GDPR COMPLIANCE POLICY
Policy Owner: Joe Wallace
Effective Date: Aug 1, 2023
Application
This policy applies to all employees, contractors, and vendors while doing business with EdPower and others who have access to the European Union (EU) and the European Economic Area (EEA) data subject information (“personal data”) in connection with EdPower’s operating activities.
Policy
EdPower is committed to protecting the security, confidentiality, and privacy of its information resources including EU and EEA personal data in accordance with the requirements set forth in the General Data Protection Regulation (EU) 2016/679 (“GDPR”, “Regulation”). Personal data shall only be processed when there is a legal basis to do so, data shall be managed to ensure that security, confidentiality, and privacy are maintained, and data will be used only for authorized purposes. All employees and contractors of EdPower share the responsibility for safeguarding personal data to which they have access.
When performing commercial activities in support of EdPower products and services that impact EU/EEA personal data, EdPower may engage in certain activities which may require it to receive, store, process, transmit, create, or access and use data which may trigger compliance requirements with the provisions applicable to GDPR. This policy and the GDPR Policies adopted hereunder are intended to support the mission of EdPower and to facilitate data processing activities that are important to EdPower by:
- Ensuring compliance with requirements imposed by GDPR and EdPower’s regulatory obligations
- Providing for the establishment of GDPR Policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data
- Setting forth the roles and responsibilities necessary for EdPower to meet its obligations with respect to activities related to the processing of personal data in accordance with GDPR
Roles and Responsibilities
Policy Adoption
EdPower shall, in cooperation with relevant stakeholders, develop and adopt necessary and appropriate GDPR Policies, which will include, among other things, the technical, physical, and administrative safeguards required to ensure the confidentiality, integrity, and privacy of personal data, and protect personal data against reasonably anticipated threats or hazards and unauthorized uses or disclosures. All relevant EdPower stakeholders shall cooperate with EdPower in the development and implementation of the GDPR Policies.
The EdPower Information Security and Data Privacy Policies are a component of the GDPR Policies and implement controls which support GDPR compliance.
Responsible Person
Joe Wallace, CEO, jwallace@myedpower.com, 208 258 2570, has been assigned responsibility for overall oversight of EdPower’s GDPR compliance program.
Data Protection Officer
The Data Protection Officer (DPO) shall have the responsibilities set forth in this Policy and GDPR Article 39. The DPO is tasked with daily and ongoing oversight and management of EdPower’s GDPR Compliance Program, which includes the following responsibilities:
- Monitoring EdPower’s internal compliance with GDPR
- Providing guidance at the earliest stage possible on all aspects of data protection
- Keeping EdPower stakeholders apprised of changes to GDPR and other relevant laws and regulations
- Assisting the controller or processor in monitoring internal compliance with the Regulation, including:
  - Collecting information to identify processing activities
  - Analyzing and checking the compliance of processing activities
  - Informing, advising and issuing recommendations to the controller or the processor
- Acting in an independent manner, and ensuring there is no conflict of interest in other roles or interests that the DPO may hold
- Maintaining inventories of all personal data stored on behalf of the data controller or processor
- Responding to security, privacy, and data access requests and complaints from data subjects
- Managing data security and critical business continuity issues that could impact personal data
- Providing guidance, as requested, to the data controller to complete a data protection impact assessment (“DPIA”)
- Providing guidance on responding to accidental or malicious activity that could impact personal data
- Cooperating with the supervisory authority as needed
- Acting as the contact point for the supervisory authority on issues relating to processing, and consulting, where appropriate, with regard to any other matter
The Data Protection Officer is: Joe Wallace, CEO, jwallace@myedpower.com, 208 258 2570
Article 27 Local Representative
For entities operating outside of the EU, Representatives must be named (a Representative is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the GDPR.”). Representatives must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. Companies operating in the UK must also appoint a UK Representative. Primary responsibilities include:
- Serving as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities
- Understanding current data protection laws, legal or compliance requirements, and interfacing with regulatory authorities
Representative(s) is/are:
EU Representative: Education Elephant representative
UK Representative: Education Elephant representative
Implementation
Data Protection
All personal data requires a legal basis for processing and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.
- Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by EdPower systems.
- Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse.
- Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to GDPR and the handling of personal data as well as the Data Subject Access Request (DSAR) procedure.
- EdPower will not transmit EU or UK PII to any third party or vendor until an appropriate Data Protection Addendum has been fully executed by EdPower and the third party.
- The company shall retain a Record of Processing Activity in accordance with Article 30 of the GDPR. Records shall include:
  - the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  - the purposes of the processing;
  - a description of the categories of data subjects and of the categories of personal data;
  - the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
  - where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  - where possible, the envisaged time limits for erasure of the different categories of data;
  - where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
Breach Notification
Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties in accordance with the GDPR notification requirements and the Incident Response Policy.
Data Subject Access Requests (DSAR/SAR)
Subject to the exceptions noted below in this policy, EdPower will comply with any SAR concerning the following rights of the data subject:
- Access (a copy of the personal data undergoing processing)
- Rectification of personal data (correction of data stored or processed)
- Erasure (‘right to be forgotten’)
- Restriction of processing
- Notification regarding rectification or erasure
- Data portability (in the event of a Data Portability Request, EdPower will export the customer’s data in an industry-standard format and make it internet accessible for download only by the data subject)
- Objection to processing (withdrawal of consent to processing)
- Automated individual decision-making, including profiling
- Do Not Sell requests under the CCPA
SAR when EdPower is the data controller:
- A SAR must be made via the EdPower support system by sending an email to support@myedpower.com to initiate the SAR process.
- Where required, the data subject must provide reasonable evidence of their identity in the form of valid identification, for example, email verification.
- When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure.
- If a SAR is submitted by an agent, the submission must include the identification of the data subject.
SAR when EdPower is the data processor:
- A SAR must be made via the EdPower support system by sending an email to support@myedpower.com to initiate the SAR process.
- The controller must identify the SAR that is being requested.
SAR requirements:
- The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; EdPower will acknowledge any manual requests within 10 business days.
- EdPower has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
- The SAR application will be documented and can be audited through EdPower’s internal processes.
EdPower as the data processor
- The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; EdPower will acknowledge any manual requests within 10 business days.
- EdPower has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
- The SAR application will be documented and can be audited through EdPower’s internal processes.
EdPower as the data controller
- The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; EdPower will acknowledge any manual requests within 10 business days.
- EdPower has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
- The SAR application will be documented and can be audited through EdPower’s internal processes.
SAR Exemptions
- EdPower may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer or CEO.
SAR Limits
Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by EdPower that are requested by the data subject, EdPower may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.
Compelled Disclosure
EdPower governs the compelled disclosure of customer Personally Identifiable Information pursuant to valid third-party legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands.
Upon receipt of legal demands for information, EdPower will immediately notify the CEO and the Data Protection Officer. EdPower will investigate the demands, and if it is determined at EdPower’s sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. We are unable to process overly broad or vague demands, and we will not disclose information that is not specifically demanded, except in response to follow-up demands.
EdPower may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.
All external communications with customers, regulators and law enforcement shall be approved by EdPower.
Enforcement
The CEO and Data Protection Officer are responsible for the enforcement of this policy. Employees who may have questions should contact the Data Protection Officer as appropriate.
Disciplinary Action
Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.
Reporting
All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must be reported immediately either to the CEO or the Data Protection Officer, or via the incident reporting process at support@myedpower.com.
As long as a report is made honestly and in good faith, EdPower will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.
Version History