To Campus Café Customers:
The following is a guide to understanding our compliance with GDPR requirements. While this law was enacted primarily for large data-gathering organizations, we understand that it has ramifications for Campus Café and its customers. It may also apply differently for on-premise vs cloud customers since the data storage, protection, and retrieval will vary. We will continue to monitor these regulations to ensure that we are in compliance wherever necessary. Below is a summary of our current understanding and policies with respect to this law.
1) Lawful, fair and transparent processing
We only store data for legitimate lawful purposes based on the requirements of each school for our cloud customers. We do not collect, solicit, or distribute any other information for any purpose.
We are not administrators of any of the data that is collected using Campus Café Software. We would expect the school to inform data subjects about any additional processing activities on their personal data.
2) Limitation of purpose, data and storage
We do not provide or share any data that we store for our customers with any third parties, except on rare occasions where we receive a written request from a customer (typically for conversion of data to another software provider, such as an LMS, or learning management system).
We will delete any data that we store (e.g. databases) upon written request by one of our schools/customers. We typically delete conversion data as soon as it is no longer needed. If an individual person requests that data be deleted, we would only do so with a written request from the school, since there will be many conflicting federal laws and requirements for data storage historically (e.g. transcripts must be kept forever, financial information for 7 years, etc.).
3) Data subject rights
Students can access most of the information that is stored on them directly through the portals: billing information, transcripts, attendance, personal information, etc. If the school has other internal notes, documents, or data that is collected on a person, the school would be responsible for keeping those persons apprised of such data storage. We will continue to monitor this requirement to ensure that authorized persons have access to their data.
Upon request, we will correct any information that is in error, but only if such data is in our control. We do not collect, solicit, or distribute any other information for any purpose.
Requests for deletion of data will be handled as outlined in section 2.
This will not be required since we do not ever intend to process personal data beyond the legitimate purpose for which that data was collected.
5) Personal data breaches
Please see the SLA (service level agreement) which contains specific requirements for handling and reporting data breaches. We believe our policies are in full compliance with this section.
6) Privacy by Design
Please see the SLA for privacy protections and security measures that are in place. We believe our policies are in full compliance with this section.
7) Data Protection Impact Assessment
Please see the SLA for data protection and security measures that are in place. This includes regular intrusion detection by an outside agency. We believe our policies are in full compliance with this section.
8) Data transfers
Please see the SLA for policies with regard to the transfer of data. We believe our policies are in full compliance with this section.
9) Data Protection Officer
Please see the SLA for policies on employee training with respect to the processing of data, data transfer, password protections, and other measures that may be in place. We believe our policies are in full compliance with this section.
10) Awareness and training
The staff at Campus Café Software meets regularly to maintain an awareness of issues surrounding the protection of customer data. We believe our policies are in full compliance with this section.