business@school data privacy statement

(as of August 18, 2020)

Download

Preamble

As initiator and operator of the educational initiative business@school, we are pleased by your interest in our online platform www.business-at-school.net ("b@s platform"). As the responsible party under data protection law, The Boston Consulting Group GmbH (BCG) takes the protection of your personal data very seriously.

In the following, we inform you about how personal information is processed when you use the b@s platform. Personal information is any data that can be related to you personally, e.g., your name, address, e-mail addresses, or user behavior.

1. Responsible party/data protection officer/service provider

Responsible for data processing
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
E-mail: datenschutz@bcg.com

Data Protection Officer of the responsible party
Dr. Stephan Thiel
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
Tel.: +49 89 231740
E-mail: datenschutz@bcg.com

Service providers contracted

  • BCG has commissioned the licensor of the b@s platform—DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne—with the hosting and administration of the b@s platform. For this purpose, your personal information is disclosed to our data processor DigiOnline GmbH and processed as described in this data privacy statement. DigiOnline GmbH has many years of experience in the development of web-based content management systems as well as communication, work, and learning platforms for the education sector and is committed to complying with the applicable data protection regulations.
  • We engage the services of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) for the analysis of use data. More information on etracker can be found under section 2.5.
  • When seminars, workshops, and other BCG events, the regional competitions or International or Munich Finals, or meetings with BCG coaches cannot be held on location as planned, such as to prevent the transmission of infectious disease, they will be held digitally using videoconferencing services from various providers, such as Zoom and WebEx. Further information on the specific videoconferencing services and the use of personal information will be provided upon registration or otherwise before the respective events, regional competitions, International or Munich Finals, or meetings with BCG coaches.

2. Using the b@s platform

The following applies to every user of the b@s platform, regardless of whether the user participates in the educational initiative business@school.

2.1 General data processing when acessing the b@s platform
If you use the b@s platform for informational purposes only, we collect only the personal information that your browser transmits to our server. If you view the b@s platform, we will collect the following information, which is technically required for us to display the b@s platform to you and to ensure its stability and security.

The legal basis is our legitimate interest in accordance with Article 6 (1) (f) of the EU General Data Protection Regulation (GDPR).

As part of our balancing of interests in accordance with GDPR Article 6 (1) (f), we have considered and weighed our interest in provision and your interest in data protection-compliant processing. As the following data points are sometimes required to provide our service of offering you the b@s platform and to guarantee its stability and security, particularly in regard to protection against misuse, we have come to the conclusion that these data points may be processed—with a guarantee of data privacy oriented on the state of the art—while taking your interest in data protection-compliant processing into consideration.

DataOperating system used
Purpose of processingAnalysis based on devices to ensure an optimized presentation of the website
DataInformation on the browser type and version used
Purpose of processingAnalysis of the browsers used to optimize our websites for them
DataUser’s internet service provider
Purpose of processingAnalysis of Internet service providers to optimize our websites for them
DataIP address
Purpose of processingPresentation of the website on the respective device, compilation of usage statistics
DataDate and time of access
Purpose of processingEnsuring the proper operation of the website
DataManufacturer and type of smartphone, tablet, or other device, where applicable
Purpose of processingAnalysis of the device manufacturers and types of mobile devices for statistical purposes
DataLog files
Purpose of processingEnsuring the proper operation of the website

Storage period
The data listed under section 2.1 is saved for seven days, after which it is deleted automatically.

2.2 Cookies—general information
The b@s platform uses cookies. Cookies are text files that are saved in an Internet browser or by an Internet browser on the user's end device. If a user accesses a website, a cookie may be saved on the user's end device. The cookie contains a characteristic string of characters that enables clear identification of the browser when the website is accessed again.

2.3 General information about the legal basis for processing, deleting, and deactivating cookies
Personal information processed with cookies will be deleted when it is no longer required for the purposes for which it was collected or was processed in another way and there is no legal obligation to retain it (cf. GDPR Art. 17). Processing will be restricted if the personal information cannot be deleted, but is strictly necessary for other purposes, in particular to fulfill commercial or tax obligations (cf. GDPR Art. 18).

Insofar as the legal basis for data processing with the use of cookies is based on safeguarding our legitimate interest as described in GDPR Art. 6 (1) (f), data subjects have the right to object to data processing. ("opt-out"). In addition, many browsers offer the option of generally deactivating cookies or opting out of their use with the appropriate settings. See www.youronlinechoices.com for further opt-out possibilities.

2.4 Cookies—types of cookie
There are four types of cookies, based on their function and purpose: (a) Strictly necessary cookies, (b) functional cookies, (c) performance cookies, and (d) marketing cookies.

We use the following cookies on the b@s platform:

a) Strictly necessary cookies
Strictly necessary cookies guarantee functions without which you would not be able to use the b@s platform as intended. User consent is therefore not required for the use of strictly necessary cookies.

b) Functional cookies
Functional cookies enable user-friendly websites by storing decisions made by the user (e.g., user name or preferred language). The processing of personal data with functional cookies serves the safeguarding our legitimate interest in providing a user-friendly and user-specific online service by adjusting the user interface per individual user decisions for a better experience on the b@s platform (cf. (GDPR Art. 6 (1) (f)).

The storage period for our functional cookies is limited to the duration of the respective session.

2.5 etracker analysis service
We utilize the services of etracker GmbH (see also www.etracker.com/en/) to analyze user data and improve our online offering. This includes the employment of technologies that enable the statistical analysis of business@school platform use by visitors to the site.

The types of data processed are as follows:

  • IP address (anonymized)
  • Browser information (referrer URL, browser, operating system, device information, date and time and/or website content)
  • Use information (views, scrolling, and clicks)

This storage period for this data is up to two years.

Etracker processes data on our behalf. Data is processed only in Germany.

Data is processed on the basis of Art. 6, para. 1 lit. f (legitimate interest) of the GDPR. Our legitimate interest is the optimization of our online offering and website. Because the privacy of visitors to our site is important to us, IP addresses are anonymized as soon as possible. The data is not used for other purposes, etracker does not merge it with its own or other data, and it is not passed on to third parties.
You may object here to the data processing described above at any time. Objection has no negative consequences for you.

More information about privacy at etracker can be found at www.etracker.com/en/data-privacy.

Service provider name
etracker GmbH
Erste Brunnenstraße 1
20459 Hamburg
Germany

3. Newsletters

You will receive our newsletter and informational e-mails from us with news and current information about business@school if you subscribe with your e-mail address.

We use the so-called double opt-in procedure when you subscribe to our newsletter. This means that, once you enter an e-mail address, we will send a confirmation e-mail to that e-mail address asking you to confirm that you wish to receive the newsletter. If you do not confirm within seven days, your subscription will be automatically cancelled. If you confirm that you wish to receive the newsletter, we will store your e-mail address until you unsubscribe. The storage of your e-mail address serves the sole purpose of sending you our newsletter. We will also save the IP addresses and times of your subscription and confirmation to prevent misuse of your personal information.

You may revoke your consent to the receipt of our newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending a message to the Data Protection Officer, whose contact information can be found in section 1. Your e-mail address will then be automatically deleted from the newsletter distribution list. The information you provided when subscribing to our newsletter will not be disclosed to third parties, with the exception of our service provider DigiOnline GmbH.

The e-mails will be sent by DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne.

The processing for the purposes of our newsletter is based on your consent (GDPR Article 6 (1) (a)). The double opt-in procedure is based on our legitimate interest in accordance with GDPR Article 6 (1) (f), as we have to prove your consent (GDPR Article 7 (1)).

4. Registration for participation in business@school

4.1 Registering as a judge
Those who have received a response link from BCG by e-mail (particularly former student participants, BCG alumni, and coaches) can indicate on the b@s Pplatform their availability as a judge for the school competitions. When registering in this way, you transmit the following personal information to us:

  • IP address
  • First name
  • Last name
  • Company
  • Mobile or landline number
  • E-mail address
  • Preferred schools

We will use this information to organize and carry out school competitions.

The legal basis for this processing of your personal information (including forwarding) is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).

4.2 Guest registration for a business@school event
On the b@s platform, users have the option of registering for the regional competitions and our International Finals. When registering in this way, you transmit the following personal information to us:

  • IP address
  • Form of address
  • Title (optional)
  • First name
  • Last name
  • E-mail address
  • Event
  • Time of participation
  • If specified: Role description (family member or supporter, teacher, student, b@s alumni, b@s coach, or guest) and company/organization/school

We use this data exclusively to organize and carry out the chosen event(s), including for the preparation of name tags.

The legal basis for this processing of your personal information is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).  The processing of the optional information is based on our legitimate interest in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by analyzing groups of visitors.

5. Using the b@s platform as a participant in buiness@school

If you register on the b@s platform to participate in the educational initiative business@school as a teacher, student, or coach, the following additional data protection information applies to you. Participants in business@school may be teachers, students, former participating students (as student coaches functioning as contact persons at schools or as coaches), and coaches, as defined in section (3) of the business@school terms and conditions of use.

5.1 Registering with business@school
Participation in business@school is generally permitted only for individuals 18 years of age and older. Minors who wish to participate in business@school require the consent of their legal guardians.

5.2 Required information when registering
In order to enable you to participate in business@school and use the non-public area of the b@s platform, we process the following required information for registration and participation:

For participating teachers:

  • First and last name
  • Gender
  • School name
  • School location (city)
  • Personal e-mail address

For students:

  • First and last name
  • Birthday
  • Gender
  • School name
  • School location (city)
  • Address (street, house number, postal code and city)
  • Personal e-mail address

For students who are minors:

  • Legal guardian's form of address
  • Legal guardian's title
  • Legal guardian's first and last name
  • Legal guardian's personal e-mail address

For business@school student assistants (FastForwarders) who register on the b@s platform as coaches:

  • First and last name
  • Course and place of study
  • Coach category
  • Personal e-mail address
  • Mobile or landline number
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of coach team speaker

For current employees of BCG who register as coaches on the b@s platform:

  • First and last name
  • E-mail address
  • Cohort/department
  • Office
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

For others who register as coaches on the b@s platform (current employees of business@school partner companies, former employees of BCG, students who formerly participated in b@s, i.e., alumni, and other persons of legal age):

  • First and last name
  • Company
  • Position
  • Coach category
  • Personal e-mail address
  • Mobile or landline number
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of coach team speaker

You can amend or make additions to this information at any time under "Profile" in the "My b@s" area.

The input and processing of this personal data is necessary for the execution of the business@school competition, for providing the non-public area of the b@s platform, for communication, coordination, and support between participants, and for communication between BCG and participants.

The legal basis for the processing of the required information of participants and coaches is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request). The legal basis for the processing of the information of participants' legal guardians is GDPR Article 6 (1) (f), where our legitimate interest is to ensure that minors' parents or legal guardians agree to their participation.

In addition to the aforementioned required information, a title and a reason for first-time or renewed participation can be indicated when registering. The processing of this optional information is based on our legitimate interest in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by gathering information about participants.

5.3 Voluntary information
Besides the required information, you have the option of providing additional information on a purely voluntary basis on the b@s platform to enable other business@school participants to get to know you better, socialize, and exchange thoughts. Voluntary information comprises any data included under "Profile" other than the required information. BCG uses this information only in the context of the intended purpose of this agreement. You can amend, supplement, or delete your voluntary information at any time in the "My b@s" area.

The legal basis for this is GDPR Article 6 (1) (a) (consent).

5.4 Personal profile
Parts of your information collected during the registration with business@school is automatically transferred to your profile in the "My b@s" area. In addition to the required information, you may include a photograph of yourself in your profile. Your profile will be visible to other participants of business@school. In the participant lists of business@school and in the sections of the b@s platform in which you have authored contributions, a profile icon will appear next to your permanently visible user name as contribution author. The profile icon opens by clicking and provides the following personal information, insofar as you have provided or linked to it.

Participating teachers:

  • First and last name
  • Gender
  • Name of the school
  • Country
  • Landline and mobile telephone numbers
  • Personal e-mail address

Participating students:

  • First and last name
  • Date of birth
  • Gender
  • Name of the school
  • Grade at time of participation
  • Postal code and city/town
  • Country
  • Mobile telephone number
  • External e-mail address

Students who formerly participated in business@school (alumni):

  • First and last name
  • Gender
  • Name of school
  • Country
  • Mobile telephone number
  • Personal e-mail address
  • University (and location of study)
  • Studies/education

Coaches:

  • First and last name
  • Gender
  • Name of the school
  • Country
  • Mobile telephone number
  • Personal e-mail address
  • Company

The information you provide in your profile may be amended, supplemented, or deleted at any time.

In the non-public part of the b@s platform (ProjectCommunity), we also post invitations to various events (e.g., seminars or workshops) for business@school participants. If you register for one or more of these events, we will also use the information provided in your profile for the registration processes, organization, and realization of the respective event(s), including for the creation of name tags.

The legal basis for this processing of your personal information is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contrac-tual measures at the data subject's request). The processing of optional information is based on our legitimate interest in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by analyzing groups of visitors.

5.5 business@school e-mail address
Participants in business@school will be assigned a business@school e-mail address. The e-mail address you are assigned by business@school is based on the user name you provide during registration. An additional element of the e-mail address indicates your type of membership:

  • Teachers receive the name of their school as e-mail address addition.
  • Students receive the e-mail address "student" with indication of the year in which they participated in a business@school competition.
  • Participating coaches receive the e-mail address "coach."

Other business@school participants can find your business@school e-mail address, e.g., in the respective participant lists on business@school and in your profile. We use the business@school e-mail address to provide you with current information about business@school. All participants can use their business@school e-mail address for their collaboration during the project year.

The legal basis for this is GDPR Article 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request) and GDPR Article 6 (1) (f) (legitimate interest). Our legitimate interest is to enable communication and coordination between participating teachers, students, and coaches.

5.6 Quick messenger service
BCG provides business@school participants with a quick messenger service to enable participants to send messages among each other personally and in groups (QuickMessages). These messages are saved in the system for 30 days in a personal area that can be viewed by the participant in the "My b@s" section, and are then automatically deleted. The same storage period also applies to messages sent to groups.
If a QuickMessage is sent to a participant who is offline, it will be saved for a maximum of 28 days in an attempt to deliver it. At the next login during this period, the participant will receive the QuickMessage, which will then be deleted from the system. If the participant does not log in during the 28-day period, the QuickMessage will be deleted without having been delivered to the recipient.

The legal basis for this is GDPR Article 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request) and GDPR Article 6 (1) (f) (legitimate interest). Our legitimate interest is to enable communication and coordination between participating teachers, students, and coaches.

5.7 Information in the public area
As part of the competition, the following information of the participants will be made public on the b@s platform, provided that a separate informed consent form has been obtained.

Participating teachers:

  • First and last name
  • School name
  • School location (city)
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

Students:

  • First and last name
  • Age
  • School name
  • School location (city)
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

Participating coaches:

  • First and last name
  • Company
  • Name and location (city) of mentored school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

This information is publicly accessible in various areas of the b@s platform (e.g., in the areas "Current Events" and "Press").

The legal basis for this is GDPR Article 6 (1) (a) (consent).

5.8 Usage data
In the course of your use of the b@s platform, the following data will be gathered.

  • User name (login name)
  • First and last name
  • Date account created
  • The date and time of your first, last, and second-to-last login as well as your IP address at the time of your last login
  • Storage space used in the mail service and file storage functions, as well as membership in institutions, etc.
  • All participants may use their external e-mail address instead of their business@school e-mail address as an alternative login (alias).

This usage data will be stored until the respective user account is deleted or deleted as described in section 5.9 if the user account has not already been deleted. We process and use the usage data exclusively to enable the use of the b@s platform without any consent given separately.

The legal basis for this is GDPR Article 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).

5.9 Deletion of data
If not otherwise noted in this section, the information collected on the b@s platform for registration and participation will be stored for the duration of the respective school year and subsequently deleted.

The access data for the online platform will be deleted on July 1, four years after the school year during which the data subject participated ends, together with all personal information processed in connection with the access to the online platform.

Contact details of the participating students—i.e., first and last name, external e-mail address, school, and year of participation—are stored by BCG outside the b@s platform and used as described in section 5.10 until one of the following occurs:

  • Deregistration in the context of coach feedback
  • Objection to the use of the data

5.10 Usage of contact details after the project year
The contact details of participating students described in section 5.0 will be used by BCG after the end of the business@school project year to contact you and provide you with general information about business@school. This particularly includes an annual inquiry as to whether students (either again or for the first time) would like to be a coach. For this, business@school sends an e-mail with a link to a website on which alumni students can register as coaches by filling out the registration forms.

The legal basis for the use of this contact information is GDPR Article 6 (1) (f). Our legitimate interest is to advance the educational initiative business@school with the involvement of former students.

6.General data protection information

6.1  Disclosure of data
In general, your personal data will be transferred neither to third parties other than the recipients mentioned in this data privacy statement nor to the specified recipients for purposes other than those described.

We disclose your personal information to third parties if one of the following legal grounds for the transmission of data applies:

  • If you have given us your express consent to do so (legal basis: GDPR Art. 6 (1) (a)), such as for the publication of data
  • If disclosure is necessary for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data (legal basis: GDPR Article 6 (1) (f), whereby our legitimate interest is the ability to assert legal claims or defend ourselves against legal claims)
  • If we are legally required to disclose the information (legal basis: GDPR Art. 6 (1) (c))
  • If disclosure is otherwise legally permitted and necessary for to process our contractual relationships with you (legal basis: GDPR Art. 6 (1) (b)).

The current recipients are

  • service providers, detailed information about which may be found in section 1 above
  • other users of the non-public area of the b@s platform—e.g., the names and profiles of users are visible to other users, such as in the Quick Messenger Service.
  • other users of the publicly accessible area of the b@s platform (applicable only to the information published there)

6.2 Information about rights of data subjects
Every data subject has the right of access to information under GDPR Article 15, the right to rectification under GDPR Article 16, the right to erasure under GDPR Article 17, the right to restriction of processing under GDPR Article 18, the right to object under GDPR Article 21, and the right to data portability under GDPR Article 20. With regard to the right of access to information and the right to erasure, the limitations of § 34 and § 35 of the German Federal Data Protection Act (BDSG) apply.

6.3 Information about the right to lodge a complaint
You also have the right to lodge a complaint with a competent data protection supervisory authority about our processing of your personal information.

6.4 Information about revocation of consent
You can revoke your consent to the processing of your personal information (e.g., in the context of the declaration of consent to participate in business@school or to register for the newsletter) at any time. This also applies to the revocation of declarations of consent given to us before the GDPR took effect, i.e., before May 25, 2018. Please note that revocations are effective only for the future. Any processing that occurred before revocation will not be affected.

6.5 Information about the right to objection in balancing of interests
If our processing of your personal information is based on a balancing of interests, you may object to such processing. Should you issue such an objection, we ask you to explain the reasons why we should not process your personal information in the ways we have described. In the event of your justified objection, we will examine the facts and either discontinue or adapt the data processing or explain to you our compelling reasons for processing worthy of protection, on the basis of which the processing must take place despite your objection.

7. Links to other websites

The b@s platform may contain links to websites of other providers. Please note that this data privacy statement applies exclusively to the online platforms of business@school. We have no influence over and cannot control other providers' compliance with applicable privacy laws.

8. Careers

You may apply for a position with BCG electronically. We will use your information for the sole purpose of processing your application and will not disclose it to third parties. Please note that access-restricted transmission is not provided for e‑mails sent unencrypted.

9. Amendments to the data privacy statement

We reserve the right to amend or adapt this privacy statement at any time in accordance with the applicable data protection regulations.