This Privacy Notice explains the use and processing of personal data by Education DESTY Limited, a company incorporated in Ireland with registered number 558198 whose registered office is at Aghagower, Westport, County Mayo, Ireland (“DESTY”, “we”, “us”, “our”) when you use this website https://www.educationDESTY.com and the resources provided on it.
1. DESTY Island
1.1 DESTY Island is the name given to our online learning programme that supports the growth of emotional resilience in children (each a “DESTY Child”).
1.2 A DESTY Child’s exploration of DESTY Island is entirely at the option of his/her parent or legal guardian. If your child’s school or a health/social care organisation (“Organisation”) is coordinating your child's access to DESTY Island they must seek your prior written permission before your child can begin their DESTY Island journey. Like all permissions, you can withdraw it at any time by contacting the relevant Organisation, or by contacting us using the Contact Us details below.
1.3 DESTY Island is a secure, encrypted, access controlled, portal which only DESTY trained mentors (e.g. a parent/guardian, carer, teacher or health/social care professional who completes the DESTY mentor online training and support programme (“DESTY Mentor”) can access.
1.4 Children do not have access credentials to DESTY Island and cannot themselves create any kind of user account on our services. Children’s access to and participation in DESTY Island is led, controlled and supervised by their DESTYMentor.Other than this supervised access to DESTY Island, our website and the services provided on our website are not intended for access or use by children.
1.5 We do not ask for any personal data on DESTY Island that directly identifies a DESTY Child.Progress through DESTY Island, including completion of workshop workbook assignments, does not require us receiving information that tells us the identity of a DESTY Child. However, as described in section 1.6 below, a DESTY Mentor or DESTY Child may set up a DESTY Island profile using a DESTY Child’s full name (although this is not required). Also, it is technically possible for us to imply personal data of a DESTY Child (e.g. if a DESTY Mentor designates him/herself as parent/guardian one might imply the identity of the DESTY Child if that parent/guardian cares for only one child). However, we do not do this and we maintain organisational and technical security measures intended to prevent anyone from doing this.
1.6 When beginning the DESTY Island programme DESTY Children are allocated by their Organisation and/or their DESTY Mentor an identification number which is matched to their ‘child pass’ (which is a user license).This information is encrypted on our servers. DESTY Mentors help DESTY Children create a DESTY Island profile which includes their name (first or nickname, or pseudonym), age, avatar (which is a cartoon image, not a representation of the child) and some other personalised (but non-identifiable) settings on DESTY Island. This information is automatically encrypted once inputted by the DESTY Mentor or the DESTY Child (under supervision by his/her DESTY Mentor).We don’t know the identity of DESTY Children from the identification/child pass number assigned to them, or their personalised settings.
1.7 CONSENT. We rely on parental / legal guardian explicit consent obtained:
1.7.1 from a DESTY Mentor who is the parent / legal guardian of the DESTY Child. This consent is obtained from the parent / legal guardian when assigning a child pass for a DESTY Child’s access to DESTY Island; or
1.7.2 by the Organisation or DESTY Mentor who coordinates the obtaining of parental / legal guardian explicit consent on our behalf before assigning a child pass to a DESTY Child.
Your consent may be withdrawn at any time by contacting us using the Contact Us details below. This will not affect the lawfulness of any processing of DESTY Child Data carried out before consent is withdrawn. If consent is withdrawn, the DESTY Child will not be able to participate in DESTY Island.
1.8 DESTY Mentors (e.g. parent/guardian, carer, teacher or health/social care professional) and/or the relevant Organisation is a controller (as this term is defined under data protection law) of personal data they collect when DESTY Children they care for take part in DESTY Island.
1.8.1 If you are a DESTY Mentor and also a parent or legal guardian of a DESTY Child, you may have certain legal responsibilities for the personal data of your DESTY Child;
1.8.2 If you are a DESTY Mentor but not a parent or legal guardian of the DESTY Child you and/or your Organisation may have certain responsibilities under applicable data protection laws (e.g. Article 13 and 14 of the GDPR (Regulation (EU) 2016/679) to provide your DESTY Children and/or their parents/legal guardians with information regarding your data protection practices and their data protection rights.
DESTY is only responsible for, and this Privacy Notice only deals with, DESTY’s own data protection and privacy practices. This Privacy Notice does not deal with DESTY Mentors’ or Organisations’ (e.g. education, health or social care bodies) data protection or privacy practices.
1.9 We do not share DESTY Child Data with any third parties except in the following very limited and controlled circumstances:
1.9.1 We use the services of trusted and ISO 27018 certified cloud service providers, located in the European Economic Area (‘EEA’) to host DESTY Island services. DESTY Children’s progress through DESTY Island will be hosted on these cloud services. We have contractual arrangements in place to keep all personal data and other information hosted on these services confidential and secure.
1.10 We do not transfer DESTY Child Data to third parties located outside of the EEA. However, it may sometimes be necessary to disclose DESTY Child Data to an Organization (i.e. your child’s school or a health/social care organisation) or your child’s DESTY Mentor if they are located outside the EEA in order to fulfil the purposes described in this Privacy Notice. In this case, we will only transfer DESTY Child Data where: (i) the non-EEA country has been deemed to provide an adequate level of protection for personal data by the European Commission; or (ii) we enter into specific contracts approved by the European Commission which are intended to give personal data the same protection it has in Europe.
1.11 We keep DESTY Child Data for no longer than is allowed under applicable data protection law and, in any case, no longer than DESTY Child Data is necessary for the purpose for which it was processed:
1.11.1 Each ‘child pass’ (user license) for DESTY Island expires 12 months after activation. Three months after this, we delete all DESTY Child Data unless a renewal child pass is purchased for the DESTY Child (with parent/legal guardian permission);
1.11.2 We retain a copy of any personal data contained in the permission received by us (described in section 1.2 above) for 7 years. Whilst this permission contains a parent/legal guardian’s name, email address and their role it does not include any DESTY Child Data.
1.12 If a child visits our website (not DESTY Island) from their own device we receive Technical Data and Usage Data (as described in section 3.1 below) regarding their visit, as is the case for all visitors to our website. We have no way of knowing from this information that the visitor is a child or a DESTY Child, as this type of information is collected from all website visitors. This processing of Technical Data and Usage Data is done for our legitimate interest to protect the security of our website and to see the aggregated and non-identifiable visits and usage of the website.
1.13 Please review the remainder of this Privacy Notice to find further information on our processing of DESTY Child Data and to understand your legal rights. The remainder of this Privacy Notice also explains our processing of personal data relating to other users of our website and services.
2 Whose personal data do we receive?
2.1 The type of personal data received and used by us depends upon whether you use one or more of our paid services or if you just browse our website. The categories of persons from whom we receive personal data are as follows:
2.1.1 DESTY Child: Children who take part in DESTY Island under the direct supervision of a DESTY Mentor. Please see section 1 above.
2.1.2 DESTYMentor: Parents/guardians, carers, educators or health/social care professionals who:(i) register for and/or undergo the DESTY mentor online training and support programme; (ii) who complete the DESTY mentor online training and support programme; and/or (iii) who access and use DESTY Island in respect of DESTY Children.
2.1.3 Organisations: Persons employed by schools, educational, health or social care bodies who book and/or pay for the DESTY Mentor online training and support programme and/or child passes (user licenses) for DESTY Island.
2.1.4 Retail customers: Persons who seek to purchase goods displayed in our online store.
2.1.5 Website visitors: Persons who access pages of our website.
3. The personal data we collect about you
3.1 Depending on the type of user of our website and services (as described in section 2.1 above), we will process different kinds of personal data which we have grouped together as follows:
3.1.1 Contact Data includes name; job title; occupation; role (e.g. teacher, parent, health professional); education institution; postal address, email address and contact number.
3.1.2 MentorData means personal data related to (i) training and ongoing development of persons undergoing the DESTY Mentor online training and support programme, including mentor training courses booked and completed; assignment status; access to DESTY Mentor webinars; access to DESTY Mentor dashboard; provision of programme feedback; and class discussion board; and (ii) ongoing support services of trained DESTY Mentors including personal data related to their access and use of DESTY Island and access and use of the DESTY Mentor dashboard.
3.1.3 DESTY Child Data personal data related to a DESTY Child as he/she works through the DESTY Island programme led and supervised by his/her DESTY Mentor, including (i) his/her name (i.e. first and/or surname, nickname, or pseudonym) and age; and (ii) to the extent any of the following reveals any personal data concerning the DESTY Child, image uploads and text submissions used to answer DESTY Island questions and progress reports.
3.1.4 Transaction Data includes details about purchases of our products and services (e.g. DESTY Mentor online training and support programme and ‘child passes’ purchased for DESTY Island). We do not receive payment card details. However, we receive a transaction ID provided by our payment gateway provider.
3.1.5 Technical Data includes internet protocol (IP) address, DESTY Mentor login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
3.1.6 Usage Data includes information about how you use our website and services.
3.1.7 Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
3.2 We also collect, use and share aggregated data such as statistical or demographic data for various purposes. Aggregated data may be derived from personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
3.3 Where we need to collect personal data by law, or under the terms of a contract we have with you, and you choose not to furnish this when requested, we may not be able to perform the contract we have or are trying to enter into with you (e.g. where we need your mailing address to send you a product you are looking to buy).
4. How we collect your personal data
4.1 Direct Interactions: You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or by other means.This includes the following circumstances:
- DESTY Child: If you are using DESTY Island with your teacher, parent or other adult (who we call a ‘DESTY Mentor’) we will keep on DESTY Island for your teacher or parent information that identifies you to you and your teacher so you can follow your journey on DESTY Island. You, your teacher or parent can put on your DESTY page your name (which can be your first and last names, a nick name, or a pretend name), your age and the answers you give to questions and games on DESTY Island.We generally can’t work out who you are from this information unless we go to a lot of effort. If you visit our website we will receive some information about your phone, tablet or computer which could discover who you are. We call this ‘Technical Data’, and this may include your computer’s IP address.We also collect information on the website pages you visit, we call this ‘Usage Data’. We don’t use Technical Data or Usage Data to check on you. We only use this information with other website visitors’ Technical Data and Usage Data so we can see what parts of our website are interesting people so we can make the services on our website even better.
- DESTY Mentor: We will collect (i) Contact Data when you use the‘contact us’ or ‘register your interest’ facilities on our website; (ii) Contact Data,Transaction Data, Mentor Data, Technical Data and Usage Data when you register for, book and use any of our paid for services.
- Organisation:We will collect (i) Contact Data when you use the ‘contact us’ or ‘register your interest’ facilities on our website; (ii) Contact Data, Transaction Data, Technical Data and Usage Data when you register for and book any of our paid for services.
- Retail customers: We will collect (i) Contact Data when you use the ‘contact us’ or ‘register your interest’ facilities on our website; (ii) Contact Data, Transaction Data, Technical Data and Usage Data when you access and/or make any purchase through our online store.
4.3 Third party sources: We may receive personal data about you from third parties as set out below:
4.3.1 Technical Data from the following parties:
(a) analytics providers such as Google based outside the EU;
5. How do we use your personal data?
We will only use your personal data when the law allows us to.We have set out below a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your personal data. Please Contact Us if you need details about the specific legal ground we are relying on to process your personal
5.2 Profiling. In order to provide you with the best service possible and direct targeted information and content specific to your needs we occasionally use some basic user profiling.For example, at the point of booking one of our training courses, a DESTY Mentor may be asked what his/her role is in relation to children, i.e. parent, educator or carer. This information is then used to direct the you to the appropriate learning content for you. We also use minimal profiling for marketing campaigns, again based on role and also geographic location in order to direct you to the appropriate marketing content.
5.3 Marketing. We will use your Contact Data and Marketing and Communications Data to send you marketing communications if you have requested information from us. You can opt out of any marketing communications from us at any time by using the “Unsubscribe” function at the bottom of the marketing email we send you or by emailing email@example.com.
5.4 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6. Disclosures of your personal data
6.1 We do not share DESTY Child Data with any third parties except as described in section 1.9 above.
6.2 For all other users of our website and services (except DESTY Children) we may share your personal data with the parties set out below for the purposes set out in the table in paragraph 4.1.
6.2.1 External third parties: Companies that provide products and services to us such as professional advisors, IT systems suppliers and support, helpdesk services, marketing platforms, survey tools, data storage, IT developers, payment processors, analytics companies, website hosting providers, courier /postage services and other service providers.
6.2.2 Public and Government Authorities: Entities that regulate or have jurisdiction over us such as regulatory authorities,law enforcement, public bodies and judicial bodies.
6.2.3 Corporate activity: Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.
7. International transfers
7.1 The DESTY Island service and DESTY Child Data are hosted on servers located in the EEA. [We do not transfer DESTY Child Data to third parties located outside of the EEA].However, it may sometimes be necessary to disclose DESTY Child Data to an Organization (i.e. your child’s school or a health/social care organisation) or your child’s DESTY Mentor if they are located outside the EEA in order to fulfil the purposes described in this Privacy Notice. In this case, we will only transfer DESTY Child Data where: (i) the non-EEA country has been deemed to provide an adequate level of protection for personal data by the European Commission; or (ii) we enter into specific contracts approved by the European Commission which are intended to give personal data the same protection it has in Europe.
8. For all other users of our website and services (except DESTY Children) your personal data may be transferred, stored and accessed within the European Economic Area (“EEA”) or transferred to, stored in, and accessed from countries outside the EEA in order to fulfil the purposes described in this Privacy Notice. For transfers to countries outside the EEA, the data protection regime may be different than in the country in which you are located and will therefore be based on a legally adequate transfer method. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is given to it by ensuring at least one of the following safeguards is implemented:
8.1.1 Where the country has been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
8.1.2 We may use specific contracts approved by the European Commission which are intended to give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
8.1.3 Where service providers are based in the US, we may transfer data to them if they are part of the EU-U.S. Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
8.2 We will provide you on request a list of the countries located outside the EEA to which personal data may be transferred, and an indication of whether they have been determined by the European Commission to grant adequate protection to personal data. Where applicable, you are entitled, upon request to receive a copy of the relevant safeguard (for example, EC model contractual clauses) that have been taken to protect personal data during such transfer.
9. Data security
9.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. How long we keep your personal data
10.1 We keep your personal data for no longer than is allowed under applicable data protection law and, in any case, no longer than the personal data is necessary for the purpose for which it was processed. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We also retain personal data if required by applicable law or regulation or is justified under applicable statutory limitation periods. Please see section 1.11 above for details on retention of DESTY Child Data.
11. Third Party Websites
12. Your legal rights
12.1 Under certain circumstances data subjects have rights under data protection law in relation to personal data, namely:
12.1.1 Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
12.1.2 Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
12.1.3 Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with local law. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
12.1.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your rights and freedoms.
12.1.5 Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following circumstances: (a) if you want us to establish the data's accuracy; (b) where our use of the personal data is unlawful but you do not want us to erase it; (c) where you need us to hold the personal data even if we no longer require it as you need it to be retained to establish, exercise or defend legal claims; or (d) you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
12.1.6 Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the personal data to perform a contract with you.
12.1.7 Withdraw consent at any time if and to the extent we are relying on consent as the legal basis to process your personal data. This will not affect the lawfulness of any processing of your personal data carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will let you know if this is the case at the time you withdraw your consent.
12.2 Exercising your rights.To exercise one or more of your rights in respect of your personal data, please contact us using theContact Usdetails below. We will respond to your request(s) as soon as reasonably practicable, but in any case within the legally required period of time.
12.3 Contacting the data protection supervisory authority. Data subjects have the right to make a complaint at any time to the data protection supervisory authority. The Irish supervisory authority for data protection issues is the Data Protection Commission (www.dataprotection.ie). We would, however, appreciate the chance to deal with your concerns before you approach the Data Protection Commission so please contact us in the first instance using the information listed in Contact Us below.
12.4 Updating your personal data.It is important that the personal data we hold about you is accurate and current. Please keep us informed, using your account settings (if you have a user account on our website) or by using the Contact Us details below, if any of your personal data changes during your relationship with us.
13. Changes to this Notice.
We will change this Privacy Notice from time to time and any changes will be posted to the website. This version of the Privacy Notice was last updated on December 18th 2018 [or can be obtained by contacting us using the Contact Us details below].
14. Contact Us.
If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact us at firstname.lastname@example.org.