The UK’s data protection framework is changing on 25th May 2018, when the existing Data Protection Act 1998 will be replaced with the European Union General Data Protection Regulation (“GDPR”) (2016/679). Whilst the UK will soon be leaving the EU, the replacement data protection legislation being progressed through Parliament is very closely aligned to the requirements of GDPR.
MyEPAssignments.com (“My EP Assignments”) provides services to its customers, and does not collect any personal information other than login information and student course and lesson numbers. This GDPR statement has been prepared to provide key information about these various personal data processing activities to our customers.
Data Protection by Design and Default
Article 25 of GDPR requires that data processing activities provide data protection by design and default. My EP Assignments has achieved this requirement by ensuring that its application has been designed in accordance with industry practice, using trusted technologies, and has been subject to penetration testing to ensure that vulnerabilities are being properly managed, and configurations remain effective.
My EP Assignments utilizes resilient data centers which are subject to formal ISO27001 certification.
Article 35 of GDPR requires that formal Data Protection Impact Assessments (“DPIA”) are undertaken by organizations where there is a “high risk to the rights or freedoms of natural persons”. My EP Assignments has assessed that there are no high risks to individuals who may use our program.
Legal Basis for Personal Data Processing
Article 6 of GDPR requires that the lawfulness of data processing be advised. My EP Assignments uses “legitimate interests” as the basis for the secure processing and storage of its customer data in order to deliver the My EP Assignments solution to them. This includes the communication of information related to our solution or similar matters. We occasionally communicate with non-customers and will only do so based upon the “explicit consent” which we have been provided with by the data subject, either through a positive confirmation on a web form, or by their communication preferences shared from social media channels. We provide clear methods for data subjects to remove or vary their consent if they wish to do so.
Customer Documented Processing Instructions
Article 28 of GDPR requires that our customers should formally communicate their data processing requirements to My EP Assignments. In the event that a customer does not provide such written instructions to My EP Assignments (a) this omission does not remove their obligation to do so, and (b) My EP Assignments will deliver the software solutions in accordance with its published service definitions and other related materials.
Data Controller and Data Processor
My EP Assignments acts as:
- Data Controller (as per GDPR Article 24) for the (i) personal data relating directly to its customers and necessary for the management, provision and operation of its solution, and (ii) for its own employee management purposes, or
- Data Processor (as per GDPR Article 28) in respect of the personal data which may be loaded into My EP Assignments solution by its customers.
Each customer is responsible for ensuring that they have an appropriate legal basis for processing personal data within My EP Assignments solution and will fully indemnify My EP Assignments in the event of any claim of any sort being brought for not having a valid basis.
Children’s Personal Data
The My EP Assignments solution is not directed towards children under the age of 13. If you learn that a child under the age of 13 has provided their personal information to us without having parental consent, please contact us immediately so that we can take appropriate action. In accordance with Section 5 above, should a My EP Assignments customer select to upload children’s personal data into their deployment of My EP Assignments solution then they will be required to evidence that they have a valid legal basis for doing so.
Sensitive Personal Data
Article 9 of GDPR specifies a set of personal data categories which are considered to be “sensitive”, and which require special consideration by Data Controllers. The solutions provided by My EP Assignments do not knowingly collect or process any sensitive personal data. In accordance with Section 5 above, should a My EP Assignments customer select to upload sensitive personal data into their deployment of My EP Assignments then they will be required to evidence that they have a valid legal basis for doing so.
Data Subject Rights
Articles 16-21 of GDPR provide data subjects with several rights in relation to their personal data, including:
- Right of access by the data subject (Art.15)
- Right to rectification (Art.16,19)
- Right to erasure (Art.17,19)
- Right to restriction of processing (Art.18)
- Right to data portability (Art.20)
- Right to object to processing (Art.21)
Where My EP Assignments is acting as Data Controller (see 4(a) above), then it will receive, validate, record, progress and respond to any such data subject requests received.
Should My EP Assignments be acting as Data Processor (see 4(b) above), then it will advise the applicant of the customer’s details that should be used to make their request. As a responsible Data Processor, My EP Assignments will assist its customers with complying with valid requests.
Should a data subject decide to exercise their rights, they should contact My EP Assignments through firstname.lastname@example.org.
Record Keeping & Breach Reporting
My EP Assignments confirms that it securely retains and manages data which records the use of our solutions, including user credentials. Should a user require assistance with information contained within our data processing records, please contact us.
My EP Assignments will promptly act to notify either the customer or the ICO (as applicable to our role) in the event of a data breach being suspected (as per Article 33), and if acting as Data Controller will also inform affected data subjects (as per Article 34).
Removal of Personal Data
It remains the customer’s responsibility to remove all personal data prior to terminating their service provision with My EP Assignments. Should the customer not do this, then My EP Assignments will securely purge their data at the point when the resources are to be redeployed – but this does not take place instantly and customers are strongly recommended to (a) remove their own personal data beforehand, or (b) contact My EP Assignments if assistance is needed to do this.