How Does GDPR Affect Me?
The GDPR provides users that reside in the EU with certain rights, specifically the Right to be Forgotten, the Right to Object, the Right to Rectification, the Right to Access, and the Right to Data Portability. Each of these rights is meant to safeguard the personal information of EU citizens, and SkyPrep provides the tools necessary to allow our users to be fully compliant with the GDPR requirements.
Below, we’ve summarized the key requirements for GDPR, and we’ve separated each point into different sections. The Customer refers to the Administrators of the platform and/or the body that subscribed to the SkyPrep service. The End-User refers to the end users of the SkyPrep platform, specifically the Learner and Manager roles. Finally, the Course of Action defines what we will do on our end to ensure your compliance.
The Right to be Forgotten: Users have the right to have their personal information completely deleted from SkyPrep and any third-party service that is required for the functionality of the SkyPrep platform.
- Customer: When a subscription plan is cancelled, all information associated with the platform will be kept for 90 days to ensure a smooth reconnection of service if the customer wishes to renew their subscription. Administrators are also able to delete user accounts on their platform, and by doing so, delete all information associated with that account. If immediate deletion of all information is required, the Administrator can contact us at firstname.lastname@example.org to request immediate deletion of all platform information.
- End User: Learners can contact any platform Administrator to request the deletion of their account.
- Course of Action: When a deletion is requested, the SkyPrep platform will fully remove all relevant personal information about the deleted user and/or platform. All associated backups will be deleted in accordance with this right, and all information will be deleted from any third-party service vendor that runs on the SkyPrep platform. We have also taken steps to ensure that all third-party vendors we use are GDPR compliant as well. These third-party vendors will be notified immediately upon your request, and all information regarding the deletion request will be removed from their servers.
The Right to Object: Users have the right to object to their personal information being stored and/or processed.
- End User: As part of our Terms and Conditions, we require that any user added to a platform be added with legally collected information. We also provide Administrators with a feature that allows a Terms and Conditions message to be displayed upon platform login, allowing explicit consent to be collected. If a user objects to receiving communications from the platform, they have the ability to disable all email notifications. Administrators also have the ability to turn email notifications off for their users and specify what information is collected.
- Course of Action: We provide a Terms and Conditions feature to allow our customers to present the relevant information to their users prior to them being logged into the system. Additionally, when a Learner disables their email notifications, we ensure that no emails are sent to the Learner through the platform. By default, only the full name and email of the Learner are required, but Administrators have full control over what information fields are shown on a user’s profile, together with whether they are required to be filled. In the event that a user objects to using their real name and/or email, Administrators have the ability to use pseudonyms instead of names, and usernames instead of emails.
The Right to Rectification: Users can correct any incorrect personal information regarding them.
- Customer: After signing up for a plan, Administrators have full access to their own profile information and can freely change all of the information at will.
- End User: If profile editing is enabled on the platform, Learners are also able to freely change all of the information on their profile. If profile editing is disabled, Administrators are still able to update the information for all users.
- Course of Action: We provide all the tools necessary to ensure that information is kept up-to-date, including, but not limited to, edits made individually to users, through bulk actions via a CSV template, and our API. When a change is made, the change is saved and is reflected throughout the platform and any third-party services in use.
The Right to Access: Users have the right to know what information about them is being stored/processed.
- Customer: When signing up for a plan, all personally identifiable information that we require is clearly shown. Administrators can also generate reports which show all of the information stored about users in the platform. Administrators also have complete control over what profile information fields are displayed and/or are required to be filled out by Learners.
- End User: If a Learner requires information about what data is stored about them, they can contact any Administrator who would then be able to run a report on the user, showing all of their profile information and course progress. Additionally, by navigating to their user profile, Learners are able to view the information fields and all the data within, even if profile editing has been disabled by Administrators.
- Course of Action: We provide all the necessary tools for Administrators to quickly pull all of the information saved about Learners in the platform. This includes single-user reports that display a user’s profile information and course progress, as well as all-user reports that show the same information about every user in the platform.
The Right of Data Portability: Users have the right to obtain and reuse their personal data for their own purposes across different services.
- Customer: The users (Learner/Manager) that are registered on your platform. These are the people who the GDPR rights apply to.
- End User: All platform Administrators are Data Controllers under the GDPR. Data Controllers are defined as anyone who determines the purposes and means of processing the personal data of the Data Subjects. Data Controllers are the ones who need to ensure that all requests regarding GDPR rights are carried out.
- Course of Action: We, SkyPrep Inc., are considered Data Processors. Data Processors are the bodies that process personal data on behalf of the Data Controllers. Under the GDPR, we are required to provide all Data Controllers with the means to be GDPR compliant, with the means highlighted in the previous section.
While we value your privacy, there may be instances where we need to log into your platform where personal information is stored. This will only happen when customer or technical support is required.
Great customer support is a cornerstone of our business philosophy and we access basic customer data such as names and emails to better personalize our approach and ensure the quickest resolution possible.
Similarly, when a technical issue is reported by an Administrator, our engineers will often need to access the platform to troubleshoot the issue. When doing so, we follow the principle of least access, meaning that the engineers are only permitted to view data that is directly related to the rectification of the reported issue. Furthermore, all access is logged and is only possible while on-site at the SkyPrep office during business hours.
Lastly, we ensure that all the tools we are directly integrated with are GDPR compliant, ensuring that your data remains private across all of the systems needed for SkyPrep to run. However, if you decide to utilize our API to build your own integration with a third party, you will need to verify that they are GDPR compliant as well — this guarantee is only applicable to integrations built and/or used by SkyPrep Inc.