Additio complies with the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27 2016, on the protection of individuals with regard to the processing of personal data (RGPD), and Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, and provides the following information about the correct use and processing of personal data.
Who is the Data Controller?
Responsible: DIDACTIC LABS S.L. (hereinafter Additio)
Postal address: C/ Bescanó, 10, 17007 Girona (Spain)
Telephone: +34 972 18 32 14
Email: [email protected]
Privacy manager contact: https://additioapp.com/contacto/
Contact of the Data Protection Officer: [email protected]
When a Center or a Teacher contracts licenses for our products individually, Additio will be responsible for the data processing of the Center’s representative and also of the designated contact persons, or the corresponding teacher. On the other hand, the Center or the Teacher will be responsible for the data of teachers, students or students’ legal representatives processed as Additio will process this information on account of the Center or the Teacher that previously contracted our services.
Additio will hold responsibility for the collected data of people who reach us via website or others to send queries, also for the ones who requested to keep updated about activities, products or services.
Why do we process personal data?
We process the information provided by our clients to manage our services and products for the education sector.
In the event that you contact us through the contact form on our website, we will process your data to manage your query.
If you give us your consent, we may also process your data to send you information about our activities, products or services, and you have the right to oppose the processing of your data for promotional purposes at any time.
What is the legitimacy for data processing?
We process the data provided by our customers in order to manage our services and products for the education sector.
If you reach us through the contact form on our website, we will process your data to manage your query.
If you agree, we may also process your data to send you information about our activities, products or services. You have the right to cease the consentment about the management of your data for promotional purposes at any time.
What is the legitimacy for data processing?
The legitimacy to process the personal data of the contact persons designated by the Center or the Teacher who contracts our services individually, is based on the contractual relationship that we establish with them.
In the case of people who reach us through the contact form on our website, or of those people who have asked us to send them information about our activities, products or services, it will be the consent of the applicants that will legitimize data processing.
How do we get the data processed in the Additio application?
Some of the personal data we process via Additio comes from the registration of the APP users, but the vast majority of data proceeds from the Educational Centers and/or the Teachers management in Additio.
What data is processed in the Additio application?
-The categories of data that are processed are:
- Identification data
- Identification codes or keys
- Postal or electronic addresses
- Academic data
-The data is limited, since we only process the data required for the effective use of Additio.
-Specially protected data is not processed as it is underage students data, we are aware that this is extremely sensitive data, so we have placed special emphasis on dealing with such data with the maximum security guarantees.
When users sign in requested data is compulsory, as the service cannot be accessed without them.
How long will we keep the data?
The personal data provided when contracting our services will be kept as long as the contractual relationship with our clients lasts and during the periods required to meet our legal obligations, in regards of accounting and tax documentation for commercial purposes this period will last 6 years, in accordance with Article 30 of the Commercial Code, and for tax purposes it will last 4 years, in accordance with articles 66 to 70 of the General Tax Law.
The data of those interested in keeping track of our activities, products or services will be kept until they claim they no longer wish to get this information.
Students or students’ legal representatives data that we manage on behalf of the Center or the Teacher who has contracted us will be kept while the contract is effective.
As a security measure adopted against data loss, when a registered user unsubscribes or decides not to renew their license, their data will remain in the Additio database for fifteen months. However, the user can request a complete clear of the data by contacting [email protected]
Which recipients will your data be communicated to?
The data will not be communicated to third parties, unless it is required by law or specially granted for this purpose.
What are your rights when you provide us with your data?
- Anyone has the right to confirm whether we are processing their personal data or not.
- Interested parties have the right to access their personal data and to request the amendment of inaccurate data or, if required, its removal, when the data is no longer needed to fulfill the purposes it was collected for.
- In certain circumstances, the interested parties may request the limitation of the processing of their data, in which case we will only keep the information for the exercise or defense of claims.
- In certain circumstances and for reasons related to their particular situation, the interested parties may oppose the processing of their data. In this case, we will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
- Interested parties have the right to the portability of their data.
- Finally, interested parties can contact the competent Control Authority to fill the claim they deem appropriate.
To exercise your rights, you can send us your request to our physical or electronic address.
What security measures do we apply?
In accordance with article 32 of the GDPR, we have adopted the necessary security measures to guarantee appropriate risk control considering the data processing that we manage, with mechanisms that ensure confidentiality, integrity, availability and permanent resilience of the system and treatment services. These measures include without limitation, those already mentioned, such as:
- Information on data processing policies to the employees.
- Daily backups.
- Data access control.
- Regular verification, evaluation and assessment processes.
How do we process data on behalf of third parties?
As mentioned in the chapter dedicated to the Data Controller, the Center or the individual Teacher who contracts our services will be responsible for the processing of the teachers, students and students legal representatives data in the Additio application. In these cases, Additio will process these data on behalf of the Center or the Teacher, who has contracted us, as the person in charge of the treatment, in accordance with the provisions of article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016 (GDPR). Therefore in Additio:
a. We will process personal data only if we receive documented instructions from the Data Controller, even if it is about personal data transfers to a third country or an international organization, unless we are required by the right of the Union or of the Member States we are subjected to. In such a case, we will notify the Responsible of this legal requirement before processing, unless this right forbids it due to important reasons of public interest.
b. We guarantee that the persons authorized to process personal data have agreed to respect their confidentiality or they are subjected to a statutory confidentiality obligation.
c. We apply the relevant technical and organizational measures to guarantee appropriate risk control considering the data processing that we manage in accordance with article 32 of the GDPR.
If it were necessary to subcontract any other treatment, this would only be contracted with entities that guarantee compliance with the GDPR and this contract will be communicated to the Responsible Party, indicating the treatments that are intended to be subcontracted and clearly and unequivocally identifying the subcontractor company and its data. Outsourcing may be implemented if the Responsible does not object within a period of 10 days of such communication.
e. When the affected persons exercise their right of access, rectification, removal and opposition, limitation, data portability and not to be subject to automated individualized decisions before Additio, taking into account our status as data processor, we will communicate it to the email address indicated by the Responsible. The communication will be immediately established and never later than the day after the working day the request was effected, along with other information that may be relevant to decide on the request.
f. We will help the Responsible ensure compliance with the obligations on data security established in articles 32 to 36 of the GDPR, considering the nature of the treatment and the information at our disposal, therefore if a breach of data security that constitutes a risk to the rights of individuals occurs, we will notify the Responsible without further ado with all the relevant information to document and communicate the incident accordingly.
If applicable, at least the following information shall be provided:
- A description of the nature of the personal data security breach, including, whenever possible, the categories and the approximate number of personal data records affected.
- The name and contact details of the Data Protection Officer or another contact in order to gather more information.
- A description of the potential consequences of the personal data security breach.
- A description of the steps adopted or proposed to amend the personal data breach of security, including, when applicable, the actions taken to mitigate any adverse effects. If it is not possible to provide the information all at once, it will be provided gradually without undue delay.
g. As chosen by the Responsible, we will delete or return all the personal data collected once the provision of data-processing services has been completed and we will remove the existing copies too, unless personal data preservation is required by the Union or Member States.
h. We will supply all relevant information to the Responsible, in pursuance of the obligations established in art. 28 of the GDPR, thus allowing and contributing audits, inspections included, by the Responsible or another auditor authorized by the Responsible.
As data processors, the typology of data we can process on behalf of the Responsibles will be: identification data, personal characteristics data and academic and professional data, about teachers, students and legal representatives of the students. Regarding our data processing, these are the ones needed for Additio’s proper operation, such as without limitation, the collection, organization, structuring, storage, preservation, queries, visualization and communication by transmission.
The Center and/or the Teacher have the obligation to gather the data they are going to process in Additio following the legal prescriptions established in the regulations regarding the protection of personal data, for which Additio will not assume responsibility for any breach, by the Center and/or the Teacher, of the obligations arising under the RGPD, the LOPDGDD, or any other current regulations, corresponding to uts activity and related to the performance of the contracted services or any other relationship established with Additio.
Do you have any more questions?
If you have any questions or you need to raise concerns, please send an email to [email protected]
In the event that Additio modifies this policy, changes will be announced to users before its effective date.
January 1, 2020