OAT is the Controller and determines why and how Personal Data is used in relation to the Processing of your Personal Data. The terms “we”, “us” or “our” used in this Policy refer to OAT.
Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the “GDPR”):
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means a natural person whose Personal Data is Processed.
“Personal Data” means any information relating to an identified or identifiable natural person. Examples: name, contact information, email address, birthdate, photographs, nationality, government identification numbers, client/customer numbers. Encrypted information also constitutes Personal Data.
“Process/-ing/-ed” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
This Policy describes the Personal Data that we collect from you, or that you provide and how such Personal Data may be used or disclosed by us.
Please read the following carefully in order to understand our policies and practices regarding your Personal Data and how we will treat it.
Individuals concerned by this Policy
This Policy relates to the collection and use of the Personal Data relating to the following categories of Data Subjects:
- representatives, employees, contact persons or any other related persons of OAT’s suppliers, third party service providers and subcontractors;
- employees, shareholders, investors, directors, board members, signatories, contact persons, representatives, beneficial owners and any other related individuals of existing and prospective clients/customers; and,
- any third party individual on whom OAT may collect and Process Personal Data.
Current clients of OAT are not covered by this Policy. Information on the way OAT Processes Personal Data of clients using the TAO platform can be found at https://www.taotesting.com/about-us/cookie-policy/.
Most of the Personal Data we Process is information that is provided to us by the Data Subjects. However, in some cases, we may Process Personal Data received from a third party with the Data Subjects’ knowledge.
Through this Policy, all Data Subjects whose Personal Data is Processed by OAT are receiving information concerning, among other things, the purpose of the Processing, the disclosure of their Personal Data, the Data Subjects’ rights, etc. prior to the beginning of the Processing.
Personal Data we collect and use about you
We collect several types of information from and about you, including, for example:
- identification data (such as name, family name, date and place of birth, gender, client/customer numbers);
- contact information (such as phone and fax numbers, home and professional address, email address, country of (tax) residence);
- other relevant personal details (nationality, citizenship);
- government identification numbers (social security numbers, tax number, copy of ID card);
- types of services received/provided or of products bought/sold;
- financial and banking information (notably linked to bank account number);
- education related data (such as test results, grades, accommodations); and
- any other Personal Data reasonably related to the conduct of OAT’s business.
Why we collect and use this Personal Data
When you interact with us, we may collect Personal Data from you in order to allow us to provide certain services to you, such as answering your questions or providing marketing information.
You may also directly provide your Personal Data to us through any interaction that you may have with one of OAT’s employees (e.g., when giving a business card, etc.).
We may also collect and use Personal Data if it is provided to us by your employer, your company or a company to which you are otherwise related in the context of an agreement or relationship between us and your employer or such company.
We will Process your Personal Data for the purposes listed below on the basis of one or more of the following:
- the performance of any contractual obligations towards the Data Subjects, including but not limited to, relationship management, managing accounts and providing or receiving products and services;
- for compliance with legal obligations, including but not limited to, compliance with applicable commercial law, as well as compliance with requests from or requirements of regulatory and enforcement authorities; and
- for the purposes of the legitimate interests pursued by us or by a third party that are necessary, for instance, for OAT to carry out its daily activities, for fraud and other criminal activity prevention, payment verification, to implement changes in our corporate structure or ownership, to create statistics and tests, to manage risk, litigation (including disputes and collections), accounting, audits, tax returns, as well as for direct marketing purposes relating to OAT products and services, including the development of commercial offers by OAT aimed at the Data Subject and in accordance with the law applicable to the sending of commercial communications.
- in the case of further processing for a purpose other than those listed above, we undertake to provide you with prior information about this other purpose.
Disclosure of your Personal Data
To achieve the purposes listed above, the Data Subjects’ Personal Data may be transmitted to third parties, in particular another subsidiary of OAT such as Open Assessment Technologies Corp, its commercial partners, third party service providers or other contractors and subcontractors. To meet legal and regulatory obligations, we may also share these Personal Data with public organizations, administrative or legal authorities and supervisory bodies.
Certain third parties mentioned in the preceding paragraph may be located in countries outside the European Union that do not offer a level of protection equivalent to the one granted in the European Union. The Data Subjects are informed that Personal Data transfers to such third parties will, depending on the nature of the transfer, either:
- be covered by appropriate safeguards such as standard contractual clauses approved by the European Commission, in which case the Data Subjects may obtain a copy of such safeguards by contacting OAT (this is the case for transfers of your Personal Data to Open Assessment Technologies Corp which is located in the USA); or
- be authorized under applicable data protection law, as the case may be, as such transfer is consented to by the Data Subjects or is necessary for the performance or execution of a contract concluded in the Data Subjects’ interest or for the establishment, exercise or defense of legal claims or for the performance of a contract between OAT and the Data Subjects.
Personal Data security
We have implemented administrative, technical and physical safeguards to protect your Personal Data from loss, misuse, unauthorized access, disclosure, unauthorized alteration or unlawful destruction. In addition, we require IT and security service providers to put in place appropriate technical and organizational security measures in respect of any of your Personal Data.
You have the following rights regarding the use of your Personal Data by us (subject to applicable exemptions):
- right to access the Personal Data held about you and receive additional information about how it is Processed;
- right to correct any inaccurate and complete any incomplete Personal Data;
- right to delete your Personal Data from our systems, e.g., where the Personal Data is no longer necessary in relation to the specified purposes;
- right to restrict the Processing of your Personal Data in certain circumstances, e.g., where you contest its accuracy or object to its Processing;
- right to receive your Personal Data in an interoperable format, or have it directly transmitted to another organization;
- right to withdraw your consent at any time where you have provided us with your consent to the Processing of Personal Data (in particular regarding the receipt of commercial communications);
- right to object to the Processing of your Personal Data, in certain circumstances and considering other regulatory requirements, in particular where we rely on legitimate interests, including for profiling; and
- right to lodge a complaint with the competent European Union Data Protection Authority (which generally is located in the country in which you are located).
We will respond to individual complaints and questions relating to privacy and will investigate and attempt to resolve all complaints. OAT will only be able to answer favorably to any of the above requests related to the right to oppose, right of erasure and right of restriction provided that doing so does not interfere with or contradict legal obligations of OAT (e.g., a legal obligation to keep the related Personal Data) and that no other impediment justifies OAT being unable to grant such requests.
We undertake to handle each request free of charge and within a reasonable timeframe of 1 month.
These rights may be exercised by contacting OAT at the following email address: firstname.lastname@example.org
Personal Data Retention
For the data necessary for the performance of any contractual obligations, the data will be kept for the duration of the contract. When we collect data for compliance with legal obligations and for the purposes of the legitimate interests pursued by us or by a third party, the data will be kept as long as the law permits it. We keep the Personal Data for the durations mentioned above unless the law forces us to keep it for a longer period of time.