business@school privacy statement

(last updated: November 6, 2020)

Preamble

As initiator and operator of the educational initiative business@school, we are pleased by your interest in our online platform www.businessatschool.de ("b@s platform"). As the responsible party under data protection law, The Boston Consulting Group GmbH (BCG) takes the protection of your personal data very seriously.

In the following, we inform you about how personal data is processed when you use the b@s platform. Personal data is any data that can be related to you personally, e.g., your name, address, e-mail addresses, or use behavior.

1. Responsible party/Data Protection Officer/Service provider

Responsible for data processing

The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
E-mail: datenschutz(at)bcg.com

Data Protection Officer of the responsible party

Dr. Stephan Thiel
The Boston Consulting Group GmbH
Ludwigstraße 21
80539 Munich
Germany
Tel.: +49 89 231740
E-mail: datenschutz(at)bcg.com

Service providers contracted

  • BCG has commissioned the licensor of the b@s platform—toco3 GmbH & Co. KG, Sommerhalde 16, 78351 Bodman-Ludwigshafen, Germany—to host and administer the b@s platform. For this purpose, your personal data is disclosed to our data processor toco3 GmbH & Co. KG and processed as described in this privacy statement. toco3 GmbH & Co. KG is committed to complying with the applicable data protection regulations.
  • We engage the services of Etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany (www.etracker.com) for the analysis of use data. More information on Etracker can be found under section 2.5.
  • When seminars, workshops, other BCG events, the regional competitions or International or Munich Finals, or meetings with BCG coaches cannot be held on location as planned, such as to prevent the transmission of infectious disease, they will be held digitally using videoconferencing services from various providers, such as Zoom and WebEx. Further information on the specific videoconferencing services and the use of personal data will be provided upon registration or otherwise before the respective events, regional competitions, International or Munich Finals, or meetings with BCG coaches.

2. Use of the b@s platform

The following applies to every user of the b@s platform, regardless of whether the user participates in the educational initiative business@school.

2.1 General data processing when accessing the b@s platform

If you use the b@s platform for informational purposes only, we collect only the personal data that your browser transmits to our server. If you view the b@s platform, we collect the following information, which is technically required for us to display the b@s platform to you and to ensure its stability and security.

The legal basis is our legitimate interest in accordance with Article 6 (1) (f) of the EU General Data Protection Regulation (GDPR).

As part of our weighing of interests in accordance with GDPR Article 6 (1) (f), we have considered and weighed our interest in provision and your interest in the compliant processing of data. As the following forms of data are sometimes required to provide our service of offering you the b@s platform and to guarantee its stability and security, particularly in regard to protection against misuse, we have come to the conclusion that these forms of data may be processed—with a guarantee of privacy oriented on the state of the art—while taking into consideration your interest in the compliant processing of data.

Data Operating system used
Purpose of processing Analysis based on devices to ensure an optimized presentation of the website
Data Information on the browser type and version used
Purpose of processing Analysis of the browsers used to optimize our websites for them
Data User's Internet service provider
Purpose of processing Analysis of Internet service providers to optimize our websites for them
Data IP address
Purpose of processing Presentation of the website on the respective device and compilation of usage statistics
Data Date and time of access
Purpose of processing Assurance of the proper operation of the website
Data Manufacturer and type of smartphone, tablet, or other device, where applicable
Purpose of processing Analysis of the device manufacturers and types of mobile devices for statistical purposes
Data Log files
Purpose of processing Assurance of the proper operation of the website

Storage period

The data listed under section 2.1 is saved for seven days, after which it is deleted automatically.

2.2 Cookies—general information

The b@s platform uses cookies. Cookies are text files that are saved in an Internet browser or by an Internet browser on the user's end device. If a user accesses a website, a cookie may be saved on the user's end device. The cookie contains a characteristic string of characters that enables clear identification of the browser when the website is accessed again.

To measure reach, we use the analysis tool Etracker, which by default does not use cookies (see section 2.5 below for further information).

2.3 General information about the legal basis for processing, deleting, and deactivating cookies

Personal data processed with cookies will be deleted when it is no longer required for the purposes for which it was collected or otherwise processed and there is no legal obligation to retain it (cf. GDPR Art. 17). Processing will be restricted if the personal data cannot be deleted, but is strictly necessary for other purposes, in particular to fulfill commercial or tax obligations (cf. GDPR Art. 18).

Insofar as the legal basis for data processing with the use of cookies is based on safeguarding our legitimate interest as described in GDPR Art. 6 (1) (f), data subjects have the right to object to data processing ("opt-out"). In addition, many browsers offer the option to generally deactivate cookies or opt out of their use with the appropriate settings. See www.youronlinechoices.com for further opt-out possibilities.

2.4 Cookies—categorization by type

Cookies can be categorized based on their function and purpose. We use the following cookies on the b@s platform: (a) Strictly necessary cookies and (b) functional cookies.

a) Strictly necessary cookies
Strictly necessary cookies guarantee functions without which you would not be able to use the b@s platform as intended. User consent is therefore not required for the use of strictly necessary cookies. 

b) Functional cookies
Functional cookies enable user-friendly websites by storing decisions made by the user (e.g., user name or preferred language). The processing of personal data with functional cookies serves to safeguard our legitimate interest in providing a user-friendly and user-specific online service by adjusting the user interface per individual user decisions for a better experience on the b@s platform (cf. (GDPR Art. 6 (1) (f)).

The storage period for our functional cookies is limited to the duration of the respective session.

2.5 Etracker analysis service

We utilize the services of Etracker GmbH (see also www.etracker.com) to analyze user data and improve our online offering. This includes the employment of technologies that enable the statistical analysis of b@s platform use by visitors to the site.

By default, Etracker does not use cookies for web analysis.

The types of data processed are as follows:

  • IP address (anonymized)
  • Browser information (referrer URL, browser, operating system, device information, date and time and/or website content)
  • Use information (views, scrolling, and clicks)

The storage period for this data is up to two years.

Etracker processes data on our behalf. Data is processed only in Germany.

Data is processed on the basis of Art. 6, para. 1 lit. f (legitimate interest) of the GDPR. Our legitimate interest is the optimization of our online offering and website. Because the privacy of visitors to our site is important to us, IP addresses are anonymized as soon as possible. The data is not used for other purposes, Etracker does not merge it with its own or other data, and it is not passed on to third parties.

You may object here to the data processing described above at any time. Objection has no negative consequences for you.

More information about privacy at Etracker can be found at www.etracker.com/en/data-privacy.

Service provider name

etracker GmbH
Erste Brunnenstraße 1
20459 Hamburg
Germany

3. Use of the b@s platform to register for participation in business@school

If you register on the b@s platform to participate in the educational initiative business@school as a teacher, student, or coach, the following additional data protection information applies to you. Participants in business@school may be teachers, students, former participating students (as student coaches functioning as contact persons at schools or as coaches), and coaches.

3.1 Information required for registration

To enable you to apply for your school and participate in business@school, we process the following mandatory information necessary for application, registration and participation:

All participants:

  • Email address
  • First name and last name
  • Gender
  • Language

Teachers:

  • Phone number (also in the afternoon)
  • School location

Coaches:

  • Company or university
  • Job title or field of study
  • Phone number
  • Desired schools 1 and 2 with priority
  • Willingness to take on the role of care team spokesperson.

Students:

  • Date of birth
  • E-mail address of a parent or guardian in the case of minors
  • School location

You can change or complete this information under "Personal data".

The entry and processing of this personal data is necessary for the implementation of the business@school competition, for the provision of the non-publicly accessible area of the b@s platform (ProjectCommunity), for communication, coordination and support between the participants, and for communication between BCG and the participants.

The legal basis for processing the mandatory data of the participant(s) and supervisor(s) is Art. 6 (1) p. 1 lit. b DS-GVO (fulfillment of the contract concluded with the data subject or implementation of pre-contractual measures, which take place at the request of the data subject). The processing of the details of the legal guardian(s) is based Art. 6 para. 1 p. 1 lit. f DS-GVO on our legitimate interests in monitoring the consent of parents to the participation of their minor children.

In addition to the mandatory information specified above, titles as well as a reason for first-time or renewed participation may optionally be provided as part of the registration. The processing of this optional information is based on our legitimate interests in improving our offer by providing information about the participants, pursuant to Art. 6 (1) p. 1 lit. f DS-GVO.

3.2 Voluntary information

Besides the required information, you have the option of providing additional information on a purely voluntary basis on the b@s platform to enable other business@school participants to get to know you better, socialize, and exchange thoughts. Voluntary information includes the data listed under "Personal data", provided it is not mandatory information. This voluntary information will only be used by BCG for the purpose of this Agreement. You can change, add to or delete your voluntary information at any time in the "Personal Data" section.

The legal basis for this is GDPR Article 6 (1) (a) (consent).

3.3 Personal data (profile)

The mandatory information you provide when registering with business@school is automatically transferred to your profile in the "Personal data" section. In addition to the mandatory information, you can also include a photo of yourself in your profile. 

You can change, add to or delete the information in your profile at any time.

In the non-publicly accessible participant area of our b@s platform (dashboard), various events (e.g., seminars or workshops) are also offered for business@school participants. If you register for one or more of the events we offer, we will also use the information in your profile for the registration, organization and implementation of the event(s) you have selected, including the creation of name badges.

The legal basis for the processing of your personal data results from Art. 6 para. 1 p. 1 lit. b DS-GVO (fulfillment of the contract concluded with the data subject or implementation of pre-contractual measures, which take place at the request of the data subject). The processing of optional information is based on our legitimate interest in accordance with GDPR Art. 6 (1) (f) in improving our event offerings by analyzing groups of visitors.

3.4 Information in the public area

In the context of the competition, the following details of the participants will be published on the b@s platform, provided that a separate declaration of consent has been submitted:

All participants:

  • First name,
  • Name and description of the business idea,
  • photos,
  • film recordings,
  • Expressions.

Participating teachers:

  • Last name
  • School name/school location.

Participating students:

  • Age,
  • School name/school location.

Participating coaches:

  • Last name,
  • Company,
  • Name and location of the supervised school.

This information is publicly available in various places on the b@s platform (for example, in the "News" and "Press" sections).

The legal basis for this is in each case Art. 6 para. 1 p. 1 lit. a DS-GVO (consent).

3.5 Usage data

During your use of the b@s platform (dashboard), the following data is collected:

  • E-mail address (login name)
  • First and last name
  • Date of account creation
  • Date and time of your first, last and penultimate login as well as the IP address you used at the time of your last login.

This usage data is stored until the respective user account is deleted or deleted in accordance with section 3.6 if the user account has not been deleted before. We process and use the usage data without any separately granted consent solely to enable the use of the b@s platform (dashboard).

The legal basis for this is Art. 6 para. 1 p. 1 lit. b DS-GVO (fulfillment of the contract concluded with the data subject or implementation of pre-contractual measures that take place at the request of the data subject).

3.6 Deletion of data

Unless otherwise specified in this section 3.6, the data collected for registration and participation in the b@s platform will be stored for the duration of the school year and then deleted.

The access data to the online platform will be deleted three years after the end of the respective project year (July 1 of the school year of participation in busines@school) together with all personal data processed in connection with access to the online platform.

If the school application is rejected by business@school or if the application/registration is withdrawn by a participant (teacher, coaches, student) who has completed the application, the personal data will be deleted after 4 weeks.

Contact data of participating students - i.e. first and last name, e-mail address, school as well as year of participation - will be stored by BCG and used according to section 3.7 until one of the following cases occurs:

  • Deregistration in the context of re-registration Supervisor.
  • Objection to the use of the data

3.7 Usage of contact details after the project year

The contact data of participating students described in section 3.6 will be used by BCG after the end of a business@school project year to contact them and provide general information about business@school. This also includes the annual inquiry as to whether the students would like to become a supervisor (again or for the first time). For this purpose, business@school sends an e-mail with a link to the website where formerly participating students can register as supervisors by filling out the registration forms.

The legal basis for the use of these contact details is Art. 6 para. 1 p. 1 lit. f DS-GVO. Our legitimate interest is the further development of the educational initiative business@school by involving former students.

4. General data protection information

4.1 Disclosure of personal data

In general, your personal data will be transmitted neither to third parties other than the recipients mentioned in this data privacy statement nor to the specified recipients for purposes other than those described.

We disclose your personal data to third parties only if one of the following legal grounds for the transmission of data applies:

  • If you have given us your express consent to do so (legal basis: GDPR Art. 6 (1) (a)), such as for the publication of data
  • If you have registered to participate in business@school as a teacher and your school is accepted. In this case, we disclose your e-mail address to external coaches (who volunteer at schools and share their expert, practical business knowledge with participating students) so that they can contact you. This disclosure is necessary for carrying out the business@school competition and for communication, coordination, and support between you and the respective coaches. The legal basis for the processing of the required information is GDPR Art. 6 (1) (b) (fulfillment of contract as agreed with the data subject or implementation of pre-contractual measures at the data subject's request)
  • If disclosure is necessary for the assertion, exercise, or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data (legal basis: GDPR Article 6 (1) (f), whereby our legitimate interest is the ability to assert legal claims or defend ourselves against legal claims)
  • If we are legally required to disclose the information (legal basis: GDPR Art. 6 (1) (c))
  • If disclosure is otherwise legally permitted and necessary for to process our contractual relationships with you (legal basis: GDPR Art. 6 (1) (b))

Current recipients of personal data are

  • service providers, detailed information about which may be found in section 1 above;
  • external coaches from partner companies, if you register to participate in business@school; and
  • other users of the b@s platform, insofar as information is published in the platform’s publicly accessible area.

4.2 Information about rights of data subjects

Every data subject has the right of access to information under GDPR Article 15, the right to rectification under GDPR Article 16, the right to erasure under GDPR Article 17, the right to restriction of processing under GDPR Article 18, the right to object under GDPR Article 21, and the right to data portability under GDPR Article 20. With regard to the right of access to information and the right to erasure, the limitations of § 34 and § 35 of the German Federal Data Protection Act (BDSG) apply.

4.3 Information about the right to lodge a complaint

You also have the right to lodge a complaint with a competent data protection supervisory authority about our processing of your personal data.

4.4 Information about revocation of consent

You can revoke your consent to the processing of your personal data (e.g., such as granted in the context of registering to participate in business@school) at any time. This also applies to consent given to us before the GDPR took effect, i.e., before May 25, 2018. Please note that revocations are effective only for the future. Any processing that occurred before revocation will not be affected.

4.5 Information about the right to objection in the weighing of interests

If our processing of your personal data is based on the weighing of interests, you may object to it. In the event that you do, we will ask you to explain your reasoning as to why we should not process your personal data as described. If your objection is founded, we will review the circumstances and either cease or adjust our processing or explain our compelling legitimate grounds for doing so, on the basis of which the processing must take place despite your objection.

5. Links to other websites

The b@s platform may contain links to the websites of other providers. Please note that this privacy statement applies exclusively to the online platform of business@school. We have no influence over and cannot control other providers' compliance with applicable privacy laws.

6. Amendments to the data privacy statement

We reserve the right to amend or adapt this privacy statement at any time in accordance with the applicable data protection regulations.