General Data Protection Regulation (GDPR)

Last Updated March 2022

Welcome to Schoox’s General Data Protection Regulation (GDPR) page. The information here supplements our privacy statements and explains how Schoox supports the GDPR. The sections below help you understand the GDPR, your rights as a European Union data subject, and the technical and organizational measures Schoox has implemented to ensure the security and privacy of your personal data under the regulation.

Overview

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a legal framework that establishes the rules relating to the collection, processing and free movement of personal data of individuals who live in the EU.

Exercising Your Rights

Schoox provides its Learning Management System to individuals through their respective employers. Individuals can access their account at Schoox.com and direct access, deletion and correction requests to their employers. In this role, Schoox is a “data processor” under GDPR.

Schoox as a “data controller” under GDPR will respond to consumers’ verifiable requests within 30 days following receipt of request.

Consumers can make up to two verifiable requests for access or data portability within a 12-month period. To exercise any of your rights, please contact us at [email protected] or via our webform available on our website.

For the purpose of this notice:

Data Controller means an entity that determines the purpose and means of processing of personal data

Data Processor means an entity which processes personal data on behalf of the data controller

Personal Data means an identifiable living individual whose personal data is collected, stored or processed by an organization.

Data Subject Rights

If you are an EU resident and Schoox is processing and/or transmitting your personal data, then you, as a data subject, are afforded the following rights under GDPR:

  1. Right of Access: you have the right to obtain from us, as controllers, confirmation as to whether personal data concerning you are being processed, and, where that is the case, access to the following personal data and information:

    • the purposes of the processing
    • the categories of personal data concerned
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in third countries or international organizations
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
    • the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing
    • the right to lodge a complaint with a supervisory authority (for a list of supervisory authorities, see link here)
    • where the personal data is not collected from you, any available information as to their source
    • the existence of automated decision-making, including profiling, along the lines indicated by Article 22(1) and (4) GDPR, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
  2. Right to Rectification: you have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

  3. Right to Erasure ("Right to be Forgotten"): you have the right to obtain from us the erasure of your personal data without undue delay, and we have the obligation to erase personal data without undue delay when:

    • your data is no longer necessary for the purposes for which it was collected or processed
    • you withdraw consent and no other legal basis exists for processing
    • you object to the processing and there are no overriding legitimate grounds for processing
    • your personal data has been unlawfully processed, or
    • your personal data is to be erased for the purpose of meeting a legal obligation
  4. Right to Restriction of Processing: you have the right to obtain from us the restriction of processing where one of the following applies:

    • you contest the accuracy of the personal data, until this is verified
    • the processing is unlawful, but you do not want your personal data erased
    • we no longer need the personal data, but you require them to establish, exercise or defend a legal claim
    • you have objected to processing but there is a need to verify whether our legitimate grounds override your rights to object
  5. Right to Data Portability: where your personal data have been processed on the basis of your consent or for the performance of a contract, and the processing is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and the right to transmit those data, or have them directly transmitted, to another controller.

  6. Right to Object: you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In this case, we can no longer process your personal data unless we show that there is a compelling legitimate ground for the processing which overrides your interests, rights and freedoms, or that the processing is needed for our establishment, exercise or defense of legal claims.

Schoox’s Commitment to Data Security and Privacy per GDPR Guidelines

Article 32 of the GDPR requires that controllers and processors have adequate levels of security in place to ensure confidentiality, integrity and availability in the processing of personal information and other related activities. Specifically, Article 32 requires Schoox to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In support of this, Schoox has implemented and supports the following processes to ensure the protection of your privacy.

Privacy by Design: Schoox is dedicated to ensuring the security of your personal data and complying with applicable data protection laws. Schoox adheres to the following principles relating to the processing of personal data under GDPR:

  • Lawfulness, fairness and transparency: Personal data is processed lawfully, fairly and in a transparent manner
  • Purpose Limitation: Personal data is collected only for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes
  • Data minimization: Personal data processed is adequate, relevant and limited to what is necessary for the purposes for which it is processed
  • Accuracy: Personal data is accurate and kept up-to-date
  • Storage limitation: Personal data is kept only for as long as necessary for the purposes for which it is processed, and
  • Integrity and confidentiality: Personal data is processed in a way that ensures the security of data, using adequate technical and organizational controls

For further information on the types of information collected and the purposes for which it is held, please review our Privacy Notice.

Schoox's Security and Privacy Provisions

Schoox’s commitment to confidentiality, integrity, and availability, known as the CIA triad of information security, consists of the following initiatives:

  • Third Party Selling or Transfer: Schoox does not transfer or sell any personal client academy data to third parties and does not transfer to third parties who do not have adequate privacy protections.
  • Encryption: Schoox utilizes industry standard encryption protections for data both in transit and at rest for the Schoox Academy Application.
  • Automated Decision Making: Schoox does not input or enact any automated decision (AI or Machine Learning) on Personal or Client Academy Data at this time.
  • Internal Training: Schoox conducts annual security awareness and privacy protection training for all employees.
  • Internal Controls: Schoox has implemented a comprehensive set of internal controls relating to the protection of personal data of EU data subjects during storage, processing and/or transmission, as well as a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures.
  • Annual risk assessment initiatives for assessing relevant risks to the organization and taking necessary action for reducing risk exposure.
  • Monitoring of relevant third-party providers, as necessary, with which Schoox has a business relationship in terms of storing, processing, and/or transmitting personal data for EU residents.

Data Transfers

Schoox takes appropriate steps to ensure that personal data transferred out of EU countries to the US, and to any other country without adequacy provisions, is protected through technical and organizational measures. Due to the invalidation of the Privacy Shield Frameworks, Schoox additionally employs the updated Standard Contractual Clauses (SCCs) for such transfers.

Please view the following information and supporting links below to learn more about Schoox’s commitment to your privacy.

Contact Us:

For any questions or requests concerning the GDPR please contact us at: [email protected]