When our clients use Classe365 for managing their administrative records and arranging learning activities, they often submit individuals’ (e.g., students’, parents’, and teachers’) personal data through Classe365. In most instances, we act as a processor under the General Data Protection Regulation (GDPR) with regard to such personal data.
If we receive personal data of individuals located in the European Economic Area (EEA), such personal data may be transferred outside the EEA to ensure the operation of Classe365 and our daily business activities. Such transfers are conducted only for specific purposes, such as hosting, service provision, communication, payment processing, and outsourcing. We do not transfer or use personal data for unlawful purposes that are not permitted by the GDPR and other applicable laws.
To ensure that we process personal data in consistency with the standards of the EEA, we make sure that we comply with the rules of the GDPR that govern international data transfers (Chapter 5 of the GDPR). Below, we explain in detail how we ensure that the personal data processed by us outside the EEA is adequately protected.
The GDPR stresses that transfers of personal data from the EEA to third countries outside the EEA require special consideration. According to the GDPR, international transfers may take place only when there is an adequate level of protection to the fundamental right of individuals to data protection.
To maintain high standard of privacy protection and to ensure that the level of protection afforded to individuals is not weakened when their data is transferred outside the EEA, the GDPR sets a number of conditions that should be met by companies willing to transfer personal data outside the EEA.
If the recipient country is not subject to an adequacy decision by the European Commission, the GDPR requires companies to ensure certain safeguards for the transferred personal data. Articles 46 and 49 of the GDPR list mechanisms that constitute such adequate safeguards, namely:
– Legally binding instruments approved by public authorities and bodies;
– Binding corporate rules drafted in accordance with the GDPR requirements;
– Standard data protection clauses approved by the European Commission or an EU Member State’s supervisory body;
– An approved code of conduct;
– An approved certification mechanism;
– Contractual clauses between controllers and processors approved by supervisory authorities; or
– Data subject’s consent.
To ensure that the processing of personal data is carried out in accordance to the highest data protection standards, we use the most frequent mechanism to legitimize international data transfers, namely, the standard contractual clauses (controller to processor) approved by the European Commission (the “SCC”). The data processing agreement that our clients conclude with us (the “DPA”) is based on the SCC and a copy of the SCC is provided as an Exhibit 1 to the DPA. Our DPA is available at https://www.classe365.com/ classe365-personal-data-processing-agreement
Moreover, we comply with all data protection principles listed in the DPA, such as:
– Processing personal data for limited specific purposes that are compatible with the purpose of transferring;
– Processing only a proportional amount of personal data;
– Processing personal data only in accordance with controller’s instructions;
– Providing details about our processing activities;
– Providing information to individuals concerned;
– Implementing appropriate security measures;
– Allowing individuals to exercise their rights; and
– Implementing appropriate supervision and enforcement mechanisms.
If you have any questions about our data protection practices or would like to receive further details regarding international data transfers, please contact us by email at email@example.com or by post at Sprout On Web Pty. Ltd., 22-28 Edgeworth David Ave, Hornsby NSW 2077, Australia.