DIGITAL PLATFORM SECURITY POLICY

ENTITY RESPONSIBLE FOR THE PROCESSING

The entity responsible for processing the user’s academic and professional data of a personal nature will be:

-     In the case of private and concertado schools, the educational centre or school to which the student or teacher employed by the same belongs.

-     In the case of state primary and secondary schools, the education department of the Autonomous Community where the educational centre is located.

For this reason, the centre will fulfil the legal obligations set out in the data protection regulations which include, among others, duties of data processing and authentication as well as attending to users’ rights. Santillana will assist the data processing officer in compliance with the data protection regulations.

SANTILLANA: IN CHARGE OF THE PROCESSING

The data of an academic and professional nature of a user, which the latter provides in the course of undertaking activity in the applications (hereinafter, Application) owned by Sanoma Educación S.L.U (hereinafter, Santillana) will be processed by Santillana as the entity responsible for processing with the sole end of managing the operability, accessibility and usability of the Application. Any educational centre that may have purchased the licence for an individual user to use the Application possesses the status of entity responsible for processing. This interpretation is consistent with the judgement set out by the Spanish Data Protection Agency in its Guide for educational centres.

By virtue of this status of being in charge of processing with regard to the processing of teaching staff and student data, Santillana meets the requirements set out in article 28 of Regulation (EU) 2016/679 of the European Parliament and Council, dated 27 April 2016 (henceforth, GDPR). Consequently, Santillana Educación accepts, among others, the following obligations:

-     Accessing the data solely when it is essential for the proper operation of the Application.

-     Processing the data in accordance with the instructions it receives from the user to manage the Application and not to assign, apply or use the data for other ends.

-     In the event that Santillana realises that one or other of the educational centre’s instructions infringes the data protection regulations, Santillana will inform the educational centre, which will be responsible for assessing whether the instruction infringes the data protection regulations and for taking the appropriate decisions.

-     Ensuring that the people authorised to process the data have undertaken to respect confidentiality. This confidentiality obligation shall have an indefinite nature.

-     Not disclosing, transferring, yielding or in any other way conveying users’ data of a personal nature whether verbally or in writing, by electronic means, on paper or by means of computer access, even for the purposes of their preservation, to any third party, unless there is prior authorisation or instruction on the part of the entity responsible for processing.

-     Subcontracting to a third party only the functions, tasks and/or responsibilities stemming from the processing of personal data relating to the storage of the content generated, provided or entered into the Application.

-     Transferring to the educational centre as quickly as possible any request to exercise data protection rights submitted by an affected party whose data have been processed by Santillana for the purpose of carrying out its functions.

-     Supporting the educational centre in drawing up impact assessments relating to data protection and carrying out prior consultations of the oversight authority, when appropriate.

-     Making available to the educational centre all the information required to show compliance with its obligations, as well as for the performance of audits and inspections carried out by the user or other auditor authorised by the former.

-     Santillana has voluntarily assigned a Data Protection Officer whose email address is dpo.spain@sanoma.com.

-     In the event that Santillana is obliged to transfer or permit access to personal data under the responsibility of the educational centre to a third party by virtue of EU law or the applicable law of one of its member states, it will notify the user of this legal requirement beforehand, unless it is prohibited from doing so for reasons of public interest.

-     Once the usage licences purchased by the educational centre have expired, any data of a personal nature that users have provided in undertaking their activity in the Application will be returned to the former, Santillana not retaining any copy of them whatsoever. To this end, Santillana will grant users a period of fifteen (15) calendar days from the expiry of the licence, so that users may remove all the data belonging to them that are of interest to them. Once this period has elapsed, or if return of the data proves impossible, Santillana will embark on the total destruction or deletion of the same and of their storage media.

1.       THIRD PARTIES

The educational centre authorises Santillana to subcontract some functions, tasks and/or responsibilities stemming from data processing to third parties such as other entities in the Sanoma group for the management or maintenance of the platform or Amazon Web Services for the storage of data and content generated, provided or entered into the Platform.

The subcontractors will have the status of subsidiary entities in charge of processing and will equally be obliged to comply with the obligations of the entity in charge of processing and the instructions given by the responsible entity. Santillana will remain fully responsible to the educational centre with regard to fulfilling the obligations. 

2.       SECURITY

Security measures. Santillana adopts and applies the appropriate technical and organisational measures to ensure a level of security that prevents the alteration, loss and non-authorised processing of, and access to, the data, taking into account the state of technology, the nature of the data being stored and the risks to which they are subjected, in accordance with the provisions of article 32 of the GDPR.

In the event of a security breach affecting the personal data in the computer systems used by Santillana for the delivery of services via the Application, Santillana must notify the educational centre, without undue delay and in any event within a maximum period of 48 hours, of any breach of the personal data in its charge of which it becomes aware, together with all the relevant information for the documentation of the incident in accordance with the provisions of article 33.3 of the GDPR.

Password.

The user and the education centre are responsible for the truth, exactitude and up-to-date nature of the information provided via the Application; in this context, the use of false identities and the appropriation, in any way, of the identity of third parties (including the use of data, passwords and codes) is prohibited.

In the event that Santillana provides a user name, code or password enabling access to the Application, the user undertakes to store them with due care.

In the event of password loss, please follow the restoration procedure established on the Platform (for example, using the security question or using the email address submitted upon registration). If the problem persists, please contact your teacher or Santillana sales representative.

3.       PROTECTION OF STUDENTS’ DATA

As the Spanish Data Protection Agency sets out in its Guide for Educational Centres, the centres do not need the consent of the data owners for the processing of such data provided that it is justified in the discharge of educational duties and in the enrolment of students. In this same context, publishers will have justification for processing personal data provided that they are not processed for purposes other than those envisaged in the service licence.

In any event, we recommend the presence and supervision of students’ parents/guardians during the process of account activation (with greater emphasis on those aged under 14).

The data provided by students in registering and undertaking their activity in the Application will not be added to files under the responsibility of Santillana, being processed solely as the entity in charge of processing for the management of the Application. The educational centre that has purchased the licence for each individual user for use of the Application holds the status of entity responsible for processing.

For more information regarding the processing of your data, check with your pertinent educational centre.

4.       PROTECTION OF TEACHERS’ DATA

Teaching staff who use our platforms will be able to use their Evocación and/or access licence credentials for the platform in question.

In the event that teachers decide to activate their account using their Evocación credentials, they may verify the terms and conditions of processing here.

5.       RIGHTS

Santillana, as the entity in charge of processing, will forward to the educational centre as quickly as possible any request to exercise rights in the field of data protection that teachers or students submit to us using the email address dpo.spain@sanoma.com.