business@school data privacy information

(Status of November 15, 2018)


1.1.1 Preamble

As initiator and operator of the educational initiative business@school, we are pleased at your interest in our online platform. As the responsible party under data protection law, Boston Consulting Group (BCG) takes the protection of your private data very seriously.

In the following, we inform you about the collection of personal information when using our website. Personal information is any data that can be related to you personally, e.g., your name, address, e-mail addresses, or user behavior.

BCG has commissioned the licensor of this online platform—DigiOnline GmbH, Probsteigasse 15-19, 50670 Cologne, Germany—with the hosting and administration of business@school. For this purpose, your personal information is disclosed to our data processor DigiOnline GmbH and processed as described in this data privacy information. DigiOnline GmbH has many years of experience in the development of web-based content management systems as well as communication, work, and learning platforms for the education sector and is committed to complying with the applicable data protection regulations. 

1.1.2 Responsible party/Data protection officer

Responsible for data processing
Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich

Data protection officer of the responsible party
Dr. Stephan Thiel
Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Tel.: +49 89 231740

1.1.3 General data collection when accessing our website

If you use our website for information purposes only, we only collect the personal information that your browser transmits to our server. If you view our website, we will collect the following information that is technically required for us to display our website to you and to ensure its stability and security. The legal basis is the legitimate interest in accordance with Article 6(1)(f) GDPR.

We have considered and weighed our interest in the provision and your interest in data protection-compliant processing as part of our balancing of interests in accordance with Article 6(1)(f) GDPR. As the following data is sometimes needed for technical reasons to make our website available and to ensure its stability and security, in particular protection against misuse, we have come to the conclusion that this data can be processed—with a state-of-the-art guarantee of data security—with due consideration to your interest in data protection-compliant processing.

DataOperating system used
Purpose of processingAnalysis based on devices to ensure an optimized presentation of the website
DataInformation on the browser type and version used
Purpose of processingAnalysis of the browsers used to optimize our websites for them
DataUser’s internet service provider
Purpose of processingAnalysis of the internet service provider
DataIP address
Purpose of processingPresentation of the website on the respective device, compilation of usage statistics
DataDate and time of access
Purpose of processingEnsuring the proper operation of the website
DataManufacturer and type of smartphone, tablet, or other device, where applicable
Purpose of processingAnalysis of the device manufacturers and types of mobile devices for statistical purposes
DataLog files
Purpose of processingEnsuring the proper operation of the website

Storage period
The data in the server log is saved for seven days, after which it is deleted automatically.

The collection of data for provision of the website, and the storage of data in log files, is necessary in order to operate the website. There is therefore no option of objection on the part of the user.

1.1.4 General information about the legal basis for processing, deleting, and deactivating cookies

In accordance with Article 13(1)(c) GDPR, the following applies with regard to the legal basis, unless stated in this data privacy statement:

  • In case of consent granted, Article 6(1)(a) and Article 7 GDPR apply.
  • In case of performance of a contract or in order to take steps and respond to questions, Article 6(1)(b) GDPR applies.
  • In case of compliance with a legal obligation, Article 6(1)(c) GDPR applies.
  • When protecting legitimate interests, Article 6(1)(f) GDPR applies.

Our concern in the sense of the GDPR (legitimate interest) is marketing and improving our services and our online presence. If the processing is based on legitimate interests, personal data will generally be pseudonymized.

Unless otherwise indicated in this data privacy statement, the personal information we process will be deleted, or its processing restricted, in accordance with Articles 17 and 18 GDPR. Personal information will be deleted when it is no longer required for the purposes for which it was collected or processed in another way and there is no legal obligation to retain it. The processing will be restricted if the personal information cannot be deleted but is strictly necessary for other purposes, in particular to fulfill commercial or tax obligations.

You have the option to deactivate any cookies used in general, or to object to their use, for instance through the website . You can also deactivate cookies through your browser settings.

1.1.5 Cookies—general information

Our website uses cookies. Cookies are text files that are saved in the internet browser, or are saved by the internet browser in the user’s computer system. If a user accesses a website, a cookie may be saved in the user’s operating system. The cookie contains a characteristic string of characters that enables a clear identification of the browser when the website is accessed again.

1.1.6 Cookies—differentiation by type of cookie

  • a) Technically required cookies
    We use cookies to make our website more user-friendly. Some elements on our website require the accessing browser to be identifiable even after moving to a different page. 

    Technically required cookies are not strictly necessary to view the website. However, some functionalities of this website, such as the contact form, cannot be used properly without these cookies. There is therefore no option of objection on the part of the user. However, these cookies can be deactivated by choosing the corresponding setting in the respective browser.
  • b) Audience measurement cookies
    Audience measurement cookies collect information about how our website is used. These cookies do not store information that allows the user to be identified. The collected information will be analyzed only in aggregated form and thus anonymously.

1.1.7 Newsletter

You will receive newsletters or informational e-mails from us with news and current information about the business@school competition if you subscribe with your e-mail address.

We use the so-called double opt-in procedure when you subscribe for our newsletters. That means that, once you enter an e-mail address, we will send a confirmation e-mail to that e-mail address asking you to confirm that you wish to receive our newsletter. If you do not confirm within seven days, your subscription will be deleted automatically. If you confirm that you wish to receive the newsletter, we will save your e-mail address until you unsubscribe. The storage serves the sole purpose of sending you our newsletter. We will also save the IP addresses and times of your subscription and confirmation to prevent misuse of your personal information.

You may revoke your consent to receipt of our newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending a message to the data protection officer. Your e-mail address will then be automatically deleted from the newsletter distribution list. The information you provide will not be disclosed to third parties.

The e-mails will be sent by DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne.

The processing for the purposes of our newsletter is based on your consent (Article 6(1)(a) GDPR). The double opt-in procedure is based on our legitimate interest in accordance with Article 6(1)(f) GDPR, as we have to prove your consent (Article 7(1) GDPR).

1.1.8 Disclosure of data

Your personal information will not be disclosed to third parties other than for the purposes listed above.

We will only share your personal information with third parties if

  • you have given us your express consent to do so,
  • the disclosure is necessary for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
  • we are legally required to disclose the information,
  • it is otherwise legally permitted or necessary for processing our contractual relationships with you.

1.2 Use of the website as a member of business@school

If you register with business@school to become a member of business@school, the following additional data protection information will apply to you: Members may be participating teachers, students, former participating students, and participating coaches.

1.2.1 Registration as a member of business@school

Participation in business@school is generally only permitted for individuals over 18 years of age. Minors who wish to participate in business@school require the consent of their legal guardians.

1.2.2 Collection, processing, and use of members’ personal information Required information

In order to allow you to use the services of business@school, we collect, process, and use the required information necessary for registration and participation:

  • First and last name
  • Date of birth (students)
  • Gender
  • Grade at the time of participation (students)
  • School name
  • Postal code, city/town, and country (students)
  • External e-mail address

You can amend or supplement this information at any time under “Profile” in the “My b@s” area. The legal basis for processing the required information is Article 6(1)(b) GDPR. Voluntary information

Besides the required information, as a member of business@school you have the option of providing additional information on a purely voluntary basis to enable other members to get to know you better, socialize, and exchange thoughts. Voluntary information comprises any data included under “Profile” other than the required information. We use this information only in the context of the intended purpose of this agreement. You can amend, supplement, or delete your voluntary information at any time in the “My b@s” area. The legal basis for this is Article 6(1)(a) GDPR. Personal profile

Your information collected during the registration with business@school is automatically transferred to your profile in the “My b@s” area. In addition to the required information, you may include a photograph of yourself in your profile. Your profile will be visible to other members of business@school. In the member lists of business@school and in the sections of the online portal in which you have authored contributions, a profile icon will appear next to your permanently visible user name as contribution author. The profile icon opens by clicking and provides the following personal information, insofar as you have provided or linked to it:

  • First and last name
  • Date of birth (students)
  • Gender
  • Name of the school
  • Grade at the time of participation (students)
  • Postal code and city/town (students)
  • Country
  • Phone (teachers) and mobile number
  • External e-mail address
  • University (and city) (business@school alumni)
  • Studies/education (business@school alumni)

The information you provide in your profile may be amended, supplemented, or deleted at any time. business@school e-mail address

Participants in business@school will be assigned a business@school e-mail address. The e-mail address you are assigned by business@school is based on the user name you provide during registration. An additional element of the e-mail address indicates your type of membership:

  • Teachers receive the name of their school as e-mail address addition.
  • Students receive the e-mail address “student” with indication of the year in which they participated in a business@school competition.

Other business@school members can find your business@school e-mail address, e.g., in the respective member lists on business@school and in your profile. We will use the business@school address to provide you with current information on business@school as well as all project participants for collaboration during the project year. Quick messenger service

business@school provides its members with a quick messenger service to allow members to exchange messages (QuickMessages) among each other. These messages are not saved permanently in the system.

If a QuickMessage is sent to a user who is offline, it will be saved for a maximum of 28 days in an attempt to deliver it. At the next login during this period, the user will receive the QuickMessage, which will then be deleted from the system. If the user does not log in during the 28-day period, the QuickMessage will be deleted without having been delivered to the recipient. Information in the publicly accessible section

In the context of the competition, the following information of the students participating in business@school in particular will be published, provided that a separate informed consent form has been obtained: name, age, attended school, name and description of the business idea, and photographs. This information is publicly accessible in various areas of business@school (e.g., in the areas “Events” and “Press”). The legal basis for this is Article 6(1)(a) GDPR. Usage data

In the course of your activities at business@school, the following data will be collected:

  • User name (login name)
  • First and last name, date of account creation
  • Storage space used in the mail service and file storage functions, as well as membership in institutions, etc.
  • All participants may use their external e-mail address instead of their business@school e-mail address as an alternative login (alias).

This usage data will be saved until you delete your user account. We process and use the usage data without a separate consent granted on your part exclusively to allow the use of business@school, in accordance with Article 6(1)(b) GDPR. Deletion of data

The access data for the online platform will be deleted four years after participation in the competition, together with all personal information processed in connection with the access to the online platform.

1.2.3 Information about rights of data subjects

Every data subject has the right of access to information under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR, and the right to data portability under Article 20 GDPR. With regard to the right of access to information and the right to erasure, the limitations of § 34 and § 35 of the German Federal Data Protection Act (BDSG) apply.

1.2.4 Information about the right to lodge a complaint

You also have the right to lodge a complaint with a competent data protection supervisory authority about our processing of your personal information.

1.2.5 Information about revocation of consent

You can revoke your consent to the processing of your personal information at any time. This also applies to the revocation of declarations of consent given to us before the GDPR took effect, i.e., before May 25, 2018. Please note that the revocation will only take effect for the future. Any processing that occurred before the revocation will not be affected.

1.2.6 Information about the right to objection in balancing of interests

If our processing of your personal information is based on a balancing of interests, you may object to such processing. Should you issue such an objection, we ask you to explain the reasons why we should not process your personal information in the ways we have described. In the event of a justified objection, we will examine the facts and either discontinue or adjust our data processing, or explain our compelling, protectable reasons due to which the processing must continue despite your objection.

1.3 Links to other websites

Our websites may contain links to the websites of other providers. Please note that this data privacy statement apples exclusively to the business@school website. We have no influence over and cannot control other providers’ compliance with the applicable privacy laws.

1.4 Career

You may apply for a position with BCG electronically. We will of course use your information for the sole purpose of processing your application and will not disclose it to third parties. Please note that access-restricted transmission is not provided for e‑mails sent unencrypted.

1.5 Changes to the privacy policy

We reserve the right to amend or adapt this privacy policy at any time in accordance with the applicable data protection regulations.


For general questions:
Send e-mail