When our clients use Campus 365 for managing their administrative records and arranging learning activities, they often submit individuals’ (e.g., students’, parents’, and teachers’) personal data through Campus 365. In most instances, we act as a processor under the General Data Protection Regulation (GDPR) with regard to such personal data.
If we receive personal data of individuals located in the European Economic Area (EEA), such personal data may be transferred outside the EEA to ensure the operation of Campus 365 and our daily business activities. Such transfers are conducted only for specific purposes, such as hosting, service provision, communication, payment processing, and outsourcing. We do not transfer or use personal data for unlawful purposes that are not permitted by the GDPR and other applicable laws.
To ensure that we process personal data in a manner consistent with the standards of the EEA, we comply with the rules of the GDPR that govern international data transfers (Chapter 5 of the GDPR). Below, we explain in detail how we ensure that the personal data processed by us outside the EEA is adequately protected.
Effective Date: November 1st, 2018
What does the GDPR say?
The GDPR stresses that transfers of personal data from the EEA to third countries outside the EEA require special consideration. According to the GDPR, international transfers may take place only when there is an adequate level of protection for the fundamental right of individuals to data protection.
To maintain a high standard of privacy protection and to ensure that the level of protection afforded to individuals is not weakened when their data is transferred outside the EEA, the GDPR sets a number of conditions that must be met by companies wishing to transfer personal data outside the EEA.
If the recipient country is not subject to an adequacy decision by the European Commission, the GDPR requires companies to ensure certain safeguards for the transferred personal data. Articles 46 and 49 of the GDPR list mechanisms that constitute such adequate safeguards, namely:
- Legally binding instruments approved by public authorities and bodies;
- Binding corporate rules drafted in accordance with the GDPR requirements;
- Standard data protection clauses approved by the European Commission or an EU Member State’s supervisory body;
- An approved code of conduct;
- An approved certification mechanism;
- Contractual clauses between controllers and processors approved by supervisory authorities; or
- Data subject’s consent.
How do we ensure compliance?
To ensure that the processing of personal data is carried out in accordance with the highest data protection standards, we rely on the most common mechanism for legitimizing international data transfers, namely, the standard contractual clauses (controller to processor) approved by the European Commission (the “SCC”). The data processing agreement that our clients conclude with us (the “DPA”) is based on the SCC, and a copy of the SCC is provided as Exhibit 1 to the DPA. Our DPA is available at https://www.campus365.io/
Moreover, we comply with all data protection principles listed in the DPA, such as:
- Processing personal data for limited specific purposes that are compatible with the purpose of transferring;
- Processing only a proportional amount of personal data;
- Processing personal data only in accordance with the controller’s instructions;
- Providing details about our processing activities;
- Providing information to individuals concerned;
- Implementing appropriate security measures;
- Allowing individuals to exercise their rights; and
- Implementing appropriate supervision and enforcement mechanisms.
If you have any questions about our data protection practices or would like to receive further details regarding international data transfers, please contact us by email at firstname.lastname@example.org or by post at E-15/1-A, E-Block, Phase-5, Arhangarh, New Delhi, INDIA.