Additional Notice for INSEAD Research
This Additional Notice for Research should be read in conjunction with INSEAD’s Personal Data Protection Charter.
As part of INSEAD’s mission, INSEAD promotes research activities (e.g. fundamental research, applied research and experimental development) in various fields and develops and stewards mutually-beneficial relationships with other institutions (private and public) as well as the global philanthropic and corporate sectors.
INSEAD ensures that it is in the general or legitimate interest when it processes personal data from individuals. This means that INSEAD will use personal data for that research only in the ways needed to conduct the research and analyse the data, following internal policies and procedures.
For the purpose of this Privacy Notice, “Research” is a specific process of methodical investigation that entails collection of data; its documentation and analysis and interpretation in accordance with suitable methodologies set by specific professional fields and academic disciplines. Sometime it may be conducted in collaboration with other institutions, commercial organisations and funders.
This additional Privacy Notice thus applies to all individuals whose personal data are processed by INSEAD for Research purposes. It applies throughout the length of the research, regardless of location.
Sources of Data
The personal data INSEAD holds about you is obtained from a number of sources, including the following:
- Information you have voluntarily provided to INSEAD at the moment of collection request, interview or via a survey, for the purposes underlined in the participant consent form and/or information notice
- Information under the control of INSEAD or that has been legitimately provided to INSEAD by third parties for Research purposes;
- Public authorities and other institutions;
- Funders, partner institutions or organisations such as educational partners, professional bodies or employers.
What Personal Data INSEAD processes
As Research objectives may vary considerably, personal data collected and processed will vary accordingly. In any case, INSEAD will only collect personal data that are proportionate to achieving the Research objectives. INSEAD may collect and process amongst other according to the Research one or more of the following data:
- Personal details and identification data e.g. name, surname, identification number if any, home town, gender, nationality, native language, date of birth, CV etc;
- Contact details e.g. email, phone number, postal address;
- Employment details if relevant;
- Interviews, feedbacks, samples, answers to surveys;
- Behaviour as family, lifestyle, social circumstances, records of communications and interactions if relevant;
- Sensitive data, subject to applicable law, specific constraints and security measures. Sensitive data would only be collected for a specific Research. Specific information notice will be provided.
Purposes of Processing
INSEAD requires to collect, process, record and store personal data it collects about you for Research purposes, whose details are provided in specific consent forms and/or information notices.
Legal Basis for Processing your Personal Data
The right of INSEAD as the data controller to process personal data for Research purposes is based on a number of legal bases that legitimise its processing activities. Given the breadth and ramifications of matters for which INSEAD processes your personal data for Research purposes, the majority of INSEAD’s processing activities are based upon the following grounds:
- To perform tasks carried out in the public interest (Art. 6.1(e) GDPR) or INSEAD’s legitimate interest (Art. 6.1 (f) GDPR): INSEAD may process personal data to carry out certain tasks in the public interest, or certain functions required to operate as an Academic Institution. It is most likely that this will be the lawful basis for processing personal data for Research.
- Archiving (Art.9 1(j) GDPR): INSEAD’s processing may be necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to appropriate safeguards. This will be applicable e.g. for any special categories of data used in Research as health data or ethnicity.
- Your Consent (Art. 6.1(a) GDPR): Some processing may trigger your explicit consent, when Art.6 1 (e) does not apply. In such cases, your consent will be sought as and when required. You have the right to withdraw consent where it is permissible, at least, before your data is processed for Research.
Retention of Your Personal Data
INSEAD retains your personal data for as long as is necessary to conduct a particular Research project, including its scientific review, or longer if further Research is scheduled. Research data that is stored in a data archive will be anonymized or, where not possible for Research purpose or pending scientific review, will be encrypted and key stored separately. During the Research, any keys to identify research participants, that is, a list of participants to a given research and a unique identifier used to de-identify individuals within a research data set, will be kept separately from that research dataset while the Research is ongoing and destroyed once Research and scientific review are completed.
Any consent form that includes personal data may be kept for a defined minimum number of years after the Research has been completed in accordance with any legal, accounting, or reporting requirements; as well as requirements of funder or INSEAD retention policy.
Sharing of Personal Data
Personal Data may be shared within the Research team managing the specific project for the purpose of achieving the research outcomes. The Research team may include individuals belonging to different INSEAD entities or partner academic institutions or public authorities. Please note that most of personal data used in Research will be pseudonymised or anonymized at the earliest convenience and before sharing widely or the outcome is published.
Personal Data may be communicated or accessed by INSEAD representatives and divisions located outside your country of residence and, particularly, outside the European Union as well as to the cloud service provider, with the knowledge that INSEAD guarantees security and confidentiality. The transfer is supervised according to the requirements of the applicable privacy laws, including GDPR and standard contractual clauses.
You have a right to be informed about the research in which your data will be used. This will normally be done either via a written notice (such as a participant consent form or information notice) or in the introduction of a survey. When INSEAD is unable to inform you before Research is conducted (e.g. due to the data used, or methodology as observation), INSEAD will try to brief individuals after the Research is finished.
For other information on INSEAD’s data processing activities, including your rights, the third parties your personal data may be shared with and the relevant contact details please refer to INSEAD’s Personal Data Protection Charter.
Last update: 12 January 2021