This Privacy Notice sets out how Purlos uses and protects any information that you give to us.
Who is Purlos?
Purlos is a provider of software and services to the education sector, and is the trading name of My Digital College ltd (registered business number 11287890) . To provide our software and services we collect, store, and process personal data about our customers, potential customers, suppliers, contractors, partners, and staff. We are also contracted to process information on behalf of our customers.
We are committed to ensuring that whenever we handle personal data, we do so in a transparent and reasonable manner, and in line with our legal obligations and the expectations of the individuals affected.
Is Purlos your Data Controller?
In order to answer this question, it is important to understand what a Data Controller is.
A Data Controller is an organisation which has determined that it needs to hold your personal data, exactly what information to collect from you and if there are any instances in which that data will be shared with others.
The Data Controller is responsible for informing you of your rights and giving you access to your data, if you request it.
Because Purlos acts as a Data Controller in some instances, and processes data on behalf of our customers in others, it might not always be clear who the Data Controller is in your case. The table below should help you decide:
|Purlos is your Data Controller if you are…||Your school, college, university or the company you work for is your Data Controller if you are…|
· A member of Purlos staff;
· An individual working for a customer of Purlos, who has been named as a contact for the purposes of the relationship with Purlos;
· An account manager or relationship manager of a supplier of products or services to Purlos;
· A contractor or associate, supplying a service to Purlos or working on behalf of Purlos to deliver its products and services;
· A personal who has consented to receiving products and services communications from Purlos and/or anyone has expressed an interest in Purlos products and services;
· A student or member of staff that has applied to or studies at a further or higher education institution which uses the Purlos ‘Retain’ admission product and/or associated Purlos products;
· A student or member of staff that has applied to or studies at a further or higher education institution, or other organisation which uses Purlos services to host or analyse data;
· A member of staff in an organisation which uses Purlos products to support their admissions process
The Data Protection Officer
Purlos has a designated Data Protection Officer which oversees the activities we undertake to ensure personal data is handed ethically and in line with our legal obligations worldwide.
Any questions about the way in which we collect, hold or process your data can be addressed to our Data Protection Officer at email@example.com. Our Data Protection Officer is David Bartlett.
What is personal data?
Personal data is any information about an individual from which the individual maybe identified. It might be possible to identify the individual through a single, specific identifier, such as a name; or by combining a number of different identifiers, such as job role and team. Some information is considered particularly sensitive because of the serious impact that it might have on the individual concerned, if the data was lost or stolen. This ‘special category’ data includes:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Sex life or sexual orientation;
- Genetic and biometric data (such as your fingerprint).
The personal data we collect
The following categories of personal data may be processed by Purlos:
- Identity Data such as your first name, last name, title, date of birth and gender;
- Contact Data such as your e-mail address, address, and telephone number;
- Financial Data such as bank account details and national insurance number;
- Transaction Data such as details of the software products and services you have obtained from us, purchase order details, and payments made to/from us;
- Education Data such as your educational history and qualifications;
- Technical Data such as your internet protocol (IP) address, login data, operating system and platform;
- Usage Data such as how and when you use our website, performance and other communication data;
- Marketing Data such as your marketing and communication preferences;
- Survey Data such as your comments and opinions provided in response to a survey
In addition, we may collect the following groups of data relating to job applicants, employees and ex-employees:
- Recruitment Data such as details of your employment history, training and skills development, nationality, entitlement to work in the UK, security clearances, criminal record (if your role requires this) and equal opportunities monitoring information.
- Employment Data such as the terms and conditions of your employment, salary, benefits, work patterns, attendance, holidays, sickness, disciplinary or grievance issues, medical or health conditions, disabilities for which Purlosneeds to make reasonable adjustments; and information about your private vehicle, driving licence, MOT and insurance documents if you drive on company business.
- Performance Data such as appraisals, performance reviews and ratings, timesheet information, performance improvement plans and related correspondence;
- Activity Data such as the websites our staff visit while using a Purlos computer or Purlos network, and the activity logs held within Purlos systems and databases;
- Communications Data such as the emails you send or receive via the Purlos email system;
- Emergency Contacts Data includes information about your marital status, next of kin, dependants, and personal and emergency contacts details to be used in the event of an emergency
We also collect, use and share Aggregated Data such as statistical or demographic data for business purposes. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
How we use your data
Your personal data is used by Purlos to support a range of different activities in our business. These are listed in the table below together with the types of data used and the legal bases upon which we are entitled to processing them, including where appropriate, our legitimate interests.
We are required to inform you of the legal basis for collecting and processing your personal information, where we are the Data Controller. These include:
- Performance of contract:In most cases, we will have a contract with you to either provide a product or service to you, or to receive something from you.
Examples are: employment contracts; associate contracts; Software and Services Agreements for the provision of our products and services; and procurement contracts.
We are also acting under the performance of contract if we collect or process your information for the purposes of entering into a contract, if you have expressed an interest in working with us.
- Legitimate interests: We may have a legitimate interest in processing certain personal data, which does not relate to the performance of a contract agreed with you. If we rely on our legitimate interests to justify processing your data, we will have conducted an assessment to evaluate the fairness of this; and will only undertake the processing if it is reasonable to do so and will not cause undue risk to you.
- Consent: Where we do not have a contract with you but would like to be able to contact you about our products and services, we will seek your consent to retain your contact details for that purpose. You have the right to withdraw your consent at any time.
- Legal obligation: We may be legally obliged to process certain information about you, for example to protect employee safety while travelling on Purlos business. In some cases, we are obliged to share personal information with third parties.
Table: How we use your data
|Purpose / Activity||Category of Data||Lawful Basis (including basis for legitimate interest)|
|To create an account and register you as a new customer|
|· Performance of a contract with you|
|To process and deliver your order including: recording your order details; keeping you informed about the order status; processing payments and refunds, collecting money owed to us; and assisting fraud prevention and detection.|
· Performance of a contract with you
· Necessary for our legitimate interests (e.g. to recover debts due to us)
|To manage our relationship with you, including: providing you with any information, products and services that you request from us; notifying you about changes to our products, services, events, terms and conditions or privacy notice|
· Performance of a contract with you
· Necessary for our legitimate interests (to keep our records updated and to analyse how customers use our products and services)
|To use data analytics to: improve our website, products, services, marketing, customer relationships and experiences; and for market research, statistical and survey purposes.|
|· Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)|
|To register you for email updates, and recommend products and services and events that may be of interest to you|
|To gather your opinions on our products and services, or on your educational experiences.|
|To select the right people into our business, and manage their employment with us, including job role and responsibilities, salary payments, progression, training, performance management, and disciplinary or grievance procedures.|
|· Performance of a contract with you|
To arrange travel for you on Purlos business and making appropriate safety arrangements for this, including monitoring your travel.
To advise you during any emergency affecting Purlos employees or offices.
· Emergency contact
· Performance of a contract with you
· Necessary to comply with a legal obligation
|To protect the security of commercial and personal sensitive information in our care by securing and monitoring activity within our network, internet and email.|
|· Necessary for our legitimate interests (protecting the data entrusted to us by customers and commercially sensitive information about our business)|
Our use of analytics and targeting advertising
We use a range of analytics and targeted advertising tools to deliver relevant website content and information to you. For example, we use tools such as Google Analytics to target and improve our marketing campaigns, marketing strategies and Website content. We may also use tools provided by other third parties to perform similar tasks. You can opt-out of the Google Display Advertising Features using Ad Settings or the Google Analytics opt-out browser add on. In addition, the Digital Advertising Alliance (which includes companies such as Google and Facebook) provides a tool called WebChoices that can perform a quick scan of your computer or mobile devices and adjust your browser preferences accordingly.
Where is my data processed and stored?
Our data is all stored in the EEA. We will never transfer your data outside of the EEA if you are a client form that area. When transferring data across borders, we ensure that appropriate safeguards are in place which are compliant with the high standards set by the EU General Data Protection Regulation. These apply to all internal and external transfers.
Currently our data is held within Salesforce data centres all within the UK. More details can be found on their compliance website which all complies with ICO standards. They have a 32-bit encrypted data service for any data being stored on their servers. The Salesforce Services use, or enable customers to use, industry accepted encryption products to protect customer data and communications during transmissions between a customer’s network and the Salesforce Services, including through Transport Layer Encryption (TLS) leveraging 2048-bit RSA server certificates.
Your data belongs to you; and your rights as the owner of your data are enforced by data protection legislation around the world. A brief summary of your rights is presented below:
- Access your data: You can access the information Purlos holds on you at any time, by making a Data Subject Access Request. The more specific you can be about what you want to know, the better. We will need to confirm your identity before we release information to you.
- Rectify your data: You can ask us to correct any information we hold about you that is inaccurate.
- Request erasure: You have the right to ‘be forgotten’, in certain circumstances. This right does not apply if it would prevent the performance of a contract with you, or if there is another legal requirement for us to retain your data. If erasure is not possible, you may be able to ask us to restrict processing.
- Request the restriction of processing of your data: You may ask us to suspend the processing your data under certain circumstances, for example pending a review of the accuracy of the data, or you have objected to our use of the data and we need to establish whether we may lawfully continue processing it.
- Request the transfer of your data: In some cases, you can ask us to transfer the data you originally provided to us to yourself or to another company. This only applies to information you provided directly, or that we observed about you through automated means.
- Object to the processing of your data: You can object to our processing of your data for direct marketing purposes, or on the basis of our legitimate interests (defined above). In some cases, we may have compelling legitimate grounds to process your data which override your rights and freedoms.
- Object to automated decision-making: You can also object to the processing of your personal information where profiling is being used to make assumptions about your behaviours or preferences; for example, to target marketing communications. You have the right not to be subject to automated decision-making and can require that any such decisions are reviewed by a human.
- You can lodge a complaint with the Supervisory Authority: If your data is being handled in a way that breaches data protection legislation, you can lodge a complaint with us at firstname.lastname@example.org. You also have the right to complain to the relevant Supervisory Authority. In the UK this is the Information Commissioner’s Office.
How to contact us
We take the handling of your personal data very seriously.
If you have any questions or concerns about the way in which we collect, hold or process your data, or simply wish to exercise your rights please contact us directly. The address for our Data Protection Officer is email@example.com.