Privacy Statement of EXeed - Version December 2018
This privacy statement explains how we handle the personal data that we collect for the performance of our services. We respect your privacy and are committed to protecting and handling your personal data with the greatest care.
1. Who are we?
EXeed™ is a brand name of EXIN. EXIN is a global independent exam and certification institute since 1984, having certified millions of ICT-professionals. EXIN has over 1.000 accredited partners in more than 150 countries worldwide. Under the brand name, EXeed™ EXIN operates an online badging platform (the “EXeed Platform”) which enables organizations (the “Badge Issuers”) to award badges to people who can then store and share those badges by use of their account.
EXIN Holding B.V., established in Utrecht at the Arthur van Schendelstraat 650, the Netherlands, is the data controller and responsible for the processing of all your personal data.
This applies when EXeed receives your personal data from a Badge Issuer and when you visit, use or subscribe to the EXeed Platform.
However, if you make payments via the EXeed Platform then the payment provider (Stripe Payments Europe Ltd.) will be the data controller and responsible for the processing of your payment information. In that case, EXeed does not receive any of your payment information. The payment provider is the first contact point for matters related to the processing of your data, and for more information on the processing of your data, you can contact the payment processor
2. Which data does EXeed collect?
EXeed collects and processes the following personal data:
- Your name, contact information, and badges: If you have been awarded a badge, a Badge Issuer will provide us your personal data, including your name, job title, home address, e-mail address and other contact information, and the badge awarded. The badge will hold information about the award criteria, the Badge Issuer, your name and the date on which the badge has been awarded.
- Log in credentials and personal description: When you subscribe to the EXeed Platform, we will register your log in credentials and your own personal description. When a badge has been issued to you, you will receive a temporary password, which enables you to log on to the EXeed Platforn. You will have to change this password after you log on for the first time. Your password is captured encrypted only and is not legible by us. When you have made your account on the EXeed Platform you are able to create your own personal description. This may include for example your name, job title, job experience and education. Such information will be stored by us.
3. For which purposes will your data be processed?
EXeed collects and uses your personal data:
- To activate and manage your user account and login to the EXeed Platform and to enable you to use related functionalities: Your user data will allow you to log on safely to the EXeed Platform. Once you are logged in, you can easily change your contact information and add your personal description. Through your account, you can also review the badges awarded to you. And finally, you can subscribe and unsubscribe to our newsletter through your account.
- To enable you to share and publish badges awarded to you: Your contact information, badges and personal description will be stored in order to enable you to save, share and publish this information with others. For our own administration. We use your personal data for internal administration purposes, such as record keeping and to comply with our legal and fiscal obligations.
- To provide information and reply to your questions: If you ask us any questions or if we need to provide information to you (e.g. regarding new badges awarded to you), we will use your data to contact you.
- To perform statistical analyses and publish aggregated reports based on these: EXeed performs statistical research on general trends in the use of the EXeed Platform. For this purpose, we use aggregated information only, decoupled from your name and contact details. For these research activities, we have created a separate database in which we combine and subject to research the following data: the number of views of the EXeed Platform and its pages, the number of times a badge has been published and on which media the badges have been published. The research results are reported at an aggregated level and accessible to those persons within EXeed who are authorized to take cognizance of them or may be provided to third parties for scientific research. We use the reports for the evaluation and improvement of our services and to share with (potential and existing) Badge Issuers.
- To send you our newsletter or for personalized offers: Results of statistical analyses will not be used for marketing activities targeted especially at you, unless with your prior consent. Also, we will only use the information you provide to us for sending you special offers or promotions by e-mail that match your competences, level of education and working experience, if you have given us permission to do so. You can unsubscribe from these messages at any time, in which case EXeed will immediately stop sending them. However, we will in such case continue to use your data at an aggregated level for statistical analyses. Read more about this topic under “Statistical Analysis” in Section 3.
4. Legal basis for processing personal data
EXeed processes your personal data to provide our products and services to you, to comply with legal obligations we are subject to, if it is necessary for our legitimate interests or the interests of a third party, or on the basis of consent.
When we process your personal data for our legitimate interests or the interests of a third party, we will take reasonable measures to prevent unwarranted harm to you. Our legitimate interests may, for example, include our interest in improving our products and services. More information on the balancing tests we perform is available upon request. Where we process your personal data for our legitimate interests or the interests of a third party, you have the right to object at any time on grounds relating to your particular situation (please see Section 11 “Your rights” below).
Where we process your personal data on the basis of your consent, you may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent, by adjusting your settings (if available) or by reaching out to us.
Where we process your personal data for a purpose other than that for which we collected it initially (and we rely on a legal basis other than consent or complying with legal obligations for this new purpose), we will ascertain whether processing for this new purpose is compatible with the purpose for which the personal data were initially collected.
5. In which way does EXeed obtain data?
EXeed obtains your personal data in several ways. We receive personal data from the Badge Issuers such as your name, e-mail address and badge information. We also obtain personal information about your use or subscribe to the EXeed Platform, for example when you register for the EXeed Platform or add your own personal description to your account.
Next to that, we obtain information about you by statistical analysis. Data collected by EXeed through the EXeed Platform can be matched with data you have shared with EXeed at another time, for example your personal description.
6. Who has access to your data?
In view of the purposes mentioned above, or in the context of its service provision EXeed may share, pass on or in any other way make accessible your personal data to EXeed group companies, other service providers and third parties for scientific research.
For operating the EXeed Platform, EXeed uses the following service providers:
- Proxsys, located in the Netherlands, for the hosting of the EXeed Platform; and
- Oxagile, located in the US and Belarus, for the development and maintenance of the EXeed Platform.
We have an authorization policy for our systems so that individuals and organizations only have access to your data in so far as this is necessary for the performance of their tasks and within the framework of the purposes mentioned. All these individuals and organizations have agreed to treat your data confidentially and with the greatest care.
Parties that have access to your data may be established in countries that have a milder privacy regime than the Netherlands. If such is the case, EXeed will ensure that appropriate measures are taken and that all statutory rules and regulations are observed. For transfers of personal data outside the European Economic Area, EXeed will use European Commission-approved mechanisms, such as the Privacy Shield certification, and Standard Contractual Clauses as safeguards, such as the “(EU-)controller to (Non-EU/EEA-)controller” Decision 2004/915//EC or the “(EU-controller) to (Non-EU/EEA-)processor” Decision 2010/87/EU (see Article 46 GDPR). If you wish to receive a copy of these safeguards, please contact us.
EXeed shall implement appropriate technical and organizational measures to ensure an appropriate level of security against unlawful use, unauthorized access, alteration or unlawful destruction of your personal data. EXeed has an Information Security Management System based on ISO / IE 27001.
8. Retention Period
EXeed retains your personal data as long as necessary in view of the purposes set out above, or as long as prescribed by law. Based on these purposes, EXeed has determined separate retention periods for different sorts of personal data.
Personal data that has no purpose to be archived will be deleted or anonymized within 6 months (e.g. communication that is not responded to). If you choose to deactivate your account, your badges and other information relevant for certification will be deleted or anonymized promptly, but ultimately within 6 months.
Any account created by EXeed for you, as requested by a Badge Issuer, but not activated by you, will be deleted or anonymized (including any badges related to that account) 1 year after creation.
If you have not logged on to your account for 3 years, EXeed will notify you hereof and ask you whether you still want to use your account. If you have not responded to this notification within the time mentioned therein, your account (including your badges) will be deleted or anonymized.
Personal data that is required for EXeed to comply with EXeed’s legal and fiscal obligations will be kept for 7 years, after which they will be deleted or anonymized.
10. Links to other websites
On the EXeed Platform, you can find several links to websites of third parties. These links can be placed by EXeed or by the users of the EXeed Platform. If you follow these links, you will leave the EXeed Platform. Although all links placed by EXeed have been selected with care, EXeed cannot be held responsible for the use of data by these organizations or links placed by users of the EXeed Platforn. To learn more, read the privacy statement of the website you visit, if available.
11. Your rights
You may contact our Privacy Officer (please see below) to exercise any of the rights you are granted under applicable data protection laws, which includes (1) the right to access your data, (2) to rectify them, (3) to erase them, (4) to restrict the processing of your data, (5) the right to data portability and (6) the right to object to processing.
Right to access
You may ask us whether or not we process any of your personal data and, if so, receive access to that data in the form of a copy. When complying with an access request, we will also provide you with additional information, such as the purposes of the processing, the categories of personal data concerned as well as any other information necessary for you to exercise the essence of this right.
Right to rectification
You have the right to have your data rectified in case of inaccuracy or incompleteness. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement.
Right to erasure
You also have the right to have your personal data erased, which means the deletion of your data by us and, where possible, any other controller to whom your data has previously been made public by us. Erasure of your personal data only finds place in certain cases, prescribed by law and listed under article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data are no longer necessary in relation to the initial purposes for which they were processed as well as situations where they were processed unlawfully. Due to the way we maintain certain services, it may take some time before backup copies are erased.
Right to restriction of processing
You have the right to obtain the restriction of the processing of your personal data, which means that we suspend the processing of your data for a certain period of time. Circumstances that may give rise to this right include situations where the accuracy of your personal data was contested but some time is needed for us to verify their (in)accuracy. This right does not prevent us from continue storing your personal data. We will inform you before the restriction is lifted.
Right to data portability
Your right to data portability entails that you may request us to provide you with your personal data in a structured, commonly used and machine-readable format and to have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller. The EXeed Platform also enables you to export your badges yourself.
Right to object
You also have the right to object to the processing of your personal data, which means you may request us to no longer process your personal data. This only applies in case the ‘legitimate interests’ ground (including profiling) constitutes the legal basis for processing (see Section 4 “Legal basis for processing personal data” above).
At any time and free of charge you can object to direct marketing purposes in case your personal data are processed for such purposes, which includes profiling purposes to the extent that it is related to such direct marketing. In case you exercise this right, we will no longer process your personal data for such purposes.
You may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent.
For example, you may withdraw consent, by clicking the unsubscribe link in the email, adjusting your communication preferences in your account (if available) or by changing your smartphone settings (for mobile push notifications and location data).
To exercise any of the abovementioned rights, please contact us using the contact details stated under Section 13 below.
You can also contact us if you have any questions, remarks or complaints in relation to this privacy statement. However, if you have unresolved concerns you also have the right to complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) located in The Hague, The Netherlands, or, if you live or work in another EU member state, you can lodge a complaint with the supervisory authority of that EU member state.
12. How we look after this policy
13. Contact details
If you have any questions regarding this policy or the processing of your personal data, please contact us:
EXIN Holding B.V.
Attn. Privacy Office
Arthur van Schendelstraat 650
3511 MJ UTRECHT