The General Data Protection Regulation is to come into effect on 25th May 2018. In short, this legislation will regulate the way that individuals’ data is handled by companies within the European Union. We wrote a post in March to explain some of the important distinctions between TutorCruncher and clients of TutorCruncher, as well as the data relationship between a Data Processor, a Data Controller, and a Data Subject. This previous post also highlights some key terms and the relevant functionality to be made available within the TutorCruncher system to allow users to be compliant with GDPR.
In this post, we would like to demonstrate the key ways in which TutorCruncher allows our clients (companies using TutorCruncher) to act in accordance with the stipulations of GDPR, covering both areas of explicit consent and data erasure (also known as the right to be forgotten).
Please note that as per our terms and conditions, TutorCruncher provides its clients the means to be compliant with GDPR. However, responsibility for operations and use of these tools in compliance with GDPR lies solely with the company.
Additionally, please note that this article’s content in no way constitutes legal advice. If you are looking for legal clarification on GDPR and how your company can comply with incoming legislation, you will need to speak to a lawyer familiar with the GDPR legislation.
- TutorCruncher allows its users to set up their company’s terms and conditions on their account.
- With active terms and conditions, people need to provide explicit consent. Companies are able to monitor who has consented, who has not yet consented, and who has declined terms and conditions.
- Companies are able to permanently erase data, thereby honoring a person’s right to be forgotten.
Explicit consent to terms and conditions
A fundamental part of the GDPR legislation is the importance of gaining explicit consent from your users in order to hold and use their data. TutorCruncher allows you to add your terms and conditions to your account and ensure that users consent to the use of their data in line with your terms and conditions.
To add your terms and conditions to your company account, the designated Data Controller should proceed from within TutorCruncher to System > Settings > Terms and Conditions. From here, you are able to add your company’s terms and conditions to your company account. When you have active terms and conditions on your account, users will be able to consent to them at the point of their account creation in the following ways:
1. A Data Subject’s account is added by an administrator to the system
2. A Data Subject signs up for an account
In case 1, whenever a user is added to the system with their email address, they will receive a Welcome Email. This Welcome Email will by default include a link to a page where users can click ‘I agree’ or ‘I don’t agree’ to your company’s terms and conditions.
In case 2, whenever a user creates an account and logs in for the first time, they will be automatically shown the terms and conditions screen and will need to consent in order to continue.
In both cases, if a user selects ‘I agree’, they will be able to proceed with using the system. Once this has happened, a field on the user’s profile saying ‘Consented to data storage’ will show as ‘Given’.
If a user selects ‘I don’t agree’, then the Data Controller will receive an email indicating that a specific user has not consented to terms and conditions and has therefore requested their data to be deleted (see below re: Data Erasure). Any account which is still active with withdrawn consent will be flagged to the Data Controller, and the ‘Consented to data storage’ field will show ‘Requested data erasure’.
If a user has not yet selected ‘I agree’ or ‘I don’t agree’, the ‘Consented to data storage’ field will show ‘Not yet given’.
Please note that as a Data Controller you will need to ensure that your Welcome Emails are active and include the default link to allow users to consent to your terms and conditions when their data is added to your account.
Recapturing consent to terms and conditions
When adding/editing your terms and conditions via System > Settings > Terms and Conditions, there is a mandatory drop-down which asks you whether or not you require your users to consent again to your terms and conditions.
If you select ‘No’, then the ‘Consented to data storage’ field will remain unchanged on your Data Subjects’ accounts.
If you select ‘Yes’, then all users in your database will receive an automated email asking them to accept your terms and conditions once more. The ‘Consented to data storage’ field will then be set to ‘Not yet given’ until each user actions their consent.
TutorCruncher lets you filter all users by the ‘Consented to data storage’ field so that you can verify who has consented, who has not yet consented, and who has declined to consent.
Please note that it is the responsibility of the Data Controller to ensure they have added their Terms and Conditions to their account in order to gather consent. The ‘Consented to data storage’ field will be hidden on accounts which have not added terms and conditions.
Data Erasure/Right to be forgotten
In the event that a user does not agree to your terms and conditions, you can erase their account from your system. Additionally, when a user is logged in, they are able to request their account be erased by clicking their avatar in the top-right, selecting ‘Account’, and then selecting ‘Request Account Erasure’. Both of these actions will notify the Data Controller of a user’s declined consent/erasure request via email.
When an admin proceeds to a user’s profile and presses ‘Delete’, the user is moved to System > Rubbish Bin. From here, a user can be recovered if it is necessary for the Data Controller to do so. Additionally, the Data Controller has the option to ‘Permanent Delete’ a user, which will irreversibly erase their data. All of the fields on the user’s profile will be erased, and any other links to their data (such as on an invoice or a lesson) will now say ‘Deleted User’.
Please note that the responsibility for Data Erasure lies solely with the Data Controller and not with TutorCruncher. If you are unsure as to whether you need to erase user data in line with a request or a right to be forgotten, you will need to speak to a qualified lawyer.
If you need further information regarding this, you can contact our Data Controller by emailing email@example.com.
Glossary of Terms
Consent - freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data
Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor - the entity that processes data on behalf of the Data Controller
Data Subject - a natural person whose personal data is processed by a controller or processor
Right to be Forgotten - also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data