Our Commitment to You and the Protection of Your Data
Preparing for the GDPR
- Continuing to invest in our security infrastructure, so that the level of security offered is appropriate to the risk, including but not limited to the features of the service listed in our Security page.
- Making sure we have the appropriate contractual terms in place. Ensuring we can support international data transfers by maintaining our Privacy Shield self-certifications, and offering an updated GDPR-compliant Data Processing Addendum (DPA). Ensuring that third party services TalentCards may use, listed as Attachment 3 in our Data Processing Addendum, fully meet the privacy and security requirements of TalentCards customers, as reflected in their GDPR compliance programs, Privacy Shield certifications and their DPAs – mutually signed with us.
- Ensuring that there are confidentiality terms at the contracts of our personnel that is involved in the processing personal data.
- Enhancing our policies, controls and product offerings, including new tools/product features for data portability and data management for supporting our customers for exercising the data subjects’ rights.
Our Security Infrastructure
International Data Transfers: Privacy Shield
TalentCards and Enhanced Rights of Data Subjects
TalentCards has an ethical, legal and professional duty to ensure the information it holds conforms to the principles of confidentiality, integrity, privacy and availability. In other words, the information that we are responsible for is safeguarded where necessary against inappropriate disclosure, is accurate, timely and attributable, and is available to those who should be able to access it. TalentCards complies with statutory law and international regulation regarding privacy and security issues. We have successfully completed a GDPR compliance program internally so as to be fully compliant with GDPR, prior to when the new legislation comes into force (May 25, 2018).
We have set up a small GDPR Q&A to help you with your roadmap towards compliance, providing a high level overview of the regulation, discussing its main impact and helping you avoid some common GDPR pitfalls and fallacies.
Besides strengthening and standardizing user data privacy across the EU nations, GDPR imposes new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and means of achieving GDPR-compliance, both for ourselves and for our customers.
The GDPR’s updated requirements are significant and our team has worked hard to ensure that TalentCards fully meets them before May 25, 2018. Measures to achieve this include:
Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security. Our cloud infrastructure utilizes Amazon servers and AWS S3 storage with AES-256 encryption. Amazon is active participant in the Privacy Shield program, an industry leading cloud provider that is heavily certified in privacy and security, also offering GDPR-compliant DPA. All communications are encrypted using a highly secure version of SSL/TLS with strong ciphers, resulting in A+ security rating.
On top of that we have invested in building a robust privacy and security team, adhering to NIST recommendations and are in the process of enhancing our set of tools for detecting software vulnerabilities prior to production release, assessing our software and deployments, monitoring our infrastructure, protecting customer data, ensuring disaster recovery, business continuity and high availability. In accordance with GDPR requirements around security incident notifications, TalentCards will continue to meet its obligations and offer contractual assurances.
To comply with E.U. data protection laws around international data transfer mechanisms, we already take part in the transatlantic Privacy Shield program that ensures that data from EU customers are properly handled when located on US servers.
TalentCards will never employ subprocessors that retain facilities or may perform processing in countries that are not contained in the list of countries for which the European Commission has explicitly affirmed on the adequacy of the protection of personal data.
The rights of the TalentCards customers (undertaking the administrator role in the service) and their end users as data subjects are important to us. We are committed to supporting the new, enhanced under GDPR, data subject rights for all our users, regardless of their location or nationality.Right of access
As a TalentCards end user or customer, you may also easily access all the personal data kept for you through the “Profile” page, while all activity in the service is also instantly available as the application is started.Right to rectification
All TalentCards end users can delete their personal TalentCards account and all profile data associated with it through the mobile app profile management page by selecting the pencil appearing next to their name to activate the “Edit profile” screen with the trashcan icon at the top right of the screen and then confirm the “Delete your account?” message.
TalentCards customers may terminate their TalentCards service and ask for their personal data to be erased or returned to them by contacting Epignosis. They are free to terminate their subscription at any time, in which case Epignosis will permanently delete their account and all data associated with them, including backups according to the data retention policy and period agreed with the Customer.
The TalentCards group administrator may also delete a specific user or a set of users in order to satisfy a data subject’s request by means of the “Mass actions” feature as explained here.
Also, as a TalentCards customer you may also contact us at the email provided at the bottom of this page if you want your data to be deleted upon your account cancelation; we will permanently delete your account and all data associated with it within at most thirty days and typically much sooner.Restriction of Processing
As a TalentCards end user, you may exercise the right to request restriction of processing by requesting from your respective group administrator to render you “Inactive”.
The administrator can satisfy this request via the user management tab of the administration panel, following the process described in the previous paragraph and selecting in the final step of the process the “Make active/inactive” mass action. Thus, it is possible to immediately satisfy the respective data subject’s request for the restriction of processing.Right to object
Any end user may oppose the processing of personal data which takes place without consent. Regarding the eLearning process, the right to object of the end user is mapped either to the restriction of processing or to the right to erasure; how to satisfy both of these rights has been documented in this page. Marketing emails and newsletters are sent to the TalentCards customers only; these are never sent to the end users of the service. If you are a TalentCards customer, you may opt out of inclusion of your data in our marketing by removing yourself from the mailing lists using the footer in the newsletters and marketing emails that you receive. Similarly to the end users, you may opt out from the service by deleting your account as explained above.Right of data portability
Data export can be done at any time through the administration panel of the application. Any TalentCards user has the right to receive his personal data in a structured, commonly used and machine-readable format. TalentCards supports exporting in multiple formats, including XLS, of all TalentCards data. The TalentCards group administrator may export the requested data at any time through the respective export options of the web panel as explained here.
Furthermore, we will be happy to export your account data to a third party at any time upon your request, which you may send at the email provided at the bottom of this page.
If you are a TalentCards customer, you may want to ensure that the users of your group have provided consent for the processing of their personal data.
In case as a customer you cannot acquire consent by the end users on your own, then it is recommended that you add users by means of group code: The administrator may copy a group's unique code and share it - through any means of communication that is external to the TalentCards service - with the people he wants to invite to the service to access that group's content. This way, users not consenting to being imported into the service, can simply ignore the invitation and their personal data will not be imported to TalentCards.
In case as a customer you have acquired consent by the end users on your own, or alternatively you rely on some other lawful basis for importing the end users into the service, then you can easily invite them by means of email or SMS; or import them into TalentCards; or add them manually by selecting one of the “Import Users” or “Add User” options of the administration panel, following these steps.
If the end users choose to withdraw consent for the service, this is essentially equivalent to the removal of the user from the service. Therefore, it suffices for the user to remove himself from the service through his profile page or alternatively to ask from his group administrator to follow the erasure process explained earlier in “Right to Erasure”.
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. If you have any questions about how TalentCards can help you with compliance, or you have any privacy-related concerns or requests, please reach out by contacting us at: privacy at talentcards dot com.