SmarterU Legal Agreements
Last Updated: March 19, 2018
This is the most recent version.
This document is a non-legalese summary of our perspective on GDPR compliance, designed for your convenience. Please refer to our terms & services for our binding legal agreements.
The GDPR (General Data Privacy Regulation) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents.
Organizations processing personal data of EU-based individuals will be required to comply with the GDPR by May 25, 2018.
GDPR defines three main groups in relation to cloud applications such as SmarterU.
Any information related to a person that can be used to directly or indirectly identify that person is considered Personal Data. This can include data such as a person’s name, photo, or email address.
Yes.
SmarterU is a product of Neovation Corporation, a Canadian company which is already subject to Canada’s strict PIPEDA (Personal Information Protection and Electronic Documents Act) legislation. Thanks to PIPEDA, Canada has Adequacy status with European privacy laws. It is expected that adequacy will continue following the GDPR.
In addition, SmarterU’s terms & conditions are specifically designed to meet GDPR requirements.
The Data Subjects have a series of rights which must be enforced by the Data Controller and/or Data Processor.
Responsibility: Data Controller
A Data Subject must provide clear and unambiguous consent, which is distinguishable from other matters, using clear and plain language.
SmarterU recommends that the Data Controller obtain consent from the Data Subject prior to uploading their data to SmarterU, or providing the Data Subject with login credentials.
Responsibility: Both
In any situation where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, a notification must be issued within 72 hours of first becoming aware of the breach. Data Controllers must notify the Data Subjects, and Data Processors must notify the Data Controllers.
SmarterU will notify the Data Controller immediately upon becoming aware of a data security breach, or potential breach.
Responsibility: Data Controller
A Data Subject may request confirmation of whether their personal data is being processed, and if so, where and for what purpose. Further, a Data Subject may request a copy of the personal data in an electronic format.
In order to comply with a Data Subject’s request, a Data Controller can request a data file from SmarterU for specific users.
Responsibility: Data Controller
A Data Subject has the right to request that their personal data be erased and that processing of it cease. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.
Upon termination of an account, SmarterU will delete all account data (including Personal Data); however, de-personalized and aggregated data will be retained.
Responsibility: Data Controller
A Data Subject has the right to request their personal data in an electronic format and to transmit it to another controller. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.
In order to comply with a Data Subject’s request, a Data Controller can perform an export, or request a data file from SmarterU for specific users.
Responsibility: Both
Both the Data Controller and Data Processor have a responsibility to embed privacy controls into technology and service offerings, and to limit access to personal data to those who need it to carry out the processing.
SmarterU practices Privacy by Design within the platform and service offerings.
Responsibility: Data Controller
The Data Controller may be required to have an assigned DPO.
As SmarterU is not a public authority, does not engage in large-scale systematic monitoring, and does not have 250 or more employees, the assignment of a DPO, as defined by the GDPR, is not required.