As a provider of online assessments, TestReach takes data privacy very seriously and understands that personal data is private and that any use of such data needs to follow data protection principles and applicable law.
Please note that we may disclose individuals’ information to trusted third parties, eg hosting providers, for the purposes set out and explained in this document. We require all third parties to have appropriate technical and operational security measures in place to protect your personal data, in line with Irish and EU laws on data protection.
We are not responsible for the content or the privacy policies for any websites to which we provide external links.
Data Privacy Legislation, Data Controllers and Data Processors
Data protection provides rights to individuals with regard to the use of their personal data by organisations, including TestReach. Irish and EU laws on data protection govern all activities we engage in with regard to our collection, storage, handling, disclosure and other uses of personal data.
Compliance with the data protection rules is a legal obligation. In addition, our compliance with the data protection rules helps individuals to have confidence in dealing with us and helps us to maintain a positive reputation in relation to how we handle personal information.
The data protection rules that apply to us are currently contained in the Data Protection Acts 1988 and 2003, in the ePrivacy Regulations 2011 and in related legislation (together the “DPAs”). As and from 25 May 2018, the applicable rules will be contained in the EU General Data Protection Regulation (EU Regulation 679/2016) (the “GDPR”) and in related Irish data protection legislation which gives effect to the GDPR.
“Data Controllers” are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed, who/which make independent decisions in relation to the personal data and/or who/which otherwise control that personal data.
“Data Processors” are people who or organisations which hold / process personal data on behalf of and for the purposes specified by the Data Controller.
“Personal Data” means any information relating to an identified or identifiable natural person.
Data Protection Principles
The eight data protection rules (also known as the data protection principles) that apply to our organisation are that:
We must process personal data fairly, lawfully and transparently. This obligation includes that we must have a valid legal basis for our processing of personal data (whether the consent of the person has been given, or that the processing is necessary for our legitimate interests (as long as these interests do not outweigh the rights of data subjects) or some other legal basis set out under the DPAs or (when applicable) the GDPR). It also means that we must be transparent with individuals about our processing of their personal data.
We can only collect personal data for specified, identified and legitimate purposes.
We can only then process the personal data that we have collected for the purposes which we have identified or for purposes that are compatible with the purposes that we have identified.
The personal data that we collect and process must be adequate, relevant and limited to what is necessary for the purposes.
The personal data that we collect and process must be accurate and (where necessary) kept up to date.
We must not keep personal data any longer than is necessary, bearing in mind the purpose for which we collected it. This includes that we should keep personal data in a form which permits identification of the data subject for no longer than is necessary.
We must keep personal data safe and secure from unauthorised access, deletion, disclosure or other unauthorised uses. This includes not just keeping data safe and secure from persons outside our organisation, but also from people within our organisation who have no need to access or use the personal data. We must also be careful when transferring personal data outside the European Economic Area (“EEA”, being the EU plus Norway, Liechtenstein and Iceland), and make sure that we have a valid legal basis on which to transfer that data. Transfer can include using a cloud server that is located outside the EU or allowing people who are located outside the EEA access to personal data that is stored within the EEA.
We must comply with data subjects’ rights of information about, and (separately) access to, their personal data and with their other data protection rights, including rights to correct or erase their personal data, rights “to be forgotten”, rights to object to processing (including profiling), rights against automated decision-making and (under the GDPR) rights to data portability.
Personal Data Security
We take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data will only be transferred to a data processor if he agrees to comply with those procedures and policies, or if he puts in place adequate measures himself. In addition, we have appropriate written agreements in place with all of our data processors.
We maintain data security by protecting the confidentiality, integrity and availability of the personal data, defined as follows:
- Confidentiality means that only people who are authorised to use the data can access it.
- Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
- Availability means that authorised users should be able to access the data if they need it for authorised purposes.
We follow strict security procedures in the storage and disclosure of your personal data, and to protect it against accidental loss, destruction or damage. TestReach uses third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run our application. The data you provide to us is protected using modern encryption, intrusion prevention, and account access techniques.
(1) Information We Collect Via Our Website or at Events
1.1 What Personal Data We Collect Via Our Website or at Events
When, on behalf of your organisation, you register your details on our website, when expressing an interest in obtaining additional information about our products and services, eg to request a demo or download information, you enter various information such as name, company name, email address, phone number, and other contact details. You may also provide us with similar information at an event such as a trade fair or meeting for the purposes of obtaining additional information about our products and services.
In addition, TestReach records information about your interaction with TestReach systems and personnel, such as which resources you access or download via our Website, at what events we met you, etc. This information is recorded within our Customer Relationship Management (CRM) system. This CRM is a web-based application that is only accessible by authorised users (access via username and password), where hosting servers may be located outside of the EU.
1.2 How We May Use Personal Data We Collect Via our Website or at Events
We may use this Personal Data to perform the services requested, for example, if you fill out the “Request a Demo” web form, we will use the information provided to contact you or your organisation about your request. This data processing is necessary to provide or fulfil a service requested by or for you / your organisation.
We may also use this Personal Data for marketing purposes, for example, we may use information you provide to contact you, on behalf of the organisation you represent, to further discuss your organisation’s interest in the service and to send you, on behalf of your organisation, information regarding TestReach such as our products, services, or items of interest. This data processing for marketing purposes is a legitimate business interest and we are contacting you on behalf of the organisation you represent.
We will not share your personal data with any third party for marketing purposes.
1.3 Retention of Personal Data We Collect Via Our Website or at Events
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for and for up to seven (7) years afterwards or otherwise permitted by applicable laws. We may also retain your information during the period of time needed to complete our legitimate business operations, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
1.4 Consent to Use of Personal Data We Collect Via Our Website or at Events
When, on behalf of your organisation, you register for services on our Website, or you provide us with your details at an event, you will receive periodic email newsletters and communications from TestReach to assist you in learning about assessment technologies and the TestReach solution / services. In registering on our Website or otherwise providing us your personal details, you consent to receipt of such correspondence. The personal information you provide will only be visible to you, TestReach and its authorised contractors.
You can always choose not to provide this personal information. If you choose not to provide essential information you might not be able to receive the service or information that you request.
If you do not want to receive communications from us, please follow the unsubscribe instructions at the bottom of the email or newsletter you receive, which are clearly marked (this method is the quickest way to expedite your unsubscribe request). Alternatively, you may submit a request by sending an email with details to email@example.com or by contacting your account manager.
In compliance with the U.S. CAN-SPAM Act of 2003 and other applicable legislation, TestReach maintains an opt-out list of email addresses (also known as a "suppression list"). This list of addresses may be used internally in TestReach or provided to contractors conducting email broadcasts on TestReach's behalf, but only for the express purpose of suppressing these addresses from promotional email broadcasts conducted by TestReach directly or on TestReach's behalf.
1.5 What Non-Personal Data We Collect Via Our Website
Like most websites, we gather statistical and other analytical information collected on an aggregate basis relating to all visitors to our Website. This non-personal data comprises information that cannot be used to identify or contact you.
Information collected may include your browser type and language, or the city or region or country from which you accessed our Website, as well as the ways you interact with our Website, such as pages visited, time spent on pages, the number of clicks and the domain names. We may also use third-party analytic providers and technologies, including cookies and similar tools, to assist.
The information collected from cookies in your Web browser includes standard information from you (such as browser type and browser language), your Internet Protocol (“IP”) address, and the actions you take on the TestReach website (such as the Web pages viewed and links clicked).
Cookies are small text files that are transferred to your computer’s hard drive through your web browser to enable us to recognise your browser and help us to track visitors to our site. A cookie contains your contact information and information to allow us to identify your computer when you travel around our site for the purpose of helping tailor the experience to meet your needs. Most web browsers automatically accept cookies, but, if you wish, you can set your browser to prevent it from accepting cookies. The “help” portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. The cookies we use do not detect any information stored on your computers.
Certain information in relation to web usage is revealed via our internet service provider who records some of the following data. The information we receive depends upon what you do when visiting our site:
(a) The logical address of the server you are using.
(b) The date and time you access our site.
(c) The pages you have accessed and the documents downloaded.
(d) The previous Internet address from which you linked directly to our site.
(e) Some of the search criteria you are using.
1.6 How We May Use Non-Personal Data We Collect Via our Website
We use this non-personal usage information to operate and improve our Website, to improve the information we are supplying to our users, to find out how many people are visiting our sites and for statistical purposes. Summary statistics allow us to assess the number of visitors to the different sections of our site, discover what information is most and least used, inform us on future design and layout specifications, and help us make our site more user friendly.
We process this information given our legitimate business interest to improve the TestReach website and our customers’ experience with it.
We will make no attempt to identify individual visitors, or to associate the usage / technical details listed above with any individual. We will only use this information for statistical and other administrative purposes. You should note that usage / technical details, which we cannot associate with any identifiable individual, are not “personal data” within the meaning of the GDPR.
1.7 Access and Other Rights that You Have Regarding Personal Data We Collect Via Our Website or at Events
You may request access to your personal information in order to review, correct or delete any personal information TestReach retains about you by:
- sending an email request to firstname.lastname@example.org
- sending a request by post to Data Privacy, TestReach, NexusUCD, Block 9-10 Belfield Office Park, Clonskeagh, Dublin 4 Ireland
- or calling TestReach on +44 (0)20 34758684
In your request, please clearly state what personal information you would like to have access to. TestReach will respond to requests within 30 days.
EU residents have rights to access personal information stored about them and to limit its use and disclosure. This includes the right to request access to and rectification or erasure of personal information or restriction of or objection to processing, as well as the right to data portability and to withdraw consent to processing of personal information. TestReach shall address such requests in accordance with applicable data protection laws. All such requests should be directed to TestReach using the above contact information.
1.8 International Transfers Relating to Data We Collect Via Our Website or at Events
If / when we transfer your personal data out of the EEA, for example because we may use a software application such as a CRM that is hosted on servers based in the US, we ensure an adequate degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
1.9 Retention of Data We Collect Via Our Website or at Events
TestReach retains personal information for as long as is necessary to provide its services which includes prudent, limited duration archive retention, for compliance with legal obligations, to enforce our rights under agreements and as permitted under applicable data protection law. Retention periods will therefore reasonably vary based upon the nature of the personal information involved.
(2) Information We May Collect From You During the Recruitment Process
TestReach is committed to protecting the privacy of personal data provided to us during recruitment processes. The information below outlines our privacy practices with respect to recruitment, namely how TestReach processes personal data provided to us when considering applicants for employment, contracting or internships, and it is not a contract or agreement.
TestReach has legitimate interests in processing personal data of applicants to make recruitment decisions, which we balance against applicants' interests and rights to privacy. TestReach will always process your personal data in accordance with applicable laws. You should read this information carefully and contact us with any questions before providing us with personal data.
2.1 Information We May Collect From You During the Application Process
During the application process, we will request various information including personal details, contact information, qualifications, and experience and may conduct interviews and engage in correspondence with you. For some TestReach roles, we use assessments to help determine job fit, in which case we will ask you to take such assessments.
You don't have to provide what we ask for, but it might affect your application in some jurisdictions if you don't.
2.2 Information We May Collect After Making a Job Offer To You
If we make an offer of employment, contracting or internship, we will ask you for information so that we can carry out pre-engagement checks. These pre-engagement checks vary by jurisdiction but may include references from prior employers, identity confirmation, right to work in the jurisdiction you are being engaged in, and criminal or other background checks. We use third-party processors to do such checks, consistent with applicable laws. We will treat such information with care, and will delete the results of background checks after reviewing them. You do not have to agree to these checks but in most jurisdictions, it's likely that your offer of employment or contracting will be conditional on them.
2.3 How We Store and Use Your Personal Data Related to Recruitment
TestReach takes security seriously and we have in place appropriate technical and organizational measures to protect the security of personal data we process, including that of recruitment applicants. Please be aware that due to the inherent nature of the internet, there is no guarantee that emails are secure and all emails and internet transmissions are done at the user's own risk.
We will use the contact details you provide to us to contact you to progress your application. We use your personal data for purposes of our legitimate interests in relation to considering you for a position, including:
- evaluating your suitability for the role you have applied for,
- HR recruitment recordkeeping,
- ensuring compliance with applicable laws,
- and conducting pre-engagement and background checks, as described above.
The information you provide during the process will only be used for the purpose of reviewing your application, considering you for another job role, or to fulfil legal or regulatory requirements if necessary.
2.4 Use of Third Parties As Part of the Recruitment Process
We use third-party systems (Data Processors), for example Dropbox, to store and process information during the recruitment process. Third parties are required to keep your data confidential. We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes.
We may also share personal data in response to a subpoena, court order, or legal process, to the extent permitted and required by law; to protect your security or the security of other persons including for national security or law enforcement purposes, consistent with applicable law; or in connection with a sale, joint venture or other transfer of some or all of the assets of TestReach, provided that the acquirer commits to using personal information in a manner consistent with applicable law.
2.5 Retention of Data Relating to Recruitment
TestReach will only retain your personal data for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law.
If you apply for a position but we do not take you on as an employee, contractor or intern, we keep the personal information you provide us as part of your application for a period of around one year, (or sooner if you request it), in case we want to re-approach you or you re-apply. If there is a legal requirement to maintain it, we will keep it for longer.
If you join us as an employee, contractor or intern, we keep information gathered during the recruitment process indefinitely while you remain engaged by us. When you join, or before if you request it, we will share with you our employee privacy notice which explains how we handle your personal data as a TestReach employee, contractor and intern and what the process is after you leave. If you want us to delete your personal data at any time, please make a request to your HR contact.
2.6 Seeing the Recruitment Data we Hold On You
If you want to see a copy of the data we hold on you, we will share it subject to any legal restraints. Please make such requests to your HR contact or by email to email@example.com
If you consider that any data held about you is inaccurate, you can use the same procedure to request us to rectify it.
(3) Information Collected When You Take an Assessment on Our System or Contact TestReach for Technical Support
An assessment may consist of a test, exam, quiz, survey, or other kind of assessment. TestReach provides assessment services as a service provider to our customers. Our customers are the companies or organisations that offer the assessment for delivery via the TestReach software application – they are the examiners. In this case, the TestReach customer / examiner (“Examiner”) is the Data Controller and TestReach is the Data Processor in respect of the processing of personal information described in this Section (3).
When you take an assessment on the TestReach system, the Examiner may collect, receive or store personal information through our service on candidates including names, contact details, demographic and other information. The Examiner decides what information they ask for, collect and store. This information may include details relating to special adjustments that need to be made on our system for your specific exam, for example allowing additional time for candidates with reading difficulties.
If you take an assessment on TestReach via a browser, TestReach also automatically records the IP address, browser header data (user agent) and other similar information about the computer used to take the assessment. We also record user access and activity data within our system (eg when you login, when you log out, when you answered a question, etc.) for audit-trailing and security purposes. If you use the TestReach Desktop App to take an assessment, we may also record further information including details of other processes running, RAM and CPU usage statistics, installed drivers, peripherals on your computer and actions taken during the assessment. If you are taking an assessment using Remote Invigilation, we will also record a video of you taking your test, taken from your own computer webcam. We do this for the purposes of ensuring the integrity of the assessment process and the video may also be used for the purposes of helping us improve our application and the overall experience of candidates.
When an assessment is administered to you by or on behalf of the Examiner, we collect and may score your responses and derive an assessment score and the Examiner may use this data collected to generate reports about your results. Providing personal data is voluntary, but usually necessary if you wish to take the assessment. You should raise with the Examiner any concerns you have regarding personal data that you are asked to provide as part of the assessment process.
When you use TestReach software to author, mark, moderate or administer assessments on behalf of an Examiner, personal information as described above can also be recorded and is treated in the same way as information for people taking assessments.
Certain assessments may be administered through independent testing centers. These centers may have their own privacy policies that may be different from this policy. TestReach is not responsible for these privacy policies or the conduct of independent testing centers. If you have any questions or concerns about an independent testing center's collection or use of any of your personal information, please talk to the Examiner or independent testing center directly.
By taking or authoring, marking, moderating or administering an assessment on the TestReach system, your personal information and the information listed above will be transmitted by TestReach to the Examiner (Data Controller).
The Examiner is responsible for ensuring that the personal information collected from you and processed as part of the assessment process is collected and processed in accordance with applicable data protection laws. TestReach acts in accordance with the Examiner’s instructions.
TestReach may ask you to provide personal information when contacting us with support or troubleshooting questions, which we will use for identification purposes and to help respond to your queries.
TestReach uses the above information for its internal business purposes (such as maintaining and improving our products), to correspond with you regarding the issue and to improve the support experience. For example, we may use information provided in interactions with our support personnel to improve our help documentation. All personal information received as part of the support process is treated in the same way as information for people taking assessments.
3.1 International Transfers Relating to Assessment-Related Data
As standard, assessment-related data on TestReach is stored and processed on servers based within the EU and TestReach does not as part of our general business, transmit information to servers in any locations outside of the EU.
Sometimes on request from an Examiner, there may be a requirement to run assessments for candidates who are physically based in geographies outside of the EU. In this case either those candidates are provided with access to TestReach via the internet, and all data is still stored and processed on servers based in the EU, or offline access may be required for those candidates via the TestReach Offline Assessment Portal or via storing information on the candidate’s own local computer.
When offline assessment access is required, as directed by the Examiner, specific candidate information such as first name, last name and email address is downloaded (transferred) onto computers in the candidate’s own location for the purposes of taking their test(s). These computers may be located in or provided by a test centre. These centres may have their own privacy policies that may be different from this policy. TestReach is not responsible for these privacy policies or the conduct of independent testing centres. If you have any questions or concerns about an independent testing centre's collection or use of any of your personal information, please talk to the Examiner or independent testing centre directly.
Answer data from any exam and video data from remotely invigilated exams may also be stored on a local computer in the candidate’s own region, which may be outside of the EU, if they are working offline or if their internet connectivity goes down during an online exam. At some point when that computer is next connected, the exam data / video data will be uploaded onto TestReach central servers, which are located in the EU, and all data stored locally on the computer used will be deleted.
On an occasional basis, a member of TestReach staff or a contractor or agent of TestReach, may need to access your assessment-related data from a country outside of the EU, for example a technical support consultant who is trying to troubleshoot a problem. This may require your assessment-related data to be downloaded onto a local computer on a temporary basis, where that resource is located. This data would be used purely for the purposes of resolving a technical issue, providing our assessment service or making improvements / enhancements to our assessment service or candidate experience.
3.2 Access and Other Rights that You Have Regarding Assessment-Related Data
TestReach’s customers (Examiners) store personal information within our systems and therefore if you want to receive access to, limit the use of, or limit disclosure of, your personal information received by TestReach as part of an assessment process administered by an Examiner, you should ask for this via the Examiner.
Any requests received by TestReach relating to the right to correct or erase assessment-related personal data, the right “to be forgotten”, the right to object to processing (including profiling), the right against automated decision-making and (under the GDPR) the right to data portability, will be forwarded to the Examiner, as the Data Controller, who will deal with the request, as TestReach does not own the data.
3.3 Retention of Assessment-Related Data
Where our Examiner customers store personal information within our service, the Examiner is the Data Controller and determines and is responsible for the length of time during which personal information is retained. TestReach acts in accordance with the Data Controller’s instructions.
All video data is held by TestReach for a period of 6 weeks after which it is deleted, unless we are specifically requested by the Examiner to hold it for longer, for example in the case of an appeals process.
Disclosing Information to Others
TestReach does not sell or rent personal information (including your email address) it collects to others; however, it may disclose personally identifiable information in the following situations and where applicable in compliance with and limited by the requirements of the Privacy Shield principles, EU and Swiss data protection law and other commitments made by TestReach to good privacy practice:
(a) in response to a subpoena, court order or legal process, to the extent permitted and required by law;
(b) to protect your security or the security of other persons including for national security or law enforcement purposes, consistent with applicable law;
These organisations and individuals assist us in providing services to customers and prospects, including the provision of data storage and hosting services, customer relationship management software, technical support and consulting or other services, and may as instructed by TestReach access, store, use or process personal information when providing services to TestReach.
(e) when you request it, for instance if you have asked us to do this as part of an effort to connect you with experts who can help you.
By providing us with your personal information, you give your consent for your personal information to be transmitted in the situations outlined above. You may withdraw this consent at any time by contacting us as described in this privacy notice.
As Data Controller, the Examiner is responsible for ensuring that transmittal of your personal information collected from you as part of the assessment process is in accordance with applicable data protection laws. TestReach acts in accordance with the Examiner’s instructions.
Aggregation and Quality Assurance Use
TestReach may from time to time use assessment or Website personal information collected, for the purposes of maintenance and operation of services provided to you, including for internal quality assurance purposes, for instance to ensure that new releases of software behave as expected.
TestReach has a formal data security policy that keeps track of any such data and carries out internal exercises to ensure that it is not misused.
TestReach may statistically aggregate data in non-person specific form, and subject to applicable law use this data for operations management, quality control, security and marketing purposes and to improve the quality of our future products and services, and subject to applicable law pass this to Examiners. Such activities carried out on any personal information provided for assessment purposes are upon the instructions of the Examiner for which TestReach acts as Data Processor.
When the changes are material, we will also inform you in advance of any changes taking effect in our newsletter and/or otherwise prominently posting a notice of such changes or by directly sending you a notification of changes.
TestReach is committed to working with individuals to obtain a fair resolution to any complaints or disputes about privacy and personal information.
How to contact us
- sending an email request to firstname.lastname@example.org
- sending a request by post to Data Privacy, TestReach, NexusUCD, Block 9-10 Belfield Office Park, Clonskeagh, Dublin 4 Ireland
- or calling TestReach on +44 (0)20 34758684
As TestReach is located in Ireland and we conduct our data processing here, we are regulated for data protection purposes by the Irish Data Protection Commissioner.
You can contact the Data Protection Commissioner as follows:
- Go to their website www.dataprotection.ie
- Phone on +353 57 8684800 or +353 (0)761 104 800
- Email email@example.com
- Address: Data Protection Office – Canal House, Station Road, Portarlington, Co. Laois, R32 AP23. Or 21 Fitzwilliam Square Dublin 2. D02 RD28 Ireland.