Online Partner

Appendix

Instructions for handling personal data

2019-06-18

In addition to what is already stated in this agreement, the Personal Data Assistant must also follow the instructions below:

Personal data processing

Purpose The system itself is for a secure test situation, to perform tests digitally but make cheating impossible by surfing the web and the like.
Categories of personal data The following categories may appear in the processing of personal data.

  1. Personal data attributable to the Personal Data Controller’s staff, mainly contact information;

Name, surname,

Email Address,

Group membership

  1. Personal data attributable to the Personal Data Controller’s students, mainly contact information; and

Name, surname

Email address

Group membership

Categories of registered The categories of registrants include the Personal Data Controller:

  1. Staff;

Employees

  1. Individuals;

Pupils

Special safety requirements The personal data assistant and possibly assistants shall take technical, administrative and organizational measures to ensure a level of safety appropriate to the risk, including;

  1. the ability to continuously ensure the confidentiality, integrity, availability and resilience of the information system and e-services,
  2. the ability to restore availability and access to personal data within a reasonable time in the event of a physical or technical incident; and
  3. a procedure for regularly testing, examining and evaluating the effectiveness of the technical and organizational measures to ensure the safety of treatment.
Logs The Personal Data Assistant and Sub-Assistants shall be responsible for,

  1. the documentation of the access (logs) shows the measures that have been taken with information about a registered person,
  2. the logs indicate at which unit the measures were taken,
  3. the logs indicate the time at which the measures were taken,
  4. the identity of the user and the data subject is stated in the logs,
  5. systematic and recurring random checks of the logs are made, and
  6. checks of the logs are documented.
Transfer of personal data to third countries As part of the Personal Assistant’s performance of the services delivered in accordance with the Service Agreement, deidentified personal data related to support matters and personal data in the form of contact information such as name, telephone number and e-mail address attributable to the Personal Data Officer’s staff may be transferred to the Personal Assistant’s subcontractor.

(Any assistant in the United States must be affiliated with the Privacy Shield.)

Thinning time The person responsible for personal data shall determine the thinning times (number of years) for personal data. The thinning times for the ChromEx system are 2 years.
Convenient handling Personal data may be processed by the Personal Data Assistant if required to provide the services in accordance with the Service Agreement.

This may, from time to time, include, for example:

  1. Establish remote access to the Personal Data Controller’s system to investigate and remedy technical problems; and
  2. Process support matters, calls and other support requests from the Personal Data Controller.

ANNEX 2

List of assistants

On the web resource https://www.chromex.io/en/privacy there is always an updated list of current assistants and a detailed description of the treatment performed when using ChromEx.