ISARA recognises the importance of processing personal data pursuant to the provisions of Regulation 2016/679 of 27 April 2017 relating to the protection of individuals in relation to the processing of personal data (hereinafter “GDPR”) and the free movement of such data, and pursuant to national and European laws and regulations.
As such, this Policy provides data subjects, visitors to and users of the ISARA website all of the information relating to personal data processing operations carried out by ISARA, thereby ensuring compliance with the GDPR transparency requirement.
In order to ensure the highest possible degree of transparency and clarity with regard to the information provided by ISARA to visitors and users of its website, a list of definitions has been provided below to assist you in understanding this policy:
“Personal data” refers to any information relating to an individual who is or may be directly or indirectly identified through data. For example, an individual’s last name, email address, identification number, location data, or username are considered personal data.
“Processing” or “Data processing” refers to any operation or set of operations carried out on one of more pieces of personal data. For example: collecting, recording, retaining/storing, using, modifying or extracting, consulting, deleting or destroying data are all forms of data processing.
“Data controller” refers to any individual or legal entity that processes personal data in accordance with the means and purposes (objectives) set and determined by them.
“Processor” or “Data processor” refers to any individual or legal entity that processes personal data on behalf of the Data Controller in accordance with the orders, instructions, means and purposes (objectives) set and defined by the Data Controller.
Article 1 – Data controller
ISARA, association registered with the Préfecture du Rhône under number W691054501, having its registered office at 23 Rue Jean Baldassini 69007 Lyon, registered with INSEE under number 779 845 056 00042, higher education institution acting via its website.
Article 2 – Legal basis and purpose of processing
The ISARA website carries out a number of personal data processing operations in order to communicate and exchange information with users.
ISARA carries out its data processing operations on the following legal bases: the data subject’s consent, the performance of a contract or precontractual measures at the data subject’s request, ISARA’s legitimate interests, or compliance with a legal obligation.
The following personal data processing operations are based on your consent:
– Responding to written requests submitted through the contact form
– Responding to applications submitted via applications forms
– Responding to requests for brochures submitted via the relevant forms
The following personal data processing operations are carried out pursuant to a statutory obligation:
– Data retention under statutory security and tax obligations
The following personal data processing operations are based on ISARA’s legitimate interests:
– Managing information/registration requests submitted by web users
– Analysing website traffic (via the “Matomo” tool)
Article 3 – Categories of personal data collected
The data processed by ISARA is mainly collected via forms accessible on our website, except for certain data relating to visitor connections (IP addresses), which is automatically recorded by our systems and server logs and by Matomo’s systems.
ISARA undertakes to comply with the principle of personal data minimisation set out in Article 5.1 of the GDPR, which involves only collecting the exact data strictly required for processing. As such, the data collected by ISARA includes:
|Category of personal data||Personal data|
|Data relating to identification||– Last name
– First name
– Date of birth
|Data relating to contact details||– Email address
– Phone number
– Post code
|Other personal data||– Education
– Current educational establishment
|Technical data||– Visitor IP addresses
– Browsing data- Connection data (logs)
Article 4 – Recipients of personal data collected on the website
The recipients of personal data collected via the forms accessible on the website are ISARA employees authorised to process your request. ISARA ensures that its employees are trained in processing personal data, in accordance with its statutory obligations under the GDPR.
Data collected through the web portal is for internal use only, and is not communicated, transferred or disclosed to third parties, except for the authorisations granted by ISARA to its data processors.
Article 5 – Personal data subcontracting
ISARA may be required to enlist the services of subcontractors to effectively perform its services (e.g. subcontractors specialised in hosting, email campaigns, etc.).
ISARA hereby guarantees, vis-a-vis users and visitors to its website, that its subcontractors will comply with the statutory obligations imposed by the GDPR with regard to personal data. As such, prior to and throughout the performance of the contract, ISARA ensures that its subcontractors comply with the technical and organisational security measures essential to the processing of personal data by ISARA.
Article 6 – Transfer of personal data outside the European Union
ISARA does not transfer any personal data outside the European Union. The personal data collected by ISARA is hosted within the European Union.
If ISARA is required to transfer data outside the European Union, it undertakes to take all necessary and essential measures to ensure such data is protected, pursuant to applicable European laws.
Article 7 – Personal data retention period
In accordance with the maximum retention period set out in the GDPR, personal data collected and processed by ISARA is only retained for the time required for the purpose of the processing.
|Data categories||Retention period|
|Data relating to website visitors and users||For the period required to process the user’s request, and two years after the last visit to the site|
|Data relating to applications||Following the most recent action by the applicant, unless the applicant objects:
– 1 year for Bac+2 (two-year course) and Bac+4 (four-year course) courses
– 2 years for other courses
|6 months following collection, unless otherwise provided by law.|
|Cookies||13 months following the individual’s consent to the storing of cookies|
ISARA ensures that information recorded on the website is kept confidential. The addresses and personal data of registered users are not displayed on the website at any time.
Finally, ISARA undertakes to immediately delete and remove any data collected when the website user submits a request to ISARA on the website or in writing to the following address:
AGRAPOLE – ISARA
23 rue Jean Baladassini
69364 LYON 07
ATTN: Christian PINEAU
23 rue Jean Baladassini
69364 LYON 07
Article 8 – Exercising rights
Pursuant to the French Data Protection Act (law no. 78-17 of 6 January 1978) and the European General Data Protection Regulation (“GDPR”), you have the following rights in relation to the processing of your personal data:
– Right of access and to obtain copies:
This refers to the right to obtain from the Data Controller the confirmation as to whether or not your personal data is processed; if so, you have a right to access such personal data. In this case, ISARA will provide you with a copy of the personal data processed. ISARA is entitled to charge a reasonable fee for administrative costs incurred for any excessive requests for additional copies.
– Right of rectification:
This refers to the right to obtain from the Data Controller the correction of inaccurate personal data, in a timely manner. You also have the right to update any incomplete personal data, including by providing an additional declaration.
– Right of deletion:
This refers to the right to obtain from the Data Controller the deletion of your personal data in a timely manner.
– Right to limit processing:
This refers to the right to obtain from the data controller a limitation on data processing when:
o You object to the accuracy of the personal data. Such limitation on processing will then be applicable for the time required by ISARA to verify the accuracy of your personal data;
o The processing is unlawful, and you would like ISARA to restrict the use of your data rather than delete your data;
o ISARA no longer needs your personal data in relation to the processing carried out, however you consider that such personal data is still necessary for the assertion, exercise or defence of legal claims;
o You have objected to the processing of your data (in accordance with your right of opposition). Such limitation on processing will then be applicable for the time required by ISARA to verify whether its legitimate reasons for processing prevail over the reasons put forward by you.
– Right of opposition:
This right consists in objecting, at any time and for reasons relating to their specific situation, to the processing of personal data when such processing is based on ISARA’s legitimate interests, or when processing is carried out for prospecting or profiling purposes.
– Right to data portability:
This refers to the right to obtain the personal data you have provided to ISARA, in a structured, commonly used and machine-readable format, or to have such data sent to another data controller without obstruction by ISARA when the following conditions are met:
o The data processing is based on consent or on a contract
o The processing is carried out using automated processes.
– Right to lodge a complaint with a supervisory authority:
This refers to the right to lodge a complaint with the French Data Protection Authority (CNIL), either directly on its website (https://www.cnil.fr/fr/plaintes) or at the following address: CNIL – Service des Plaintes – 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07.
You may exercise these rights by writing to us at firstname.lastname@example.org or at the following address:
ATTN: Christian PINEAU
23 RUE JEAN BALDASSINI
69364 LYON 07
However, we will take care to verify your identity before granting you access to your personal data or applying your corrections.
Article 9 – Security measures
ISARA undertakes to take all technical and organisational security measures to ensure personal data is protected and to avoid any personal data breaches.
Following legislative and regulatory changes with regard to data privacy, ISARA may modify and update this policy at any time. Therefore, the most recent version of this policy shall take precedence over any previous versions.