A new European Law called the General Data Protection Regulation (GDPR) gives individuals in Europe greater control over their data covered by the GDPR and imposes additional obligations on organizations that collect this data.

Legal Basis of Processing

Harvard Business School Online collects and processes your personal data as set out in our Privacy Policy, which also describes the purposes of processing and our legitimate interests. Our legal basis for processing your personal data when subject to the GDPR is our legitimate interests (for example providing educational offerings and providing information about these offerings); to process transactions requested by you and meet our contractual obligations (for example, processing your payments, delivering our programs and evaluating your performance); as necessary to comply with a legal obligation (for example, responding to a subpoena); as necessary for the performance of tasks we carry out in the public interest (for example, furthering research and understanding in fields of academic study); or on the basis of your consent, where applicable.

Certain Rights

Under GDPR individuals have the right in certain cases, with respect to personal data subject to GDPR, to:

• Obtain details of how their personal data is collected and used. Harvard Business School Online does this in our Privacy Policy.
• Obtain copies of personal data that an organization holds on them. The majority of the personal data that Harvard Business School Online holds on you is given to us by you. However if you would like more information on this please contact us.
• Have incorrect or incomplete data corrected. We encourage our participants to keep their information up to date. If any of your information changes please let us know.
• Have their data erased by an organization in certain circumstances, subject to certain limitations.
• Obtain their data from an organization where it is processed by automated means and have it transmitted to another organizations.
• Object to the collection and use of their data in certain circumstances. If you have registered for one of our programs or services, Harvard Business School Online needs the personal data we request to deliver the program to you. See our Privacy Policy for more details.
• Not be subject to automated decision making, including profiling, in certain circumstances.

Retention of Information

Harvard Business School Online will retain your Personal Data for as long as is necessary for the purposes set out in our Privacy Policy unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights or otherwise to comply with legal obligations.

Where we are processing Personal Data based on our legitimate interests, we generally will retain the data for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.

Where we are processing Personal Data based on contract, we generally will retain the information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from the contractual relationship.

Where we are processing Personal Data based on your consent, we generally will retain the information for the period of time necessary to carry out the processing activities to which you consented, subject to your right, under certain circumstances, to have certain of your personal data erased (see “Certain Rights” above).

Where we are processing Personal Data based on the public interest, we generally retain the information for the period of time that continues to serve that underlying interest.

International Data Transfers

In the event we collect any of your personal data in the European Economic Area (EEA), we may transfer the data outside the European Economic Area relying on appropriate or suitable safeguards or specific derogations recognized under data protection laws, including the GDPR.

The disclosures in this document and our Privacy Policy are in lieu of Harvard’s Additional EEA Privacy Disclosures, which do not apply to these Harvard Business School Online data processing activities.

If you have any questions, comments or complaints regarding the handling of your personal data please reach out to hbsonlineprivacy@hbs.edu. You also have the right to complain to a data protection authority in Europe.