SMART Technologies ULC General Data Protection Regulation (GDPR) Compliance

Last Updated: May 15, 2018

What is the GDPR?

The General Data Protection Regulation (GDPR) is a legal framework created to protect personal data of individuals living in the European Union (EU). The GDPR provides guidelines for companies that collect and process the personal information of their EU customers or clients.

The GDPR has three objectives[i]:

  1. To provide rules for the protection of natural persons with regard to the processing of their personal data, and rules relating to the free movement of personal data.
  2. To protect the fundamental rights and freedoms of natural persons and their right to have their personal data protected.
  3. To ensure the free movement of personal data within the EU is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The GDPR privacy legislation is effective as of May 25th, 2018 and replaces the 95/46/EC Directive on Data Protection.

For complete information about the GDPR, visit https://ec.europa.eu/info/law/law-topic/data-protection.

Does SMART comply with GDPR?

Yes.

Where is SMART’s Data Processing Addendum (DPA)?

If your company requires a DPA with SMART, click here

What Data Does SMART Collect?

For an updated list of the data we collect, process and transfer to sub-processors, click here

Why does SMART need my personal data?

SMART collects, retains, transmits, and processes your personal data solely to provide products and services to you. When you purchase and install a SMART product, you provide consent for SMART to collect and process your personal data for this purpose. You may withdraw this consent at any time. If you withdraw your consent, however, SMART may not be able to sell you products or provide you with certain services.

What data collected by SMART is covered by the GDPR?

The GDPR only applies to personal data about individuals (meaning natural persons, not companies). This means it applies to any data that SMART collects about an individual living in the EU. It does not apply to general company information such as the company’s name, address, or email (for example, support@company.com), or any data that has been anonymized or pseudonymized so that it cannot uniquely identify a specific individual.

Personal Data covered by the GDPR includes:

  • An individual’s legal name
  • An individual’s identification number
  • A home address, or telephone number
  • An email address which includes an individual’s legal name, for example: name.surname@company.com
  • An identification card number
  • Location data (for example the location data function on a mobile phone)
  • An Internet Protocol (IP) address or other online identifier
  • Data specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Data not covered by the GDPR includes:

  • An organization’s (government, company, school, etc.) information
  • Anonymized or pseudonymized data

By design, SMART’s products pseudonymize the majority of a user’s data.

Who is the Data Controller and Data Processor in our relationship?

You, the customer, are the Data Controller. You own your data and you control your data. In all of SMART’s products you, as the customer, determine and control what information to upload, what activities to carry out (create SMART Notebook® files, start a class, invite students, add a quiz or homework) and when to remove such information[ii].

SMART is the Data Processor. SMART does not own your data; we simply process your data on your behalf so that we can provide the requested services to you[iii].

How does SMART comply with the GDPR as the Data Processor?

As the Data Processor, SMART will respect your rights, which include:

Right to Withdraw Consent and Restrict Processing

At any time you may withdraw your consent for SMART to collect, retain and process your personal data. If you are a customer, this typically means you will no longer be able to use our products. If you are a user, you must contact the customer who purchased the product from SMART (e.g., your school, your corporation), who will then pass this request on to SMART.

NOTE: Data required for tax and legal reasons will not be affected by withdrawal of consent.

Right to be Informed

SMART will inform you about what information we collect, transmit and process.

Right of Data Quality, Access and Rectification

SMART will strive to maintain accurate personal data and will respond to customer requests to access the personal data being processed and to correct any inaccurate or incomplete information within 30 days.

Right of Data Portability

SMART provides customers with the ability to obtain and reuse their personal data (typically self-generated content) for their own purposes.

Right of Data Deletion (‘right to be forgotten’)

SMART will only keep personal data for as long as required to provide the service, or as required for tax and legal reasons. SMART adheres to a document retention policy to ensure this. SMART will respond to customer requests to delete personal data within 30 days.

Right of Data Protection

SMART will ensure personal data is transferred for its specific purpose and subsequently used only for that purpose. SMART will only transfer personal data outside of the EU to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection or in accordance with adequate contractual security measures, such as Data Processing Addendums. SMART uses internal controls to limit access to your personal data by setting access based on job function and role, using the concept of ‘need-to-know’ to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives.

Right of Notification

If SMART becomes aware of a personal data breach, it shall without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the affected customer and the supervisory authority in accordance with Article 55 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons[iv]. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:

  1. Contact details of the Data Protection Officer or other contact person,
  2. A description of the nature of the breach,
  3. Likely consequences of the breach,
  4. Measures the organization has taken or proposes to take to address the breach,
  5. Advice on steps data subjects can take to protect themselves, and
  6. The measures SMART has taken or proposes to take to address the breach.

What is my role under the GDPR?

Under the GDPR framework, if you are a SMART customer, you are considered the ‘Data Controller’. As the Data Controller you are responsible for obtaining the appropriate consents from your users before sharing or allowing them to directly share their personal data. SMART does not control what data you or your users decide to share; you do. SMART will only communicate with and take directions from its customers, not the customer’s users.

As the Data Controller, you may find guidance related to your GDPR responsibilities by checking the website of your national or lead data protection authority as well as seeking independent legal advice relating to your status and obligations under the GDPR.

Does SMART store personal data outside of the EU?

Yes, but like the 95/46/EC Directive on Data Protection, the transfer of personal data outside the EU is permitted only to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection[v]. Transfers are also permitted under standard commercial contractual clauses that adequately protect the data.

The European Commission has so far verified the following non-EU countries as providing adequate data protection[vi]:

  • Andorra
  • Argentina
  • Canada (commercial organizations)
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay
  • United States of America (limited to the Privacy Shield framework)

Since SMART and its sub-processors only store and process your data in the EU, Canada and the United States (with Privacy Shield companies), we comply with the GDPR data transfer rules. For added peace of mind, SMART is diligently working towards signing data protection addendums (DPAs) with all its sub-processors.

Who is SMART’s Data Protection Officer (DPO)?

SMART is not required to appoint a DPO because it is not a public authority, it is not a Data Controller, nor does SMART process any special categories[vii] of personal data.

All privacy requests may be directed to:

SMART Technologies ULC
3636 Research Road NW, Calgary, AB T2L 1Y1
Toll free (U.S./Canada): 1-888-427-6278
Outside of North America: +1-403-245-0333
Attention: Legal Department
Web: https://home.smarttech.com/legal/privacy-policy

Who can I contact for further information about SMART’s GDPR compliance?

All privacy requests may be directed to:

SMART Technologies ULC
3636 Research Road NW, Calgary, AB T2L 1Y1
Toll free (U.S./Canada): 1-888-427-6278
Outside of North America: +1-403-245-0333
Attention: Legal Department

Who can I contact for access, record, or deletion requests?

All customer requests may be directed to:

Who can I contact with a complaint about SMART’s GDPR compliance?

If we did not resolve your concerns, you may complain to the Information Commissioner’s Office about the way in which SMART has handled your personal data. You can do so by contacting:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow Cheshire
SK9 5AF
casework@ico.gsi.gov.uk  // 03031 231113

[i] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Chapter 1, Article 1.

[iii] Ibid.

[iv] Art. 33, 42 GDPR Notification of a personal data breach to the supervisory authority

[vii] Art. 9 Processing of special categories of personal data