At GamaLearn we value the privacy and security of our customers’ data, and we are excited to share the news that after months of dedicated efforts and rigorous preparations, we have successfully achieved General Data Protection Regulation (GDPR) compliance. This significant milestone showcases our commitment to safeguarding your personal information and upholding the highest standards of data protection.
This article aims to provide clarity on the GDPR and the rights it gives individuals, including teachers, students and website users, in relation to their personal data.
What exactly is the GDPR?
The GDPR is a comprehensive data protection law enacted in Europe that governs the processing and transfer of personal data of individuals within the European Union (“EU”).
Widely regarded as one of the most stringent data privacy and security laws in the world, the GDPR sets specific guidelines for the collection, use, and storage of personal data in order to protect the fundamental rights and freedoms of EU citizens.
Does the GDPR apply to us?
The scope of the GDPR extends beyond the EU and affects companies operating outside the EU that offer goods or services to, or monitor the activities of, individuals in the EU (also known as “data subjects”).
As a result, even though GamaLearn is based outside the EU, the GDPR applies to us when we offer our services (such as SwiftAssess) to EU users.
Under the GDPR we play two primary roles – data controller and data processor. The controller determines the purposes and means by which data is processed. The processor does not itself decide how and why personal information should be handled – instead, it processes personal data only under the controller’s authority.
As a controller, we collect personal data from our websites, assessment management platform, and social media accounts.
As a processor, we handle personal data our clients give us (e.g. data about your students’ grades) to provide our services to you.
What does the GDPR protect?
The GDPR protects “personal data,” which is any information related to an identified or identifiable natural person. It is a broad term that may include many different things, such as name and surname, email and IP addresses, cookie files, telephone number, ethnicity, gender, etc.
What rights do teachers, students, and website users have?
Under the GDPR, individuals residing in the EU have a number of rights in relation to the processing of their personal data. Specifically, these rights are listed in Chapter 3 of the GDPR and include the right to be informed, the right to access, the right to rectification, the right to erasure, the right to object, the right to data portability, the right to restriction of processing, and the right not to be subject to automated decision-making and profiling.
If data subjects wish to exercise these rights, they can submit a request to the data controller. According to the GDPR, the data controller must comply with the request within one month of receiving it. However, in situations where the request is complex or there are a large number of requests to be processed, this period may be extended by up to two months.
- Right to be informed
Teachers, students, and website users have a right to know about the collection and processing of their personal data at the time such information is collected. To comply with this transparency requirement, GamaLearn provides data subjects with the following in our privacy policies:
- name and contact details of our company;
- purposes of the processing;
- lawful basis for the processing, including our legitimate interests;
- categories of personal data obtained;
- recipients or categories of recipients of the personal data;
- information on transfers of personal data to third countries or international organizations;
- the retention periods for personal data;
- rights of individuals in respect of the processing;
- source of the personal data (if it is not obtained from the individual it relates to);
- details if there is a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to);
- details of the existence of automated decision-making, including profiling (if applicable).
- Right of access
According to the GDPR, the data subject has a right to obtain confirmation that we process their personal data, as well as receive a copy of such personal data and some additional information about the processing.
The additional information includes:
- purposes of the processing;
- categories of personal data;
- recipient(s) of the information, including recipients in third countries or international organizations;
- length of time that the personal data is stored for (or the criteria used to determine that period);
- data subject’s right to request rectification or erasure, restriction or objection, relative to their personal data being processed;
- data subject’s right to lodge a complaint with the supervisory authority;
- source of the personal data if it hasn’t been collected from the data subject;
- information of any automated decision-making, including profiling and, if so, the logic and potential consequences involved;
- if and where personal data has been transferred and information on any safeguards in place.
We are always dedicated to aiding you in exercising your right of access and will provide you with all the essential information upon request.
- Right to rectification
Under the GDPR, the data subject has the right to rectify inaccurate personal data and to complete insufficient personal data. Where necessary, we will take steps to validate the information provided by you to ensure that it is accurate before amending it.
If you discover any inaccurate information about yourself, you may request us to rectify it.
- Right to erasure (“right to be forgotten”)
The data subject has the right to request us to delete personal data, and we have a corresponding obligation to erase such information without undue delay if one of the following grounds applies:
- personal data is no longer necessary for the purpose for which it was collected;
- the data subject withdraws consent, and there is no other legal ground for processing;
- the data subject objects to the processing of personal data and there are no overriding legitimate grounds for the processing;
- personal data have been unlawfully processed;
- for compliance reasons, i.e. to meet our legal obligations;
- where the personal data was relevant to the data subject as a child.
- Right to object
Under this right, you may send us a request to object to the processing of your personal data (entirely or in part) at any time. This right to object is an important aspect of data protection as it gives individuals greater control over their personal data and how it is used.
Individuals can exercise their right to object in any situation where their personal data is processed, including where the processing is carried out for the purposes of direct marketing or profiling. The right to object means that individuals can request that their data no longer be used for such purposes and that the processing of their data be stopped. It’s worth noting that the right to object is not absolute, and in some situations prescribed by applicable legislation we may continue processing your personal data.
- Right to data portability
The data subject has the right to ask us to provide their personal data in a “structured, commonly used and machine-readable format” and to transfer that data to another data controller.
Where feasible, you can also request personal data to be transferred directly from our systems to those of another provider. It’s important to note that this right only applies to personal data provided to the controller with the individual’s consent or for the performance of a contract, and if the processing is carried out by automated means (i.e. excluding paper files).
By exercising the right to data portability, individuals can easily transfer their personal data to another service provider, making it easier to switch providers and to benefit from increased competition in the market.
- Right to restriction of processing
Under the GDPR, data subjects have a right to limit the processing of their personal data, with several exceptions.
In particular, teachers, students, and website users can exercise the right to a restriction of processing of their personal data in the following cases:
- where they contest the accuracy of the data until we have been able to verify its accuracy;
- as an alternative to erasure where the processing is unlawful;
- where they need the data for legal claims, but we no longer require it;
- while a decision on an objection to processing is pending.
If we receive a request to restrict the processing, we will decide if such a request should be allowed under the GDPR, depending on the circumstances of each case. Where a restriction of processing is in place, we may store but not process personal data without your consent.
- Right not to be subject to automated decision-making and profiling
Under the GDPR, automated decision-making happens when decisions are made about you by technological means without any human involvement. In turn, profiling is done when your personal aspects are evaluated to make predictions about you, even if no decision is taken.
As data subjects, teachers, students, and website users have a right not to be subject to profiling or automated decision-making and can insist on human intervention where appropriate. You also have the right to express your point of view and contest decisions.
However, there are also some exceptions to this right. In particular, automated decision-making and profiling may occur if they:
- are necessary for the performance of a contract;
- are authorised by law;
- are based on your explicit consent.
In addition to the rights outlined in Chapter 3 of the GDPR, there are several other rights of data subjects that are not explicitly mentioned in this chapter, but are still important protections under the regulation.
- Right to lodge a complaint
Articles 77-79 and 81 of the GDPR provide for the right of a data subject to lodge a complaint with a relevant supervisory authority in the EU member state of his or her habitual residence, place of work, or place of the alleged infringement. Such complaints are to be investigated, and the supervisory authority should inform the concerned person of the outcome of the proceedings.
Besides the above, the data subject may also bring an action before a national court or – in some specific cases – ask for a ruling of the Court of Justice of the European Union.
- Right to compensation
Article 82 of the GDPR provides for a right of compensation, according to which the data subject may receive compensation if conditions specified in Article 82 are met.
For any inquiries regarding GDPR compliance, we encourage you to visit our dedicated page https://gamalearn.com/gdpr/ which provides comprehensive information and resources to address your questions and concerns related to data protection. We are committed to ensuring transparency and providing the necessary guidance to help you navigate GDPR requirements.