business@school data privacy information

(status of March 15, 2019)


1.1.1 Preamble

As initiator and operator of the educational initiative business@school, we are pleased at your interest in our online platform. As the responsible party under data protection law, Boston Consulting Group (BCG) takes the protection of your private data very seriously.

In the following, we inform you about the collection of personal information when using our website. Personal information is any data that can be related to you personally, e.g., your name, address, e-mail addresses, or user behavior.

BCG has commissioned the licensor of this online platform—DigiOnline GmbH, Probsteigasse 15-19, 50670 Cologne, Germany—with the hosting and administration of business@school. For this purpose, your personal information is disclosed to our data processor DigiOnline GmbH and processed as described in this data privacy information. DigiOnline GmbH has many years of experience in the development of web-based content management systems as well as communication, work, and learning platforms for the education sector and is committed to complying with the applicable data protection regulations. 

1.1.2 Responsible party/Data protection officer

Responsible for data processing
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich

Data protection officer of the responsible party
Dr. Stephan Thiel
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Tel.: +49 89 231740

1.1.3 General data collection when accessing our website

If you use our website for information purposes only, we only collect the personal information that your browser transmits to our server. If you view our website, we will collect the following information that is technically required for us to display our website to you and to ensure its stability and security. The legal basis is the legitimate interest in accordance with Article 6(1)(f) GDPR.

We have considered and weighed our interest in the provision and your interest in data protection-compliant processing as part of our balancing of interests in accordance with Article 6(1)(f) GDPR. As the following data is sometimes needed for technical reasons to make our website available and to ensure its stability and security, in particular protection against misuse, we have come to the conclusion that this data can be processed—with a state-of-the-art guarantee of data security—with due consideration to your interest in data protection-compliant processing.

Data: Operating system used
Purpose of processing: Analysis based on devices to ensure an optimized presentation of the website

Data: Information on the browser type and version used
Purpose of processing: Analysis of the browsers used to optimize our websites for them

Data: User’s internet service provider
Purpose of processing: Analysis of the internet service provider

Data: IP address
Purpose of processing: Presentation of the website on the respective device, compilation of usage statistics

Data: Date and time of access
Purpose of processing: Ensuring the proper operation of the website

Data: Manufacturer and type of smartphone, tablet, or other device, where applicable
Purpose of processing: Analysis of the device manufacturers and types of mobile devices for statistical purposes

Data: Log files
Purpose of processing: Ensuring the proper operation of the website

Storage period
The data in the server log is saved for seven days, after which it is deleted automatically.

The collection of data for provision of the website, and the storage of data in log files, is necessary in order to operate the website. There is therefore no option of objection on the part of the user.

1.1.4 General information about the legal basis for processing, deleting, and deactivating cookies

In accordance with Article 13(1)(c) GDPR, the following applies with regard to the legal basis, unless stated in this data privacy statement:

  • In case of consent granted, Article 6(1)(a) and Article 7 GDPR apply.
  • In case of performance of a contract or in order to take steps and respond to questions, Article 6(1)(b) GDPR applies.
  • In case of compliance with a legal obligation, Article 6(1)(c) GDPR applies.
  • When protecting legitimate interests, Article 6(1)(f) GDPR applies.

Our concern in the sense of the GDPR (legitimate interest) is marketing and improving our services and our online presence. If the processing is based on legitimate interests, personal data will generally be pseudonymized.

Unless otherwise indicated in this data privacy statement, the personal information we process will be deleted, or its processing restricted, in accordance with Articles 17 and 18 GDPR. Personal information will be deleted when it is no longer required for the purposes for which it was collected or processed in another way and there is no legal obligation to retain it. The processing will be restricted if the personal information cannot be deleted but is strictly necessary for other purposes, in particular to fulfill commercial or tax obligations.

You have the option to deactivate any cookies used in general, or to object to their use, for instance through the website . You can also deactivate cookies through your browser settings.

1.1.5 Cookies—general information

Our website uses cookies. Cookies are text files that are saved in the internet browser, or are saved by the internet browser in the user’s computer system. If a user accesses a website, a cookie may be saved in the user’s operating system. The cookie contains a characteristic string of characters that enables a clear identification of the browser when the website is accessed again.

1.1.6 Cookies—differentiation by type of cookie

  • a) Technically required cookies
    We use cookies to make our website more user-friendly. Some elements on our website require the accessing browser to be identifiable even after moving to a different page. 

    Technically required cookies are not strictly necessary to view the website. However, some functionalities of this website, such as the contact form, cannot be used properly without these cookies. There is therefore no option of objection on the part of the user. However, these cookies can be deactivated by choosing the corresponding setting in the respective browser.
  • b) Audience measurement cookies
    Audience measurement cookies collect information about how our website is used. These cookies do not store information that allows the user to be identified. The collected information will be analyzed only in aggregated form and thus anonymously.

1.1.7 etracker analysis service

If you object to the storage and evaluation of your data as described below, you can opt out of it at any time by clicking below or deactivating it on each page. An opt-out cookie will then be stored on your browser, with the result that the analysis service etracker described below will not collect any session data. Please keep in mind that completely deleting your cookies will also delete the opt-out cookie, in which case you must reactivate it if desired.

We utilize the services of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany, for the analysis of user data. This employs cookies that enable the statistical analysis of business@school platform use and of content or advertising related to use. Cookies are small text files stored by the Internet browser on the user's end device. etracker cookies contain no information that enables user identification.

The data generated as a result is processed and saved solely in Germany by etracker on our behalf and is thus subject to strict German and European data privacy laws and standards. etracker was independently audited and certified in this regard and awarded the data privacy quality seal

Data is processed on the basis of Art. 6, para. 1 lit. f (legitimate interest) of the GDPR. Our legitimate interest is the optimization of our online offering and Web site. Since the private sphere of our visitors is important to us, data that may allow conclusions to be made about any specific person, such as IP addresses and login or device IDs, is anonymized as soon as possible. The data is not used for other purposes, etracker does not merge it with its own or other data, and it is not passed on to third parties.

You may object to the data processing described above at any time, insofar as it is done in a person-related manner. Objection has no negative consequences for you.

More information about privacy at etracker can be found at

Service provider name
etracker GmbH
Erste Brunnenstraße 1
20459 Hamburg

Service provider type

Data transfer to third countries

Category of data concerned: IP address (saved anonymously)
Purpose of processing: Creation and modification of cookie information
Legal basis for processing: Legitimate interest
Storage period: The duration of data storage is defined per etracker's stipulations.

Category of data concerned: Device-related data such as device type, model, operating system, browser type and version
Purpose of processing: Optimization of the business@school platform and modification of content
Legal basis for processing: Legitimate interest
Storage period: The duration of data storage is defined per etracker stipulations.

Category of data concerned: Use-related information such as time and duration of use
Purpose of processing: Optimization of the business@school platform and modification of content
Legal basis for processing: Legitimate interest
Storage period: The duration of data storage is defined per etracker stipulations.

1.1.8 Newsletter

You will receive newsletters or informational e-mails from us with news and current information about the business@school competition if you subscribe with your e-mail address.

We use the so-called double opt-in procedure when you subscribe for our newsletters. That means that, once you enter an e-mail address, we will send a confirmation e-mail to that e-mail address asking you to confirm that you wish to receive our newsletter. If you do not confirm within seven days, your subscription will be deleted automatically. If you confirm that you wish to receive the newsletter, we will save your e-mail address until you unsubscribe. The storage serves the sole purpose of sending you our newsletter. We will also save the IP addresses and times of your subscription and confirmation to prevent misuse of your personal information.

You may revoke your consent to receipt of our newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending a message to the data protection officer. Your e-mail address will then be automatically deleted from the newsletter distribution list. The information you provide will not be disclosed to third parties.

The e-mails will be sent by DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne.

The processing for the purposes of our newsletter is based on your consent (Article 6(1)(a) GDPR). The double opt-in procedure is based on our legitimate interest in accordance with Article 6(1)(f) GDPR, as we have to prove your consent (Article 7(1) GDPR).

1.1.9 Guest registration for a business@school event

On our online platforms, users have the option of registering for the regional competitions and our international finals. When registering in this way, you transmit the following personal information to us: IP address, honorific, title (optional), first name, last name, e‑mail address, chosen event, time of participation, and—where indicated—role description (family member or supporter, teacher, student, b@s alum, b@s coach, or guest), and company/organization/school. We use this data exclusively to organize and carry out the chosen event(s), including preparation of name tags.

The legal basis for this processing of your personal information is Art. 6(1) sentence 1b GDPR. The processing of the optional information is based on our legitimate interest in accordance with Art. 6(1) sentence 1f GDPR in improving our event offerings by analyzing the groups of visitors.

1.1.10 Disclosure of data

Your personal information will not be disclosed to third parties other than for the purposes listed above.

We will only share your personal information with third parties if

  • you have given us your express consent to do so,
  • the disclosure is necessary for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
  • we are legally required to disclose the information,
  • it is otherwise legally permitted or necessary for processing our contractual relationships with you.

1.2 Use of the website as a member of business@school

If you register with business@school to become a member of business@school, the following additional data protection information will apply to you: Members may be participating teachers, students, former participating students, and participating coaches.

1.2.1 Registration as a member of business@school

Participation in business@school is generally only permitted for individuals over 18 years of age. Minors who wish to participate in business@school require the consent of their legal guardians.

1.2.2 Collection, processing, and use of members’ personal information

Required information

In order to allow you to use the services of business@school, we collect, process, and use the required information necessary for registration and participation:

  • First and last name
  • Date of birth (students)
  • Gender
  • Grade at the time of participation (students)
  • School name
  • Postal code, city/town, and country (students)
  • External e-mail address

You can amend or supplement this information at any time under “Profile” in the “My b@s” area. The legal basis for processing the required information is Article 6(1)(b) GDPR.

Voluntary information

Besides the required information, as a member of business@school you have the option of providing additional information on a purely voluntary basis to enable other members to get to know you better, socialize, and exchange thoughts. Voluntary information comprises any data included under “Profile” other than the required information. We use this information only in the context of the intended purpose of this agreement. You can amend, supplement, or delete your voluntary information at any time in the “My b@s” area. The legal basis for this is Article 6(1)(a) GDPR.

Personal profile

Your information collected during the registration with business@school is automatically transferred to your profile in the “My b@s” area. In addition to the required information, you may include a photograph of yourself in your profile. Your profile will be visible to other members of business@school. In the member lists of business@school and in the sections of the online portal in which you have authored contributions, a profile icon will appear next to your permanently visible user name as contribution author. The profile icon opens by clicking and provides the following personal information, insofar as you have provided or linked to it:

  • First and last name
  • Date of birth (students)
  • Gender
  • Name of the school
  • Grade at the time of participation (students)
  • Postal code and city/town (students)
  • Country
  • Phone (teachers) and mobile number
  • External e-mail address
  • University (and city) (business@school alumni)
  • Studies/education (business@school alumni)

The information you provide in your profile may be amended, supplemented, or deleted at any time.

business@school e-mail address

Participants in business@school will be assigned a business@school e-mail address. The e-mail address you are assigned by business@school is based on the user name you provide during registration. An additional element of the e-mail address indicates your type of membership:

  • Teachers receive the name of their school as e-mail address addition.
  • Students receive the e-mail address “student” with indication of the year in which they participated in a business@school competition.

Other business@school members can find your business@school e-mail address, e.g., in the respective member lists on business@school and in your profile. We will use the business@school address to provide you with current information on business@school as well as all project participants for collaboration during the project year.

Quick messenger service

business@school provides its participants with a quick messenger service to enable them to exchange personal messages with each other individually or in groups (QuickMessages). These messages are saved in the system for 30 days in a personal area that can be viewed by the user in the "My b@s" section, and are then automatically deleted. This storage period also applies to messages sent to groups.

If a QuickMessage is sent to a user who is offline, it will be saved for a maximum of 28 days in an attempt to deliver it. At the next login during this period, the user will receive the QuickMessage, which will then be deleted from the system. If the user does not log in during the 28-day period, the QuickMessage will be deleted without having been delivered to the recipient.

Information in the publicly accessible section

In the context of the competition, the following information of the students participating in business@school in particular will be published, provided that a separate informed consent form has been obtained: name, age, attended school, name and description of the business idea, and photographs. This information is publicly accessible in various areas of business@school (e.g., in the areas “Events” and “Press”). The legal basis for this is Article 6(1)(a) GDPR.

Usage data

In the course of your activities at business@school, the following data will be collected:

  • User name (login name)
  • First and last name, date of account creation
  • Storage space used in the mail service and file storage functions, as well as membership in institutions, etc.
  • All participants may use their external e-mail address instead of their business@school e-mail address as an alternative login (alias).

This usage data will be saved until you delete your user account. We process and use the usage data without a separate consent granted on your part exclusively to allow the use of business@school, in accordance with Article 6(1)(b) GDPR.

Deletion of data

The access data for the online platform will be deleted four years after participation in the competition, together with all personal information processed in connection with the access to the online platform.

1.2.3 Information about rights of data subjects

Every data subject has the right of access to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. With regard to the right of access to information and the right to erasure, the limitations of § 34 and § 35 of the German Federal Data Protection Act (BDSG) apply.

1.2.4 Information about the right to lodge a complaint

You also have the right to lodge a complaint with a competent data protection supervisory authority about our processing of your personal information.

1.2.5 Information about revocation of consent

You can revoke your consent to the processing of your personal information at any time. This also applies to the revocation of declarations of consent given to us before the GDPR took effect, i.e., before May 25, 2018. Please note that the revocation will only take effect for the future. Any processing that occurred before the revocation will not be affected.

1.2.6 Information about the right to objection in balancing of interests

If our processing of your personal information is based on a balancing of interests, you may object to such processing. Should you issue such an objection, we ask you to explain the reasons why we should not process your personal information in the ways we have described. In the event of a justified objection, we will examine the facts and either discontinue or adjust our data processing, or explain our compelling, protectable reasons due to which the processing must continue despite your objection.

1.3 Links to other websites

Our websites may contain links to the websites of other providers. Please note that this data privacy statement applies exclusively to the business@school website. We have no influence over and cannot control other providers’ compliance with the applicable privacy laws.

1.4 Career

You may apply for a position with BCG electronically. We will of course use your information for the sole purpose of processing your application and will not disclose it to third parties. Please note that access-restricted transmission is not provided for e‑mails sent unencrypted.

1.5 Changes to the privacy policy

We reserve the right to amend or adapt this privacy policy at any time in accordance with the applicable data protection regulations.

