DuoTrainin Privacy Notice

Last update: 26 February 2018

DuoTesting s.r.o. (LLC) trading under the brand name DuoTrainin – Your Learning Organisation, hereafter referred to as ‘DuoTrainin’, controls personal data within the scope of the services that we provide, supported by its marketing activities.

In our responsibility of Data Controller, DuoTrainin ensures that data subjects’ rights according to the GDPR are observed.

What this privacy policy covers
This policy covers how DuoTrainin treats personal data that we collect, receive and control, including data related to past use of DuoTrainin products and services.

Personal data is data about you that is personally identifiable like your first and last name, address, email address, or phone number, and that is not otherwise publicly available.

Lawful base

DuoTrainin uses the lawful base of CONSENT for the controlling of personal data.

How we collect personal data
We collect and control personal data in several different ways. For example, we might ask for your personal details when you sign up to one of our online products or services. Or we register your contact information when you write to or call us to make a purchase or ask for a service. In addition, when you ask to be included in an email mailing list to be made aware of a new DuoTrainin product or service, sign up for DuoTrainin Internet service packages, we collect and store the data you provide with our data processors DigitalOcean, WP Engine and SendGrid  (see paragraph ‘Data Processors’).

To make our web services easier to use and save time; some areas of the DuoTrainin website may allow you to create a "DuoTrainin ID" using your personal data. Next time you order something from DuoTrainin or register a new product (or for organisations: register a new user), you can simply enter your email address and password—the system will automatically locate the remaining data required.

On our knowledge website YourLearningOrganisation we control an individual’s email address when an individual subscribes him/herself to our blog feed. We also control First Name, Last Name and email addresses of individuals for marketing purposes. Sources for this data are social media marketing channels such as Linkedin, Twitter and Facebook.

When you browse DuoTrainin's website, you are able to do so anonymously. Generally, we don't collect personal information when you browse — not even your email address. Your browser, however, does automatically tell us the type of computer and operating system you are using.

Cookies
Cookies are pieces of information that a website sends to your computer while you are viewing the website. These pieces of information allow the website to remember important information that will make your use of that website more useful. DuoTrainin uses cookies for a variety of purposes. For instance, DuoTrainin uses cookies to remember and process the items in your shopping cart. You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. If you turn cookies off, you will not have access to many DuoTrainin features that enhance your browsing experience.

How we control personal data

We control personal data to keep people up to date about the latest product launches, software updates, special offers, and other useful information, which may be of interest. This may sometimes include information from other technology companies about products and services that can add value to your DuoTrainin products. Occasionally, we may also use personal data to contact you to take part in market research surveys, so that we can measure customer satisfaction and develop better products and services.

DuoTrainin has other cooperating partners in various countries, with whom your personal information may be shared. For example, we give postal or freight companies this information so they can deliver your products efficiently. The information they receive is for shipping and delivery purposes only. All our partners have been instructed to comply with our Privacy Policy & Privacy Notice.

At times we may be required by law or legal process to disclose your personal information. In cases when disclosure is necessary for the public interest, we may respond positively as well.

Data retention

For the DuoTrainin system, the retention period of the data is equal to the period an individual wants to make use of our services. When an individual informs us that he/she no longer wants to make use of our services, or when an individual is removed from our system by his/her employer, or by any other organisation that (originally) added the individual, the personal data of this individual is removed from our system within a fortnight.

For YourLearningOrganisation, an individual can unsubscribe him/herself by clicking the appropriate link in the email received in case he/she no longer wants to receive any post updates or newsletter. The removal of his/her personal data is instant.

Access to your personal data

There are many ways that you can help to protect the security of your information as well. For instance, never give out your password, as this is what is used to access all of your account information. Also remember to sign out of your account and close your browser window when you finish surfing the internet, so that other people using the same computer won't have access to your information.
You always have access to the information we have about you. If you would like to review personal data that DuoTrainin may have about you, please email us at support@duotrainin.com.

Right to be forgotten

Any individual has the right to object, or to withdraw consent at any time and can send us his/her request to this effect in text form (e.g. by email). We respond to such a request within a fortnight.

Data Protection Officer (“DPO”)

DuoTrainin confirms that it has appointed a DPO within the meaning of the GDPR, and undertakes to identify the DPO upon request in text form (e.g. by email).

Data Protection Impact Assessment (“DPIA”)

We have executed a DPIA, which is reviewed by means of an information audit at least every six months, or sooner when we add services or make any other significant change to which, and the way in, we collect, receive and control personal data. This includes a potential change in the lawful base we use to control personal data.

Data security

DuoTrainin is bound by data secrecy, i.e. any persons employed by DuoTrainin in the processing of data on DuoTrainin’s behalf shall commit themselves to confidentiality and not process the data without authorisation.

Company wide awareness
To make sure your personal information remains confidential, we make sure that every DuoTrainin  co-worker is aware of, and follows the DuoTrainin privacy guidelines, based on our DPIA and as recorded in this Privacy Notice. All DuoTrainin co-workers are obliged to follow our GDPR Awareness course.

Data breach

In case of a data breach, defined in the GDPR as ‘The destruction, loss, alteration, unauthorised disclosure of, or access to people's data’, DuoTrainin will report it within 72 hours after having found out about it to the local country data regulator and to the people it impacts in case the breach could have a detrimental impact on those who the data is about.

Children

DuoTrainin does not knowingly solicit personal information from children or send them requests for personal information.

Data processors

Our data processors are:

●        For DuoTrainin: Digital Ocean, 1875 S Grant Street, Suite 530, San Mateo, CA 94402, USA. Data centre Frankfurt https://www.digitalocean.com/

●        For YourLearningOrganisation.com: WP Engine, Irongate House, 22-30 Duke's Place
London, EC3A 7LP, United Kingdom. Tel: +44 (0) 20 3770 9704 https://wpengine.com

●    For system email and email marketing purposes: SendGrid, 1801 California Street, 1801 California St, Denver, CO 80202, USA www.sendgrid.com

The personal data is stored either in Frankfurt, Germany by Digital Ocean (for DuoTrainin.com) or in London, United Kingdom by WP Engine (for YourLearningOrganisation.com). and SendGrid (for system email and email marketing purposes).

The personal data for DuoTrainin.com processed by DigitalOcean is subject to the ‘Agreement on the processing of personal data (Controller-Processor Agreement) complementing the Terms of Service Agreement on cloud infrastructure services between DuoTesting s.r.o. and DigitalOcean, LLC ("Main Contract")’ of March 6, 2017, signed by DuoTrainin on January 15, 2018.

The personal data for YourLearningOrganisation.com is subject to WP Engine’s privacy policy: https://wpengine.com/legal/privacy/ and Acceptable Use Policy: https://wpengine.co.uk/legal/aup/

WP Engine provides safeguards under the Privacy Shield Framework:

‘We (and our subsidiary companies WP Engine (UK) Limited and WP Engine Ireland Limited) participate in and have certified our compliance with the EU – U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Frameworks, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.’

On January 15, 2018, WP Engine have confirmed to us in writing that they are ‘actively working on issues surrounding GDPR and how our business will operate after the May deadline. We will, of course, be compliant with these regulations by the time that deadline passes.’

The personal data for system email and email marketing purposes is subject to SendGrid’s privacy policy: https://sendgrid.com/policies/privacy/

On 23 February 2018, SendGrid have confirmed in writing:

SendGrid will be GDPR compliant by May, 25, 2018 [DT: this is the date the EU GDPR comes into effect]. Please note that SendGrid does not – and does not currently have plans to – use servers or data centers in the European Union to process email. Thus, SendGrid cannot restrict data to the EU. However, neither current EU law nor the GDPR require this. Instead, what is required is that SendGrid must provide "appropriate safeguards" for data that it hosts and processes on its US servers (see Art 46 of the GDPR here). SendGrid offers a Data Processing Addendum (DPA) to provide such adequate safeguards, which includes provisions for when GDPR goes into effect.’

On 26 February 2018 we have signed the aforementioned Data Processing Addendum (DPA) to ensure that adequate safeguards are applicable to the personal data processed by SendGrid on behalf of DuoTrainin.