Your integrity and how we handle your personal information are important to us. The GDPR (General Data Protection Regulation) enters into force on 25 May 2018 for all citizens of the EU. To make you feel safe with us handling your personal information, we would like to explain how we work with it.
Our work with the GDPR started in 2016. We have analyzed and charted the flow of personal data, made technical changes to the service, established new routines within the company to handle requests and questions related to personal data, and ensured there are binding and legally adequate data processing agreements with our external service providers.
We view the work with GDPR-compliance as an ongoing procedure and we keep data protection in mind in our development. We do this to ensure that DigiExam’s services are always in line with any legal requirements concerning the processing of personal data, and to make GDPR-compliance as easy as possible for our customers.
For users of DigiExam
We use your personal information in order to provide the service of doing exams and tests digitally.
You have an agreement with your school that allows it to use your personal information to provide educational services to you, or as your employer. The school then has an agreement with us that allows us to use your personal information on its behalf to provide our services.
This agreement between us and the school says which of your personal information we are allowed to use and for what purposes.
The purposes for collecting your personal information are:
- Provide the service to allow you to do digital exams and tests
- Improve the service by understanding how you use it
- Provide support for the service
If you want to know more about how we work with your privacy you can see the following documents:
Questions or requests that you have regarding your privacy should primarily be sent to your school. If you have any questions specific to DigiExam, you can contact our Data Privacy Officer at firstname.lastname@example.org.
For schools using DigiExam
DigiExam is compliant with the GDPR and has signed Data Processing Agreements with Privacy Shield with all its subprocessors.
Data processing agreement (DPA)
According to Article 28 of the GDPR, the processing must be governed by a contract with certain minimum requirements. Many of our customers have their own DPA, which we can review and sign. If you do not have such a template, we have asked our legal team to draft one that we can use.
Please disregard this if we have already signed a DPA with you (or are in the process of doing so). If not, we ask you to contact your Customer Success Manager at DigiExam and we’ll help you set this up.
DigiExam uses subprocessors to provide parts of our service. We have signed a Data Processing Agreement with Privacy Shield with each subprocessor. You can find a complete list of subprocessors here: Appendix A – Subprocessors.
Frequently Asked Questions
How do I use my right to be forgotten?
Your primary contact for privacy-related questions is the school, and this also applies to the right to be forgotten. The school is responsible for handling your personal information, as it is the data controller in GDPR terms. It needs to send this request to all services (data processors) it uses, including DigiExam, and each service then needs to request that all services it uses remove your data.
It is worth mentioning that there can be legitimate reasons for not fulfilling your right to be forgotten immediately. For example, you may currently be studying at the school, or the personal information may need to be stored according to the law.
How do I request a data export?
Your primary contact for privacy-related questions is the school, and this also applies when you request a data export. The school needs to request the data export from the services it uses, including DigiExam, and provide it to you.
The following picture gives you an overview of how the GDPR is regulated between the different parties involved in providing you our service.