European Union and European Economic Area Resident Privacy Notice
Examity may receive, maintain, or transmit personal information (“PI”) (as defined below) in its course of business.
PI includes, but is not limited to, an educational institution’s name, student’s name, the name of the student’s parent or other family members, the address of the student or student’s family, personal identifier such as the student number or biometric record, other indirect identifiers, such as student’s date of birth, other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty, or information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates, as well as other personally identifiable information about other customers or employees, including, but not limited to, driver’s license number or state-issued identification card number, financial account number, credit card number, or debit card number with or without any required security code, that would permit access to an individual’s financial account.
Examity informs individuals about the purpose for which it collects and uses information about them, how to contact the organization with inquiries or complaints, the choices and means Examity offers individuals for limiting its use and disclosure, and how it is secured. This Notice is provided in a clear and conspicuous language when individuals are first asked to provide personal information while creating their profiles.
Examity does not intend to disclose customer’s personal information with a third party or use the collected information for a purpose that is incompatible with the purpose(s) for which this information was originally collected. If Examity wishes to disclose personal information collected to a third party, appropriate notice and choice will be issued to the individuals for whom the personal information pertains to.
Examity understands the need for security of personal data and has taken adequate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Examity uses an SSAE-certified datacenter that adheres to the EU-US Privacy Shield Framework to manage and process data for its daily operations. Additional information on Examity’s security handling is available in Examity’s security policy, which can be obtained by contacting Examity.
4. Data Integrity
5. Access, Correction, and Deletion
Examity ensures that individuals have access to the personal data they have provided to Examity. Individuals will be able to correct, amend, or delete that information, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, where the rights of persons other than the individual would be violated, or as otherwise permitted by the GDPR. Examity employs role-based permissions to ensure adequate access and security is provided to the stored personal information.
6. Onward Transfer
Examity is responsible for taking all reasonable steps to protect data transferred to third parties. Examity requires such third parties to enter into contracts ensuring that your data is only processed for the limited and specified purposes consistent with your authorization. We require that the third-party recipients provide the same level of protection as reflected in the EU-US Privacy Shield principles as well as the GDPR and will take all reasonable and appropriate steps to ensure that the third-party recipient effectively processes the personal information. Upon request, we will provide a summary or a representative copy of the relevant privacy provisions of our contract with the third-party recipient.
Examity provides recourse mechanisms to individuals to assure compliance with the EU-US Privacy Shield Framework. Examity’s internal recourse and dispute resolution mechanism is comprehensive and provides a readily available, affordable and transparent way to address privacy concerns of individuals. Examity acknowledges the possibility, under certain conditions, for individuals to invoke binding arbitration.
Individuals with concerns or complaints regarding their privacy can reach out to our support team via phone, email and chat.
8. Dispute Resolution Mechanism
Examity is subject to the investigatory and enforcement powers of the Federal Trade Commission and will cooperate with the European Data Protection Authorities (“DPAs”) to avail dispute resolution mechanisms for individuals to whom the data relates. Examity shall cooperate with the DPAs in the investigation and resolution of complaints brought under the EU-US Privacy Shield Framework and will comply with any advice given by the DPAs where the DPAs take the view that Examity needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles.
Examity’s privacy policies and procedures shall be documented, reviewed yearly, and updated as necessary in response to environmental or operational changes affecting privacy of Examity’s PI. The yearly review of documentation will be handled by the CTO’s office and duly signed off by senior management. In addition to the internal review, Examity shall establish its security training to comply with the EU-US Privacy Shield Framework. All employees of Examity receive a copy of Examity’s data security policies and procedures during the onboarding process and are expected to read and fully comply with these policies and procedures when performing their job duties.
10. Privacy Shield and GDPR Contact Point
The Chief Technology Officer of Examity shall serve as the contact point for Privacy Shield and GDPR-related information requests, assessment and discussions.