GDPR: A roadmap to successful compliance

On May 25, 2018, the European privacy law, the General Data Protection Regulation
(GDPR), comes into effect. The GDPR imposes new rules on companies, government
agencies, non-profits and other organizations that process personal data of EU
citizens or operate within the EU. This means that the GDPR applies no matter where
you are located.
We at PeopleCert believe that the GDPR is an important step forward in clarifying
and enabling individual privacy rights, and a great opportunity to make our business
more efficient by making the information we hold more accurate and reliable. We are
committed to GDPR compliance across our network when enforcement begins on
May 25, 2018.
To this effect, PeopleCert has enhanced its processes to meet the new compliance
requirements under the GDPR as either a Data Controller or Data Processor
providing certification and examination services on its own behalf or on behalf of an
owner of examination content (“Data Controller”, “Data Processor”, and other key
terms are defined in Section A below).
Among other compliance measures, we use contractual obligations to enforce
compliance with all applicable data protection laws throughout our network, and
appropriate technical and organizational measures to protect personal data from
unauthorized use, access, disclosure, alteration or destruction.
We want to help you get started, learn more about your rights and obligations and
efficiently prepare for the GDPR.
To this effect we have enhanced the PeopleCert Procedures to accommodate the GDPR
compliance obligations and to provide you with the appropriate implementation
guidelines. The PeopleCert GDPR Processor Procedures are attached herewith for
your ease of reference and from now on constitute an integral part of our Partner
Agreement.

© 2018 PeopleCert | All rights reserved


Process: Physical & Information Security | ID No: PIS_PO_WI_11-1ver01.1 / 23.05.2018 Page 1 of 7
Section A – GDPR Key Information

#1: What is personal data?

Under GDPR, “personal data” means any information relating to an identified or
identifiable natural person. Among others, the following information is considered
personal data:

• Name, address and unique identifying numbers (e.g. passport number);
• Demographics such as age, gender, income or sexual preference;
• Behavioral data such as web searches, purchase history and more;
• Biometrics.

Aggregated and anonymized data is often outside the scope of the GDPR. However, if
data, even if anonymized, can somehow be tied back to an individual, then this
information may be personal data.
#2: Who is the data subject?
The “data subject” is an individual to whom personal data relates. For PeopleCert,
our main category of data subjects is our candidates. Trainers, invigilators, agents
and third-party contractors are also data subjects under GDPR.
#3: What is processing?
Processing includes, but is not limited to, collection, recording, use, storage and
transmission of data.
#4: What is the difference between a Data Controller and a Data Processor?

• A “Data Controller” is a person or company who decides what type of data should
be collected, for what purposes it is collected and how this data will be
processed. In our case, PeopleCert is the Data Controller.
• A “Data Processor” is a person or company who processes personal data on behalf
of a Data Controller, following the instructions of the Data Controller. In our case,
each Partner who has signed a Partner Agreement with PeopleCert is a Data
Processor.
We capitalise these terms because it is important to pay attention to these roles to
understand how GDPR works. The GDPR introduces important new responsibilities
for both Data Controllers and Data Processors. The two parties will often have to
work together (sometimes on strict deadlines) to accommodate the requests of data
subjects and/or supervisory authorities.
#5: What rights do data subjects have?
Data subjects decide how and when their data will be used, and the GDPR gives them
an enhanced set of fundamental rights. These include:
1. The right to access and modify their personal data.
2. The right to deletion of personal data when it’s no longer necessary for their
original purpose, including a ‘right to be forgotten’ for data that is outdated.
3. The right to lodge a complaint.
4. The right of portability to another service provider, which means that
controllers may need to provide some or all personal data they have on a
subject when requested, in a portable format.
#6: Do I need to ask for permission to collect and process personal data?
Yes, consent is important! Before you start collecting and processing personal data
you usually must ask for consent from the data subject. There are various exceptions
to this consent requirement, but you should be careful when you rely on them.
#7: What happens if I don’t comply?
If you do not comply with the GDPR you may face fines of up to €20 million or 4% of
annual global revenue.
Section B – Procedures and Obligations of a PeopleCert Data Processor

Working with PeopleCert as either Data Controller or Data Processor, you will act as
Data Processor or Data Sub-Processor and will be asked to collect and process
personal data for and on behalf of PeopleCert and/or you may receive personal data
from PeopleCert. This personal data is primarily that of examination candidates and
may also include other personal data, such as of PeopleCert employees.
This section describes how personal data may and may not be used by you as a Data
Processor. These procedures are in addition to your general obligations of
confidentiality and compliance with data protection laws under the Partner
Agreement, which apply to all personal data associated with the Partner Agreement.

Authorized Use
As a Data Processor/Sub-Processor, you are not permitted to process personal data
other than for the following purposes (or as otherwise authorized by PeopleCert):

• Exam administration: registration of candidates, administration of exams and
communication of results.
• Certification: handing out of certificates to successful candidates.
• Auditing: participation in audits performed by PeopleCert, a test owner or any
other authority legally authorized to do so.
• Legal compliance: processing required by law, judicial decision or government
request.

Procedures &amp; Obligations

1. Partners are strictly prohibited from using personal data for marketing purposes,
unless specific consent to this effect is given by the data subject.
2. Partners shall not transfer personal data to third-party processor(s) whether
established in the European Economic Area (EEA) or in third countries, unless such
transfer is expressly approved by the candidate and by PeopleCert.
3. Partners shall apply appropriate technical and organizational security measures
to safeguard personal data from unauthorized use, access, disclosure, alteration
or destruction, and such security measures shall be at least as comprehensive as
those applied to the Partner’s own data. Security measures may include the
encryption of data, the use of passwords when accessing the Partner’s database, the
use of GDPR-certified platforms and services, and the training of employees who
have access to and process personal data.
4. Partners must notify PeopleCert immediately if a breach of the security of
personal data occurs.
5. Partners shall notify PeopleCert as soon as possible (and always within 48 hours)
if:
• Partner receives a request from a candidate (or other individual) for the
exercise of their rights under GDPR, as those are enumerated in Section A,
paragraph 5 above (and Partner shall respond to such request as directed by
PeopleCert);
• Partner receives a request to provide access to personal data to a government
authority or other third party (and, to the extent permitted by law, Partner
shall respond to such request as directed by PeopleCert); or
• Partner is (permanently or temporarily) incapable of complying with any of the
obligations set out in these procedures. In this case PeopleCert will, at its sole
discretion, decide either to suspend the services or terminate its agreement
with Partner.
6. Upon termination or expiry of the Partner Agreement, Partner shall immediately
return all personal data and all copies thereof to PeopleCert, or shall, at
PeopleCert’s request, promptly destroy all personal data and shall certify to
PeopleCert that it has done so.

You can find further information in our Privacy Policy and the dedicated FAQs section
on our new website www.peoplecert.org
DISCLAIMER
This section contains helpful tips intended to provide you with a general overview of
the rights and obligations of a Data Controller under the GDPR. This is not formal legal
advice. PeopleCert does not warrant the completeness, accuracy or suitability of this
Section C, and PeopleCert shall not be responsible for any loss or damage resulting from
use of the information in this section. For further information please contact your local
Data Protection Authority or legal advisor.

Section C: Helpful Tips for Data Controllers


If you are collecting personal data within the EU (or about EU residents) for
other purposes, and you are the one deciding what type of data should be collected,
what it is used for and how it is handled, then you are probably a Data Controller.
Personal data must be collected for specified, explicit and legitimate purposes, and
not processed in a manner that is incompatible with those purposes. As Data
Controller you’re responsible for the data you hold. This means that you need to take
steps to protect it and be able to demonstrate them to Data Protection Authorities.
In practice, you likely need to follow the below steps (among others):
1. Identify what personal data you have and where it resides. Personal data
must be adequate, relevant and limited to what is necessary in relation to the
purposes for which it is processed.
2. Inform data subjects of how you will process and store their data (see further
guidance below).
3. Manage how personal data is used and accessed. Personal data must be kept
up to date and for no longer than is necessary for the purposes for which it
is processed.
4. Establish appropriate security controls to prevent, detect and respond to
unlawful processing, accidental loss, destruction or damage, data breaches
and vulnerabilities. Privacy is “by design”, which means that security controls
should be designed with data protection in mind. Measures of protection may
include the encryption of the data you collect, the use of passwords for
accessing your systems, as well as the training of your employees on data
handling best practices.
5. Keep all required documentation and manage requests from data
subjects (for access to their data or otherwise).
6. Report breaches of data security to the relevant authorities, generally
within 72 hours.
Additionally, you need to make sure that the processors you use to handle the
personal information your company controls effectively protect your data (even if
those processors are also accountable under the GDPR).
Before you proceed with the collection of personal data you must:
a) Inform the data subject in writing in a clear, simple language that is easily
accessible, including about the following:
• Purpose of processing
• Categories of personal data concerned
• Recipients of personal data
• Period of processing
• Information about the processor and of the controller

b) Make sure that you have obtained valid consent from the data subject.
Consent must be:
• Freely given
• Specific
• Unambiguous and distinguishable
