On May 25, 2018, the EU General Data Protection Regulation (GDPR) became effective, bringing new global data protection rights for citizens of the European Union. Now that GDPR has come into effect, we want to provide a statement on our work to comply with new regulations and ensure that our customers who use Inspera Assessment can continue to do so with confidence.
Over the coming months, we plan to add additional functionality to our product and APIs to make it easier for you to process Data Subject Requests with us.
What we have done about GDPR as a Data Processor
At Inspera, we have already done extensive work to protect the privacy and security of our customers (and of our staff and learners):
- We have Data Processing Agreements (DPAs) with customers in place that regulate how personal data is defined and how we process this data.
- DPAs also regulate sharing of personal data. By design, Inspera Assessment uses only few sub-processors and we have a DPA in place with each of them (see Data Processing Agreement link at bottom of page).
- Inspera Assessment follows a privacy by design solution for learners to minimise personal data processing (see Data Privacy By Design link at bottom of page).
- Upon termination of an account, all data connected to that account is immediately anonymised within a period of maximum 180 days.
- We have implemented the following technical and organisational measures for data security by design (see Data Security link at bottom of page).
Changes to Inspera Assessment service to become GDPR compliant
Inspera is also committed to providing more tools for its customers and users to control data captured in Inspera Assessment:
- Provide greater transparency about privacy modes and options that are enabled for our customer’s accounts:
- Minimisation (personal information such as name and email is registered) to handle situations where there is no integration with an authentication system and/or an exam enrollment system.
- Pseudonymisation (only storing pseudonymised identifiers) to balance privacy concerns with data quality.
- Anonymisation (all personal data are irreversibly anonymised) to ensure that no information is possible to track to a specific
- Offer a data controller API for downloading staff and learner data for an institution with minimisation or pseudonymisation privacy mode.
- Offer a data controller API for anonymising learner data.
The functionality above will be available for our customers by 31st of October 2018 at the very latest.
Questions or Concerns?
Please contact us at firstname.lastname@example.org for more information.
Data Processing Agreement | Security Statement | Privacy Notice