Date of issue: 23/11/2018

PREAMBLE

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR), sets out the legal framework applicable to the processing of personal data.
The GDPR reinforces the rights and obligations of controllers, processors, data subjects and data recipients.
For a proper understanding of this policy, it is specified that: “controller” means the natural or legal person who determines the purposes and means of processing personal data. Under this policy, the controller is EN3S; the “processor” refers to any natural or legal person who processes personal data on behalf of the controller. In practice, therefore, these are the service providers with whom EN3S works and who work on EN3S personal data; “data subjects” are those persons who can be identified, directly or indirectly, and their personal data are collected by the controller, i.e. all EN3S learners; the “recipients” of the data refer to natural or legal persons who receive communication of personal data. The recipients of the data can therefore be both EN3S employees and external organisations (institutions, social organisations, BRISE (St.-Étienne network libraries, etc.).
The GDPR, in its Article 12, requires that data subjects be informed of their rights in a concise, transparent, understandable and easily accessible manner.

SUBJECT

In order to ensure its proper functioning, EN3S is required to implement and use the processing of personal data relating to its students and candidates applying to the latter.
The purpose of this policy is to comply with EN3S’s obligation to provide information and thus to formalise the rights and obligations of students and candidates with regard to the processing of their personal data.

SCOPE

This personal data protection policy is intended to apply in the context of the implementation of the various processing operations for the personal data of EN3S students and candidates to EN3S.
This policy only concerns processing operations for which EN3S is responsible and therefore does not cover activities/tasks that would not be created or operated by EN3S itself (so-called “wild” processing).
The processing of personal data may be managed directly by EN3S or through a processor specifically designated by EN3S.
This policy is independent of any other document that may apply within EN3S, such as information systems charters, student charters or administrator charters, for example.

GENERAL INFORMATION

Controller of the processing operations
École nationale supérieure de Sécurité sociale
EN3S
27 rue des docteurs Charcot
CS 13132
42000 SAINT-ETIENNE cedex cedex 2

OPPOSABILITY

This document is enforceable:

  • to EN3S in its capacity as “controller” within the meaning of the DSMP;
  • EN3S learners, i.e. any person enrolled in a long or short training course provided by EN3S (students in the initial training cycle, trainees in regulatory cycles or continuing training, etc.);
  • candidates registered in selection processes organised by EN3S via the EN3S website or by other intermediaries;
  • to the persons to whom EN3S communicates the data (hereinafter referred to as “data recipient”);
  • EN3S service providers who process data on its behalf (hereinafter referred to as “subcontractors”).

GENERAL PRINCIPLES

No processing is carried out by EN3S concerning personal data of candidates and learners unless it has been previously approved by the Director or his representative and complies with the general principles of the DGPS.
Any new processing, modification or deletion of an existing processing operation will be brought to the attention of learners, candidates and more generally to the persons designated in the “opposability” section.
A list of existing processing operations of personal data is attached hereto.

PURPOSES AND LEGAL BASES

Depending on the case, EN3S processes learners’ data for the following purposes:

  • establish official documents relating to the learners’ background (diplomas, mandatory official appointments, learner card and any other official documents);
  • organize the annual educational program and examination sessions;
  • guarantee the certain identification of learners in the management of their file and allow the establishment of official documents concerning them (diplomas, certificates, attestations…);
  • ensure that EN3S is able to contact learners with certainty as part of their training paths;
  • make available to learners educational and pedagogical content, administrative information relating to the training cycle, teaching and operation of the institution as well as online documentation via an ENT (in the broad sense of a collaborative work system – extranet, Office 365®,… -) ;
  • analyse the uses made of the ENT in order to develop new pedagogical tools on digital media;
  • allow learners to create a user account in order to access the pedagogical platform via the ENT and/or the EN3S intranet;
  • allow the saving of documents and educational works via the ENT and/or the intranet;
  • allow the consultation of the learners’ pedagogical file (agenda, grade, exam results, practitioner-teacher contacts);
  • provide learners in the initial training cycle with a multiservice student card allowing them to access several of the services implemented by EN3S or its partners;
  • select candidates from EN3S through any means of application available to the candidate;
  • control the access and presence of learners to EN3S premises through individual badges;
  • implement video surveillance to prevent damage outside the establishment or any attempt by unauthorised persons to intrude into the establishment;
  • implement video surveillance of certain areas within the institution for the purpose of student and property security and to identify the perpetrators of theft, damage or possible assaults;
  • ensure the production of statistical reports related to the attendance and evaluation of training courses;
  • ensure the production of statistical reports on the diversity of learners and the nature of their professional backgrounds.

All learners are informed that the collection of their personal data is necessary for the performance of a public service mission or a legal obligation of EN3S.

DATA RECIPIENTS – AUTHORIZATION AND TRACEABILITY

EN3S ensures that data are only accessible to authorised internal or external recipients.
EN3S decides which recipient will be able to access which data according to a defined authorization policy.

EN3S is in no way liable for any damage of any kind that may result from unlawful access to personal data.
In particular, the following may be recipients of such personal data:

  • EN3S partner universities and schools, in particular the network of “grandes écoles de service public” and members of the RESP (network of public service schools);
  • publishers of educational content or services linked to EN3S or accessible via ENT;
  • the association of former EN3S students; the supervisory authorities;
  • organizations related to student life such as BRISE or EN3S partners such as competition preparation centres.

In addition, personal data may be communicated to any authority legally entitled to know them. In this case, EN3S is not responsible for the conditions under which the staff of these authorities have access to and use the data.

STORAGE PERIOD

The storage period of the data is defined by EN3S in the light of the legal and contractual constraints weighing on it and, failing that, in accordance with its needs.

Processing concerned / Conservation period of the data collected

Application and recruitment:

  • Competition – Candidates admitted Conservation at EN3S for five years Transfer to the Loire departmental archives
  • Competitions – other candidates :
    • Absent candidates: Destruction after five years
    • Incomplete files: destruction after two years
    • Copies: five years then transfer to the Loire departmental archives

Management of the learner’s file

  • Administrative file (administrative information, preventive medicine, medical certificates, discipline, resignation, etc.): ten years at EN3S then transfer to the departmental archives
  • Individual monitoring files for each student or trainee (interviews on training and professional background, etc.): five years then transfer to the Loire departmental archives

Implementation of an ENT

  • The data are kept until the person concerned requests their deletion, insofar as the person is entitled to keep his ENT account at the end of his training.
  • For accounts that are inactive for more than one year, an explicit request for consent to the storage of their data will be sent to the person concerned.
  • Personal contributions left in community spaces and spaces for storing personal information or publication may, unless the contributor objects when closing his ENT account, only be kept by the institution for information purposes.

Video surveillance

  • Data kept for one month.

After the deadlines set, the data are either deleted or stored after anonymisation, in particular for statistical purposes.
Learners are reminded that deletion or anonymisation are irreversible operations and that EN3S is no longer able to restore them afterwards.

RIGHT OF CONFIRMATION AND RIGHT OF ACCESS

The learner or candidate has a right to ask EN3S to confirm whether or not data relating to him/her are being processed.
The learner or candidate also has a right of access, which is subject to compliance with the following rules:

  • the request comes from the person himself and is accompanied by a copy of an identity document;
  • be made by internet at dpo@en3s.fr or in writing at the following address:
    EN3S
    To the attention of the Data Protection Officer
    27 rue des docteurs Charcot
    CS 13132
    42,031 SAINT-ETIENNE cedex 2

The learner or candidate has the right to request a copy of his or her personal data being processed from EN3S. However, in the event of a request for an additional copy, EN3S may require the student or candidate to bear the cost.
If the learner or candidate submits his or her request for a copy of the data electronically, the information requested will be provided in an electronic form in common use, unless otherwise requested.

Finally, the learner or candidate is informed that this right of access cannot relate to confidential information or data or for which the law does not allow communication.
The right of access must not be exercised in an abusive manner, i.e. on a regular basis, with the sole aim of destabilising the service concerned.

UPDATE – UPDATE AND RECTIFICATION

In order to allow a regular update of the personal data collected by EN3S, the latter may request the learner who will be obliged to comply with its requests.
The learner or candidate also has a right to rectify his or her data.

To do this, EN3S:

  • provide learners and candidates with all the necessary means online or offline to inform them of any changes to the personal data held by EN3S; corrections shall be made, save in exceptional and justified cases, within a period of time which may not exceed eight (8) days;
  • updates its databases once a calendar year

The learner or candidate is informed that EN3S will not make any so-called “comfort” changes, only substantial changes to the learner’s civil status, identity and contact details will be made.
As far as possible, EN3S shall pass on these corrections to the persons to whom it has transmitted the learners’ data. However, this obligation cannot be imposed where such an approach is impossible or requires disproportionate effort.

RIGHT TO ERASE

The right to erase the learner or candidate will not be applicable in cases where the processing is carried out in response to a legal obligation.
Outside this situation, the learner or candidate may request the deletion of his or her data in the following limited cases:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • when the learner or candidate withdraws the consent on which the treatment is based and there is no other legal basis for the treatment;
  • the learner or candidate objects to processing based on the performance of a task in the public interest or necessary for the legitimate interests pursued by EN3S and that there are no compelling legitimate grounds for the processing;
  • the learner or candidate objects to the processing of his or her personal data for the purpose of prospecting, including profiling;
  • the personal data have been unlawfully processed;
  • personal data must be erased in order to comply with a legal obligation under Union law or the law of the Member State to which EN3S is subject.

In accordance with the legislation on the protection of personal data, the student or candidate is informed that this is an individual right that can only be exercised by the data subject with regard to his/her own information: for security reasons, the service concerned must therefore verify his/her identity in order to avoid any communication of confidential information concerning you to anyone other than the data subject.

RIGHT TO LIMITATION

The learner or candidate is informed that he or she does not have the right to limit the processing of his or her personal data insofar as the processing operations carried out by EN3S are lawful and that all personal data collected are necessary for the execution of the relationship between EN3S and the learners or candidates.

RIGHT TO PORTABILITY

At the end of his training at EN3S, the learner may, on request, exercise his right to portability only on the data he himself has communicated to EN3S. This data will be provided in a structured format, commonly used and machine-readable.

POST-MORTEM LAW

Learners are informed that they have the right to formulate guidelines for the storage, erasure and communication of their post-mortem data. Specific post-mortem instructions and the exercise of their rights are communicated by e-mail to dpo@en3s.fr or by post to the following address, accompanied by a copy of a signed identity document:
EN3S
To the attention of the Data Protection Officer
27 rue des docteurs Charcot
CS 13132
42,031 SAINT-ETIENNE cedex 2

OPTIONAL OR MANDATORY NATURE OF RESPONSES

The learner is informed on each personal data collection form whether the answers are mandatory or optional.
In the case where answers are mandatory, EN3S explains to the learner the consequences of not answering.

DATA FROM SOCIAL NETWORKS

EN3S shall refrain from exploiting, without the prior agreement of the learner or candidate, private data and information, even if they are made public and disseminated by the latter on social networks.

SUBCONTRACTING

EN3S informs the learner that it may involve any subcontractor of its choice in the processing of its personal data.
In this case, EN3S ensures that the subcontractor complies with its obligations under the GDPR.

EN3S undertakes to sign a written contract with all its subcontractors and imposes the same data protection obligations on subcontractors as it does. In addition, EN3S reserves the right to audit its subcontractors to ensure compliance with the provisions of the GDPR.

ORIGIN OF THE DATA COLLECTED

The data collected by EN3S are either collected directly by EN3S or indirectly.

Data collected directly from the learner or candidate

Direct data collection takes different forms:

  • data collected during the learner’s administrative registration or re-registration with EN3S;
  • data collected in the pre-registration or registration of a candidate with EN3S;
  • data collected by sending or delivering personal data by the student or candidate (email, letter, business card, etc.);
  • technical data (connection or traffic data) related to the use of EN3S IT or digital services.

Data collected indirectly

Indirect data collection takes different forms: data collected via other universities or schools outside EN3S.

SECURITY

It is the responsibility of EN3S to define and implement the technical security measures, physical or logical, that it considers appropriate to combat the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.
To this end, EN3S may be assisted by any third party of its choice to carry out vulnerability audits or intrusion tests at the frequencies it deems necessary.
Except in cases of urgency or imminent risk, the services concerned will be informed before such audits are carried out and will be required to take appropriate protective measures, which will be notified in advance.
In any event, EN3S undertakes, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with superior performance means. No change can lead to a reduction in the level of security.
In the event of subcontracting part or all of the processing of personal data, EN3S undertakes to contractually impose security guarantees on its subcontractors by means of technical measures for the protection of such data and appropriate human resources.

DATA BREACH

In the event of a violation of personal data, EN3S undertakes to notify the CNIL under the conditions prescribed by the GDPR.
If the violation poses a high risk to learners and the data has not been protected, the EN3S:

  • will notify the learners or candidates concerned;
  • will provide the learners or candidates concerned with the necessary information and recommendations.

DATA PROTECTION DELEGATION

EN3S has appointed a Data Protection Officer.
The contact details of the Data Protection Officer are as follows:
EN3S
To the attention of the Data Protection Officer
27 rue des docteurs Charcot
CS 13132
42031 SAINT ETIENNE cedex 2
dpo@en3s.fr
In the event of the implementation of a new processing of personal data, EN3S will first refer the matter to the Data Protection Officer.
If the learner or candidate wishes to obtain specific information or wishes to ask a specific question, he or she may refer the matter to the Data Protection Officer, who will give an answer within a reasonable time with regard to the question asked or the information required.
In the event of a problem encountered with the processing of personal data, the learner or candidate may refer the matter to the designated Data Protection Officer.

TRANSBOUNDARY FLOWS

EN3S alone reserves the right to choose whether or not to have cross-border flows for the personal data it collects and processes.
In the event of a transfer of personal data to a country outside the European Union or to an international organisation, EN3S will inform the student and ensure that his rights are properly respected by these same persons.
EN3S undertakes, if necessary, to sign one or more contracts to regulate cross-border data flows.
The provisions on cross-border flows are enforceable against EN3S, except in the derogations provided for in Article 49 of the GDPR.

PROCESSING REGISTER

EN3S, as controller, undertakes to keep an up-to-date register of all processing activities carried out.
This register is a document or application used to identify all processing operations carried out by EN3S as controller.
EN3S undertakes to provide the supervisory authority, on first request, with the information enabling the said authority to verify the conformity of the processing operations with the data protection regulations in force.

RIGHT TO FILE A COMPLAINT WITH THE CNIL

The learner or candidate concerned by the processing of his or her personal data shall be informed of his or her right to lodge a complaint with a supervisory authority, namely the CNIL, if he or she considers that the processing of the personal data concerning him or her does not comply with European data protection regulations, at the following postal address:

COMMISSION NATIONALE DE L’INFORMATIQUE ET DES LIBERTÉS
3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
Tel: 01 53 53 73 73 22 22 22
(Monday to Thursday from 9am to 6.30pm / Friday from 9am to 6pm)
Fax: 01 53 53 73 73 22 00

EVOLUTION

This policy may be modified or amended at any time in the event of legal or jurisprudential changes, decisions and recommendations of the CNIL or practices.
Any new version of this policy will be made available to learners by any means defined by EN3S, including electronic means (e.g. by e-mail or online).

FOR MORE INFORMATION

For further information, you can contact the Data Protection Officer: dpo@en3s.fr