Privacy Notice
This Privacy Notice describes how your personal data is processed by the International Institute for Management Development (hereafter referred to as “IMD” or “we” or “us”), as well as, where applicable, IMD affiliates.
1) IMD’s role and contact details
IMD’s main establishment is the International Institute for Management Development (IMD), a Swiss-based foundation established in Lausanne, Vaud, that may be contacted with the following information:
IMD – International Institute for Management Development
Chemin de Bellerive 23
CH – 1007 Lausanne
IMD operates two branches in Singapore and Shenzhen (China), which qualify in the context of this Privacy Notice as “IMD Affiliates”. Specific privacy notices (apply whenever IMD Affiliates directly collect your personal data, please click for Singapore).
In the context of this Privacy Notice, IMD is the controller of your personal data. As a Swiss-based foundation, IMD is directly subject to the Swiss Federal Act on Data Protection (“FADP”).
2) Scope of the Privacy Notice
This Privacy Notice applies to all processing activities that are implemented by IMD in the context of its activities, especially in relation to:
- IMD’s website (IMD.org) and other IT platforms as well as IMD’s mobile applications (hereafter together the “Online Platforms”)
- Programs and courses, in person and/or online (including any assessments, reports, or other pedagogical tools)
- Conferences and other events organized by and/or in relation to IMD
- Fundraising and networking activities
- Communication activities, including newsletters, as well as IMD’s presence on social networks
- Management of the alumni community
- Research and other scientific activities (including statistics)
- Statistical activities
Please note that a specific privacy notice shall apply for employment-related processing activities as well as for the specific processing activities linked to board members of IMD.
3) Definitions
4) Applicable modalities to the processing activities
(Categories of personal data, purpose, basis, retention period, and transfer to third parties)
In this chapter, IMD details the applicable modalities to the processing activities, being underlined that it chooses to apply a specific basis for each category of the processing operation. It is also specified that the transfers to “third parties” that are listed hereunder do not include processors of IMD, who are mentioned and listed under par. 5.
For further detail, please choose hereunder the chapter that relates to the processing operation you are interested in.
5) Sharing of personal data and international transfers
As mentioned under par. 4 above, for each category of processing operations, some of your personal data may, under limited circumstances, be disclosed and shared with third parties.
In addition to the third parties mentioned above, such sharing may also be made with processors and subcontractors who support IMD in performing its services. This is especially the case for the various software used in the context of IMD’s courses and programs to offer you the best and most complete experience in this context, as well as for the continuous improvement of our online services and learning experience. A list of such processors and subcontractors may be made available on request. It is also the case for part of the hosting of our IT environment.
Transfers may also occur with IMD Affiliates, for example when organizing courses, programs, and events.
Overall, we never share, sell, or in any other way transmit your data to any third party for commercial purposes without your permission. In any case of transfer of some of your personal data to third parties and processors, any such recipients are contractually prohibited from using or sharing further such personal data for any other purpose than what is contractually provided.
From a geographical point of view, IMD favors whenever possible processors and hosting facilities located in Switzerland and/or the EEA (for its general personal data). Whenever this is not possible, and such recipients are in a country that does not offer adequate data protection legislation, IMD performs a prior data transfer impact assessment (DTIA) that includes the analysis of alternatives existing in an adequately protected country. Whenever this last possibility is not available, and the transfer has to be made, IMD applies additional safeguards with each recipient, which include inter alia (i) the obligation for the recipient to answer a detailed questionnaire on IT security and data protection, (ii) the signing of Standard Contractual Clauses (SCCs), or the use of another safeguard mechanism that is compliant with applicable law, as well as (iii) the regular review and updating of these mechanisms.
For IMD Affiliates in China and Singapore, dedicated copies and hosting requirements for personal data may apply, as provided in the applicable specific privacy notice.
Please note that, aside from the above, IMD may also communicate personal data to third parties when we are ordered or obliged to do so because of a court order, governmental authority, and/or by law. In such a situation, IMD shall implement the required means to limit as much as possible the transfer of personal data. You shall also be informed of this unless applicable law prohibits us from doing so.
Should you have any questions on the above, require any further information, and/or wish to receive a copy of the additional safeguards that apply, please contact us directly.
6) Security, internet security, and integrity
Considering the absolute importance of security applied to personal data, IMD is certified ISO 27001 and ISO 27701. In compliance with these two certifications, we take high-end precautions to protect personal data in our possession from loss and misuse as well as unauthorized access, disclosure, alteration, and destruction. We also maintain physical, electronic, and procedural safeguards that comply with applicable laws to safeguard personal data.
At IMD, we make every effort to follow industry-standard security. However, no data transmitted through the internet and/or stored on servers is 100% secure. As a result, we are unable to guarantee that any personal data covered by this Privacy Notice will be entirely secure. That being said, we do work thoroughly to limit any risks as much as possible.
7) IMD principles applied to the retention period
IMD applies the following principles for the retention of data (letters are used in the applicable modalities for ease of reference). Please note that specific regulations and retention periods may apply to some of our processing activities.
Basis | Pniciples applied to retention period (for references see para 7) |
A | From the last active contact with IMD we retain data for 10 years for a program participant, or for 2 years otherwise |
B | 10 years from the last active contact with IMD |
C | 6 months from program completion |
D | 1 month from payment |
E | No limitation |
8) Your rights
Please note that you benefit from various rights, depending on the applicable legal regime to your personal data. Each may be limited based on IMD’s and/or third parties’ legitimate interests or based on other grounds, including IMD’s legal obligations. To exercise them, please contact us by using the contact information provided under par. 1 above.
- Information right: See current notice.
- Access right: You have the right to receive from IMD confirmation about the actual processing or not of your personal data. If your personal data is processed, you have the right to access such personal data (including to receive a copy).
- Rectification right: You have the right to request that your personal data be rectified or completed without undue delay.
- Erasure right: You have the right to request the erasure of your personal data without undue delay.
- Limitation of processing right: IMD grants you the right to request that your personal data be processed in a limited manner.
- Data portability right: IMD grants you the right to retrieve the data you have provided in a structured, commonly used, and machine-readable format, and you have the right to transfer this personal data to another controller.
- Right to object: IMD grants you the right at any time to object to the processing of your personal data for reasons deriving from your personal situation, even if this processing concerns IMD’s legitimate interest or public interest.
- Possible right to lodge a complaint with a supervisory authority: If you are a resident of Switzerland, the complaint can be lodged at the following address: Swiss Federal Data Protection and Information Commissioner, Feldeggweg 1, 3003 Berne, Switzerland. For more information please visit www.edoeb.admin.ch.
When the processing is based on your consent, you can at any time withdraw it. Please note, however, that in such a case, IMD may be authorized to continue processing your personal data based on another lawful ground. Similarly, the lawfulness of any data processing that occurred before the consent’s withdrawal is not impacted by such withdrawal.
Access and modification of most of your personal data can be done at any time by accessing your profile on MyIMD. It is your responsibility to ensure that the personal data used in the context of your profile and activities with IMD is up-to-date and correct.
9) Changes
This Privacy Notice was last updated on 14 June 2023.
We may update this Privacy Notice at any time. Any changes to it will be posted on this page.