DATA PROTECTION REGULATION

INTRODUCTION

Welcome to the General Data Protection Regulation (GDPR) Compliance Document of the Qualiopi NextGen Management Training Institute. This document aims to define and explain the measures and procedures implemented by NextGen to ensure the protection and confidentiality of personal data, in accordance with the GDPR.

Our institute, as an entity dedicated to management training, recognizes the crucial importance of information security in today’s digital world. The protection of the personal data of our learners, trainees, students, trainers, employees, and partners is at the core of our mission and values.

The GDPR, as a European Union regulation, imposes strict standards for the processing of personal data. These standards are essential to enhance trust and ensure transparency in our relationship with all stakeholders. This document illustrates our commitment to adhere to these standards and act with integrity and responsibility in the management of personal data.

This document outlines the guiding principles that NextGen follows in terms of data protection, the rights of data subjects, the institute’s obligations as a data controller, as well as the specific measures implemented to ensure GDPR compliance.

Our commitment to the protection of personal data is a key element of our strategy, corporate culture, and reputation. By adopting a proactive and transparent approach, we aim to set high standards not only for ourselves but also for the entire management training sector.

We invite you to review this document to understand our approach to personal data protection and the efforts we make to ensure GDPR compliance.

2. Scope

This chapter defines the scope of application of the GDPR compliance document within the Qualiopi NextGen Management Training Institute. It specifies the personal data processed by our institute, the activities and services involved, as well as the individuals and entities affected by these practices.

A. Definition of Processed Personal Data

Personal data refers to any information relating to an identified or identifiable natural person. Within NextGen, this includes, but is not limited to:

  • Personal identification information (name, first name, date of birth, etc.).
  • Contact information (address, phone number, email).
  • Professional data (position, qualifications, training history).
  • Financial data (payment information, transactions).
  • Data related to the use of digital resources and connectivity (login logs, online interaction history).

B. Scope of Application

This document applies to all personal data processing activities carried out by NextGen, including but not limited to:

  • Course and training program administration.
  • Management of relationships with learners, trainees, students, trainers, and employees.
  • Marketing and communication activities.
  • Use of our website and online platforms.
  • Interactions with partners and external service providers.

C. Individuals and Entities Affected

This document concerns all individuals whose personal data is processed by NextGen, including:

  • Learners, trainees, students, and training participants.
  • Trainers and educational staff.
  • Employees and associates of NextGen.
  • Partners, suppliers, and other third parties involved in our activities.

D. Responsibilities and Compliance

NextGen is the data controller and is committed to complying with all GDPR obligations. All stakeholders, including employees, trainers, and partners, are informed of their role in personal data protection and receive training on best practices for data confidentiality and security.

3. Data Protection Principles

In the context of its compliance with the General Data Protection Regulation (GDPR), the Qualiopi NextGen Institute for Management Training commits to respecting the following fundamental principles regarding the protection of personal data.

A. Lawfulness, Fairness, and Transparency

Lawfulness: NextGen ensures that all data is collected and processed in accordance with the legal bases established by the GDPR.

Fairness: We process data in a fair manner, without misleading the individuals concerned about how their data is used.

Transparency: Information relating to the collection and processing of personal data is communicated clearly and in an accessible manner.

B. Purpose Limitation

Personal data is collected for specific, explicit, and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.

C. Data Minimization

NextGen commits to collecting only the data that is strictly necessary for achieving the objectives for which it is processed. No superfluous data is collected.

D. Accuracy

We ensure that personal data is accurate and, where necessary, kept up to date. Measures are taken to erase or rectify without delay any inaccurate data.

E. Storage Limitation

Personal data is stored in a form that allows the identification of the individuals concerned for no longer than is necessary for the purposes for which it is processed.

F. Integrity and Confidentiality

NextGen implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk and to protect personal data against unauthorized access, disclosure, alteration, or destruction.

G. Accountability

NextGen adopts a proactive approach to demonstrate compliance with the GDPR principles, including maintaining processing records, conducting data protection impact assessments, and implementing appropriate measures to ensure and demonstrate this compliance.

4. Rights of the Concerned Persons

The Qualiopi NextGen Institute of Management Training fully recognizes and respects the rights of individuals regarding their personal data, in accordance with the GDPR. Here is an overview of the fundamental rights granted to concerned persons:

A. Right of Access

Individuals have the right to know if NextGen holds data about them and, if so, to request access to this data. This includes the right to receive a copy of this data.

B. Right to Rectification

Individuals have the right to request the correction of inaccurate or incomplete data about them.

C. Right to Erasure (“Right to be Forgotten”)

Individuals can request the erasure of their personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.

D. Right to Restriction of Processing

Individuals can request the restriction of the processing of their data in certain situations, for example, when the accuracy of the data is contested.

E. Right to Data Portability

This right allows individuals to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another data controller.

F. Right to Object

Individuals have the right to object to the processing of their personal data in certain circumstances, particularly for direct marketing.

G. Rights Related to Automated Decision-Making and Profiling

Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them.

H. Right to Withdraw Consent at Any Time

Where processing is based on consent, individuals have the right to withdraw this consent at any time.

I. Right to Lodge a Complaint with a Supervisory Authority

Individuals have the right to lodge a complaint with a competent supervisory authority if they believe that the processing of their personal data violates the GDPR.

5. Consent and Data Collection

The Qualiopi NextGen Institute of Management Training places special emphasis on consent and data collection in compliance with the requirements of the GDPR.

A. Principles of Consent

Clarity and Freedom: Consent must be freely given, specific, informed, and unambiguous. NextGen ensures that individuals clearly understand what they are consenting to.

Documentation of Consent: We keep a record of consents received to prove compliance.

Withdrawal of Consent: Individuals can withdraw their consent at any time, as easily as they gave it.

B. Procedures for Obtaining Consent

Clear Information: When collecting data, NextGen provides clear and understandable information about the purposes of data processing.

Methods of Consent: Consents are collected through methods that ensure the individual has understood and voluntarily agreed. This may include online checkboxes, electronic signatures, or written consent forms.

C. Data Collection

Limited and Specific Purposes: Personal data is collected only for defined, legitimate purposes that are clearly communicated.

Data Minimization: Only the data necessary for these purposes are collected. NextGen avoids collecting excessive or irrelevant information.

Data Updating: Data is regularly reviewed and updated to ensure accuracy.

D. Transparency in Data Collection

Informing Concerned Persons: NextGen informs individuals, at the time of data collection, about the identity of the data controller, the purposes of processing, the recipients of the data, and the rights of the concerned persons.

Privacy Policy: A detailed privacy policy is available and easily accessible, explaining all data collection and processing practices.

E. Awareness and Training

Staff Awareness: NextGen staff are regularly trained and made aware of the importance of consent and appropriate data collection practices.

Continuous Updates: Consent procedures and policies are regularly re-evaluated and updated to remain compliant with GDPR developments and best practices.

6. Data Usage

The Qualiopi NextGen Institute of Management Training commits to responsibly using the personal data collected in compliance with the GDPR. This section details the principles and practices related to data usage within our organization.

A. Purposes of Data Processing

Specific Objectives: Personal data collected are used exclusively for the purposes for which they were collected, such as managing training courses, communicating with learners, interns, and students, developing training programs, and carrying out administrative activities.

Restrictions: No use of the data outside these purposes is allowed without additional consent or an appropriate legal basis.

B. Sharing Data with Third Parties

Secure Transfers: When NextGen shares data with third parties (such as partners, service providers, or regulatory authorities), this is done in compliance with GDPR principles and based on agreements ensuring an adequate level of protection.

Transparency: Concerned persons are informed of any sharing of their data with third parties, including the identity of these third parties and the reasons for sharing.

C. Marketing and Communication

Consent for Marketing: The use of data for direct marketing purposes is conditional upon obtaining explicit consent from the concerned individuals.

Opt-out Options: Easy-to-use mechanisms for unsubscribing or refusing direct marketing are provided.

D. Data Retention and Archiving

Retention Period: Data are retained for a period not exceeding that necessary for the purposes for which they are processed. Clear retention policies are established and enforced.

Deletion or Anonymization: Upon expiration of the retention period, data are either deleted or anonymized so that they can no longer be associated with an individual.

E. Data Security and Confidentiality

Security Measures: Appropriate technical and organizational measures are implemented to protect data against unauthorized access, accidental loss, destruction, or damage.

Staff Training: NextGen employees are trained and made aware of the importance of data confidentiality and security in their work.

7. Data Security

Data security is a top priority for the Qualiopi NextGen Institute of Management Training. This chapter outlines the measures and policies we implement to ensure the protection of personal data against unauthorized access, alteration, disclosure, or destruction.

A. Technical Measures

System Security: NextGen uses advanced technologies to secure computer systems, including firewalls, antivirus software, and intrusion detection systems.

Data Encryption: Sensitive data are encrypted during their transmission and storage.

Secure Access: Access to personal data is strictly limited to authorized employees and partners who need it to perform their duties.

B. Organizational Measures

Security Policies: Internal policies and procedures are in place to manage data security, including guidelines on password management and data access.

Training and Awareness: NextGen employees receive regular training on best data security practices and awareness of potential threats.

C. Incident Management

Incident Response Procedures: In the event of a data breach, NextGen has procedures to respond quickly and effectively to minimize impact.

Breach Notification: In accordance with the GDPR, significant data breaches are reported to regulatory authorities and, if necessary, to affected individuals as soon as possible.

D. Risk Assessments and Testing

Regular Assessments: Regular risk assessments are conducted to identify potential vulnerabilities and implement corrective measures.

Security Testing: Penetration testing and security audits are regularly conducted to ensure the effectiveness of the security measures in place.

E. Management of Suppliers and Subcontractors

Requirements for Third Parties: Suppliers and subcontractors processing data on behalf of NextGen are carefully selected and must adhere to strict data security standards.

Data Processing Agreements: Clear agreements define responsibilities for data protection and security requirements for all third parties involved.

8. Data Breach

Managing data breaches is a crucial aspect of the data protection strategy at the Qualiopi NextGen Institute of Management Training. This chapter outlines our approach to identifying, managing, and responding to personal data breaches.

A. Definition of a Data Breach

A data breach refers to a security breach leading to the destruction, loss, or alteration of, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed.

B. Identification and Assessment of Breaches

Rapid Detection: NextGen has implemented detection systems to quickly identify any potential data breach.

Risk Assessment: Each incident is assessed to determine the potential impact on the rights and freedoms of the concerned individuals.

C. Incident Response Procedures

Incident Response Plan: In the event of a breach, a response plan is activated to contain, assess, and mitigate the impacts of the breach.

Incident Response Team: A dedicated team is responsible for managing the incident response, including data security experts, management, and legal staff.

D. Notification of Breaches

Regulatory Authorities: In accordance with the GDPR, a data breach is notified to the competent supervisory authority within 72 hours of becoming aware of it, unless the breach does not pose a risk to the rights and freedoms of individuals.

Affected Persons: If the breach is likely to result in a high risk to the rights and freedoms of individuals, they are informed without undue delay.

E. Documentation and Recording of Breaches

Breach Register: All data breaches are documented in an internal register, including the facts relating to the breach, its effects, and the corrective measures taken.

Analysis and Improvement: Each incident is analyzed to learn lessons and improve security measures and incident response procedures.

F. Communication and Crisis Management

Transparent Communication: NextGen commits to transparent communication with all stakeholders in the event of a data breach.

Crisis Management Plan: A crisis management plan is in place to handle the external and internal aspects of post-breach communication.

9. Data Protection Officer (DPO)

The Qualiopi NextGen Institute of Management Training recognizes the critical importance of the role of the Data Protection Officer (DPO). This chapter describes the responsibilities, functions, and significance of the DPO within our organization.

A. Role of the DPO

The DPO is the central point for all data protection-related issues within NextGen. They play a key role in implementing and monitoring GDPR compliance practices.

B. Responsibilities of the DPO

Compliance Monitoring: The DPO monitors NextGen’s compliance with GDPR obligations, including matters related to the rights of concerned individuals, data processing, and data security.

Advice and Awareness: The DPO provides advice on interpreting and applying the GDPR and raises awareness among NextGen staff about data protection obligations.

Cooperation with Regulatory Authorities: The DPO acts as a point of contact with data protection authorities and cooperates with them.

C. Independence of the DPO

The DPO acts independently and is not subject to any direct instruction regarding the performance of their tasks. NextGen ensures that the DPO is appropriately involved in all issues related to data protection.

D. Qualifications and Skills

The DPO has specialized knowledge of data protection law and practices. They also have a thorough understanding of NextGen’s internal processes, allowing effective assessment and management of data-related risks.

E. Accessibility of the DPO

Internal Communication: The DPO is easily accessible to NextGen staff for any data protection-related queries or advice.

External Communication: Concerned individuals can contact the DPO for any questions about how NextGen processes their personal data.

F. Resources and Support

NextGen provides the DPO with the necessary resources to carry out their tasks, including access to data and processing operations, as well as resources needed to maintain their specialized knowledge.

10. Training and Awareness

Training and awareness of staff and stakeholders are key components of the GDPR compliance strategy at the Qualiopi NextGen Institute of Management Training. This chapter highlights our initiatives to ensure a thorough understanding and effective application of data protection principles.

A. Training Program

Training Content: Regular GDPR and data protection training sessions are organized for staff. These sessions cover GDPR principles, rights of concerned individuals, data processing procedures, and data security measures.

Customized Training: Depending on roles and responsibilities, specific training sessions are set up, particularly for teams handling large amounts of personal data.

B. Ongoing Awareness

Regular Updates: Updates and information on the latest developments in data protection legislation and best practices are regularly communicated to staff.

Accessible Resources: Resources and guides are made available to facilitate understanding and application of data protection policies.

C. Leadership Engagement

Compliance Leadership: NextGen’s management is committed to promoting a data protection culture within the organization, recognizing that awareness and training are essential to the success of this approach.

Support for Training Initiatives: Training and awareness initiatives are actively supported and encouraged by management.

D. Assessment and Improvement

Regular Evaluations: The effectiveness of training programs is regularly assessed to ensure they meet the organization’s needs and keep up with regulatory changes.

Feedback and Improvement: Feedback is collected from participants to continuously improve the training programs.

E. Integration into Onboarding

Training for New Employees: Data protection awareness is an integral part of the onboarding process for new employees, ensuring immediate understanding of the importance of respecting data confidentiality and security.

11. Audit and Compliance

The Qualiopi NextGen Institute of Management Training is committed to maintaining and continuously improving its compliance with the General Data Protection Regulation (GDPR). This chapter describes our audit and compliance processes designed to assess, monitor, and strengthen our data protection practices.

A. Internal Audit Process

Regular Audits: Internal audits are conducted regularly to evaluate the compliance of our data processing practices with GDPR requirements.

Audit Criteria: The audits focus on various aspects, such as the legality of data processing, data security, the effectiveness of protective measures, and staff awareness.

B. Compliance Action Plan

Gap Identification: Audits help identify any gaps or weaknesses in our current data protection practices.

Remediation Plans: Following audit findings, detailed action plans are developed to address identified deficiencies.

Progress Monitoring: Progress in implementing remediation plans is tracked and periodically evaluated.

C. Engagement with Partners and Suppliers

Third-Party Assessments: We conduct regular assessments of our partners’ and suppliers’ data protection practices to ensure their compliance with the GDPR.

Data Processing Agreements: Clear agreements regarding data protection are established with all third parties processing data on our behalf.

D. Training and Knowledge Update

Skill Updating: Our compliance teams receive ongoing training to stay current on the latest regulations and best practices in data protection.

Staff Awareness: Raising staff awareness and training are integral parts of our compliance approach, ensuring all employees understand their role in data protection.

E. Documentation and Reporting

Comprehensive Documentation: All data processing procedures, policies, and activities are thoroughly documented.

Compliance Reports: Regular reports on the status of our GDPR compliance are prepared and reviewed by management.

12. Document Modifications

The dynamic nature of data protection laws and best practices necessitates that the Qualiopi NextGen Institute of Management Training maintains a flexible and responsive approach. This chapter establishes procedures for revising and updating this GDPR compliance document.

A. Periodic Revisions

Regular Review: This document is regularly reviewed to ensure it remains up-to-date with the latest data protection regulations and industry best practices.

Revision Frequency: Revisions are scheduled at least annually, or more frequently in case of significant changes in legislation or the institute’s operations.

B. Update Process

Assessment of Necessary Modifications: Potential modifications are evaluated based on their impact on current practices and overall compliance.

Approval of Changes: Proposed changes are reviewed and approved by the data protection officers and the institute’s management.

C. Communication of Changes

Internal Notification: All significant changes are communicated internally to NextGen staff to ensure consistent understanding and implementation.

Stakeholder Information: External stakeholders, including students, trainers, and partners, are informed of significant changes that might affect how their data are processed.

D. Documentation and Archiving

Retention of Previous Versions: Previous versions of the document are retained for reference and to trace the evolution of our data protection policies.

Documentation of Reasons for Changes: The reasons and contexts for the changes made are documented to ensure transparency and accountability.

E. Responsiveness to Regulatory and Technological Developments

Regulatory and Technological Monitoring: NextGen maintains active monitoring of regulatory and technological developments to anticipate and quickly integrate necessary changes into this document.

13. Contact and Complaints

The Qualiopi NextGen Institute of Management Training is committed to providing clear and accessible communication channels for all inquiries, concerns, or complaints regarding data protection. This chapter provides information on how to contact the institute and submit complaints related to the processing of personal data.

A. Contact for General Data Protection Inquiries

Contact Point: For any general questions about how NextGen processes personal data, please contact our Data Protection Officer (DPO) via [securite@nextgen.how].

Availability: Our DPO is available during normal business hours to address your questions and concerns.

B. Submission of Complaints

Complaint Procedure: If you have a concern or complaint regarding how your personal data has been processed, please submit your written complaint to our DPO at the above address.

Complaint Handling: Complaints will be processed confidentially and efficiently, with the aim of achieving a satisfactory resolution.

C. Right to Lodge a Complaint with a Supervisory Authority

Information on Rights: You also have the right to lodge a complaint with the competent data protection authority if you believe that your data protection rights have been violated.

Contact Details of the Supervisory Authority: The contact details of the national data protection authority can be found on their official website.

D. NextGen’s Commitment

Prompt Response: NextGen commits to responding promptly to all inquiries, questions, or complaints.

Continuous Improvement: Feedback is used to continuously improve our data protection practices.

Contact us

Headquarters

72, Rue du Faubourg Saint-Honoré
75008 Paris