What is SchoolAdmin’s role under GDPR?
SchoolAdmin acts as both a data processor and a data controller under the GDPR.
SchoolAdmin as a data processor: When schools use our products and services to process EU personal data, we act as a data processor. For example, we will be a processor of EU personal data and information that gets entered or uploaded to the SchoolAdmin service. This means we will, in addition to complying with our schools' instructions, need to comply with the new legal obligations that apply directly to processors under the GDPR.
SchoolAdmin as a data controller: We act as a data controller for the EU customer information we collect to provide our products and services and to provide timely customer support. This customer information includes things such as customer name and contact information of school staff. We are not a controller of information that belongs to the school, such as their parent and student data.
What is the SchoolAdmin Data Processing Agreement ("DPA")?
Customers that handle EU personal data are required to comply with the privacy and security requirements under the GDPR. As part of this, they must ensure that the vendors they use to process the EU personal data also have privacy and security protections in place. Our DPA outlines the privacy and security protections we have in place. We are committed to GDPR compliance and to helping our customers comply with the GDPR when they use our services. We have therefore made our DPA available to all our customers.
Can a customer share the SchoolAdmin DPA with its customers?
Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
Are there unique DPA needs for individual countries?
The GDPR applies to all of the EU and we offer a DPA that is compliant in all EU countries.
Do we transfer data internationally?
The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EU and prohibits the export of personal data outside of the EU to non-EU recipients unless the export meets certain criteria.
Although we are headquartered in the United States, SchoolAdmin has data centers in the EU. In certain circumstances, we will process personal data that originates from the EU in the United States. We provide a level of protection of privacy that complies with the EU rules.
How do we handle delete instructions from customers?
Customers have the ability to remove or delete information they have uploaded to our products. Likewise, customers may deactivate their account and request that all personal data we have collected and stored is deleted.