ClickView is GDPR Compliant
ClickView is now compliant with the EU General Data Protection Regulation (GDPR) and is supportive of our customers’ own GDPR compliance. ClickView customers can have confidence that ClickView’s handling of personal data meets the GDPR’s security standards.
In particular, in accordance with article 5 of the GDPR, ClickView will ensure that personal data is:
- Processed lawfully on the basis of Legitimate Interests
- Collected only for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Held only for the absolute time necessary and no longer
- Processed in a manner that ensures appropriate security of the personal data
ClickView’s steps to GDPR Compliance
ClickView has undertaken a review and audit of all of our systems and practices in connection with the personal data of our customers and has made the appropriate internal amendments in order to comply with the requirements of the GDPR.
In particular, ClickView have:
- Implemented appropriate documentation with customers and suppliers.
- Confirmed with our suppliers that each supplier itself has taken steps to achieve GDPR compliance.
- Reviewed and continue to monitor organizational access to personal data and measures to ensure compliance, including policies and procedures for staff and other personnel.
- Implemented and made appropriate changes to our security measures in accordance with the GDPR standards.
ClickView and the GDPR – Frequently Asked Questions
This document provides a summary of the new data protection requirements which apply under the GDPR from 25 May 2018 and how the GDPR applies to the services offered by ClickView.
What is the GDPR?
The GDPR is the new European Union Regulation about the protection of personal data and the rights of individuals in relation to their personal data.
When does the GDPR come into effect?
The GDPR takes effect on 25 May 2018.
Who does the GDPR affect?
The GDPR applies to organisations located within the EU and to organisations located outside of the EU if they offer goods or services to individuals in the EU.
ClickView’s GDPR compliance is subject to the personal data that we process and hold for individuals in the EU.
As ClickView have customers in the EU, compliance with the GDPR is irrespective of whether or not the UK retains the GDPR post-Brexit. Our data handling processes for organisations which are located in the UK are GDPR compliant. If the UK government implements new laws equivalent to the GDPR post-Brexit then ClickView will ensure that it will comply with any such laws.
What is personal data under the GDPR?
The GDPR applies to ‘personal data’ which means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What types of personal data does ClickView collect?
The personal data which ClickView collects depends on the type of customer account but typically includes individuals’ contact details such as name, email address, title, student or staff group, and institution name; technical identifiers, including user IDs and IP addresses; and video content and metadata, to the extent they contain personal data.
Our collection and processing of personal data is for the purposes of ClickView’s legitimate interest in the commercial provision of educational services and to the extent necessary for the performance of our services.
What is the difference between a data processor and a data controller?
The GDPR applies to data controllers and data processors. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
In our usual practice, ClickView is the Data Processor and ClickView customers are nominated as Data Controllers.
What are the rights of data subjects?
Data subjects are the individuals who are identified or identifiable by reference to the personal data they provide. Data subjects have the following rights under the GDPR:
- Breach Notification – Notification of a data breach is mandatory where it is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach.
- The right to be informed – Individuals have the right to be informed about the collection and use of their personal data.
- The right to rectification – A right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
- The right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data.
- The right to object – Individuals have the right to object to processing of personal data for direct marketing purposes.
- Right to Access – Data subjects have a right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller must provide a copy of the personal data, free of charge, in an electronic format.
- Right to be Forgotten – The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data Portability – This is the right for a data subject to receive the personal data concerning them which they have previously provided in a commonly used and machine readable format and the right to transmit that data to another controller.
ClickView has implemented and will implement procedures to ensure that it will comply with all data subject rights in accordance with the requirements under the GDPR.
What is ClickView’s legal basis for processing personal data?
The processing of personal data is lawful under the GDPR where one (or more) of the following six grounds has been met:
- Consent – The data subject has given consent to the processing for one or more specific purposes.
- Performance of a Contract – Where the processing is necessary for the performance of a contract or where it is necessary in order to “take steps” at the request of the data subject before entering into a contract.
- Compliance with a Legal Obligation – Where personal data is processed in order to comply with a legal obligation.
- Vital Interests of the Data Subject – Where personal data is processed in order to protect the vital interests of the data subject or another individual.
- Public Interest – Where the processing is necessary for the purpose of performing a task that is in the public interest or in the exercise of official authority vested in the data controller.
- Legitimate Interests – Processing personal data will be lawful where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the processing does not override the fundamental rights and freedoms of the data subject.
ClickView’s legal basis for processing personal data is through the legitimate interest in the commercial provision of educational services.
Does ClickView transfer personal data outside of the European Union?
ClickView currently stores personal data in data centers in Sydney, Australia using Microsoft Azure and Amazon Web Services cloud platforms.
In respect of personal data stored in Sydney, the European Commission’s set of model contractual “Standard Clauses” remains a valid approach to transfers of personal data from the EU to non-EU countries. ClickView has released a Data Processing Addendum that contractually commits us to comply with the EU’s data protection principles. Our ClickView customers can request a copy of this addendum by contacting email@example.com
In respect of personal data stored in the Microsoft Azure and Amazon Web Services cloud platforms, both Amazon and Microsoft provide extensive documentation regarding security practices, certifications and GDPR compliance commitments. GDPR compliance is included in ClickView’s contractual commitments with Microsoft and Amazon. Further information is available online from each party’s trust center resources at:
In addition, customer support teams located in London, United Kingdom and Sydney, Australia may access personal data solely for troubleshooting and maintaining ClickView’s services.
What security measures does ClickView have in place to protect personal data?
ClickView has implemented appropriate security measures to safeguard the confidentiality and integrity of customer data. These include tiered access to the platform, password access which is regularly changed, use of encryption software and recording systems which monitor platform access.
Does ClickView engage any sub-processors?
ClickView currently engages sub-processors to carry out Customer Relationship Management services and analytics services to assist us in the provision of our services. ClickView’s sub-processors are required to comply with our standard data processing addendum for suppliers, which reflects the rights of ClickView customers as data controllers under the GDPR.
Customers may request details about the particular sub-processors used in their deployment and can request that they be notified of changes to those sub-processors and given a chance to object to any changes in the applicable sub-processors.
Can ClickView customers search for their personal data on our systems?
ClickView customers do not have access to search for their personal data on our systems. Only specified ClickView employees are able to access this.
ClickView will comply with all requests to access personal data in accordance with the requirements of the GDPR.
Can ClickView customers delete their personal data from our systems?
ClickView customers cannot directly access our systems and delete the personal data we store. However, they can request that part or all of their personal data that we store on our systems be deleted.
ClickView will comply with all requests to delete personal data in accordance with the requirements of the GDPR.
Can ClickView customers export their personal data from our systems?
ClickView customers cannot directly access our systems to export personal data. However, ClickView customers can request an exported version of all their personal data that we store on our systems.
For security reasons, ClickView will only comply with a request sent by the nominated ‘Key Contact’ (an individual that every ClickView customer nominates when joining ClickView).
Is ClickView maintaining Data Processing Records?
ClickView fully complies with the requirements under the GDPR to maintain records of processing activities carried out on behalf of our customers. This includes the types of processing and any transfers of personal data.
We contractually require our approved sub-processors to comply with the same requirements.
What if ClickView encounters an unauthorised breach of data?
ClickView will immediately report any personal data breach to our customers in full compliance with the GDPR.
Does ClickView have an EU data protection representative?
We have designated our UK entity, ClickView Limited, as our EU data protection representative. The contact information for our EU data protection representative is as follows:
4 Bath Place, London
Phone: 0333 207 6595
We hope you have found this document helpful and informative. For more information about GDPR compliance or our privacy program please contact us at firstname.lastname@example.org
This document is designed to help organisations understand the GDPR in connection with ClickView’s services. However, the information contained in this document should not be construed as legal advice, and organisations should obtain their own legal advice in respect of their own obligations under the GDPR.