Additional Privacy Notice for Campus Eligibility
This additional Privacy Notice for Campus Eligibility and measures to limit the spread of COVID-19 (“Privacy Notice”) should be read in conjunction with INSEAD’s Personal Data Protection Charter available at www.insead.edu/privacy-policy.
This additional Privacy Notice applies to all individuals who are entering the Europe Campus that are subject to Campus Eligibility criteria, hereinafter collectively referred to as the “INSEAD Community”. It applies to the INSEAD Community using the INSEAD Green Light application, either mobile, web or paper version as from 1 January, 2021.
INSEAD requires to process and retain certain personal data relating to you, by virtue of your being a member of the INSEAD Community accessing the Europe Campus.
Sources of Data
The personal data INSEAD holds about you is obtained from a number of sources, including the following:
- Information you have provided when submitting the INSEAD Green Light app check
- Information you provide us when using your INSEAD badge on the Europe Campus
- Information related to COVID-19 you may voluntarily disclose to dedicated INSEAD teams
- Public authorities or other data controllers.
What Personal Data INSEAD processes
Personal data about students is processed in different data systems of INSEAD and manually.
INSEAD processes the following data:
- Personal details and identification data: name, surname, date of birth.
- Contact details: email, phone number
- Answers submitted via Campus Eligibilitythe INSEAD Green Light app checks and time-stamps
- Badge details and time-stamps
- When using SynLab’s services on the Europe Campus: name, surname, email address, mobile phone number, and appointment date. No medical data isare provided by Synlab to INSEAD, nor collected directly by INSEAD.
Purposes of Processing
INSEAD processes the personal data it collects about you for the purposes of protecting the INSEAD community against serious threats related to the spread of COVID-19. This includes but is not limited to the following:
- Limit the spread of COVID-19 and promote the safety and well-being of the INSEAD Community while ensuring continuity of INSEAD operations and mission
- Physical, data network and software access controls on the Europe Campus and management and administration of INSEAD property
- The provision of advice and support to the INSEAD Community
- Comply with applicable laws and regulation, including cooperation with public administrations (e.g. French Regional Health Agency)
Legal Basis for Processing your Personal Data
The right of INSEAD as the data controller to process personal data about the INSEAD Community is based on a number of legal basis that legitimise its processing activities. Given the wideness and ramifications of matters for which INSEAD processes your personal data, the majority of INSEAD processing activities in are based upon the following grounds:
- To fulfil the agreement (Art. 6.1(b) GDPR): As you are a member of the INSEAD Community and you have a contract with INSEAD.
- To perform tasks carried out in the public interest (Art. 6.1(e) GDPR) or INSEAD’s legitimate interest (Art. 6.1 (f) GDPR): INSEAD may process personal data to carry out certain functions required to operate. This includes for example processing related to organize teaching and educational services on campus, ensure safety of the INSEAD Community, collaborating with other institutions, suppliers or authorities.
- Compliance with a Legal Obligation (Art. 6.1(c) GDPR): INSEAD may need to process your personal data to comply with a legal obligation imposed upon INSEAD (e.g. restrictive measures imposed by public authorities).
- Your Consent (Art. 6.1(a) GDPR): Some processing may trigger your explicit consent. In such cases, your consent will be sought as and when required. You have the right to withdraw consent at any time without prejudice to your status within INSEAD.
Retention of Your Personal Data
INSEAD retains your personal data covered by this Privacy Notice for 30 days from collection, in line with the INSEAD’s data retention policy. Afterwards, your Personal Data will be securely deleted from the systems. If requested by applicable laws and regulations, or by public authorities, your personal data may be kept over 30 days. Your Personal Data will be securely deleted from the systems without delay when no longer needed.
Personal Data may be communicated or accessed by INSEAD representatives and divisions located outside your country of residence and, particularly, outside the European Union as well as to the cloud service provider, with the knowledge that INSEAD guarantees security and confidentiality. The transfer is supervised according to the requirements of the applicable privacy laws, including GDPR and standard contractual clauses. For other information on INSEAD processing activities, including your rights and the relevant contact details please refer to the INSEAD Personal Data Protection Charter available at www.insead.edu/privacy-policy.
Last update: December 2020