting, it is recalled that you can oppose receiving prospecting by post or by telephone from ISAE-SUPAERO.
48. ISAE-SUPAERO may use email prospecting if you have given your consent at the time of collection. Consequently, you may at any time object to this by using the link in the email sent to you.
YOUR RIGHT TO THE PORTABILITY OF YOUR DATA
49. You have the right to ensure the portability of your personal data. We draw your attention to the fact that this is not a general right. Indeed, not all data from all processing operations is portable and this right only concerns automated processing and excludes manual or paper processing.
50. This right is limited to processing operations whose legal basis is your consent or the execution of pre-contractual measures or a contract.
51. This right does not include derived data or inferred data, which are personal data created by ISAE-SUPAERO.
52. The data on which this right can be exercised include:
- only your personal data, which excludes anonymized personal data or data that do not concern you;
- the declarative personal data as well as the personal operating data mentioned above.
53. The right to portability may not affect the rights and freedoms of third parties such as those protected by trade secrets.
54. You can request the portability of the data according to the procedure defined below by specifying whether you wish to receive them yourself or, if it is technically possible for us, that we transmit them directly to another controller.
55. In the latter case, you must provide us with the exact name of this controller, their contact details and the service or person who should be the recipient. In order to facilitate the exercise of this right, you must inform this recipient of your request to our services.
YOUR RIGHT TO WITHDRAW YOUR CONSENT
56. When the data processing that we carry out is based on your consent, you can withdraw it at any time. We will then stop processing your personal data without the previous operations you had consented to being called into question.
YOUR RIGHT TO LODGE A COMPLAINT
57. You have the right to lodge a complaint with the French National Commission for Information Technology and Civil Liberties (CNIL, 3 place de Fontenoy 75007 Paris) on French territory, without prejudice to any other administrative or judicial remedy.
YOUR RIGHT TO SET POST-MORTEM DIRECTIVES
58. You have the possibility to define specific guidelines relating to the storage, erasure and communication of your personal data after your death with our services according to the modalities defined below. These specific directives will only concern the processing operations implemented by us and will be limited to this scope only.
59. You will also have the right to define general guidelines for the same purposes to a person designated by the executive.
HOW TO EXERCISE YOUR RIGHTS
60. All the rights listed above can be exercised at the following email address: dpo at isae-supaero.fr, or by postal mail by contacting ISAE-SUPAERO, DPO, 10, avenue Édouard-Belin BP 54032 - 31055 Toulouse CEDEX 4, providing proof of your identity.
AMENDMENT TO THIS DOCUMENT
61. We invite you to regularly view this policy on our website. It may be subject to updates.