With the incoming GDPR legislation on 25th May 2018, TutorCruncher is making changes to the way we handle data and clarifying our terms and conditions. This covers both how we, as a company (Data Controller), handle our clients' data compliantly, and how we, as a service provider (Data Processor), give the tutoring companies that use us the means to be compliant with their own users. These distinctions are outlined in detail below.
Please note that this article’s content in no way constitutes legal advice. If you are looking for legal clarification on GDPR and how your company can comply with incoming legislation, you will need to speak to a qualified lawyer.
TutorCruncher and its clients
We provide primarily B2B services, so our clients are typically companies. Many of our clients are not Data Subjects, as they are companies/corporations; however, the information we hold could be used to identify a Natural Person. In this instance, TutorCruncher is a Data Controller. If a company signs up for a free trial of TutorCruncher, they will be explicitly consenting to our use of the data they submit to effectively provide our services. This applies identically to a tutoring company making an enquiry. This consent means we will continue to use this data in accordance with our terms and conditions in order to continue providing our service, whilst respecting its privacy and integrity. We will share data with our 3rd party Data Processors in line with our terms and conditions. We reserve the right to re-market to potential customers.
When a company wants to begin paying for TutorCruncher, they will have to provide explicit consent to the terms and conditions of our billing in order to proceed. All of these terms and conditions are viewable via our website.
If a client of TutorCruncher wishes to invoke their Right to be Forgotten, we have the ability to permanently delete any data stored in our system. We lay out in our terms and conditions the basis on which we reserve the right to keep data if it is directly relevant to our ongoing operations. We have Customers who have returned to use TutorCruncher after a 5-year period of non-interaction; we will therefore hold data about leads for up to 5 years.
Companies using TutorCruncher and their clients
TutorCruncher provides services to companies who in turn work with their own users and have their own accounts to manage this data. In this instance, TutorCruncher is a Data Processor, the company managing an account with TutorCruncher is a Data Controller, and the user of the company's services (such as tutors and clients) is a Data Subject. The upstream providers with which we work (Heroku, AWS, Mandrill, and others) are also Data Processors.
An example of the relevant GDPR terminology in practice
Tutoring Companies using TutorCruncher, as they are Data Controllers, can capture explicit consent from their Customers to use their data on their company account. Whenever a user is added to a company account, they will be asked to review the Data Controller’s terms and conditions before proceeding. These terms and conditions will be readily available to customers to download via the company account before, during, and after sign up. TutorCruncher, as a part of its service, will add an interface by which terms and conditions can be uploaded by the Data Controller.
Additionally, when a user makes a payment or saves their card details via TutorCruncher's card payment system, they will have to confirm agreement to the Data Controller's terms and conditions in order to complete the transaction. If you are a company that processes card payments through TutorCruncher, you are required to complete a Self-Assessment Questionnaire (SAQ) to make sure you are PCI compliant. Our card payment provider, Stripe, has already created a prefilled version of it for you to download. Simply log into your Stripe account, go to https://dashboard.stripe.com/account/compliance and download the form there.
If someone wishes to invoke their Right to be Forgotten, the Controller will be able to use functionality provided by the Processor in order to delete all relevant data. The responsibility and decision to enforce this right lies solely with the Controller, i.e. the company.
If you need further information regarding this, you can contact our data controller by emailing firstname.lastname@example.org. Click here to read Part 2 of our GDPR series.
Glossary of Terms
Consent - freely given, specific, informed and explicit consent, by statement or action, signifying the data subject's agreement to the processing of their personal data
Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data
Data Processor - the entity that processes data on behalf of the Data Controller
Data Subject - a natural person whose personal data is processed by a controller or processor
Right to be Forgotten - also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data