business@school data privacy statement

(as of November 7, 2019)

Download

Preamble

As initiator and operator of the educational initiative business@school, we are pleased by your interest in our online platform www.business-at-school.net ("b@s platform"). As the responsible party under data protection law, The Boston Consulting Group (BCG) takes the protection of your private data very seriously.

In the following, we inform you about how personal information is processed when you use the b@s platform. Personal information is any data that can be related to you personally, e.g., your name, address, e-mail addresses, or user behavior.

1. Responsible party/data protection officer/service provider

Responsible for data processing
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
E-mail: datenschutz@bcg.com

Data protection officer of the responsible party
Dr. Stephan Thiel
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
Tel.: +49 89 231740
E-mail: datenschutz@bcg.com

Service providers contracted

  • BCG has commissioned the licensor of the b@s platform—DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne—with the hosting and administration of the b@s platform. For this purpose, your personal information is disclosed to our data processor DigiOnline GmbH and processed as described in this data privacy statement. DigiOnline GmbH has many years of experience in the development of web-based content management systems as well as communication, work, and learning platforms for the education sector and is committed to complying with the applicable data protection regulations.
  • We engage the services of etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) for the analysis of use data. More information on etracker can be found under section 2.5.

2. Using the b@s platform

The following applies for every user of the b@s platform, regardless of whether the user participates in the educational initiative business@school.

2.1 General data processing when acessing the b@s platform
If you use the b@s platform for informational purposes only, we only collect the personal information that your browser transmits to our server. If you view the b@s platform, we will collect the following information that is technically required for us to display the b@s platform to you and to ensure its stability and security.

The legal basis is the legitimate interest in accordance with Article 6 (1) (f) of the EU General Data Protection Regulation (GDPR).

We have considered and weighed our interest in the provision and your interest in data protection–compliant processing as part of our balancing of interests in accordance with GDPR Article 6 (1) (f). As the following data points are sometimes required to provide our service of offering you the b@s platform and guarantee its stability and security, particularly protecting against misuse, we have come to the conclusion that these data points—with a guarantee of data privacy oriented to the state of the art—can be processed, appropriately taking your interest in data protection–compliant processing into consideration.

DataOperating system used
Purpose of processingAnalysis based on devices to ensure an optimized presentation of the website
DataInformation on the browser type and version used
Purpose of processingAnalysis of the browsers used to optimize our websites for them
DataUser’s internet service provider
Purpose of processingAnalysis of Internet service providers to optimize our websites for them
DataIP address
Purpose of processingPresentation of the website on the respective device, compilation of usage statistics
DataDate and time of access
Purpose of processingEnsuring the proper operation of the website
DataManufacturer and type of smartphone, tablet, or other device, where applicable
Purpose of processingAnalysis of the device manufacturers and types of mobile devices for statistical purposes
DataLog files
Purpose of processingEnsuring the proper operation of the website

Storage period
The data listed under section 2.1 is saved for seven days, after which it is deleted automatically.

2.2 Cookies—general information
Our b@s platform uses cookies. Cookies are text files that are saved in an Internet browser or by an Internet browser on the user's end device. If a user accesses a website, a cookie may be saved on the user's end device. The cookie contains a characteristic string of characters that enables clear identification of the browser when the website is accessed again.

2.3 General information about the legal basis for processing, deleting, and deactivating cookies
Personal information processed with cookies will be deleted when it is no longer required for the purposes for which it was collected or was processed in another way and there is no legal obligation to retain it (cf. GDPR Art. 17). Processing will be restricted if the personal information cannot be deleted, but is strictly necessary for other purposes, in particular to fulfill commercial or tax obligations (cf. GDPR Art. 18).

Insofar as the legal basis for data processing with the use of cookies is based on safeguarding our legitimate interests as described in GDPR Art. 6 (1) (f), data subjects have the right to object to data processing. ("opt-out"). In addition, many browsers offer the option of generally deactivating cookies or opting out of their use with the appropriate settings. See www.youronlinechoices.com for further opt-out possibilities.

2.4 Cookies—differentiation by type of cookie
There are four categories of cookies, based on their function and purpose: (a) Strictly necessary cookies, (b) functional cookies, (c) performance cookies, and (d) marketing cookies.

We use the following cookies on our b@s platform:

a) Strictly necessary cookies
Strictly necessary cookies guarantee functions without which you would not be able to use the b@s platform as intended. User consent is therefore not required for the use of strictly necessary cookies.

b) Functional cookies
Functional cookies enable user-friendly websites by storing decisions made by the user (e.g., user name or preferred language). The processing of personal data with functional cookies serves the safeguarding our legitimate interests in providing a user-friendly and user-specific online service by adjusting the user interface per individual user decisions for a better experience on our b@s platform (cf. (GDPR Art. 6 (1) (f)).

The storage period for our functional cookies is limited to the duration of the respective session.

2.5 etracker analysis service
We utilize the services of etracker GmbH (see also www.etracker.com/en/) to analyze user data and improve our online offering. This includes the employment of technologies that enable the statistical analysis of business@school platform use by visitors to the site.

The types of data processed are as follows:

  • IP address (anonymized)
  • Browser information (referrer URL, browser, operating system, device information, date and time and/or website content)
  • Use information (views, scrolling, and clicks)

This storage period for this data is up to two years.

Etracker processes data on our behalf. Data is processed only in Germany.

Data is processed on the basis of Art. 6, para. 1 lit. f (legitimate interest) of the GDPR. Our legitimate interest is the optimization of our online offering and website. Because the privacy of visitors to our site is important to us, IP addresses are anonymized as soon as possible. The data is not used for other purposes, etracker does not merge it with its own or other data, and it is not passed on to third parties.
You may object here to the data processing described above at any time. Objection has no negative consequences for you.

More information about privacy at etracker can be found at www.etracker.com/en/data-privacy.

Service provider name
etracker GmbH
Erste Brunnenstraße 1
20459 Hamburg
Germany

3. Newsletters

You will receive our newsletter and informational e-mails from us with news and current information about the business@school competition if you subscribe with your e-mail address.

We use the so-called double opt-in procedure when you subscribe to our newsletter. This means that, once you enter an e-mail address, we will send a confirmation e-mail to that e-mail address asking you to confirm that you wish to receive the newsletter. If you do not confirm within seven days, your subscription will be automatically cancelled. If you confirm that you wish to receive the newsletter, we will store your e-mail address until you unsubscribe. The storage of your e-mail address serves the sole purpose of sending you our newsletter. We will also save the IP addresses and times of your subscription and confirmation to prevent misuse of your personal information.

You may revoke your consent to the receipt of our newsletter at any time by clicking on the link provided in every newsletter e-mail or by sending a message to the data protection officer, whose contact information can be found in section 1. Your e-mail address will then be automatically deleted from the newsletter distribution list. The information you provided when subscribing to our newsletter will not be disclosed to third parties, with the exception of our service provider DigiOnline GmbH.

The e-mails will be sent by DigiOnline GmbH, Probsteigasse 15–19, 50670 Cologne.

The processing for the purposes of our newsletter is based on your consent (GDPR Article 6 (1) (a)). The double opt-in procedure is based on our legitimate interest in accordance with GDPR Article 6 (1) (f), as we have to prove your consent (GDPR Article 7 (1)).

4. Registration for participation in business@school

4.1 Registering as a judge
Those who have received a response link from BCG by e-mail (particularly former student participants, BCG alumni, and coaches) can indicate on the b@s Pplatform their availability as a judge for the school competitions. When registering in this way, you transmit the following personal information to us:

  • IP address
  • First name
  • Last name
  • Company
  • Mobile or landline number
  • E-mail address
  • Preferred schools

We will use this information in organizing and carrying out the school competitions.

The legal basis for this processing of your personal information (including forwarding) is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).

4.2 Guest registration for a business@school event
On our b@s platform, users have the option of registering for the regional competitions and our international finals. When registering in this way, you transmit the following personal information to us:

  • IP address
  • Form of address
  • Title (optional)
  • First name
  • Last name
  • E-mail address
  • Event
  • Time of participation
  • If specified: Role description (family member or supporter, teacher, student, b@s alumni, b@s coach, or guest) and company/organization/school

We use this data exclusively to organize and carry out the chosen event(s), including preparation of name tags.

The legal basis for this processing of your personal information is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).  The processing of the optional information is based on our legitimate interest in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by analyzing the groups of visitors.

5. Using the b@s platform as a participant in buiness@school

If you register on the b@s platform to participate in the educational initiative business@school as a teacher, student, or coach, the following additional data protection information will apply to you. Participants in business@school may be teachers, students, former participating students (as student coaches functioning as contact persons at schools or as coaches), and coaches as defined in section (3) of the business@school terms and conditions of use.

5.1 Registering with business@school
Participation in business@school is generally only permitted for individuals 18 years of age and older. Minors who wish to participate in business@school require the consent of their legal guardians.

5.2 Mandatory information when registering
In order to enable you to participate in business@school and use the non-publicarea of our b@s platform, we process the following mandatory data for registration and participation:

Participating teachers:

  • First and last name
  • Gender
  • School name
  • Town of the school
  • Private e-mail address

For students:

  • First and last name
  • Birthday
  • Gender
  • Grade at the time of participation
  • School name
  • Town of the school
  • Postal code, city, and country
  • Private e-mail address

Student assistants of business@school (FastForwarders) who register on the b@s platform as a coach:

  • First and last name
  • Course and place of study
  • Coach category
  • Private e-mail address
  • Mobile or landline number
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

Current employees of BCG who register as a coach on the b@s platform:

  • First and last name
  • E-mail address
  • Cohort/department
  • Office
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

Other people who register as a coach on the b@s platform (current employees of business@school partner companies, former employees of BCG, students who formerly participated in b@s, i.e., alumni, and other persons of legal age):

  • First and last name
  • Company
  • Position
  • Coach category
  • Private e-mail address
  • Mobile or landline number
  • School preference with priority
  • Number of years as coach
  • Willingness to assume the role of the coach team speaker

You can amend or supplement parts of this information at any time under "Profile" in the "My b@s" area.

The input and processing of this personal data is necessary for the execution of the business@school competition, for providing the non-public area of the b@s platform, for the communication, coordination, and support between the participants, and for the communication between BCG and the participants.

The legal basis for processing the required information is Article 6(1)(b) GDPR (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).

In addition to the aforementioned mandatory information, a title and a reason for first-time or renewed participation can be indicated when registering. The processing of the optional information is based on our legitimate interests in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by gathering information about participants.

5.3 Voluntary information
Besides the required information, you have the option of providing additional information on a purely voluntary basis on the b@s platform to enable other business@school participants to get to know you better, socialize, and exchange thoughts. Voluntary information comprises any data included under "Profile" other than the required information. BCG uses this information only in the context of the intended purpose of this agreement. You can amend, supplement, or delete your voluntary information at any time in the "My b@s" area.

The legal basis for this is GDPR Article 6 (1) (a) (consent).

5.4 Personal profile
Parts of your information collected during the registration with business@school is automatically transferred to your profile in the "My b@s" area. In addition to the required information, you may include a photograph of yourself in your profile. Your profile will be visible to other participants of business@school. In the participant lists of business@school and in the sections of the b@s platform in which you have authored contributions, a profile icon will appear next to your permanently visible user name as contribution author. The profile icon opens by clicking and provides the following personal information, insofar as you have provided or linked to it.

Participating teachers:

  • First and last name
  • Gender
  • Name of the school
  • Country
  • Landline and mobile telephone numbers
  • Private e-mail address

Participating students:

  • First and last name
  • Date of birth
  • Gender
  • Name of the school
  • Grade at the time of participation
  • Postal code and city/town
  • Country
  • Mobile telephone number
  • External e-mail address

Students who formerly participated in business@school (alumni):

  • First and last name
  • Gender
  • Name of school
  • Country
  • Mobile telephone number
  • Private e-mail address
  • University (and location of study)
  • Studies/education

Coaches:

  • First and last name
  • Gender
  • Name of the school
  • Country
  • Mobile telephone number
  • Private e-mail address
  • Company

The information you provide in your profile may be amended, supplemented, or deleted at any time.

In the non-public part of the b@s platform (ProjectCommunity), we also post invitations to various events (e.g., seminars or workshops) for business@school participants. If you register for one or more of these events, we will also use the information provided in your profile for the registration processes, organization, and realization of the respective event(s), including the creation of name tags.

The legal basis for this processing of your personal information is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contrac-tual measures at the data subject's request). The processing of optional information is based on our legitimate interest in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by analyzing groups of visitors.

5.5 business@school e-mail address
Participants in business@school will be assigned a business@school e-mail address. The e-mail address you are assigned by business@school is based on the user name you provide during registration. An additional element of the e-mail address indicates your type of membership:

  • Teachers receive the name of their school as e-mail address addition.
  • Students receive the e-mail address "student" with indication of the year in which they participated in a business@school competition.
  • Participating coaches receive the e-mail address "coach."

Other business@school participants can find your business@school e-mail address, e.g., in the respective participant lists on business@school and in your profile. We use the business@school e-mail address to provide you with current information about business@school. All participants can use their business@school e-mail address for their collaboration during the project year.

The legal basis for this is GDPR Article 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request) and GDPR Article 6 (1) (f) (legitimate interest). Our legitimate interest lies in enabling communication and coordination between participating teachers, students, and coaches.

5.6 Quick messenger service
BCG provides business@school participants with a quick messenger service to enable participants to send messages among each other personally and in groups (QuickMessages). These messages are saved in the system for 30 days in a personal area that can be viewed by the participant in the "My b@s" section, and are then automatically deleted. The same storage period also applies to messages sent to groups.
If a QuickMessage is sent to a participant who is offline, it will be saved for a maximum of 28 days in an attempt to deliver it. At the next login during this period, the participant will receive the QuickMessage, which will then be deleted from the system. If the participant does not log in during the 28-day period, the QuickMessage will be deleted without having been delivered to the recipient.

The legal basis for this is GDPR Article 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request) and GDPR Article 6 (1) (f) (legitimate interest). Our legitimate interest lies in enabling communication and coordination between participating teachers, students, and coaches.

5.7 Information in the public area
As part of the competition, the following information of the participants will be made public on the b@s platform, provided that a separate informed consent form has been obtained.

Participating teachers:

  • First and last name
  • School name
  • Town of the school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

Students:

  • First and last name
  • Age
  • School name
  • Town of the school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

Participating coaches:

  • First and last name
  • Company
  • Name and town of mentored school
  • Name and description of the business idea
  • Pictures
  • Videos
  • Statements

This information is publicly accessible in various areas of the b@s platform (e.g., in the areas "Current Events" and "Press").

The legal basis for these is GDPR Article 6 (1) (a) (consent).

5.8 Usage data
In the course of your usage of the b@s platform, the following data will be gathered.

  • User name (login name)
  • First and last name
  • Date account created
  • The date and time of your first, last, and second-to-last login as well as your IP address at the time of your last login
  • Storage space used in the mail service and file storage functions, as well as membership in institutions, etc.
  • All participants may use their external e-mail address instead of their business@school e-mail address as an alternative login (alias).

This usage data will be stored until the respective user account is deleted or deleted in accordance with section 5.9 if the user account has not already been deleted. We process and use the usage data exclusively to enable the use of the b@s platform without any consent given separately.

The legal basis for this is GDPR Article 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request).

5.9 Deletion of data
The access data for the online platform will be deleted on July 1, four years after the school year during which the data subject participated ends, , together with all personal information processed in connection with the access to the online platform.

Contact details of the participating students—i.e., first and last name, external e-mail address, school, and year of participation—are stored by BCG outside the b@s platform and used according to section 5.10 until one of the following takes place:

  • Deregistration in the context of coach feedback
  • Objection to the usage of the data

5.10 Usage of contact details after the project year
The contact details of participating students described in section 5.0 will be used by BCG after the end of a business@school project year for contacting you and providing you with general information about business@school. This particularly includes the annual inquiry as to whether the students (either again or for the first time) would like to be a coach. To that end, business@school sends and e-mail with a link to a website on which alumni students can register as coaches by filling out the registration forms.

The legal basis for the use of these contact details is GDPR Article 6 (1) (f). Our legitimate interest lies in the advancement of the educational initiative business@school by including former students.

6.General data protection information

6.1  Disclosure of data
In general, a transferring of your personal data to third parties other than the recipients mentioned in this data privacy statement or to the specified recipients for purposes other than those specified will not take place.

We disclose your personal information to third parties if one of the following legal grounds for the transmission of data applies:

  • You gave us your express consent to do so (legal basis: GDPR Art. 6 (1) (a)), such as for the publication of data,
  • Disclosure is necessary for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data (legal basis: GDPR Article 6 (1) (f)—our legitimate interest lies in the ability to assert legal claims or defend ourselves against legal claims),
  • We are legally required to disclose the information (legal basis: GDPR Art. 6 (1) (c)),
  • Disclosure is otherwise legally permitted and necessary for processing our contractual relationships with you (legal basis: GDPR Art. 6 (1) (b)).

The current recipients are

  • service providers, detailed information about which may be found in section 1 above
  • other users of the non-public area of the b@s platform—e.g., the names and profiles of users are visible to other users, such as in the Quick Messenger Service.
  • other users of the publicly accessible area of the b@s platform (applicable only to the information published there)

6.2 Information about rights of data subjects
Every data subject has the right of access to information under GDPR Article 15, the right to rectification under GDPR Article 16, the right to erasure under GDPR Article 17, the right to restriction of processing under GDPR Article 18, the right to object under GDPR Article 21, and the right to data portability under GDPR Article 20. With regard to the right of access to information and the right to erasure, the limitations of § 34 and § 35 of the German Federal Data Protection Act (BDSG) apply.

6.3 Information about the right to lodge a complaint
You also have the right to lodge a complaint with a competent data protection supervisory authority about our processing of your personal information.

6.4 Information about revocation of consent
You can revoke your consent to the processing of your personal information (e.g., in the context of the declaration of consent for participating in business@school or in registering for the newsletter) at any time. This also applies to the revocation of declarations of consent given to us before the GDPR took effect, i.e., before May 25, 2018. Please note that the revocation will only take effect for the future. Any processing that occurred before the revocation will not be affected.

6.5 Information about the right to objection in balancing of interests
If our processing of your personal information is based on a balancing of interests, you may object to such processing. Should you issue such an objection, we ask you to explain the reasons why we should not process your personal information in the ways we have described. In the event of your justified objection, we will examine the facts and either discontinue or adapt the data processing or explain to you our compelling reasons for processing worthy of protection, on the basis of which the processing must take place despite your objection.

7. Links to other websites

The b@s platform may contain links to websites of other providers. Please note that this data privacy statement applies exclusively to the online platforms of business@school. We have no influence over and cannot control other providers' compliance with the applicable privacy laws.

8. Career

You may apply for a position with BCG electronically. We will of course use your information for the sole purpose of processing your application and will not disclose it to third parties. Please note that access-restricted transmission is not provided for e‑mails sent unencrypted.

9. Amendments to the data privacy statement

We reserve the right to amend or adapt this privacy statement at any time in accordance with the applicable data protection regulations.