SMART Technologies ULC General Data Protection Regulation (GDPR) Compliance
What is the GDPR?
The General Data Protection Regulation (GDPR) is a legal framework created to protect personal data of individuals living in the European Union (EU). The GDPR provides guidelines for companies that collect and process the personal information of their EU customers or clients.
The GDPR has three objectives [i]:
- To provide rules for the protection of natural persons with regard to the processing of their personal data, and rules relating to the free movement of personal data.
- To protect the fundamental rights and freedoms of natural persons and their right to have their personal data protected.
- To ensure the free movement of personal data within the EU is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The GDPR privacy legislation is effective as of May 25th, 2018 and replaces the 95/46/EC Directive on Data Protection.
For complete information about the GDPR, visit https://ec.europa.eu/info/law/law-topic/data-protection.
Does SMART comply with GDPR?
Where is SMART’s Data Processing Addendum (DPA)?
If your company requires a DPA with SMART, click here
Why does SMART need my personal data?
SMART collects, retains, transmits, and processes your personal data to provide products and services to you, which includes sales and marketing activities related to those products and services. When you purchase and install a SMART product, we process your personal data as far as necessary in order to provide these products and services to you.
What data collected by SMART is covered by the GDPR?
The GDPR applies to the processing of personal data about individuals (meaning natural persons, not companies) in the EU. It does not apply to general company information such as the company’s name, address, or email (for example, email@example.com), or any data that has been anonymized so that it cannot uniquely identify a specific individual.
Personal Data covered by the GDPR includes:
- An individual’s legal name
- An individual’s identification number
- A home address, or telephone number
- An email address which includes an individual’s legal name, for example: firstname.lastname@example.org
- An identification card number
- Location data (for example the location data function on a mobile phone)
- An Internet Protocol (IP) address or other online identifier
- Data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data not covered by the GDPR includes:
- An organization’s (government, company, school, etc.) information
- Anonymized data
By design, SMART’s products pseudonymize the majority of a user’s data, and most of the analytics we collect are anonymous.
Who is the Data Controller and Data Processor in our relationship when using SMART’s software?
You, the customer, are the Data Controller. You own your data and you control your data. In all of SMART’s products you, as the customer, determine and control what information to upload, what activities to carry out (create SMART Notebook® files, start a class, invite students, add a quiz or homework) and when to remove such information [ii]. Thus, in this relationship SMART is the Data Processor and we do not own your data; we simply process your data on your behalf so that we can provide the requested services to you [iii].
SMART is, however, the Data Controller in relation to our use of your personal purchase data and any kind of processing for which SMART collects your consent (e.g. opt-in for marketing, promotions, etc.).
How does SMART comply with the GDPR as the Data Processor?
As the Data Processor, SMART will respect your rights, which include:
Right to Withdraw Consent and Restrict Processing
At any time you may withdraw your consent for SMART to collect, retain and process your personal data. If you are a customer this typically means you will no longer be able to use our products. If you are a user, you must contact the customer who purchased the product from SMART (e.g., your school, your corporation) who will then pass this request on to SMART.
NOTE: Data required for tax and legal reasons will not be affected by withdrawal of consent.
Right to be Informed
SMART will inform you about what information we collect, transmit and process.
Right of Data Quality, Access and Rectification
SMART will strive to maintain accurate personal data and will respond to customer requests to access the personal data being processed and to correct any inaccurate or incomplete information within 30 days.
Right of Data Portability
SMART provides customers with the ability to obtain and reuse their personal data (typically self-generated content) for their own purposes.
Right of Data Deletion (‘right to be forgotten’)
SMART will only keep personal data for as long as required to provide the service, or as required for tax and legal reasons. SMART adheres to a document retention policy to ensure this. SMART will respond to customer requests to delete personal data within 30 days.
Right of Data Protection
SMART will ensure personal data is transferred for its specific purpose and subsequently used only for that purpose. SMART will only transfer personal data outside of the EU to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection or in accordance with adequate contractual security measures, such as Standard Data Protection Clauses. SMART uses internal controls to limit access to your personal data by setting access based on job function and role, using the concept of ‘need-to-know’ to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives.
Right of Notification
If SMART becomes aware of a personal data breach, it shall without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the affected customer and the supervisory authority (if it was for data where SMART was the Data Controller) in accordance with Article 33 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons [iv]. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:
What is my role under the GDPR?
Under the GDPR framework, if you are a SMART customer, you are considered the ‘Data Controller’. As the Data Controller you are responsible for obtaining the appropriate consents from your users before sharing or allowing them to directly share their personal data. SMART does not control what data you or your users decide to share; you do. SMART will only communicate with and take directions from its customers, not the customer’s users.
As the Data Controller, you may find guidance related to your GDPR responsibilities by checking the website of your national or lead data protection authority as well as seeking independent legal advice relating to your status and obligations under the GDPR.
Does SMART store personal data outside of the EU?
Yes, but like the 95/46/EC Directive on Data Protection, the transfer of personal data outside the EU under the GDPR is permitted only to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection. Transfers are also permitted when concluding Model Clauses that adequately protect the data.
The European Commission has so far verified the following non-EU countries as providing adequate data protection [vi]:
- Faroe Islands
- Isle of Man
- New Zealand
- United States of America (limited to the EU-US Privacy Shield framework)
Who is SMART’s Data Protection Officer (DPO)?
All privacy and DPO requests may be directed to:
Attention: Glenn Carbol, Legal Counsel
SMART Technologies ULC
3636 Research Road NW, Calgary, AB T2L 1Y1
Toll free (U.S./Canada): 1-888-427-6278
Outside of North America: +1-403-245-0333
Who can I contact for access, record, or deletion requests?
All customer requests may be directed to:
Who can I contact with a complaint about SMART’s GDPR compliance?
If we did not resolve your concerns, you may complain to the Information Commissioner’s Office about the way in which SMART has handled your personal data. You can do so by contacting:
First Contact Team
Information Commissioner’s Office
email@example.com // 03031 231113
[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Chapter 1, Article 1
[iv] Art. 33 GDPR Notification of a personal data breach to the supervisory authority
Last Updated: July 5, 2018