GDPR Compliance Statement

The new General Data Protection Regulation (GDPR) brings new responsibilities to both data controllers and data processors who offer services to people within the European Union (EU). 

School Cloud Systems are committed to high standards of data security and privacy. We have taken steps to ensure our services comply with the GDPR as of 25th May 2018.

In this article

Overview

We've always taken data security and data privacy very seriously. We welcome the new GDPR as we believe it clarifies individual privacy rights and brings greater responsibilities onto organisations who control or process data. 

The GDPR brings new regulations on how organisations manage personal data. Personal data is any information which could be used directory or indirectly to identify a person.

How we've prepared for GDPR

  • We've identified the personal data held and collected on our systems and undertaken a review to ensure this is appropriate for the service we offer.
  • We've reviewed how data is removed from the Room Booking System to ensure compliance with the Right to Erasure.
  • We've updated our Terms & Conditions, and Privacy Notice to include appropriate clauses for GDPR which is effective from 25th May 2018.
  • We've introduced a new End-User Privacy Notice which is effective from 25th May 2018.
  • We've coordinated with our suppliers to ensure we have agreements with them which include appropriate clauses for GDPR.

Data held on Room Booking System

We act as data processors for any data held on the Room Booking System by you, your organisation, or end-users of your organisation (such as administrators or users). Personal data includes, but is not limited to: user account data, hirer information (if you opt to input this into the system) and any personal data inputted into custom fields. It is your obligation as the data controller to ensure there is lawful basis for processing. We do not share this data with third-parties, though we may access this data as part of making improvements to our service and providing support to customers when requested.

We also act as data controllers when we create aggregated statistical data which may be derived from personal data, but is not considered personal data in law as it cannot be used directly or indirectly to identify a person.

What personal data we hold

  • Admin Account Data: first name, surname, email address, external ID
  • User Account Data: first name, surname, department, email address, external ID
  • Attendee Data: first name, surname, email address
  • Hirer Information: first name, surname, organisation name, email address, telephone, postal address, postcode

Where data is held

All data held on the Room Booking System is within the European Economic Area (EEA). We do not transfer this this data outside of the EEA.

We host with one of the top managed hosting providers in the United Kingdom. We maintain a rolling three months of backups which are encrypted using AES-256. 

Please click here for a list of sub-processors.

How data is kept secure

We employ appropriate technical and organisational security measures for the types of data we store. Our managed hosting provider, ANS, is ISO 27001 & ISO 9001 accredited and ranks amongst the very best in the industry. They offer physical security such as 24/7 security staff, extensive CCTV covering the building and each aisle, intruder alarms, proximity card readers and perimeter prison fencing. 

We apply the latest patches to our servers keeping your data safe and secure with multiple levels of password protection - the servers themselves and the database each are password protected. Additionally the servers are behind a redundant pair of Cisco hardware firewalls. Annual vulnerability scanning is provided by ANS.

Subject access requests from end-users

As data processors, we are obliged to pass on to you, the organisation, any subject access request by an end-user and not respond directly to the end-user. An end-user could be a user or administrator of the system. We will assist the organisation in responding to any subject access request.

What happens if you stop using the system

This section takes effect as of 25th May 2018

While it's rare for an organisation to stop using the Room Booking System, we only retain personal data for as long as necessary. You can retrieve a copy of all personal data using the export features within the administration panel while the system remains active during your trial period or paid licence period.

We delete personal data 30 days following termination of your licence or after six months of inactivity if you have a trial system. We terminate the licence 60 days after the renewal date if no payment has been received for the renewal.

Features to help comply with GDPR

Permanent user deletion

Administrators with sufficient permissions can delete individual users and other administrators using the administration panel of the system. This permanently removes the user, including any bookings made by the user and anywhere the user was listed as an attendee of another user's booking. Bookings can be transferred to another user, if desired, prior to the deletion by contacting our support team.

Exports for data portability

It's possible to export data added to the Room Booking System to spreadsheets to satisfy data portability. You can export all bookings, including data entered into any custom field, plus export all users and all administrators.

Data held about Organisations

We act as data controllers for any data we collect about customers in order to provide the Room Booking System service and support to your organisation. Customer personal data includes, but is not limited to: technical contact details, finance contact details, phone call details, and the content & attachments of any emails sent to us.

Where data is held

Data is stored on production systems hosted by ANS and in backups hosted by AWS. Please click here for a list of sub-processors.

Transfers of customer personal data

While we're based in the UK, we use suppliers outside the EEA to run our business. Customer personal data (though not end-users such as parents, students or teachers) may be transferred outside the EEA to suppliers who demonstrate sufficient safeguards on data using agreements containing Standard Contractual Clauses.

Where a legal basis of processing applies, we may share your personal information with a third-party processor, FreshDesk, that we engage with to provide you with products and services you required. This third party may need to process your personal information on our behalf to provide such services.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.