business@school data privacy statement

(as of April 11, 2019)

Download

1.1.1 Preamble

As initiator and operator of the educational initiative business@school, we are pleased by your interest in our online platform www.business-at-school.net ("b@s Platform"). As the responsible party under data protection law, Boston Consulting Group (BCG) takes the protection of your private data very seriously.

In the following, we inform you about the collection of personal information when using our b@s Platform. Personal information is any data that can be related to you personally, e.g., your name, address, e-mail addresses, or user behavior.

1. Responsible party/data protection officer/service provider

Responsible for data processing
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
E-mail: datenschutz@bcg.com

Data protection officer of the responsible party
Dr. Stephan Thiel
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
Tel.: +49 89 231740
E-mail: datenschutz@bcg.com

Service providers contracted
BCG has commissioned the licensor of the b@s Platform—DigiOnline GmbH, Probsteigasse 15-19, 50670 Cologne, Germany—with the hosting and administration of the b@s Platform. For this purpose, your personal information is disclosed to our data processor DigiOnline GmbH and processed as described in this data privacy statement. DigiOnline GmbH has many years of experience in the development of web-based content management systems as well as communication, work, and learning platforms for the education sector and is committed to complying with the applicable data protection regulations.

2. Using the b@s platform

The following applies for every user of the b@s Platform, regardless of whether the user participates in the educational initiative business@school.

2.1 General data processing when acessing the b@s platform
If you use the b@s Platform for informational purposes only, we only collect the personal information that your browser transmits to our server. If you view the b@s Platform, we will collect the following information that is technically required for us to display the b@s Platform to you and to ensure its stability and security.

The legal basis is the legitimate interest in accordance with Article 6(1)(f) of the EU General Data Protection Regulation (GDPR).

We have considered and weighed our interest in the provision and your interest in data protection–compliant processing as part of our balancing of interests in accordance with Article 6(1)(f) GDPR. As the following data points are sometimes required to provide our service of offering you the b@s Platform and guarantee its stability and security, particularly protecting against misuse, we have come to the conclusion that these data points—with a guarantee of data privacy oriented to the state of the art—can be processed, appropriately taking your interest in data protection–compliant processing into consideration.

DataOperating system used
Purpose of processingAnalysis based on devices to ensure an optimized presentation of the website
DataInformation on the browser type and version used
Purpose of processingAnalysis of the browsers used to optimize our websites for them
DataUser’s internet service provider
Purpose of processingAnalysis of the internet service provider
DataIP address
Purpose of processingPresentation of the website on the respective device, compilation of usage statistics
DataDate and time of access
Purpose of processingEnsuring the proper operation of the website
DataManufacturer and type of smartphone, tablet, or other device, where applicable
Purpose of processingAnalysis of the device manufacturers and types of mobile devices for statistical purposes
DataLog files
Purpose of processingEnsuring the proper operation of the website

Storage period
The data in the server log is saved for seven days, after which it is deleted automatically.

The collection of data for provision of the website, and the storage of data in log files, is necessary in order to operate the website. There is therefore no option of objection on the part of the user.

2.2 Cookies—general information
Our b@s Platform uses cookies. Cookies are text files that are saved in the Internet browser, or are saved by the Internet browser in the user's computer system. If a user accesses a website, a cookie may be saved in the user's computer system. The cookie contains a characteristic string of characters that enables a clear identification of the browser when the website is accessed again.

2.3 General information about the legal basis for processing, deleting, and deactivating cookies
If a legal basis is not expressly indicated in this data privacy statement, the following applies to the legal basis for data processing to be stated pursuant to Article 13(1)(c) GDPR:

  • In case of consent granted, Article 6(1)(a) and Article 7 GDPR apply.
  • In case of performance of a contract or in order to take steps and respond to questions, Article 6(1)(b) GDPR applies.
  • In case of compliance with a legal obligation, Article 6(1)(c) GDPR applies.
  • When protecting legitimate interests, Article 6(1)(f) GDPR applies.

Tracking methods are used as pursuant to Article 6(1)(a) (consent) and/or (f) (legitimate interests) GDPR. Our concern in the sense of the GDPR (legitimate interest) is marketing and improving our services and our online presence. If the processing is based on legitimate interests, personal data will generally be pseudonymized.

Unless otherwise indicated in this data privacy statement, the personal information we process will be deleted, or its processing restricted, in accordance with Articles 17 and 18 GDPR. Personal information will be deleted when it is no longer required for the purposes for which it was collected or processed in another way and there is no legal obligation to retain it. The processing will be restricted if the personal information cannot be deleted but is strictly necessary for other purposes, in particular to fulfill commercial or tax obligations.

You have the option to deactivate any cookies used in general, or to object to their use, for instance through the website www.youronlinechoices.com. You can also deactivate cookies through your browser settings.

2.4 Cookies—differentiation by type of cookie

  • a) Technically required cookies
    We use cookies to make the b@s Platform more user-friendly. Some elements on the b@s Platform require the accessing browser to be identifiable even after navigating to a different page. 
    Technically required cookies are not strictly necessary to view the website. However, some functionalities of this website, such as the contact form, cannot be used properly without these cookies. There is therefore no option of objection on the part of the user. However, these cookies can be deactivated by choosing the corresponding setting in the respective browser.
  • b) Audience measurement cookies
    Audience measurement cookies collect information about how the b@s Platform is used. These cookies do not store information that allows the user to be identified. The collected information will be analyzed only in aggregated form and thus anonymously.

2.5 etracker analysis service
If you object to the storage and evaluation of your data as described below, you can opt out of it at any time. An opt-out cookie will then be stored on your browser, with the result that the analysis service etracker described below will not collect any session data. Please keep in mind that completely deleting your cookies will also delete the opt-out cookie, in which case you must reactivate it if desired.

We utilize the services of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (see also www.etracker.com/en/) for the analysis of user data. This employs cookies that enable the statistical analysis of business@school platform use and of content or advertising related to use. Cookies are small text files stored by the Internet browser on the user's end device. etracker cookies contain no information that enable user identification.

The data generated as a result is processed and saved solely in Germany by etracker on our behalf and is thus subject to strict German and European data privacy laws and standards. etracker was independently audited and certified in this regard and awarded the data privacy quality seal www.eprivacy.eu.

Data is processed on the basis of Art. 6, para. 1 lit. f (legitimate interest) of the GDPR. Our legitimate interest is the optimization of our online offering and Web site. Since the private sphere of our visitors is important to us, data that may allow conclusions to be made about any specific person, such as IP addresses and login or device IDs, is anonymized soon as possible. The data is not used for other purposes, etracker does not merge it with its own or other data, and it is not passed on to third parties.

You may object to the data processing described above at any time, insofar as it is done in a person-related manner. Objection has no negative consequences for you.

More information about privacy at etracker can be found at www.etracker.com/en/data-privacy.

Service provider name
etracker GmbH
Erste Brunnenstraße 1
20459 Hamburg
Germany

Service provider type
Processor

Data transfer to third countries
No

Category of data concernedIP address (saved anonymously)
Purpose of processingCreation and modification of cookie information
Legal basis for processingLegitimate interest
Storage periodThe duration of data storage is defined per etracker's stipulations.
Category of data concernedDevice-related data such as device type, model, operating system, browser type and version
Purpose of processingOptimization of the business@school platform and modification of content
Legal basis for processingegitimate interest
Storage periodThe duration of data storage is defined per etracker stipulations.
Category of data concernedUse-related information such as time and duration of use
Purpose of processingOptimization of the business@school platform and modification of content
Legal basis for processingLegitimate interest
Storage periodThe duration of data storage is defined per etracker stipulations.

3. Newsletters

You will receive newsletters or informational e-mails from us with news and current information about the business@school competition if you subscribe with your e-mail address.

We use the so-called double opt-in procedure when you subscribe for our newsletters. That means that, once you enter an e-mail address, we will send a confirmation e-mail to that e-mail address asking you to confirm that you wish to receive our newsletter. If you do not confirm within seven days, your subscription will be deleted automatically. If you confirm that you wish to receive the newsletter, we will store your e-mail address until you unsubscribe. The storage of your e-mail address serves the sole purpose of sending you our newsletter. We will also save the IP addresses and times of your subscription and confirmation to prevent misuse of your personal information.

You may revoke your consent to the receipt of our newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending a message to the data protection officer. Your e-mail address will then be automatically deleted from the newsletter distribution list. The information you provide will not be disclosed to third parties.

The e-mails will be sent by DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne.

The processing for the purposes of our newsletter is based on your consent (Article 6(1)(a) GDPR). The double opt-in procedure is based on our legitimate interest in accordance with Article 6(1)(f) GDPR, as we have to prove your consent (Article 7(1) GDPR).

4. Registration for participation in business@school

4.1 Registering as a judge
Those who have received a response link from BCG by e-mail (particularly former student participants, BCG alumni, and coaches) can indicate on the b@s Platform their availability as a judge for the school competitions.

When registering in this way, you transmit the following personal information to us:

  • IP address
  • First name
  • Last name
  • Company
  • Mobile or landline number
  • E-mail address
  • Preferred schools

We will use this information in organizing and carrying out the school competitions.

The legal basis for this processing of your personal information (including forwarding) is Art. 6(1) sentence 1b GDPR.

4.2 Guest registration for a business@school event
On our b@s Platform, users have the option of registering for the regional competitions and our international finals. When registering in this way, you transmit the following personal information to us:

  • IP address
  • Form of address
  • Title (optional)
  • First name
  • Last name
  • E-mail address
  • Event
  • Time of participation
  • If specified: Role description (family member or supporter, teacher, student, b@s alumni, b@s coach, or guest) and company/organization/school

We use this data exclusively to organize and carry out the chosen event(s), including preparation of name tags.

The legal basis for this processing of your personal information is Art. 6(1) sentence 1b GDPR. The processing of the optional information is based on our legitimate interest in accordance with Art. 6(1) sentence 1f GDPR in improving our event offerings by analyzing the groups of visitors.

5. Using the b@s platform as a participant in buiness@school

If you register on the b@s Platform to participate in the educational initiative business@school as a teacher, student, or coach, the following additional data protection information will apply to you. Participants in business@school may be teachers, students, former participating students, and coaches.

5.1 Registering with business@school
Participation in business@school is generally only permitted for individuals 18 years of age and older. Minors who wish to participate in business@school require the consent of their legal guardians.

5.2 Mandatory information when registering
In order to enable you to participate in business@school and use a nonpublicly accessible participant area of our b@s Platform, we collect, process, and use the following mandatory data for registration and participation:

Participating teachers:

  • First and last name
  • Gender
  • School name
  • Town of the school
  • Private e-mail address

For students:

  • First and last name
  • Birthday
  • Gender
  • Grade at the time of participation
  • School name
  • Town of the school
  • Postal code, city, and country
  • Private e-mail address

Student assistants of business@school (FastForwarders) who register on the b@s Platform as a coach:

  • First and last name
  • Course and place of study
  • Coach category
  • Private e-mail address
  • Mobile or landline number
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

Current employees of BCG who register as a coach on the b@s Platform:

  • First and last name
  • E-mail address
  • Cohort/department
  • Office
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

Other people who register as a coach on the b@s Platform:

  • First and last name
  • Company
  • Position
  • Coach category
  • Private e-mail address
  • Mobile or landline number
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

You can amend or supplement parts of this information at any time under "Profile" in the "My b@s" area

The input and processing of this personal data is necessary for the execution of the business@school competition, for providing the nonpublicly accessible area of the b@s Platform, for the communication, coordination, and support between the participants, and for the communication between BCG and the participants.

The legal basis for processing the required information is Article 6(1)(b) GDPR.

In addition to the aforementioned mandatory information, a title and a reason for first-time or renewed participation can be indicated when registering. The processing of the optional information is based on our legitimate interests in accordance with Art. 6(1) sentence 1f GDPR in improving our event offerings by gathering information about participants.

5.3 Voluntary information
Besides the required information, you have the option of providing additional information on a purely voluntary basis on the b@s Platform to enable other business@school participants to get to know you better, socialize, and exchange thoughts. Voluntary information comprises any data included under "Profile" other than the required information. BCG uses this information only in the context of the intended purpose of this agreement. You can amend, supplement, or delete your voluntary information at any time in the "My b@s" area.

The legal basis for this is Article 6(1)(a) GDPR.

5.4 Personal profile
Parts of your information collected during the registration with business@school is automatically transferred to your profile in the "My b@s" area. In addition to the required information, you may include a photograph of yourself in your profile. Your profile will be visible to other participants of business@school. In the participant lists of business@school and in the sections of the b@s Platform in which you have authored contributions, a profile icon will appear next to your permanently visible user name as contribution author. The profile icon opens by clicking and provides the following personal information, insofar as you have provided or linked to it:

  • First and last name
  • Date of birth (students)
  • Gender
  • Name of the school
  • Grade at the time of participation (students)
  • Postal code and city/town (students)
  • Country
  • Phone (teachers) and mobile number
  • Private e-mail address
  • University (and city) (business@school alumni)
  • Studies/education (business@school alumni)
  • Company (coach)

The information you provide in your profile may be amended, supplemented, or deleted at any time.

5.5 business@school e-mail address
address. The e-mail address you are assigned by business@school is based on the user name you provide during registration. An additional element of the e-mail address indicates your type of membership:

  • Teachers receive the name of their school as e-mail address addition.
  • Students receive the e-mail address "student" with indication of the year in which they participated in a business@school competition.
  • Participating coaches receive the e-mail address "coach."

Other business@school participants can find your business@school e-mail address, e.g., in the respective participant lists on business@school and in your profile. We use the business@school e-mail address to provide you with current information about business@school. All participants can use their business@school e-mail address for their collaboration during the project year.

The legal basis for this is Article 6(1) sentence 1(b) and (f) GDPR. Our legitimate interest lies in enabling communication and coordination between participating teachers, students, and coaches.

5.6 Quick messenger service
BCG provides business@school participants with a quick messenger service to enable participants to send messages among each other personally and in groups (QuickMessages). These messages are saved in the system for 30 days in a personal area that can be viewed by the participant in the "My b@s" section, and are then automatically deleted. The same storage period also applies to messages sent to groups.

If a QuickMessage is sent to a participant who is offline, it will be saved for a maximum of 28 days in an attempt to deliver it. At the next login during this period, the participant will receive the QuickMessage, which will then be deleted from the system. If the participant does not log in during the 28-day period, the QuickMessage will be deleted without having been delivered to the recipient.

The legal basis for this is Article 6(1) sentence 1(b) and (f) GDPR. Our legitimate interest lies in enabling communication and coordination between participating teachers, students, and coaches.

5.7 Information in the publicly accessible section
As part of the competition, the following information of the participants will be made public on the b@s Platform, provided that a separate informed consent form has been obtained.

Participating teachers:

  • First and last name
  • School name
  • Town of the school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

Students:

  • First and last name
  • Age
  • School name
  • Town of the school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

Participating coaches:

  • First and last name
  • Company
  • Name and town of mentored school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

This information is publicly accessible in various areas of the b@s Platform (e.g., in the areas "Current Events" and "Press").

The legal basis for these is Article 6(1)(a) GDPR.

5.8 Usage data
In the course of your usage of the b@s Platform, the following data will be gathered.

  • User name (login name)
  • First and last name
  • Date account created
  • The date and time of your first, last, and second-to-last login as well as your IP address at the time of your last login
  • Storage space used in the mail service and file storage functions, as well as membership in institutions, etc.
  • All participants may use their external e-mail address instead of their business@school e-mail address as an alternative login (alias).

This usage data will be stored until the respective user account is deleted or deleted in accordance with section 5.9 if the user account has not already been deleted. We process and use the usage data exclusively to enable the use of the b@s Platform without any consent given separately.

The legal basis for this is Article 6(1)(b) GDPR.

5.9 Deletion of data
The access data for the online platform will be deleted four years after participation in the competition, together with all personal information processed in connection with the access to the online platform.

Contact details of the participating students—i.e., first and last name, external e-mail address, school, and year of participation—are stored by BCG outside the b@s Platform and used according to section 5.10 until one of the following takes place:

  • Deregistration in the context of coach feedback
  • Objection to the usage of the data

5.10 Usage of contact details after the project year
The contact details of participating students described in section 5.0 will be used by BCG after the end of a business@school project year for contacting you and providing you with general information about business@school. This particularly includes the annual inquiry as to whether the students (either again or for the first time) would like to be a coach. To that end, business@school sends and e-mail with a link to a website on which alumni students can register as coaches by filling out the registration forms.

The legal basis for the use of these contact details is Article 6(1) sentence 1(f) GDPR. Our legitimate interest lies in the advancement of the educational initiative business@school by including former students.

6.General data protection information

6.1  Disclosure of data
In general, a transferring of your personal data to third parties other than the recipients mentioned in this data privacy statement or to the specified recipients for purposes other than those specified will not take place.

We will only share your personal information with third parties if

  • you have given us your express consent to do so (legal basis: Art. 6(1)(a) GDPR),
  • the disclosure is necessary for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data (legal basis: Article 6(1)(f) GDPR—our legitimate interest lies in the ability to assert legal claims or defend ourselves against legal claims),
  • we are legally required to disclose the information (legal basis: Art. 6(1)(c) GDPR),
  • it is otherwise legally permitted and necessary for processing our contractual relationships with you (legal basis: Art. 6(1)(b) GDPR).

6.2 Information about rights of data subjects
Every data subject has the right of access to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. With regard to the right of access to information and the right to erasure, the limitations of § 34 and § 35 of the German Federal Data Protection Act (BDSG) apply.

6.3 Information about the right to lodge a complaint
You also have the right to lodge a complaint with a competent data protection supervisory authority about our processing of your personal information.

6.4 Information about revocation of consent
You can revoke your consent to the processing of your personal information (e.g., in the context of the declaration of consent for participating in business@school or in registering for the newsletter) at any time. This also applies to the revocation of declarations of consent given to us before the GDPR took effect, i.e., before May 25, 2018. Please note that the revocation will only take effect for the future. Any processing that occurred before the revocation will not be affected.

6.5 Information about the right to objection in balancing of interests
If our processing of your personal information is based on a balancing of interests, you may object to such processing. Should you issue such an objection, we ask you to explain the reasons why we should not process your personal information in the ways we have described. In the event of your justified objection, we will examine the facts and either discontinue or adapt the data processing or explain to you our compelling reasons for processing worthy of protection, on the basis of which the processing must take place despite your objection.

7. Links to other websites

The b@s Platform may contain links to websites of other providers. Please note that this data privacy statement applies exclusively to the online platforms of business@school. We have no influence over and cannot control other providers' compliance with the applicable privacy laws.

8. Career

You may apply for a position with BCG electronically. We will of course use your information for the sole purpose of processing your application and will not disclose it to third parties. Please note that access-restricted transmission is not provided for e‑mails sent unencrypted.

9. Amendments to the data privacy statement

We reserve the right to amend or adapt this privacy statement at any time in accordance with the applicable data protection regulations.

 
 
 
Contact

For general questions:
Send e-mail