China Europe International Business School Privacy Notice (CEIBS Switzerland) Date: 10.10.2023

 

Table of contents

1        General

2        Who is responsible for data processing?

3        General Information on which categories of personal data we process and for what purpose

3.1    What is personal data and what categories of personal data do we process?

3.2    For what purposes do we process personal data?

3.4    What are the legal bases for data processing?

4        Disclosure of personal data

4.1    Are personal data disclosed to third parties?

4.2    Do we use third-party service providers?

4.3    Do we transfer personal data to third countries?

5        Duration of storage and retention periods?

6        Your rights

6.1    Right of access

6.2    Right of rectification

6.3    Right to erasure

6.4    Right to restriction of processing

6.5    Right to data portability

6.6    Right of withdrawal of consent

6.7    Right of objection

6.8    How can you exercise your rights?

7        Am I obliged to provide personal data?

8        To what extent is automated decision-making including profiling carried out?

9        Is profiling taking place?

10     Contact details for data protection matters

11     Can we amend this Privacy Notice?

 

1. General

CEIBS Switzerland AG (hereinafter referred to as “CEIBS”, “we”, “us”) is committed to protecting and respecting your privacy. CEIBS takes the protection of your data seriously. Below we explain what data we collect and how we use it.

We have aligned this privacy notice (“Privacy Notice”) with both the Swiss Federal Act on Data Protection (“FADP”) and the European General Data Protection Regulation (“GDPR”). However, whether and to what extent the GDPR is applicable at all depends on the individual case.

2. Who is responsible for data processing?

Responsibility for data processing lies with the company that determines whether such processing is to take place, for what purposes it is to take place and how it is to be configured. Typically, CEIBS Switzerland AG (Hirsackerstrasse 46, 8810 Horgen, Switzerland) is controller of the processing activities that are covered by the present Privacy Notice. If you want to contact us in data protection matters, please see Section 10 below.

 

3. General Information on which categories of personal data we process and for what purpose

CEIBS wants you to feel secure about your personal data and to inform you when, for what purposes and what personal data about you are processed.

1.  What is personal data and what categories of personal data do we process?

Personal data is any information relating to an identified or identifiable natural person (e.g. name, address, telephone number, date of birth or e-mail address). We process in particular the following categories of personal data:

• Master data, which is the basic data that we need to process our business relationships or for marketing and advertising purposes and that relates directly to your person and characteristics. For example, we process the following master data:
  • salutation, surname and first name, gender and date of birth;
  • address, contact details such as e-mail address and telephone and mobile number;
  • nationality and status of residence permit, visa information;
  • further information from identification documents;
  • family data (e.g. marital status);
  • language preference declarations;
  • details of occupational profile and employment (e.g. terms of employment, employer, start of employment) and training, if applicable;
  • information on housing situation;
  • in case of contact persons of companies also relations to the company you are working for;
  • signature authorizations and consent forms.

 

We usually obtain this master data from you directly but possibly also from other persons who work for your company, but we may also obtain personal data from third parties, for example, from agencies you work for or from third parties such as our contracting parties, associations, and address dealers and from publicly accessible sources such as public registers or the internet (websites, social media, etc.).
 

• Contract data is information that incurs in connection with the conclusion or execution of a contract, for example information about contracts and cooperative partnerships and the services to be rendered or the services rendered, as well as data from the period prior to the conclusion of a contract, information on the conclusion of the contract itself (e.g. the closing date and the subject matter of the contract), as well as the information required or used for the execution. For example, we process the following contract data:
  • date, information on the type and duration as well as conditions of the respective contract, data concerning the termination of the contract;
  • contact details;
  • information on the use of services;
  • information on payments and payment methods, invoices, mutual claims, contact with customer service, objections, complaints, feedback, etc.;
  • for services available online, also access data and logins.

 

We receive this data from you, but also from partners with whom we work. Again, this data may relate to your company, in which case it is not ”personal data“, but it may also relate to you if you work for a company or if you obtain services from us.
 

• Communication data is data in connection with our communication with you. Communication data are is, for example:
  • name and contact details such as e.g. postal address, e-mail address and telephone number;
  • content of correspondence (e.g. of e-mails, written correspondence, telephone conversations, chat messages, etc.);
  • responses to satisfaction surveys;
  • information on the type, time and, if applicable, location of the communication and other peripheral data of the communication.

 

 

• Technical data is generated in connection with the use of our website. This includes, for example, the following data:
  • The IP address of the end device and device ID;
  • information about your device, the operating system of your end device or language settings;
  • information about your internet provider;
  • accessed content or protocols in which the use of our systems is recorded;
  • date and time of access to the website and your approximate location;
  • details of the content and files accessed in your personal Login or Portal;
  • other information that is required when using a Login a Portal, such as sending the access code via push message for logging into your Login or Portal via our website.

 

• To tailor our offers and services to you or your company in the best way possible, we try to get to know you better and try to better tailor our services to you. For this purpose, we collect and use data on your behaviour. Behavioural data is, in particular, information about your use of our website. It may also be collected based on technical data. This includes, for example, information on your use of electronic communications (e.g. whether and when you opened an e-mail or clicked on a link, especially when sending newsletters). We may also use your other interactions with us as behavioural data, and we may link behavioural data with other data (e.g. with anonymous information from statistical offices) and evaluate this data on a personal and non-personal basis.
• Preference data tells us which needs you are likely to have, and which services might meet your interest (e.g. when selecting topics for the newsletter, or with regard to study programmes). We therefore also process data regarding your interests and preferences. For this purpose, we can link behavioural data with other data and evaluate this data on a personal and non-personal basis. This allows us to draw conclusions about characteristics, preferences, and anticipated behaviour.
• We process data relevant to deliver services to our Alumni, who opted in to the Alumni community. This comprises in particular your occupation and career path.
• We may also collect data from you in other situations. In connection with official or judicial proceedings, for example, data (such as files, evidence,visa applications details etc.) incurs that may also relate to you. We may also collect data for health protection purposes (for example, as part of protection concepts). We may also obtain or produce photographs, videos, and sound recordings in which you may be identifiable (e.g. at events, by security cameras, etc.). We may also collect data on who enters certain buildings and when or has corresponding access rights (incl. in the case of access controls, based on registration data or visitor lists, etc., who participates in events and who uses our infrastructure and systems and when). Most of the data mentioned above is provided by you to us.To the extent necessary for the performance of our services or the contract between you and CEIBS, we also process personal data that we receive from other CEIBS companies (e.g. CEIBS Shanghai) or other third parties (e.g. professors and other teaching staff).

We also process personal data from publicly accessible sources (e.g. debtors' registers, press, (social) media, internet) which we are legally entitled to receive and process.

1. For what purposes do we process personal data?

CEIBS processes the personal data for the following purposes:

• Communication process: Personal data are processed in the context of internal and external communication. This includes answering inquiries and contacting you in case of queries, e.g. by e-mail (e.g. course information, absence information, exchange with sponsors). For this purpose, we especially process your communication and master data.
• Providing spatial infrastructure, courses, exchange programs, travelling and similar events: Personal data are processed for issues in connection with the provision of facilities (e.g. event management, course planning) and teaching activities (e.g. recruitment and enrolment of students, enrolling, learning and controlling processing activities). It also includes activities and/or coordination in connection with (online) courses, such as organisation of teaching staff. It also includes the organisation of exchanges or study-related travel activities. For these purposes, we especially process technical data, contract data, master data, communication data and behavioural data.
• Individual advisory services, such as the control of learning process (e.g. student performance, time management) as well as career preparation (e.g. advice concerning professional social media accounts and applications in general). For this purpose, we especially process master data, communication data and behavioural data.
• Customer and students care, marketing and quality management:  To offer you targeted information about new offers according to your personal preferences, for example, through the newsletter and personalised advertising. This also includes quality management (e.g. improvement of sales and marketing strategies, training courses, performance measurement). For this purpose, we especially process technical data, master data, communication data and behavioural data.
• Administration of alumni association: We maintain an alumni database, in order to facilitate exchange between alumni and to organize events. For this purpose, we especially process master data, contract data, communication data and behavioural data.
• To ensure IT security and for prevention: we process personal data to monitor the performance of our company, in particular IT, our website, applications, and other platforms, for security purposes, to ensure IT security, to prevent theft, fraud and abuse, and for evidence purposes. This includes, for example, the evaluation of technical records of the use of our systems (log data), the prevention, defence and investigation of cyber-attacks and malware attacks, analyses and tests of our networks and IT infrastructures, system and error checks. For this purpose, we especially process technical data and behavioural data.
• To maintain the internal rules and other measures for IT, building and facility security and for the protection of our employees and other persons and assets belonging to or entrusted to us (such as access controls, visitor lists, network and mail scanners, telephone records). For this purpose, we especially process technical data and behavioural data.
• To protect our rights: we may also process personal data to enforce claims in or out of court and before authorities in Switzerland and abroad, or to defend ourselves against claims. For this purpose, particularly master data and communication data may be processed.
• To comply with legal requirements: this includes, for example, the processing of complaints and other notifications, compliance with orders of a court or an authority, measures to detect and investigate abuses, and generally measures that we are obliged to take by applicable law, self-regulation, or industry standards. For this purpose, we may especially process your master data and communication data.
• For administration and support: to shape our internal processes efficiently, we process data as far as necessary for the administration of IT, for accounting or for archiving data. For this purpose, particularly contract data, communication and behavioural data as well as technical data may be used.
• We may also process data for other purposes. These include company management, including business organization and company development, other internal processes and administrative purposes (e.g. management of master data, accounting and archiving), training as well as educational purposes and the preparation and processing of purchase and sale of business units, companies or parts of companies and other transactions under company law and the associated transfer of personal data, as well as measures for business management and the protection of other legitimate interests.
  3. What are the legal bases for data processing?

As the case may be, data processing is only permitted if the applicable law specifically allows it. This does not apply under the FADP, but does apply, for example, under the GDPR as far as it is applicable. In this case, we base the processing of your personal data on the following legal bases:

• on your consent (Article 6(1)(a) and Article 9(2)(a) GDPR),
• that the processing is necessary for the performance of the contract or pre-contractual measures (e.g. the review of a contract proposal; Article 6(1)(b) GDPR),
• that the processing is necessary for the establishment or defence of legal claims or civil proceedings (Article 6(1)(f) and Article 9(2)(f) GDPR),
• that the processing is necessary for compliance with domestic or foreign legal provisions (Article 6(1)(c) and (f); Article 9(2)(g) GDPR),
• that the processing is necessary for a legitimate interest in the data processing, in particular the interests mentioned in section 4 (Article 6(1)(f) GDPR).

 

4. Disclosure of personal data
   1. Are personal data disclosed to third parties?

In connection with our processing activities, we may disclose your personal data to other recipients.

The educational program of CEIBS is jointly offered by us and China Europe International Business School, 699 Hongfeng Road, Pudong, Shanghai 201206, P.R.C. (“CEIBS Shanghai”). Integral part of this offering is the close cooperation between the different CEIBS locations. Therefore, personal data transfers between us and CEIBS Shanghai, as well as other CEIBS locations are necessary for our services.

Other than our teaching activities, this may serve the internal group administration (e.g. centralized use of IT services) or the support of the respective CEIBS locations and their own processing purposes, e.g. for the personalisation of marketing activities, the provision of cross-border teaching offers or the development and improvement of services. Another example is our alumni database which is maintained by CEIBS Shanghai and CEIBS Switzerland.  In order to keep these databases up to date, data transfers between CEIBS Switzerland and CEIBS Shanghai can occur.

1. Do we use third-party service providers?

We further disclose personal data to service providers as required for their services. This particularly concerns IT service providers, but also consulting companies, analysis service providers, debt collection service providers, credit agencies, marketing service providers, etc. As far as service providers process personal data as processors, they are obliged to process personal data exclusively according to our instructions and to implement data security measures.

Data may also be disclosed to other recipients, e.g. to courts and authorities as part of legal proceedings and legal information and cooperation duties, to buyers of companies and assets, to financing companies in the case of securitizations, and to collection agencies.

In individual cases, it is possible that we also disclose personal data to other third parties for their own purposes, e.g. if you have given us your consent to do so or if we are legally obliged or entitled to disclose such data.

1. Do we transfer personal data to third countries?

We also disclose personal data to other CEIBS entities, third parties or processors that are not located in the EU/EEA or Switzerland. In particular, we may disclose personal data to recipients in China, Switzerland, USA if you use our services provided through Zoom and Qualtrics, France , Singapore)  

We may also transmit data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings. Not all of these countries currently guarantee an adequate level of data protection according to the standards of Swiss law. We therefore take contractual precautions to contractually compensate for the lower level of legal protection, especially with the standard contractual clauses issued by the European Commission and recognised by the Swiss Data Protection and Information Commissioner (FDPIC). For more information and a copy of these clauses, please visit www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html

 In certain cases, we may transmit data in accordance with data protection law requirements even without such contracts, e.g. if you have consented to the corresponding disclosure or if the disclosure is necessary for the execution of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests. We can provide you with an overview of third country recipients together with a copy of the terms specifically agreed to ensure an adequate level of data protection. Please use the details underdataprotection@ceibs.edu for this purpose.

5. Duration of storage and retention periods

We process and store your personal data for as long as it is necessary to provide our (contractual) services (usually for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving and or to ensure IT security) and as long as the data is subject to a legal retention obligation (for example, for certain data, a ten-year retention period applies). If there are no legal or contractual obligations to the contrary, we will delete or anonymise your data after the storage or processing period has expired within our normal processes.

6. Your rights

Under the applicable data protection law, you have certain rights to obtain further information about and influence our data processing. Please note that these rights are subject to legal requirements and restrictions and are therefore not fully applicable in every case. In particular, we may need to further process and store your personal data in order to fulfil a contract with you, to protect our own legitimate interests such as the assertion, exercise or defence of legal claims, or to comply with legal obligations. To the extent legally permissible, in particular to protect the rights and freedoms of other data subjects and to safeguard interests worthy of protection, we may therefore also reject a data subject request in whole or in part (e.g. by redacting certain content relating to third parties or our trade secrets.

Particularly, you may have the following rights:

1. Right of access

You can request further information about our data processing. We are at your disposal for this purpose. You can also submit a so-called information request if you wish to receive further information and a copy of your data. .

1. Right of rectification

You have the right to request the controller to correct any incorrect or incomplete personal data concerning you or to complement your personal data by a note that indicates your objection.

1. Right to erasure

You have the right to request the controller to erase personal data concerning you if the data are no longer necessary for the purposes for which they were collected or processed. The same applies if you withdraw consent or object to the processing and there are no overriding legitimate grounds for the processing, or the personal data have been processed unlawfully.

1. Right to restriction of processing

You have the right to request the controller to restrict the processing of personal data.

1. Right to data portability

You have the right to receive the personal data concerning you that you have provided to a controller in a structured, commonly used and machine-readable format, and you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, as far as the respective data processing is based on your consent or is necessary for the execution of the contract.

1. Right of withdrawal of consent

You have the right to withdraw your consent to the processing of personal data at any time. Despite withdrawal, the lawfulness of the processing carried out on the basis of your consent until withdrawal is not affected.

1. Right of objection

You have the right to object at any time to the processing of personal data concerning you, where the processing is carried out on the basis of the legitimate interest of the controller/third party or is necessary for the performance of a task carried out in the public interest. If the personal data are processed for the purpose of direct marketing, you may object at any time.

1. How can you exercise your rights?

To exercise your rights, contact dataprotection@ceibs.edu. You will find further details under section 10.

Every person has the right to file a complaint with a supervisory authority.

For Switzerland: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter Feldeggweg 1 CH-3003 Bern Telefon: +41 (0)58 462 43 95

For EU/EEA: Please find your supervisory authority on this list: https://edpb.europa.eu/

7. Am I obliged to provide personal data?

For the performance of the pre-contractual relationship or of the contract as well as the offering of our services, we rely on the provision of personal data or are legally obliged to collect it. If no personal data is provided, it is not possible for us to enter into a contract with you or to continue to provide or perform the contract or our services.

8. To what extent is automated decision-making including profiling carried out?

We do not make any exclusively automated decisions within the scope of the contractual relationship or our services. We inform about the possible use of automated decisions within the scope of our legal obligations.

9. Is profiling taking place?

In certain situations, we process personal data to evaluate certain personal aspects relating to an individual, in particular to evaluate aspects relating to an individual's study or lecturing performance, an individual’s interests and reliability. For example, we use profiling in the following cases:

• In the context of the contractual relationship or our services (e.g. performance tracking, personal interest management) to evaluate performance and development in our company.
• In the context of marketing (e.g. personal course & program suggestions, selection and recruitment of potential students and professors).

10. Contact details for data protection matters

For information and suggestions on the subject of data protection, please contact our data protection manager:

CEIBS Switzerland AG eMail:dataprotection@ceibs.edu

Representative in the EU/EEA: Representation for data subjects in the EU We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact. Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website. https://prighter.com/cc/EUprivacyrequestCEIBS Company Maetzler Rechtsanwalts GmbH & Co KG c/o CEIBS Switzerland AG Address: Schellinggasse 3/10 1010 Vienna Country: Austria Website: https://prighter.com Please add the following subject to all correspondence: ID-15018800556 Make an enquiry or submit request: https://prighter.com/cc/EUprivacyrequestCEIBS

If you are based in a country outside of Switzerland, EU or EEA, please refer to our data protection officer in Switzerland. He will assist you in finding your responsible contact person.

11. Can we amend this Privacy Notice?

CEIBS reserves the right to amend this Privacy Notice from time to time. You should therefore read this Privacy Notice regularly. The date of the most current version (effective from) can be found at the beginning of the Privacy Notice.