(Last Updated: May 17, 2018)
The European Union’s new General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. We are excited about this development because we believe it will help protect users’ rights to privacy and transparency. We are heartened to see these policies gaining wider traction and adoption as the principles of data protection by design and by default have been core to our approach as we’ve built out the TechChange learning platform over the past 7 years.
Consistent with our history of prioritizing user privacy and data security, TechChange will continuously strive to meet the requirements of the GDPR for all users, regardless of citizenship or location. We believe that this commitment to security will allow our partners to focus on building great online communities without the added concern of user privacy and data security.
The following is not exhaustive in its coverage of TechChange’s compliance with GDPR, but highlights some of the most important aspects of how we work in relation to the law. From this page, users should understand their rights when using the TechChange platform, the responsibilities of TechChange to keep their data secure, and the procedures and processes TechChange has put in place to handle implementation of the law.
Personal Data and Personally Identifiable Information
At the heart of GDPR is how data about users is used and what rights users have over data that a company has about them — whether this data is volunteered by the user or collected by other means. In particular, the GDPR is concerned with the handling of personal data, which is defined as:
any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identify of that natural person.
The definition of “personal data” is broader than the terms “Personally Identifiable Information” (PII) or “personal information”, which are defined terms in other legal systems such as the United States. For example, some jurisdictions define PII as a name in combination with a limited sub-set of sensitive data fields such as social security number, driver’s license number, etc. Given our historical commitment to privacy and data security, TechChange strives to incorporate the full scope of GDPR protections—including with respect to personal data—regardless of a user’s citizenship or location. However, there may be instances where local legal requirements necessitate us distinguishing between personal data and PII.
TechChange only requires a minimal amount of personal data to use the platform, which may or may not also meet the definition of PII in certain jurisdiction. Specifically, TechChange requires users to provide a name, email address, and a username. We do not collect external identification numbers or political, demographic, biometric, or genetic data.
We are also only allowed to collect data that we have an explicit and legitimate purpose for collecting. We do our best to make the use for data collection clear and welcome any feedback on places where we can improve. Please feel free to email us at privacy@techchange.org with any questions or requests for clarification.
We only collect personal data and/or PII with explicit consent from users and make reasonable efforts to pseudonymize this information whenever possible — which generally means we store personal data and/or PII in a single database and replace references to a user’s specific personal data and/or PII with a unique identifier in other databases to minimize the potential to identify users from non-personal data and/or PII. We never sell any data to anyone.
You can read more about our handling of personal data and PII on our Data Security & Practices page.
Data Subject Rights
As a user of our platform, you have a number of rights that give you control over your data and your account. The following is a brief highlight of some of the key rights provided by GDPR and is not inclusive. There are more rights that we feel are less relevant to our platform that you can read about here. Though they are not listed below, we are compliant with those rights too and welcome questions and will do our best to further clarify on this page as needed.
Right of Access
You have the right to access a copy of any data that TechChange has about you. If you make such a request, we will take all reasonable steps to provide you with a copy of all relevant data within 30 days. You have the right to know what data we collect, why we collect it, and how we store it. We have documented all of these and made them publicly available on our Data Security & Practices page.
Right to Rectification
You have the right to request that TechChange corrects any inaccurate personal data about you. In most cases, you will be able to do so on the platform without assistance from TechChange. However, if you need assistance or find you are unable to correct this data yourself, we will gladly help you with your request!
Right to Erasure
You have the right to request that TechChange deletes your account and your data on the platform and on any processors. We will take all reasonable steps to delete your account and all relevant data within 30 days, unless we must maintain it to comply with a legal obligation. This means that you will no longer have access to your account, any courses in which you were enrolled (free or paid), and any of your learning data. This does not prevent you from creating another account in the future.
Processors
Under GDPR definitions, TechChange is a Controller of data. In offering our learning platform, we use a number of Processors that handle personal data. All of the Processors we utilize either have guaranteed GDPR compliance by May 25, 2018 or have already demonstrated compliance. If we find a Processor is not in compliance with GDPR (whether admittedly or by apparent violations), we will take all reasonable steps to remove this Processor as soon as possible and request deletion of any personal data they retain. We provide Processors with only the minimum required personal data to perform their function and pseudonymize, anonymize, or encrypt data whenever possible.
In the interest of transparency, we maintain a list of the processors we use, what we use them for, and what personal data they may have access to that is available on our Data Security & Practices page.
Data Breaches
TechChange takes industry standard measures to prevent data breaches. As with any online service, however, it is impossible to guarantee that data is completely safe. If we should learn that we have had a data breach, we will take the following measures immediately:
- We will work to mitigate the breach to minimize the chance of personal data and/or PII being compromised.
- We will notify relevant law enforcement agencies.
- We will notify the relevant supervisory authority within 72 hours if we believe personal data and/or PII has been compromised.
- We will notify individual users as soon as possible if we believe their personal data and/or PII has been compromised unless prohibited by law.
- We will investigate the cause and breadth of the breach in an effort to prevent further attacks.