SMART Technologies ULC General Data Protection Regulation (GDPR) compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework created to protect the personal data of individuals living in the European Union (EU). The GDPR provides guidelines for companies that collect and process the personal information of their EU customers or clients.

GDPR has three objectives [i]:

  1. To provide rules for the protection of natural persons with regard to the processing of their personal data and rules relating to the free movement of personal data.
  2. To protect the fundamental rights and freedoms of natural persons and their right to have their personal data protected.
  3. To ensure the free movement of personal data within the EU is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The GDPR privacy legislation is effective as of 25 May 2018 and replaces the 95/46/EC Directive on Data Protection.

For complete information about GDPR, visit https://ec.europa.eu/info/law/law-topic/data-protection.

Does SMART comply with GDPR?

Yes.

Where is SMART’s Data Processing Addendum (DPA)?

If your company requires a DPA with SMART, click here

Why does SMART need my personal data?

SMART collects, retains, transmits, and processes your personal data to provide products and services to you, which includes sales and marketing activities related to those products and services. When you purchase and install a SMART product, we process your personal data as far as necessary in order to provide these products and services to you.

What data collected by SMART is covered by GDPR?

GDPR applies to the processing of personal data about individuals (meaning natural persons, not companies) in the EU. It does not apply to general company information such as the company’s name, address, or email (for example support@company.com), or any data that has been anonymised so that it cannot uniquely identify a specific individual.

Personal Data covered by GDPR includes:

  • An individual’s legal name
  • An individual’s identification number
  • A home address or telephone number
  • An email address which includes an individual’s legal name, for example: name.surname@company.com
  • An identification card number
  • Location data (for example the location data function on a mobile phone)
  • An Internet Protocol (IP) address or other online identifier
  • Data specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person

Data not covered by GDPR includes:

  • An organisation’s (government, company, school, etc.) information
  • Anonymised data

By design, SMART’s products pseudonymise the majority of a user’s data, and most of the analytics we collect are anonymous.

Who is the Data Controller and Data Processor in our relationship when using SMART’s software?

You, the customer, are the Data Controller. You own your data and you control your data. In all of SMART’s products you, as the customer, determine and control what information to upload, what activities to carry out (create SMART Notebook® files, start a class, invite students, add a quiz or homework), and when to remove such information [ii]. Thus, in this relationship SMART is the Data Processor and we do not own your data; we simply process your data on your behalf so that we can provide the requested services to you [iii].

SMART is, however, the Data Controller in relation to our use of your personal purchase data and any kind of processing for which SMART collects your consent (e.g. opt-in for marketing, promotions, etc.).

How does SMART comply with GDPR as the Data Processor?

As the Data Processor, SMART will respect your rights, which include:

Right to Withdraw Consent and Restrict Processing

At any time you may withdraw your consent for SMART to collect, retain, and process your personal data. If you are a customer, this typically means you will no longer be able to use our products. If you are a user, you must contact the customer who purchased the product from SMART (e.g. your school, your corporation) who will then pass this request on to SMART.

NOTE: Data required for tax and legal reasons will not be affected by withdrawal of consent.

Right to be Informed

SMART will inform you about what information we collect, transmit, and process.

Right of Data Quality, Access, and Rectification

SMART will strive to maintain accurate personal data and will respond to customer requests to access the personal data being processed and to correct any inaccurate or incomplete information within 30 days.

Right of Data Portability

SMART provides customers with the ability to obtain and reuse their personal data (typically self-generated content) for their own purposes.

Right of Data Deletion (‘right to be forgotten’)

SMART will only keep personal data for as long as required to provide the service, or as required for tax and legal reasons. SMART adheres to a document retention policy to ensure this. SMART will respond to customer requests to delete personal data within 30 days.

Right of Data Protection

SMART will ensure that personal data is transferred for its specific purpose and subsequently used only for that purpose. SMART will only transfer personal data outside of the EU to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection or in accordance with adequate contractual security measures such as Standard Data Protection Clauses. SMART uses internal controls to limit access to your personal data by setting access based on job function and role, using the concept of ‘need-to-know’ to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives.

Right of Notification

If SMART becomes aware of a personal data breach, it shall without undue delay, and where feasible, no later than 72 hours after having become aware of it, notify the affected customer and the supervisory authority (if it was for data where SMART was the Data Controller) in accordance with Article 33 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons [iv]. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:

  1. Contact details of the Data Protection Officer or other contact person,
  2. A description of the nature of the breach,
  3. Likely consequences of the breach,
  4. Measures the organisation has taken or proposes to take to address the breach,
  5. Advice on steps data subjects can take to protect themselves, and
  6. The measures SMART has taken or proposes to take to address the breach.

What is my role under GDPR?

Under the GDPR framework, if you are a SMART customer, you are considered the ‘Data Controller’. As the Data Controller, you are responsible for obtaining the appropriate consent from your users before sharing or allowing them to directly share their personal data. SMART does not control what data you or your users decide to share; you do. SMART will only communicate with and take instruction from its customers, not customers' users.

As the Data Controller, you may find guidance related to your GDPR responsibilities by checking the website of your national or lead data protection authority as well as seeking independent legal advice relating to your status and obligations under GDPR.

Does SMART store personal data outside of the EU?

Yes, but like the 95/46/EC Directive on Data Protection, the transfer of personal data outside the EU under GDPR is permitted only to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection. Transfers are also permitted when concluding Model Clauses that adequately protect the data.

The European Commission has so far verified the following non-EU countries as providing adequate data protection [vi]:

  • Andorra
  • Argentina
  • Canada
  • Faroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay
  • United States of America (limited to the EU-US Privacy Shield framework)

Who is SMART’s Data Protection Officer (DPO)?

All privacy and DPO requests may be directed to:

Attention: Melanie Tucker, Data Protection Officer and Legal Analyst

SMART Technologies ULC
Suite 600, 214-11 Ave SW, Calgary, AB T2R 0K1 CANADA 
Toll free (US/Canada): 1-888-427-6278
Outside of North America: +1-403-245-0333
Web: https://www.smarttech.com/legal/privacy-policies.

Who can I contact for access, record, or deletion requests?

All customer requests may be directed to:

Customer support 

Who can I contact with a complaint about SMART’s GDPR compliance?

If we did not resolve your concerns, you may complain to the Information Commissioner’s Office about the way in which SMART has handled your personal data. You can do so by contacting:

First Contact Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow Cheshire
SK9 5AF
casework@ico.gsi.gov.uk // 03031 231113

Last updated: 23 February 2024