Données personnelles - Politique des apprenants

Personal data policy for students at the AFPICL - Association des Fondateurs et des Protecteurs de l’Institut Catholique de Lyon


Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter GDPR) sets the legal framework applicable to processing personal data.

The GDPR reinforces the rights and obligations of controllers, processors, data subjects as well as data recipients.

To ensure this policy is fully understood, it is hereby stipulated that :

  • the 'controller' means the natural or legal person who determines the purposes and means of the processing of personal data. According to this policy, the controller is AFPICL ;
  • the 'processor' means anatural or legal person who processes personal data on behalf of the controller. In practice, this means service providers with whom the AFPICL works and who handle personal data from the AFPICL ;
  • 'data subjects' are people who may be identified, directly or indirectly, and whose personal data is collected by the controller, i.e. all the students at the AFPICL ;
  • 'Recipients' means a natural or legal person who receive personal data. Data recipients may therefore equally be employees of the AFPICL or of external bodies (establishments, social organisations, student welfare offices, etc.).

Article 12 of the GDPR states that data subjects should be informed about their rights in a concise, transparent, intelligible and easily accessible form.



  • 'personal data': any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person ;
  • 'enriched data': enriched personal data is distinguished from 'raw' personal data provided by the data subject. It refers to data which is generated by the controller, such as a user profile established by analysing raw data collected from smart meter. It can also refer to deduced and/or derived data produced by the controller based on data 'provided by the data subject';
  • ‘processing personal data’: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination as well as restriction, erasure or destruction ;
  • ‘personal data breach’ : a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.


For operating purposes, the AFPICL is required to implement and use personal data processing pertaining to students at the University.

The aim of this policy is to satisfy the information requirements of the AFPICL and thereby formalise the rights and responsibilities of students in terms of processing their personal data.



This personal data protection policy is designed to apply as part of the implementation of the processing of the personal data of students at the AFPICL.

This policy covers solely processing for which AFPICL is the controller and therefore does not apply to processing which is not created or used by the AFPICL itself (known as 'unrestricted' processing).

Personal data processing may be managed directly by the AFPICL or through a processor specifically appointed by the AFPICL.

This policy applies independently of any other document which may apply at the AFPICL, including information system charters, teaching and learning regulations and administrator charters for example.



Controller :

AFPICL - Université catholique de Lyon

10 place des Archives

69002 LYON



This charter is binding on:

  • the AFPICL as 'controller' as defined in the GDPR ;
  • students at the AFPICL, i.e. anyone enrolled at the AFPICL as such ;
  • any person to whom the AFPICL communicates this data (hereinafter 'data recipient');
  • service providers and partners of the AFPICL who process data on its behalf (hereinafter 'processors').

The AFPICL shall not process any student personal data if this has not previously been approved by the AFPICL management and if this does not satisfy the general principles of the GDPR.

Any new processing, modification or removal of existing data shall be communicated to students.

A list of existing personal data processing is included in the appendix of this policy.



The AFPICL shall ensure that data is only accessible to authorised internal and external recipients, including :



  • departments in charge of enrolling students at the AFPICL ;
  • lecturers and th teaching & learning team ;
  • student bodies ;
  • any other internal department: accounting, management controlling, IT;
  • security department ;
  • students and participants in training courses offered by the establishment, in relation to their personal data ;
  • university lecturers, researchers and teachers (local or external) in relation to teaching their students and conducting research ;
  • staff other than the teaching staff, in relation to their role within the university ;
  • representatives from local authorities in the university's decision-making bodies, in relation to their mandate.
  • social organisations ;
  • the Ministry for higher education and research ;
  • sub-contractors ;
  • suppliers offering third-party services via VLE ;
  • public authorities in charge of collected data relating to full-time education and continual professional development ;
  • the legal authorities and the police.


The recipients of personal data pertaining to students at the University are subject to specific confidentiality requirements.

The AFPICL decides on the access rights granted to each recipient, in accordance with an established authorisation policy.

The AFPICL shall in no way be held liable for damages of any kind which may result from the unlawful access to personal data.

Recipients of this personal data may include :

  • the AFPICL's partner universities and schools ;
  • content editors or educational services linked to the AFPICL, or accessible via VLE (Virtual Learning Environment) ;
  • the AFPICL's internal student bodies ;
  • supervisory authorities ;
  • student organisations such as the Crous, LMDE, SMERRA, COMUE ;
  • partners of the AFPICL, such as the student union (BDE), UDESCA (the Union of Catholic Higher Education Establishments), the European Federation of Catholic Universities, the International Federation of Catholic Universities (FUCE), Campus France as well as the AUF (University Agency for French-speaking countries).

In addition, personal data may be communicated to any authority legally-authorised to have this information. In such cases, the AFPICL is not responsible for the conditions in which staff working for these authorities access and use the data.



The period for which the personal data shall be stored is established by the AFPICL with regard to any legal and contractual restrictions which apply and failing that, according to its own requirements.

Type of Processing

Period for which the collected data is stored

Student files

Tuition fees: ten years, which is the statute of limitation for any debts.

Virtual Learning Environment - VLE

Personal data is updated at the beginning of each academic year.

In higher education, where data subjects may keep their VLE accounts at the end of their course, data is stored until the person in question requests it to be removed.

An explicit agreement to store this data shall be sent out once a year to each data subject who is no longer enrolled in a higher education establishment.

Personal contributions made on community areas as well as publication or personal information storage areas, may only be stored by the establishment for information purposes, unless the contributor raises an objection to this when closing their VLE account.

CCTV System

One month following the recording of images.


Following the set period, data shall either be stored anonymously, for statistical purposes, or deleted.

Students are reminded that removing or anonymising data is an irreversible process and that the AFPICL is not able to recover this data afterwards.



Students have the right to request confirmation from the AFPICL about whether data pertaining to them has been processed.

L’apprenant dispose également d’un droit d’accès, ce dernier étant conditionné au respect des règles suivantes :

  • the request must come from the person themselves and include a copy of an identity document ;
  • it must be sent in writing to: The subject should state 'DPO-Students\'.

Students have the right to request a copy of their personal data which is processed at the AFPICL. However, if an additional copy is requested, the AFPICL may require students to cover the financial cost of this.

If students request a copy of their data via email, the information requested shall be sent back electronically, unless otherwise requested.

Finally, students are hereby informed that these access rights do not apply to confidential information, or data which the university is not legally authorised to communicate.

Access rights may not be used excessively, in other words in a regular way with the sole aim of destabilising the department in question.



In order to make sure personal data collected by the AFPICL is updated regularly, the latter may send requests to students, who must fulfil the University's requirements.

If the AFPICL makes changes to student data, the latter shall automatically be informed.

Students are nevertheless hereby informed that if changes are made to their data at their request, no additional information shall be provided to them.

Students also have the right to rectify their data.

To do so, the AFPICL shall :

  • make all the necessary means available on- and off-line to ensure students can communicate any changes to their personal data held by the AFPICL; any rectifications shall be applied within ten (10) working days, unless duly justified ;
  • keep its databases updated, mainly at the beginning of each academic year.

Students are hereby informed that the AFPICL shall not process any 'convenience' changes. Only substantial changes in relation to marital status, identity, contact details and bank account details shall be performed.

As far as possible, the AFPICL shall pass on these rectifications to the people to whom it has sent student data. However, this requirement shall not apply if such a procedure is deemed impossible or requires disproportionate means.



Students' right to erasure shall not apply if processing is implemented to satisfy a legal requirement.

Aside from this situation, students may request their data to be erased as long as they withdraw the consent on which the processing is based and that there is no other legal basis for the processing.

In accordance with data protection legislation, students are hereby informed that this is an individual right which may only be exercised by the data subject in relation to their own data: for security reasons, the department in question must therefore check your identity in order to ensure no confidential information about you is communicated to anyone other than yourself. If the student is a minor, the identity of their legal representative shall be checked.



Student are hereby informed that they do not have the right to obtain restriction of processing of their personal data insofar as the processing conducted by the AFPICL is lawful and that any personal data collected is required in order to ensure a functioning relationship between the AFPICL and students.



Before leaving the AFPICL, students may, on request, exercise their right to portability, solely regarding the data which they themselves provided to the AFPICL and only if processing required their consent. This data shall be communicated to them in a structured, commonly used and machine-readable format within six (6) months following the request.



The AFPICL undertakes no automated individual decision-making regarding its students.



Students are hereby informed that they have the right to formulate guidelines relating to the storage, erasure and communication of their data post-mortem. To communicate specific port-mortem guidelines or exercise their rights, students should send an email to or a letter to AFPICL – DPO 10 place des Archives 69002 LYON, with a copy of a signed identity document.



On each form collecting personal data, students shall be informed of the mandatory or optional nature of the answers through the use of an asterisk.

For mandatory answers, the AFPICL shall explain to students the consequences of not answering the question.



L’AFPICL se voit conférer par l’apprenant un droit d’usage et de traitement de ses données à caractère personnel pour les finalités suivantes :

  • reviewing online applications to the University (e.g.: Parcoursup) ;
  • ensuring the admission, enrolment, re-enrolment, student funding and teaching agreement conditions are fulfilled ;
  • helping obtain grants and monitoring applications ;
  • producing official documents relating to students' studies (certificates, mandatory official meetings, student cards and any official document) ;
  • organising annual educational programs and exam sessions for students ;
  • providing proof of the identity of students and producing official documents for them (diplomas, certificates, etc.) ;
  • ensuring that the University has up-to-date contact details for students for their dealings with them ;
  • ensuring students' details are communicated to foreign educational establishments in the event of studying abroad ;
  • managing participatory mandates within the University's various bodies ;
  • ensuring details pertaining to students are communicated to student bodies they are involved in ;
  • ensuring details pertaining to students are communicated to alumni databases ;
  • sending students job offers, internship information, volunteer roles or professional opportunities related to their course ;
  • sending out special offers directly linked to professional opportunities and/or related to students' studies ;
  • producing statistics, reports and various lists for educational purposes ;
  • conducting surveys and cohort monitoring for the French Ministry of Higher Education, Research and Innovation ;
  • making teaching and learning content, administrative information relating to university life, teaching and to the running of the establishment, as well as online documents, available to students ;
  • producing statistics relating to student activity on the VLE ;
  • analysing the use of the VLE in order to develop new digital teaching tools ;
  • creating user accounts for students to enable them to access the teaching and learning platform (student messaging service) ;
  • backing up documents and university work ;
  • checking teaching files (timetable, marks, results, exams, contact details of lecturers) ;
  • subject to prior consent, sending out information relating to applications for financial assistance from the AFPICL ;
  • setting up CCTV in order to ensure the security of property and people (fighting violence among students, vandalism and theft) and the security of the surroundings (fighting vandalism to the outside of the establishment, offences upon leaving the establishment, attempted trespassing by non-authorised people, etc.).

However, data which the AFPICL has processed and analysed, known as 'enriched data', remains the exclusive property of the AFPICL (usage analysis, statistics, etc.).



The AFPICL shall refrain from using private data or information without prior consent from students, even if this data has been made public or published by students on social networking sites.



The data collected by the AFPICL is done so either directly or indirectly.


Direct data collection can be done in various ways :

  • data collected during enrolment at the AFPICL or at an AFPICL event ;
  • data collected on forms ;
  • data communicated via the AFPICL's social networks ;
  • personal data sent or submitted by students (email, letter, business card, etc.) ;
  • technical data (login or online traffic information) linked to the use of the AFPICL's IT or digital services.
  • Indirect data collection can be done in various ways :

    • data collected by the government and local education authorities ;
    • data collected via third-party universities or schools ;
    • data collected through partners and patrons ;
    • data collected via the dioceses to which the AFPICL belongs ;
    • data collected as part of continual professional training.
    22. SECURITY


    It falls to the AFPICL to establish and implement the physical or logical technical security measures which it deems appropriate and proportionate to its objective to fight the accidental or illegal unauthorised destruction, loss, alteration or disclosure of data.

    To do so, the AFPICL may be assisted by a third party of its choice to conduct vulnerability audits and data breach testing as regularly as it deems necessary.

    Save emergencies or imminent risks, the departments in question shall be informed in advance about these audits and shall be required to take suitable data protection measures of which they will be notified in advance.

    In any case, the AFPICL undertakes, in the event of a change in the means used to ensure the security and confidentiality of personal data, to replace them with more effective means. Under no circumstances shall changes lead to a decrease in the level of security.

    In the event of sub-contracting part or all of the personal data processing, the AFPICL commits to making it a contractual requirement for its processors to guarantee security through appropriate technical data protection measures and human resources.



    In the event of a personal data breach, the AFPICL commits to notifying the CNIL (French national data protection commission) as stipulated in the GDPR.

    If the aforementioned breach presents a high risk for the students and the data was not protected, the AFPICL shall :

    • notify the students in question ;
    • communicate the necessary information and advice to the students in question.


    The AFPICL has appointed a data protection officer.

    The contact details of the data protection officer are :

    • Adresse e-mail :

    In the event of new personal data processing, the AFPICL shall call upon the data protection officer in advance.

    If a student wishes to obtain specific information or to ask a question, they may contact the data protection officer who shall respond within a reasonable amount of time with regard to the question asked or information requested.

    In the event of encountering a problem with personal data processing, the student may call on the appointed data protection officer.



    The AFPICL alone may decide whether to involve cross-border flows of the personal data it collects and processes.

    EIn the event of transferring personal data to a country outside the European Union, or to an international organization, the AFPICL shall inform students and make sure their rights are adhered to.

    The AFPICL undertakes, if required, to sign one or more agreements to set out the conditions of cross-border data flows.

    The clauses pertaining to cross-border data flows are binding on the AFPICL except those dispensations provided for in article 49 of the GDPR.



    As controller, the AFPICL commits to keeping up-to-date records of all processing activities.

    This record should be a document or application listing all the processing carried out by the AFPICL as controller.

    The AFPICL commits to providing the supervisory authority, on their first request, with the information it requires to check processing is compliant with the current data protection regulations.



    L’apprenant concerné par le traitement de ses données à caractère personnel est informé de son droit d’introduire une plainte auprès d'une autorité de contrôle, à savoir la CNIL, si celui-ci estime que le traitement de données à caractère personnel le concernant n'est pas conforme à la règlementation européenne de protection des données, à l’adresse suivante :

    CNIL – Service des plaintes

    3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07

    Tél : 01 53 73 22 22

    28. CHANGES


    This policy may be modified or developed at any time in the event of changes in legal requirements, case law, decisions and recommendations by the CNIL or users.

    Any new version of this policy shall be communicated to students by any means established by the AFPICL, including electronically (via email or online for example).



    If you require any further information, you can contact:

    For more general information regarding personal data protection, you can visit the CNIL website