Digication Compliance to the General Data Protection Regulation (GDPR)
1. Introduction to this Privacy Notice
The GDPR is a comprehensive European Union (EU) data privacy law. Along with standardizing user data privacy across the EU member states, the GDPR places requirements on some organizations that handle EU residents’ personal data, regardless of where the organizations are located.
While using Digication, personal information you or your organization (if your account is being administered and controlled under an Enterprise subscription) has provided will be hosted on our platform and shared with us. Upon registration or first login with Digication, you will be required to acknowledge receiving this Privacy Notice before you can access Digication.
Digication provides the additional information below to inform you of your rights and our practices and responsibilities in processing your personal data under the GDPR. This Privacy Notice only applies when (a) you are based in the EU and (b) you are a user of Digication.
We may update this Privacy Notice from time to time to reflect changes in our practices or in the law, but if we do so, we will provide you with access to an updated copy of the Privacy Notice as soon as possible. This Privacy Notice was last updated on January 1, 2021.
1.1 Not familiar with the GDPR?
You can learn more about it here: https://gdpr.eu
We’ve included simplified definitions of some of the key terms at the end of this document. A full list is available here: GDPR definitions
1.2 Who are we and what is our role?
We are Digication, Inc., a company incorporated in Delaware (with registered number 4154794), and have our principal place of business at 10 Dorrance Street, Suite 700, Providence, RI 02903, United States.
When you have been provided access to the Digication platform through an Enterprise subscription, Digication is the processor of your personal data and your organization will be the controller of some of the personal data that is hosted on the Digication platform. Your organization is responsible for providing you with a separate privacy notice before you access our platform. We have no liability for your organization’s privacy notice or their privacy practices. If your organization terminates its subscription, Digication may agree to assume the controller role.
When you have not been provided access to the Digication platform through an Enterprise subscription, we are the controller of some of the personal data provided by you, but you may also be the controller of some of your personal data in other instances.
2. What kind of personal data does Digication store about users?
2.1 General
We do not actively collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we actively collect any information about criminal convictions and offenses. ePortfolios are a vehicle for self-expression, and you may choose to include personal details in the content you create on Digication. We ask you to remain mindful when including personal information in your ePortfolios or deciding to publish your content publicly within your organization or publicly online.
2.2 User account data
Basic personal information stored when creating your account:
- Your first and last names
- Your username
- Your email address (in rare cases, an email address may not be required.)
When you log in and use Digication, we will also store:
- Your IP address (no longer than 90 days)
Additional optional personal information which may be stored about you:
- A unique identifier (also known as SyncID or Account ID), which may be an ID number in use at your organization or a repeat of basic information, such as username or email address. This information is typically used to manage course and group enrollment on an organizational level and, when used, is provided by the subscribing organization for accounts established under an Enterprise Plan.
- Additional information that your organization has provided to be associated with your account(s), such as graduation date, major, credit information, or additional account metadata.
Additional User Generated Content we may store on your behalf:
- Digication is an ePortfolio platform. The nature of an ePortfolio platform includes the ability for users to store, share, and publish personal information to others. Such information is considered “User Generated Content” (UGC). Users have the ability to control the level of privacy for UGC posted on their ePortfolios, for responses to discussion posts, and for comments made on ePortfolios.
- UGC includes:
  - Information you may have added to your user profile (including preferred notification email address, support email address, website link, and/or profile image).
  - Content created, edited, and managed by you (or other users) for personal and educational goals, including any or all of the following: ePortfolios, ePortfolio comments, discussion posts and comments, and coursework submitted to assignments.
The above basic information and the additional information are referred to together as ‘user account data’.
2.3 Support tickets
When you contact us for support, those requests are saved as support tickets. Support tickets may contain user account data details as well as troubleshooting details you provide about your computing environment and the issue you were experiencing.
2.4 Additional Contact Details
We also store contact information gathered as part of activities you may engage in through our websites, such as filling out an inquiry form.
3. Why does Digication store this data and what legal basis do we rely on?
3.1 General
Where you access the platform via an enterprise subscription, your organization has the responsibility to explain to you what personal data will be used, why it is stored on our platform, and the legal basis that the organization applies for its uses of your personal data. Therefore, section 3 only applies when we are the controller of your personal data.
When we are the controller of your personal data, we will only use your personal data for the purposes it was collected unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
When we are the controller of the personal data and we rely on the legal basis of contractual necessity and you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you (e.g. the subscription agreement).
3.2 User account data
The basic information we collect and store about you is the minimum amount of data required to fulfill the terms of the subscription and allow you to use Digication. If you are an Individual subscription user then we rely on the legal basis of contractual necessity as we cannot fulfill the subscription otherwise. If you are an Enterprise subscription user then your organization is responsible for providing you with a note of the legal basis that it relies on.
Additional information provided by you serves to allow you to personalize your account, and create content as part of coursework or for personal use. If you are an Individual subscription user then we rely on the legal basis of legitimate interests, as it is in your interests to be able to use the platform in these ways. If you are an Enterprise subscription user then your organization will provide you with a note of the legal basis that it relies on.
Additional information provided by your organization (where applicable) is used to manage your account, further educational goals, and facilitate assessment activities. This does not apply if you are an Individual subscription user. If you are an Enterprise subscription user then your organization is responsible for providing you with a note of the legal basis that it relies on.
3.3 Support Tickets
When you contact us for support, those requests are saved as support tickets. Support tickets may contain user account data details as well as troubleshooting details you provide about your computing environment and the issue you were experiencing. We use this information to investigate, document, and resolve technical difficulties you may experience while using Digication.
3.4 Automated decision-making
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not anticipate that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.
4. Where is Digication data stored and how is it protected?
- Digication user data is stored in the United States on secure servers in the cloud.
- Our main infrastructure provider (AWS) has provided us with documentation showing that they are GDPR compliant.
- We hold your data in as few places as necessary.
- Our employees will not create any unnecessary additional data sets.
- Our employees are trained in data security and they will always take reasonable steps to ensure your data is kept as accurate and up to date as possible.
- We regularly scan for software and infrastructure vulnerabilities using various test and auditing tools as part of our software development and quality assurance processes.
Please note that our service providers may also host, process, or store data in the US (or otherwise outside the UK or the EEA). Where they do this, we will ensure that we have put appropriate safeguards in place to protect your personal data in accordance with the GDPR (e.g. standard contractual clauses, etc.).
5. How long does Digication store user data?
In general terms, we will retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including the purposes of satisfying any legal, accounting, or reporting requirements.
Below are the general retention periods that are applied by us, but these may differ if you are an Enterprise subscription user and your organization has agreed to different retention periods with us – we recommend that you ask your organization what the retention periods are in that instance.
Digication user account data is held for the lifetime of an account, or until a valid request for deletion is made.
Support tickets are held until a valid request for deletion is made.
Contact details gathered as part of activities through our websites will be retained until a user makes a request to us to have data held about them deleted.
Please note that we may not always be able to comply with your request to exercise your rights for specific legal reasons which will be notified to you, if applicable, at the time of your request. Additionally, it may be that the data your request relates to has been co-authored or co-created with other users and therefore we may be unable to comply with your request.
6. Does Digication share user data with third parties?
6.1 Necessary Third-party Services
Third-party partners help us provide some of the features and content included in Digication. These services are used by Digication for cloud hosting of data, error and performance tracking, generating email notifications or other system emails, and, when users upload content, for processing users’ files and media uploads and capture.
Your ability to opt out doesn’t apply where the sharing of your personal data is with a third party who is acting as our agent (such as our service providers who perform services that help us to run our business). Digication won’t provide your personal data to a third party under these circumstances until a thorough security review of the third-party vendor has been completed and it has been determined that the vendor complies with the Principles.
We may provide your personal data to third parties where there is a legal obligation to do so, for example to regulators, government departments, law enforcement authorities, tax authorities, and any relevant dispute resolution body or the courts.
We may also provide your personal data to third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.
We will provide information about you to any other person who is legally authorized by you to act on your behalf.
We do not distribute or otherwise share with any third party any personal information that any individual or organization provides to us before that individual or organization registers to use Digication. Digication does not sell, distribute or share user data with third parties for any marketing or sales purposes.
6.2 Optional Third-party Services
You or we may need to share your personal information with one or more of our third-party partners in order for you to access and use such features or content, for example, you may need to authenticate with a third-party service such as Google Drive in order to access the content you have stored there that you wish to add to an ePortfolio. You can opt out of the sharing of this information by not accessing these features or content.
7. How is data destroyed?
Individual user data is removed using standard operating system and database queries, and this happens within 30 days after the account is marked for deletion.
8. Your data protection rights under the GDPR
8.1 General
Under the GDPR you have the right at any time to request access to, correction, or erasure of personal data or to restrict or object to the processing of your data as well as the right to data portability.
If you are an Enterprise subscription user, please direct your requests to your organization. If you are an Enterprise subscription user and you send a request to us, we may then send that request on to your organization.
If you are an Individual subscription user, please direct all requests to Digication by email to support@digication.com.
Please note that we may not always be able to comply with your request to exercise your rights for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Additionally, it may be that the data your request relates to has been co-authored or co-created with other users and therefore we may be unable to comply with your request.
Here is some more information on your data protection rights under the GDPR.
You may:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you as a controller.
- Request correction of the personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we or your organization may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us or your organization to delete or remove personal data where there is no good reason for us to continue to process it. Please see the procedure below for implementing this right.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Every Digication user (data subject) has the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of his or her habitual residence, place of work, or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her violates the provisions of the GDPR. We would, however, appreciate the chance to deal with your concerns before you approach a supervisory authority so please contact us in the first instance.
8.2 No fee is usually required
You will not usually have to pay a fee to exercise your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
8.3 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
8.4 How can I make a request regarding my personal data?
If you are located in the EU and wish to exercise your rights under the GDPR, such as your right to access, request corrections, or request the removal of your personal data, please see the information below for Enterprise Plan users (if an organization has provided your account) or Individual Plan users (if you are the subscriber).
If you access Digication through an Enterprise Plan subscription provided by a school, university, or another organization:
Contact your organization’s Digication administrator to make your GDPR data request. (If you are not sure who to contact at your organization, please contact Digication at support@digication.com and we will help connect you with the appropriate contact at your organization to receive your GDPR data request.)
Your organization, as the controller of your account, must authorize Digication to take action on the data request. Once authorization is given, the data request will be treated as a priority.
Upon receiving an access request, Digication will create an inventory of all data we hold that is currently associated with your account. This will include: Digication user account details, all assets created or collaborated upon, submitted work, or support tickets.
In the case of a deletion request, a data inventory will be offered to your organization so they can discuss any implications of deleting this data with you. Following an agreement between you and your organization, they will contact Digication to request the removal of your data. Upon receipt of their authorized written instruction, we will remove all data required as a priority.
Finally, we will notify your organization when the request has been completed.
If you access Digication through an Individual Plan subscriber account:
Please contact us at support@digication.com to make your GDPR data request.
If access or deletion is requested, Digication will create an inventory of all data we hold that is currently associated with your account. This will include: Digication user account details, all assets created or collaborated upon, submitted work, and support tickets.
If, after viewing the inventory, you want us to delete the data, then you will need to confirm via email.
Once we have received your written instruction to delete your data, we will remove it without undue delay and notify you when the process is complete.
Please note: Users who chose to make their ePortfolios public should be aware that deletion of a public ePortfolio does not automatically remove any cached information held by search engines. This saved information may not be deleted by the search engines and the search engines will be controllers of this information in their own right.
If you have any queries in relation to this Privacy Notice please contact us at support@digication.com.
9. GDPR Definitions
A few useful (simplified) GDPR definitions - see also this list of full GDPR definitions.
- ‘personal data’ means any information relating to an identified or identifiable human being (such a person is also called a ‘data subject’);
- ‘processing’ means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including but not limited to: collection, recording, correction, organization, storage, compression, or processing of media files, retrieval, dissemination or otherwise making available, restriction, erasure or destruction;
- ‘controller’ means the person, organization, or other entity which determines the purposes and means of the processing of personal data;
- ‘processor’ means a person, organization, or other entity which processes personal data on behalf of the controller;
- ‘third party’ means a person, organization, or entity other than the data subject, controller, and processor.