GDPR in educational technology, the case of Simbound

(Resource last updated 15th May 2024) The European Union has set May 25, 2018 as the date when the General Data Protection Regulation (GDPR) will come into full effect. This is a set of data protection guidelines that all companies that operate within the European Union, and manage personal data, must adhere to.

Author Profile

Simbound Administrator

Publish date:
2018-04-02

  • GDPR Compliance
  • Data Privacy, GDPR
Simbound logo with symbol of fingerprint

The timing for GDPR is right, as more and more educational institutions are using third-party technology providers to deliver various education and training programs. Some of these technologies include: email, social networks, learning and project management services in the cloud, and specialized software for e-learning, media, and content. This means that an increasing amount of personal information about students and professors resides with organizations or individuals outside of the school's internal networks.

This ongoing transfer of personal information is necessary for technology companies to identify individual users, provide relevant services, and evolve their offerings and services. There's nothing wrong with the transfer of personal data, as long as it's properly managed and controlled, the user has access to their own personal data, and the data doesn't end up being misused or in the wrong hands. This is what the GDPR is trying to enforce.

Prerequisites

At Simbound, we have been committed since day one to a research and development culture of minimal personal data invasiveness, data transparency and portability, and a path of minimal effort assigned to you when you want to know, access and modify the amount and type of data stored about you as a user of our simulations.

In GDPR terminology, this practice is called 'Privacy by Design'. This is a workable personal data policy for a data-dependent company, and we have never had users indicate that we are asking for too much of their personal data or that they are concerned about how we manage their data. The fact that we've been using Privacy by Design from day one helps us, in some ways, to comply with policies like GDPR quite easily.

In order to provide its services, the Simbound website requires access to a range of your personal information. In order to understand how you, as a user of Simbound, will be affected by the GDPR, we will take a look at the range of personal data we store when you use our digital marketing simulations, and also list some of the measures we are working on to ensure that your personal data is protected and easily accessible.

We classify the various types of personal information we collect through the Simbound website into three categories:

1. Personal Data which is Mandatory

In no particular order of importance, you must provide the following information when using Simbound's online services: your email address, your first and last name, your country, your time zone, the name of your university or company or organization.

A vast majority of our users use the simulation with this basic level of personal information. The most important personal information stored with Simbound is a person's name and email address.

Most users are asked or encouraged by their tutors to enter their institutional email when registering for the simulation. While institutional email addresses tend to change over time, as universities and companies retire email addresses when students graduate or employees terminate their employment, personal email addresses tend to have a longer lifespan. With this in mind, we realize that the majority of email addresses stored in the Simbound system are school or workplace email addresses, with the current distribution of personal/institutional email addresses being approximately 30/70. The 30/70 ratio is a good indicator that users trust Simbound with their work contact information.

A small fraction of the registered email addresses, estimated at less than 3%, are created by users solely for the purpose of registering on the Simbound website. From a privacy perspective, these email addresses have little value as users rarely use these emails after they have finished using the simulation.

2. Optional Personal Data

In order to enhance some aspects of the end user experience, several optional personal data upload features are provided by Simbound. These are not mandatory, meaning that users do not give up any core benefits derived from using the simulation if they choose not to supply Simbound with this kind of data. This includes: a personal photograph, a short description of themselves (bio) and a link to their public social media profiles such as Twitter, LinkedIn. Thus, we give each Simbound user the right to refuse the transmission of sensitive personal data, which is characterized by a high degree of privacy.

2.1 Payment or Financial Related Data

In some cases payment is carried out online by users of our website for gaining access to various resources or protected sections of our website. This happens through various methods: online payment by credit card, a transfer initiated by the customers bank (wire or telegraphic transfer). These transactions are carried out by carefully vetted payment processing companies and in all cases Simbound receives the minimum amount of information required to process a transaction.

Data which we do not ask/store

It is important for you to know that Simbound does not ask to receive and does not store other types of highly sensitive personal data such as physical addresses, copies of ID or other similar documents, date of birth, income, medical or cultural (religious) information, marital status, kinship and other data beyond the scope of identifying a user within our system.

Outbound Marketing Practice and Business Contacts Data

Simbound very rarely sent unsolicited e-mail and in the few cases when it did there was a highly rigorous research and targeting process involved beforehand to match the interest and line of work of those which we contacted with our offering. Over 99% of e-mails sent by Simbound whether these were periodical notifications, or promotional e-mails were sent to people which have opted in to receive communications from Simbound. We have made every effort to safeguard commercial sensitive data and to not abuse data which we have had access to. When it comes to marketing carried out through e-mail we have always clearly identified our company as the source of e-mails and provided an easy way for people to unsubscribe their e-mail addresses from our e-mail communications. Further Simbound has not directly engaged in behavioural/psychometric advertising techniques, although it has used on several occasions 3rd party digital marketing services which at the time claimed that they were using behavioural marketing as a business model.

Simbound mock email

Notice the big Unsubscribe button included in a recent newsletter. It stands out, even on mobile 

Playing by the rules

Through different commercial partnerships with a host of business simulations companies, Simbound has had access to databases consisting of various amounts of personal information. As these providers also offer marketing simulations and possess groups of contacts which are interested in receiving specific communications on products and services, there is intrinsic business value in reaching out to them as they could be interested in the Simbound offering. Although we have had access to this information ever since 2010, we have not once sent unsolicited e-mail to these groups of contacts and we have respected agreements with former or current commercial partners which acted as resellers of our simulations.

Personal Data Protection Mechanism   

We want to make it clear from the onset that your personal data is safe with us and that Simbound does not engage in any sort of personal data transfer without your consent. Our website is managed by professional web hosting companies located in the EU so they themselves are subject to the GDPR and access to the databases containing personal information is made through multiple layers of security which helps us to protect and to identify any potential suspicious usage of personal data stored through our website. If we will notice any suspicious activity, we will send you a notification within 72 hours, as this is one of the GDPR requirements.

We identify all those who access the personal data which we store as we issue individual security certificates to each Simbound website administrator or employee each certificate being unique to each person. Access to the server administration clients and the databases are carried out over Virtual Private Networks (VPN), making it very difficult for someone outside of the Simbound network to intercept, corrupt or in any way interfere with your personal data if they don’t hold the right credentials.

In the future we will be looking at new ways in which to give you an easy way to access and to manage all your personal data at each and every moment. This means that you, as the holder of your data will be able to quickly update, delete or share the personal data which is stored through the Simbound website.

Further Information

Simbound© is owned by the Apollo Edtech SRL company which is registered with the The Romanian National Supervisory Authority For Personal Data Processing having certificate number 0018682 issued on 18/08/2011. Romania is a full EU member since 2007.

Remember to always be cautious whenever you will be sharing personal information over the internet.

Sim Bot Robot waving a thank you sign