We only collect data to give our clients the best possible service.
The data we collect may include:
Personal information such as name, address, date of birth and other contact details.
Depending on payment method for our products or services, we may need credit or debit card information and/or your bank account number and sort code.
Feedback on the Daly Exercise website and services provided for improvement and compliance purposes.
When you visit the Daly Exercise website we collect device information such as the IP address of your device, your device model and its settings and network information using Google Analytics for UX and UI purposes.
How long do you keep my personal data?
This depends on the type of data we collect from you and in turn how we use it. When we decide what data we need to keep, we strongly consider the information necessary to provide you with our products/services. We always ensure we can meet certain statutory obligations.
Do you share user data with third parties?
Cookies are small files that are stored on a user's computer when they visit websites (including dalyexercise.ie). The cookies hold a small amount of information on a user's visit. Cookie data helps site owners to provide you with a more personalised service.
How does Daly Exercise collect data from cookies?
We collect data in a way which does not identify you. We collect cookies from the following site:
Can you enable or disable cookies?
Yes, you can clear or delete cookies from your browser's configuration settings at any time. The www.allaboutcookies.org guide will help you understand cookies and how to control them.
Get in touch with Daly Exercise if you have any data deletion requests per your rights as a citizen under GDPR regulation.
We respect the privacy of children, and do not collect any more personal information than reasonably necessary to enable them to participate in the activities we offer at our Mobile Application.
With respect to our online information collection practices from children under 13 years of age: We collect the following types of personal information directly from children online:
1 - First and last name
Use and Sharing of Information
The information we collect from children is used:
1 - For record keeping
2 - To enable them to participate in certain functions of our site, such as exercise homework and feedback functions between teachers and students.
We do not have any agreements with outside organizations to collect personal information at our site, and we do not share children’s personal information with anyone other than those who provide support for the internal operations of the Web site and our agents (e.g., contractors who provide fulfilment services or technical support to the Web site). All third parties with whom we share information have agreed to maintain security and integrity of personal information, and have agreed not to use the personal information.
Parents can (1) review the information that we have collected from their children online, (2) prevent the further use or maintenance of such information, and (3) direct the deletion of their children’s personal information by:
1 - Calling us at the telephone number provided above
2 - E-mailing us at the above email address
3 - Writing to us at the above address, or
4 - Contacting the School
To read more about GDPR, please go to https://ec.europa.eu/info/law/law-topic/data-protection_en.
Daly Exercise has been GDPR compliant since August 2018.
Who is subject to GDPR?
Individuals, organisations and companies that control or process personal data are subject to GDPR. In broad terms, there are three different actors:
- Data subjects (students, families, school employees)
- Data controllers (the school)
- Data processors (systems like Daly Exercise+)
As a data processor, we do not decide the purpose or lawfulness of the data we process and store. We are trustees acting on our customers’ behalf. As data controllers, schools remain ultimately responsible for documenting and deciding how data enters our systems.
However, GDPR regulations do impose new and stricter regulations on processors. We will fully comply with these requirements for all of our services, including Daly Exercise+.
How is GDPR different from previous data protection laws?
Key areas of difference centre on increased accountability for companies, greater access to personal data for individuals, and higher penalties for non-compliance. GDPR explicitly lays out key rights of data subjects:
- right to be informed
- right of rectification
- right of erasure
- right to restrict processing
- right of data portability
- right to object
- right of access
These rights form the framework for interactions between the data subject, controller, and processor. While the controller (school) remains responsible for respecting these rights, the processor (us) may assist in accomplishing these tasks.
The penalties for non-compliance are not insubstantial. A school found in violation of GDPR may be assessed fines worth up to 4% of total annual revenue. The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR and has a broad range of powers to do so.
What kind of data is covered, and what information are schools allowed to collect?
All personal data concerning an individual (data subject) is included under GDPR. Specifically, personal data that allows an individual to be identified — for example name, address, phone number, photo, etc. — is included under GDPR.
Even if personal data has been encrypted, pseudonymised, or anonymized, it may still fall under the scope of GDPR if the data can still be used to identify a specific individual.
Examples of personal data that our schools collect and store include:
- E-mail Addresses
- Phone Numbers
- ID Numbers (passport, national ID, SSN)
GDPR specifies six lawful bases for collecting personal data:
- Written contract
- Legal obligation
- Vital interests
- Public tasks
- Legitimate interests
For most schools, the legal basis for data collection relates to either legal obligations as learning institutions, or to legitimate interests. Most of the bases require that the data processing is necessary, i.e. if you can reasonably achieve the same results and purpose without processing data, then you do not have a lawful basis.
Is Daly Exercise+ GDPR-compliant?
Yes. Daly Exercise+ has been designed from the start with personal data protection in mind, and we pride ourselves on offering schools, students, and parents the highest level of security.
As a part of our commitment to GDPR, Daly Exercise+ will:
- Ensure organisational and technical security for all services.
- Offer support when your users exercise their data subject rights.
How does my school become GDPR-compliant?
We cannot directly advise our schools on GDPR compliance, aside from recommending that you seek legal advice as soon as possible, and appoint a team to begin reviewing your current data processing practices. Most of our schools in Europe will be required to appoint a Data Protection Officer (DPO), who oversees your compliance requirements and reports directly to senior management.
In general, GDPR requires you to explicitly record and evaluate how personal data is processed and used. At a minimum, you will need to fully review user data end-to-end, justify why you hold it (using one of the legal bases), for how long you will retain it, and conduct a security review. The purpose of every data point you hold must be defined. When adopting new technology platforms that involve personal data, you will need to perform a Data Protection Impact Assessment (DPIA). You are expected to monitor and ensure that the systems you use are GDPR compliant.
Lastly, because individual rights have been strengthened under GDPR, we strongly recommend making your users aware of their rights, and establishing clear procedures for responding when users exercise those rights.
I have heard that Daly Exercise+ is not secure enough under GDPR! Is this true?
GDPR does not specify precise security requirements for cloud-based services. As a data processor, we have a shared responsibility with our schools (controllers) to provide appropriate organisational and technical security, and be able to demonstrate it. GDPR strengthens the liabilities and penalties for companies that are unable to demonstrate those security protocols.
We invite customers to perform their own audits.
We are careful not to provide explicit detail about our security measures but our standard protocols include:
- Application security: traffic encryption, strongly hashed passwords, safeguards against vulnerabilities such as cross site scripting, SQL injections, phishing and others.
- Network security: firewalls and systems to detect suspicious behaviour, stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).
- Physical security: preventing unauthorized access to infrastructure processing personal data.
- Procedural security: IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.
How does Daly Exercise+ obtain personal data about users, and how is it used?
User data is submitted to our platforms in two ways:
1 - directly by the users
2 - by representatives authorised by the users (e.g. the school technology director obtains data and then uploads it to our platform)
We use personal data under our protection only when we receive direct instructions from the customer. The data stored on our systems belongs directly to our customers, and only a handful of Daly Exercise staff have access to personal data under strict confidentiality and security. We process personal data independently only if it is vital to the integrity or security of the service, or to analyse or evaluate the quality of the service provided.
Can any of our users request data deletion under the “right to be forgotten”?
Likely not. A data deletion request is valid only if the lawful basis of the processing is Consent (see above), or if the original purpose is no longer valid.
We strongly recommend that our schools implement clear processes for evaluating these kinds of requests. If a data subject is granted the right to be deleted, Daly Exercise will, either through our software or our support services, help execute these rights and confirm the deletion.
When does Daly Exercise delete personal data?
Daly Exercise+ deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. All personal data relating to everyone apart from school administrators are deleted on a yearly basis in July.
An instruction to delete a user in our services can either be manually performed in the platform by a customer representative or upon request to our support team.
When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.
Are we required to provide the personal data that we store on a user when requested?
To a limited degree, yes. Your users have strong rights to transparency, information, and data access. Any data subject can request a copy of all personal data stored, provided that it does not adversely impact other users, or if the data is not already directly available. Please note this is not an absolute right. There are other laws in place that require you to protect the data subject and others from accessing certain kinds of information. Again, we strongly recommend that you implement a clear process for evaluating this kind of request. If you grant a data subject the right of access, we will, either through our software or our support services, help execute these rights.
Our systems were built for transparency across all stakeholder groups, so the majority of data stored about a user is directly accessible via the individual user profile.
Can a user contact Daly Exercise directly (e.g. student, parent, teacher) to exercise his rights under GDPR?
No. Under GDPR, the data subject (user) rights are between him and the controller (our customers). Any data subject requests from end users to Daly Exercise+ will be handed over to the customer. Daly Exercise will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.
Does Daly Exercise+ send data to third parties?
No, unless we receive instruction / confirmation from our customers or have a legal obligation to do so.
Will Daly Exercise notify users if a data breach has occurred?
Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. Daly Exercise+ is required to notify its customers when becoming aware of a data breach, and to help them in fulfilling obligations in notifying users.
Can I require a cloud service provider, like Daly Exercise+, to only host personal data in my country?
One of the GDPR’s primary objectives is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors in processing data across the EEA would not be permitted under GDPR.
Does Daly Exercise+ process data outside the EEA? Is it allowed to process data outside the EEA?
GDPR does not forbid personal data to flow outside the EEA, but expects that any data processing outside the EEA is done following the same principles.
In addition, controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing. In some cases, they must also allow customers or users to object to the processing.
Does GDPR impact customers outside the EU?
Not legally. The EU, obviously, has no legislative power over other jurisdictions. GDPR does not offer any rights or freedoms to data subjects located outside the EU, and does not put obligations on non-EU customers that do not process data on EU/EEA data subjects.
However, Daly Exercise+ offers, for the most part, the same services and same level of security to all our customers. In other words, no matter where your school is located, you will benefit from our approach to security of personal data under GDPR.