GDPR

CentraleSupélec Data Protection Policy

Our Commitments

Advances in traditional computing, the internet, and artificial intelligence are increasing risks to people's rights and freedoms.

In this context, CentraleSupélec applies the General Data Protection Regulation (GDPR). Because progress must serve people, we are committed to protecting personal data and limiting the possible impacts of our activities on their rights and freedoms.

At CentraleSupélec, the Data Protection Officer (DPO) reports to the General Management and appears before the Management Committee if necessary; he participates in crisis units as needed.

CentraleSupélec raises awareness among all users of information systems about the need to protect personal data. Each data processing operation is subject to clear and precise information: objectives, categories of data processed, recipients, retention period, security, etc. CentraleSupélec documents its compliance with the GDPR (in particular through the Registers) and its ongoing compliance approach.

GDPR Compliance Means at CentraleSupélec

As part of our activities

All departments are responsible for ensuring the GDPR compliance of the IT systems they implement; the DPO supports them in this process. In particular, we analyze processes and information systems, we work to process only strictly necessary data, we regularly review access rights, and we apply the data retention periods that we define.

This sphere of protection extends to CentraleSupélec's suppliers and subcontractors, by verifying or improving the in-depth compliance of contracts with the GDPR, collaborating in the event of security breaches, and even auditing subcontractors accessing systems or data that pose the greatest risk to individuals. These compliance controls apply to subcontractors directly accessing personal data as well as to subcontractors of IT systems.

The Information Systems Department contributes to this compliance by developing and selecting systems that promote compliance from the design stage and from the implementation stage. Together with the Information Systems Security Manager (ISSM) and our Education and Research Security partners, it strengthens system security and monitors for new threats.

As part of our training

In addition to general training in law and corporate social responsibility, the School raises students' awareness of the concepts and obligations of the GDPR.

As part of our research activities

CentraleSupélec systematically assesses the GDPR compliance of research contracts involving the processing of personal data. If necessary, the DPO works with their counterparts at our funders to define and strengthen contracts, security protocols, data retention periods, etc. We pay particular attention to research activities related to health.

As part of the CentraleSupélec ecosystem

The CentraleSupélec DPO provides assistance to the structures directly attached to the School: EXED, CentraleSupélec Foundation, Digital Lab. Their compliance approach is identical to that of the School, even in the absence of a formal designation of a Data Protection Officer.

He participates in the development and revision of partnership and exchange agreements within the framework of studies – for example on the subjects of double degrees or studies outside the European Union.

Within the framework of the University of Paris-Saclay, he discusses GDPR compliance issues with other University establishments and participates in joint actions. He works with the DPOs of members of the Ecoles Centrale Group, other organizations on the Paris-Saclay Plateau, and other universities.

Your rights

We are committed to respecting your rights. In accordance with the GDPR, the doctrine of the French National Commission for Information Technology and Civil Liberties (CNIL), and other applicable texts, if you wish to exercise your rights, obtain additional information about this Policy, or report any difficulties, please do not hesitate to contact the Data Protection Officer by email: dpo@centralesupelec.frWe are committed to responding to you quickly, generally within one week, rather than the one-month deadline provided for in the texts.

The Director General of CentraleSupélec