GDPR Guidelines PDF
On May 25, 2018, the European privacy law, the General Data Protection Regulation
(GDPR), comes into effect. The GDPR imposes new rules on companies, government
agencies, non-profits, and other organizations that process personal data of EU
citizens or operate within the EU. This means that GDPR applies no matter where
you are located.
We at PeopleCert believe that the GDPR is an important step forward for clarifying
and enabling individual privacy rights and a great opportunity to enhance our
business and make it more efficient, by making the information we hold more
accurate and reliable. We are committed to GDPR compliance across our network when
enforcement begins May 25, 2018.
To this effect, PeopleCert has enhanced its processes to meet the new compliance
requirements under the GDPR as either a Data Controller or Data Processor
providing certification and examination services on its own behalf or on behalf of an
owner of examination content (“Data Controller”, “Data Processor”, and other key
terms are defined in Section A below).
Among other compliance measures, we use contractual obligations to enforce
compliance with all applicable data protection laws throughout our network, and
appropriate technical and organizational measures to protect personal data from
unauthorized use, access, disclosure, alteration or destruction.
We want to help you get started, learn more about your rights and obligations and
efficiently prepare for the GDPR.
To this effect, we enhanced PeopleCert Procedures to accommodate the GDPR
compliance obligations and provide you with the appropriate implementation
guidelines. The PeopleCert GDPR Processor Procedures are attached for
your ease of reference, and from now on constitute an integral part of our Partner
Agreement.
• A “Data Controller” is a person or company who decides what type of data should
be collected, what purposes they are collected for and how this data will be
processed. In our case, PeopleCert is the Data Controller.
• A “Data Processor” is a person or company who processes personal data on behalf
of a Data Controller, following the instructions of the Data Controller. In our case,
each Partner who has signed a Partner Agreement with PeopleCert is a Data
Processor.
We capitalise these terms because it is important to pay attention to these roles to
understand how GDPR works. The GDPR introduces important new responsibilities
for both Data Controllers and Data Processors. The two parties will often have to
work together (sometimes on strict deadlines) to accommodate the requests of data
subjects and/or supervisory authorities.
# 5: What rights do data subjects have?
Data subjects decide how and when their data will be used, and the GDPR gives them
an enhanced set of fundamental rights. These include:
1. The right to access and modify their personal data.
2. The right to deletion of personal data when it’s no longer necessary for their
original purpose, including a ‘right to be forgotten’ for data that is outdated.
3. The right to lodge a complaint.
Working with PeopleCert as either Data Controller or Data Processor, you will act as
Data Processor or Data Sub-Processor and will be asked to collect and process
personal data for and on behalf of PeopleCert and/or you may receive personal data
from PeopleCert. This personal data is primarily that of examination candidates and
may also include other personal data, such as of PeopleCert employees.
This section describes how personal data may and may not be used by you as a Data
Processor. These procedures are in addition to your general obligations of
confidentiality and compliance with data protection laws under the Partner
Agreement, which apply to all personal data associated with the Partner Agreement.
Authorized Use
As a Data Processor/Sub-Processor, you are not permitted to process personal data
other than for the following purposes (or as otherwise authorized by PeopleCert):
1. Partners are strictly prohibited from using personal data for marketing purposes,
unless specific consent to this effect is given by the data subject.
2. Partners shall not transfer personal data to third-party processor(s) whether
established in the European Economic Area (EEA) or in third countries, unless such
transfer is expressly approved by the candidate and by PeopleCert.
3. Partners shall apply appropriate technical and organizational security measures
to safeguard personal data from unauthorized use, access, disclosure, alteration
or destruction, and such security measures shall be at least as comprehensive as
those applied to the Partner’s own data. Security measures may include the
encryption of data, the use of passwords when accessing the Partner’s database, the
use of GDPR certified platforms and services, and the tutoring of employees who
have access to and process personal data.
4. Partners must notify PeopleCert immediately if a breach of the security of
personal data occurs.
5. Partners shall notify PeopleCert as soon as possible (and always within 48 hours)
if:
• Partner receives a request from a candidate (or other individual) for the
exercise of its rights under GDPR, as those are enumerated in Section A,
You can find further information in our Privacy Policy and dedicated FAQs section on
our new website www.peoplecert.org.
b) Make sure that you have obtained valid consent from the data subject.
Consent must be:
• Freely given
• Specific
• Unambiguous and distinguishable