Last Updated: July 5, 2018
The General Data Protection Regulation (GDPR) is a legal framework created to protect personal data of individuals living in the European Union (EU). The GDPR provides guidelines for companies that collect and process the personal information of their EU customers or clients.
The GDPR has three objectives[i]:
The GDPR privacy legislation is effective of May 25th, 2018 and replaces the 95/46/EC Directive on Data Protection.
For complete information about the GDPR, visit https://ec.europa.eu/info/law/law-topic/data-protection.
If your company requires a DPA with SMART, click here
For an updated list of the data we collect, process and transfer to sub-processors, click here
SMART collects, retains, transmits, and processes your personal data to provide products and services to you, which includes sales and marketing activities related to those products and services . When you purchase and install a SMART product, we process your personal data as far as necessary in order to provide these products and services to you.
The GDPR applies to the processing of personal data about individuals, (meaning natural persons, not companies) in the EU. It does not apply to general company information such as the company’s name, address, or email (for example, firstname.lastname@example.org), or any data that has been anonymized so that it cannot uniquely identify a specific individual.
Personal Data covered by the GDPR includes:
Data not covered by the GDPR includes:
By design, SMART’s products pseudonymizes the majority of a user’s data and most of the analytics we collect are anonymous.
You, the customer, are the Data Controller. You own your data and you control your data. In all of SMART’s products you, as the customer, determine and control what information to upload, what activities to carry out (create SMART Notebook® files, start a class, invite students, add a quiz or homework) and when to remove such information[ii]. Thus, in this relationship SMART is the Data Processor and we not own your data; we simply process your data on your behalf so that we can provide the requested services to you[iii].
SMART is however, the Data Controller in relation to our use of your personal purchase data and any kind of processing for which SMART collects your consent (e.g. opt-in for marketing, promotions, etc.).
As the Data Processor SMART will respect your rights, which include:
|Right to Withdraw Consent and Restrict Processing||
At any time you may withdraw your consent for SMART to collect, retain and process your personal data. If you are a customer this typically means you will no longer be able to use our products. If you are a user, you must contact the customer who purchased the product from SMART (e.g., your school, your corporation) who will then pass this request on to SMART.
NOTE: Data required for tax and legal reasons will not be affected by withdrawal of consent.
|Right to be Informed||
SMART will inform you about what information we collect, transmit and process.
|Right of Data Quality, Access and Rectification||
SMART will strive to maintain accurate personal data and will respond to customer requests to access the personal data being processed and to correct any inaccurate or incomplete information within 30 days.
|Right of Data Portability||
SMART provides customers with the ability to obtain and reuse their personal data (typically self-generated content) for their own purposes.
|Right of Data Deletion (‘right to be forgotten’)||
SMART will only keep personal data for as long as required to provide the service, or as required for tax and legal reasons. SMART adheres to a document retention policy to ensure this. SMART will respond to customer requests to delete personal data within 30 days.
|Right of Data Protection||
SMART will ensure personal data is transferred for its specific purpose and subsequently used only for that purpose. SMART will only transfer personal data outside of the EU to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection or in accordance with adequate contractual security measures, such as Standard Data Protection Clauses. SMART uses internal controls to limit access to your personal data by setting access based on job function and role, using the concept of ‘need-to-know’ to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives.
|Right of Notification||
If SMART becomes aware of a personal data breach, it shall without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the affected customer and the supervisory authority (if it was for data where SMART was the Data Controller) in accordance with Article 33 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons[iv]. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:
Under the GDPR framework, if you are a SMART customer, you are considered the ’Data Controller’. As the Data Controller you are responsible for obtaining the appropriate consents from your users before sharing or allowing them to directly share their personal data. SMART does not control what data you or your users decide to share, you do. SMART will only communicate and take directions from its customers, not the customer’s users.
As the Data Controller, you may find guidance related to your GDPR responsibilities by checking the website of your national or lead data protection authority as well seeking independent legal advice relating to your status and obligations under the GDPR.
Yes, but like the 95/46/EC Directive on Data Protection, the transfer of personal data outside the EU under the GDPR is permitted only to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection . Transfers are also permitted when concluding Model Clauses that adequately protect the data.
The European Commission has so far verified the following non-EU countries as providing adequate data protection[vi]:
All privacy and DPO requests may be directed to:
Attention: Glenn Carbol, Legal Counsel
SMART Technologies ULC
3636 Research Road NW, Calgary, AB T2L 1Y1
Toll free (U.S./Canada): 1-888-427-6278
Outside of North America: +1-403-245-0333
All customer requests may be directed to:
If we did not resolve your concerns, you may complain to the Information Commissioner’s Office about the way in which SMART has handled your personal data. You can do so by contacting:
First Contact Team
Information Commissioner’s Office
email@example.com // 03031 231113
[i] (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, Chapter 1, Article 1).
[iv] Art. 33 GDPR Notification of a personal data breach to the supervisory authority