Handshake recognises the importance of protecting the privacy and integrity of personal data. The individual user is always at the heart of Handshake’s decisions on data processing and compliance with data protection.
We’ve compiled the most frequent questions here for your convenience.
What is the GDPR?
- The European Union's General Data Protection Regulation (GDPR) which went into effect on May 25, 2018, aims to strengthen and standardise user data privacy across the EU nations and any organisations that handle the personal data of EU data subjects.
- It applies in the context of activities concerning data subjects (individuals to whom data relates) in the EU by a controller or processor not in the EU when the processing relates to the offering of goods or services to those data subjects whether or not payment is required.
- The Data Protection Act 2018 is the UK legislation which updates data protection laws in the UK, complimenting the GDPR.
Who needs to comply with the GDPR?
GDPR affects all businesses and organisations that process personal data relating to natural persons residing in Europe (and the UK). Personal data is defined broadly under the GDPR as “any Information relating to an identified or identifiable being.”
If you process personal data in relation to individuals, then you are classified under the GDPR as either a “data controller” or a “data processor”. A data controller is an entity which alone or jointly determines the terms and means of processing, whilst a data processor processes data according to the instructions of the data controller. Both data controllers and processors have obligations and are accountable for ensuring GDPR compliance in relation to data they process.
What is a Data Processing Agreement (DPA), and how do I ensure Handshake and my institution have one?
A Data Processing Agreement is an agreement a Controller must have with a Processor they transmit data to that is subject to GDPR.
You, as an institution (Controller), will be processing personal data for students who are protected under GDPR, and therefore you must have a GDPR-compliant Data Processing Agreement with Handshake (Processor) and any other vendors who process or store student data on your behalf. GDPR requires that you as the Controller are only using GDPR-compliant Processors, and having a DPA in place with your Processors contractually ensures that this is the case.
Additionally, we include DPAs in all Handshake contracts by default, so there aren’t any additional steps beyond that.
Where do I go for any other questions?
You can reach us at email@example.com for any questions about GDPR! For data or deletion requests, please contact firstname.lastname@example.org.