The Students' Consulting Club at the University of St. Gallen ("Consulting Club," "we," "us," or "our") is a university association operating under the SHSG (Student Organization of the University of St. Gallen) umbrella. We are committed to protecting your privacy and personal data in accordance with the highest standards of data protection.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you:
•Use our website (consultingclub.ch)
•Register for membership using your HSG email address or other approved credentials
•Attend events, workshops, or networking sessions
•Interact with our social media accounts and digital platforms
•Communicate with us through any channel
•Use any other services we provide
This Privacy Policy should be read in conjunction with our Terms of Service, which govern your use of our services.
Data Controller: Students' Consulting Club at the University of St. Gallen
c/o SHSG (Student Organization of the University of St. Gallen)
University of St. Gallen
Dufourstrasse 50
CH-9000 St. Gallen, Switzerland
Email: [email protected]
Data Protection Contact: Nicolas Holzhauser
Email: [email protected]
We process your personal data in accordance with the following legal frameworks:
•Swiss Federal Act on Data Protection (FADP/nFADP) - Our primary governing law as a Swiss-based organization
•Swiss Civil Code - Governing our operations as a university association
•Swiss Code of Obligations - For contractual relationships with members
•EU General Data Protection Regulation (GDPR) - Applicable when:
  o Processing data of EU residents (given our diverse international membership from 130+ nationalities)
  o Using EU-based service providers for data processing
  o Sharing member data (CVs, cover letters) with partner companies located in the EU
•Other applicable international data protection laws - As relevant to our members' nationalities and service providers
Important Note: The University of St. Gallen (HSG) retains ownership of student HSG email addresses. When members choose to use their HSG email address as their primary contact for their Consulting Club account, they do so voluntarily by entering it themselves during registration. This constitutes explicit consent for us to use their HSG email address for Consulting Club communications and services.
Given our international membership and partnerships with companies worldwide, we ensure compliance with applicable data protection laws in all jurisdictions where we process personal data, particularly when sharing member information with partner companies outside Switzerland.
Registration & Membership Data:
•Full name (first name and family name)
•University email address (HSG email) and personal email address
•University affiliation and student status
•Age or date of birth (only where required for eligibility or compliance)
•Phone number
•Profile photograph (optional)
Academic Information (required for event participation):
•Study major and year/semester of study
•Curriculum Vitae (CV) in PDF format
•GPA/grades, expected graduation date, and academic achievements
•Optional items such as transcripts or exchange participation may be requested for certain events
This information is required because all partner companies use academic and professional data to select participants for their events.
Professional Information:
•Additional application documents (e.g., cover letters) when required by partners
•Work experience and internship history
•Skills and competencies
•Career interests and preferences
•Language proficiencies
Event & Application Data:
•Event registrations and preferences
•Attendance history and points records
•Application materials and answers for specific events
•Partner-requested screening criteria (where applicable)
•Dietary restrictions and accessibility needs (only where relevant to a given event and shared on a need-to-know basis with service providers)
•Selection outcomes (e.g., invited/waitlisted/not selected)
Communication Data:
•Messages sent through our contact forms
•Email correspondence with our team
•Support requests and inquiries
•Feedback and survey responses
Technical Data:
•IP address and approximate location data
•Browser type and version
•Device information (operating system, device type)
•Website usage patterns and navigation data
•Cookies and similar tracking technologies
•Time stamps and session duration
Analytics Data:
•Page views and click patterns
•User journey and behavior on our website
•Performance metrics and error logs
Social Media Interaction Data:
•Social media engagement metrics (views, likes, follows) when you interact with our social media content
•Note: We do not actively monitor or collect your personal social media activity
•Transaction details and payment history
•Billing information (processed securely through our payment providers)
•Membership fee payments and event ticket purchases
•Note: We do not store complete credit card details on our servers
Certain information marked as "mandatory" on our website must be provided to:
•Complete your member profile
•Apply for specific events
•Access partner company opportunities
•Participate in selection processes
The mandatory nature of each data field is clearly indicated during the registration and application processes on consultingclub.ch.
•Legal Basis: Performance of contract (Art. 6(1)(b) GDPR)
•Processing membership applications and renewals
•Maintaining member records and status in our CRM system
•Providing access to member-exclusive content and events
•Managing the Points system and attendance tracking
•Maintaining alumni network for former Board members
•Legal Basis: Performance of contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR)
•Organizing and managing events, workshops, and networking sessions
•Event Selection Process: Using academic data (GPA, grades, academic achievements) as selection criteria for:
  o Partner company events (based on company-specific criteria)
  o Consulting Club events
  o Consulting Days events
  o Case Class events
•Sharing member data (CVs, academic information, application responses) with partner companies for their specific events only
•Partner Access: Partners can only access and manage data for applicants to their own events
•Recording high-level selection outcomes (e.g., invited, waitlisted, not selected) as provided by partners
•Coordinating with corporate partners for recruitment and networking opportunities
•Managing event attendance and capacity
•Legal Basis: Consent (Art. 6(1)(a) GDPR) and legitimate interests (Art. 6(1)(f) GDPR)
•Sending membership confirmations and event notifications
•Providing updates about club activities and opportunities
•Communicating acceptance/rejection decisions from partner companies or our boards
•Responding to inquiries and support requests
•Sending newsletters and promotional materials (with your consent)
•Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
•Operating and maintaining our website and CRM services
•Ensuring website security and preventing fraud
•Managing user accounts and access permissions
•Troubleshooting technical issues
•Legal Basis: Legal obligation (Art. 6(1)(c) GDPR)
•Complying with applicable laws and regulations
•Responding to legal requests and investigations
•Protecting our rights and interests in legal proceedings
•Legal Basis: Consent for non-essential analytics (via cookie banner); legitimate interests for aggregated/de-identified analytics and service improvement
•Understanding user behavior and preferences through website analytics
•Improving our services and website functionality
•Conducting organizational development activities
•Legal Basis: Consent (Art. 6(1)(a) GDPR)
•Member Approval Required: Any use of member data for promotional purposes, case studies, or success stories requires explicit prior approval from the concerned members
•Promoting the club to prospective members (only with consent from featured members)
Purpose: Event selection and recruitment opportunities
Data Shared: CVs, academic information, contact details, professional profiles, application responses
Legal Basis: Performance of contract and legitimate interests
We share member data with our corporate partners (primarily consulting firms and other professional services companies) for the purpose of:
•Selecting participants for company-specific events
•Facilitating recruitment and networking opportunities
•Matching candidates with relevant career opportunities
Partner Company Characteristics:
•Global firms operating primarily through their Swiss, German, Austrian, Italian, and French offices
•Updated partner list available on our website on relevant event pages
•Transparency: Members can see which specific company will receive their data when applying for company-based events
Data Access Scope:
•Partners may review applications only for their own events
•Where necessary, partners may receive exports of applicant data solely for event selection
•Once data is shared, the partner company becomes an independent data controller responsible for its own processing and retention
•We require partners contractually to use the data only for the stated purpose and to delete it after the selection process
•Location: Services are hosted with reputable cloud providers in the EU/EEA (or with adequate safeguards)
•Safeguards: Data processing agreements and appropriate technical and organizational measures
•Data Shared: Only dietary or accessibility information necessary to deliver safe and suitable catering at a specific event
•Purpose: Food safety and accommodation of stated needs
•Scope: Shared on a need-to-know basis with the relevant provider for that event
•Data Shared (where required by venue): Name and basic contact details for attendee management and safety/compliance
•Purpose: Security, capacity management, and emergency procedures
Limited Sharing: We do not routinely share member data with SHSG.
Exception: Data may be shared only when forced to by circumstances involving:
•Issues with the university
•Issues with SHSG
•Disciplinary matters involving members (as members are HSG students)
Legal Basis: Legal obligation and legitimate interests in maintaining institutional relationships
Circumstances: When required by law or legal process
Purpose:
•To protect our rights, safety, or property
•In case of emergency or public safety concerns
•Compliance with legal obligations
Some of our service providers and partner companies may process your data outside Switzerland and the EU/EEA. When this occurs, we ensure adequate protection through appropriate safeguards as required by GDPR and nFADP.
We use recognized transfer safeguards where required (e.g., adequacy decisions or standard contractual clauses) and apply additional technical and organizational measures as appropriate.
Our hosting providers store and process data within the EU/EEA. We have data processing agreements and safeguards in place.
•Partners review applications only for their own events
•Where necessary, partners may receive exports of applicant data solely for that event’s selection
•Once shared, partners act as independent data controllers responsible for their own processing and retention
•Contractual obligation: partners must use the data only for the stated purpose and delete it after the selection process
•Members should be aware that partners may process data in jurisdictions chosen by the partner’s global operations
•Informed applications: When you apply to an event, you see which partner will receive your data
•Right to object: You may object to transfers based on legitimate interests
•Data subject rights: Your GDPR/nFADP rights apply regardless of processing location
We continuously monitor the legal landscape regarding international data transfers, including:
•Schrems II Compliance: Ongoing assessment of transfer mechanisms following CJEU rulings
•Adequacy Decision Updates: Monitoring changes to EU Commission adequacy decisions
•Enhanced Safeguards: Implementation of additional technical and organizational measures beyond Standard Contractual Clauses
•Transfer Impact Assessments: Regular evaluation of risks associated with data transfers to third countries
Note: The regulatory landscape for international data transfers continues to evolve. We are committed to adapting our practices to ensure continued compliance with applicable data protection laws while maintaining the functionality of our services.
We retain personal data only as long as necessary for membership management, event participation, and compliance with legal obligations. Once membership ends, personal data is deleted or anonymized after a reasonable period (normally within one year), unless retention is required by law.
This typically includes:
•Registration and membership information
•Academic and professional data used for event applications
•Event and application history and selection outcomes
•Communications with you
•Points records (if applicable)
Member Accounts: Data linked to inactive accounts is deleted or anonymized within one year of inactivity or account deletion, unless longer retention is required by law.
Payment/Financial Records: Retained for 10 years in accordance with Swiss commercial law requirements (independent of account deletion requests)
Website Analytics Data: Anonymized data retained for 2 years maximum
Legal Compliance Records: Retained as required by applicable Swiss and EU law
System Logs and Security Data: Retained for 12 months for security and operational purposes
Member-Initiated Deletion:
•Members may request account deletion by contacting us via email
•Processing Timeline: We process deletion requests promptly and within the timeframes required by applicable law (generally within 30 days).
•All member-linked data will be permanently deleted except where retention is required by law (e.g., financial records)
Automatic Deletion:
•Analytics data is automatically anonymized after 2 years
•Security logs are automatically deleted after 12 months
•Points expire automatically after 12 months as per our Terms of Service
Once partner companies receive applicant data for a specific event, they act as independent data controllers responsible for their own retention and deletion policies. We require partners contractually to use such data only for the stated event purpose and to delete it afterwards. Members who wish to have their data deleted from a partner’s system must contact the partner directly.
Right to Erasure (Article 17 GDPR):
•Members have the right to request deletion of their personal data
•We will process deletion requests promptly while ensuring compliance with legal retention requirements
•For data held by partner companies, we will provide members with the information needed to contact the relevant companies directly
Information Provided for Partner Contact:
•Complete list of events the member applied to
•Names of partner companies that received the member's data
•Approximate dates when data was shared
•Guidance on exercising data subject rights with partner companies
Swiss Commercial Law: Financial records retained for 10 years regardless of deletion requests
nFADP/GDPR Compliance: Retention periods align with data minimization principles while respecting legal obligations
University Regulations: Compliance with any applicable University of St. Gallen data retention requirements
When data is deleted:
•Operational copies are deleted or anonymized
•Backups are rotated out and overwritten on their normal lifecycle
•We document deletion actions where appropriate
•Data required by law (e.g., financial records) is retained in restricted systems
Note: Members are encouraged to review their application history regularly and contact partner companies directly if they wish to exercise their data subject rights regarding data those companies have downloaded.
Under the GDPR and nFADP, you have the following rights:
What you can request:
•Information about how we process your personal data
•A copy of all your personal data we hold
•Partner data sharing history: You can see which partner companies received your data through your dashboard (as your data is only sent to partners for events you applied to)
•Additional details by contacting us directly
Data format: We provide data in the most relevant format depending on the type of data requested (PDF for documents, CSV for structured data, etc.)
Self-service updates: You can directly update most of your information through our website, including:
•Profile information
•Academic records
•CV and professional information
•Contact details
Assisted updates: For data you cannot update directly, contact us and we will make the corrections promptly
Account deletion: Request complete deletion of your account and all associated data
Legal limitations: Some data may be retained as required by Swiss commercial law (e.g., financial records for 10 years)
Partner company data: For data downloaded by partner companies, we can assist you in contacting them, but you will need to request deletion from them directly
Case-by-case evaluation: We handle restriction requests individually based on your specific circumstances
Possible restrictions:
•Limiting how we use your data while maintaining your account
•Suspending certain types of processing while preserving others
•Temporary suspension during dispute resolution
Export options: Receive your personal data in structured, machine-readable formats
Data included: All data you provided to us that we process based on consent or contract
Format flexibility: Data provided in the most appropriate format based on the type and use case
Marketing communications: You can opt out of newsletters and promotional communications at any time
Event applications: You can choose to stop applying for events while maintaining your membership
Processing objections: Object to any processing based on legitimate interests
Specific consent areas where you can opt-out:
•Newsletter and marketing communications - unsubscribe at any time
•Event applications - stop applying while keeping your account active
•Optional data processing - withdraw consent for non-essential processing
Note: Withdrawing consent does not affect the lawfulness of processing before withdrawal
You have the right to lodge a complaint with:
•Switzerland: Federal Data Protection and Information Commissioner (FDPIC) - www.edoeb.admin.ch
•EU: Your local data protection authority - www.edpb.europa.eu
Our support: We can assist you in exercising your rights with partner companies by:
•Providing contact information for relevant partner companies
•Sharing details of when and what data was transferred
•Facilitation: On request, we can relay your deletion or access request to the relevant partner
•Guidance on how to exercise your rights with each company
To exercise any of these rights, please contact us at:
Email: [email protected]
Subject Line: "Data Protection Request - [Your Name]"
Required Information:
•Your full name and membership details
•Specific right you wish to exercise
•Details of your request
•Verification of your identity (for security purposes)
Response Time: We will respond to your request within 30 days (or 1 month under GDPR). If we need additional time, we will notify you and explain the delay.
No Cost: Generally, exercising your rights is free. However, we may charge a reasonable fee for excessive or repetitive requests.
Essential Cookies
•Required for basic website functionality
•Session management and security
•Legal basis: Legitimate interests
Analytics Cookies
•Used to analyze website performance and user behavior (e.g. Hotjar)
•Legal basis: Consent – analytics cookies are only activated if you provide consent via our cookie banner
Functional Cookies
•Enhanced website features and user preferences
•Language settings and accessibility options
•Legal basis: Legitimate interests
You can control cookies through:
•Browser settings (accept, reject, or delete cookies)
•Our cookie consent banner
•Third-party opt-out mechanisms (e.g., Hotjar opt-out)
Note: Disabling essential cookies may affect website functionality.
We implement appropriate technical and organizational measures to protect your personal data:
•Encryption: Data encryption in transit and at rest
•Access Controls: Restricted access based on need-to-know principles
•Secure Infrastructure: Hosted on secure, certified platforms (Azure/AWS)
•Regular Updates: Security patches and system updates
•Monitoring: Continuous security monitoring and threat detection
•Staff Training: Regular data protection training for team members
•Access Management: Strict access controls and user authentication
•Data Processing Agreements: Contracts with all service providers
•Incident Response: Procedures for handling data breaches
•Regular Audits: Periodic review of data protection practices
In case of a personal data breach, we will:
•Notify relevant supervisory authorities within 72 hours (where required)
•Inform affected individuals without undue delay if there's a high risk to their rights
•Document and investigate all breaches
•Take measures to prevent future incidents
Our website may contain links to external websites and services not operated by us. This Privacy Policy does not apply to third-party sites. We encourage you to review the privacy policies of any external sites you visit.
Third-party services we use:
•Payment processors (Payrexx)
•Analytics providers (Hotjar)
•Cloud hosting services
Each service has its own privacy policy governing how they handle your data.
We may update this Privacy Policy from time to time to reflect:
•Changes in our services or business practices
•Legal or regulatory requirements
•Improvements in data protection practices
Notification of Changes:
•Material Changes: We will notify you by email or prominent website notice at least 14 days before changes take effect
•Minor Changes: Posted on our website with an updated "Last updated" date
Your Continued Use: Using our services after changes become effective constitutes acceptance of the updated Privacy Policy.
Students' Consulting Club
University of St. Gallen
Dufourstrasse 50
CH-9000 St. Gallen, Switzerland
Email: [email protected]
For specific data protection questions, you may contact our data protection team at:
Email: [email protected]
Subject: "Data Protection - [Your Request]"
If you believe we have not adequately addressed your data protection concerns, you may contact:
Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Website: www.edoeb.admin.ch
EU/EEA:
Your local data protection authority
List available at: www.edpb.europa.eu
Effective Date: This Privacy Policy is effective as of the "Last updated" date shown at the top of this document.
Language: This Privacy Policy is available in English. In case of conflicts between translations, the English version shall prevail.