Who are we?
We (“This Is Language Ltd”, “TIL” and/or “us” or “we”) ) are an EdTech company who provide online services (the “Services”) to schools and other educational establishments (“School” or “you”) to help them teach Modern World Languages. We are a company registered in England and Wales whose registered office is at 41 Cornmarket Street, Oxford, England, OX1 3HA United Kingdom with company number 07792177.
What are our legal documents?
Terms and Conditions - For all of our School clients. These contain the legal terms and conditions on which we provide our Services to the Schools.
GDPR Compliance Statement - For all of our School clients based in the EEA. It explains how we process the Personal Data that you hold within the School that you share with us.
Usage Policy - For all users of our Services and visitors to our website. It explains what standards we expect of you when you use our website, such as the copyright to our videos.
You are currently reading our GDPR Compliance Statement
Who should read this GDPR Compliance Statement?
This Statement should be read by all of our School clients based in the EEA. It explains how we process the Personal Data that you hold that you share with us (“School Personal Data”).
In order to carry out our Services for our clients, TIL needs certain limited Personal Data about teachers and students which it obtains from its schools and as a result is a Data Processor for the purposes of Data Protection Law.
TIL has appointed two Data Protection Managers who will deal with all requests and enquiries concerning TIL’s uses of School Personal Data and endeavour to make sure that all School Personal Data is processed in compliance with this Policy and with the GDPR.
Requests and enquiries should be sent to the Data Protection Managers at firstname.lastname@example.org
The GDPR sets out specific principles around the handling of Personal Data with which TIL complies:
We only process Personal Data for the specific purpose of providing the services to our clients.
We only process the absolute minimum of Personal Data to provide the services.
As much as possible we keep Personal Data accurate and up-to-data (though we do expect teachers to let us know of name changes, spelling errors or class changes etc).
We only keep Personal Data for as long as is necessary to perform the services of the contract.
We make absolutely sure that all Personal Data collected and held is kept as secure as possible against any data breach.
The types of Personal Data processed by TIL will include:
Names, email addresses, telephone numbers (where given) and passwords (cryptographically hashed) of teachers.
Names or aliases, email addresses or usernames and passwords (cryptographically hashed) of students.
TIL is given this Personal Data by the School via its teachers and IT staff. We do not share Personal Data with any third parties. However some Personal Data may be transferred to third-party software services such as AWS (where we host the website), Xero (where we process accounts) and Campaign Monitor (from where we send out our newsletter). All such third-party software services are we believe GDPR compliant.
We do not keep your Personal Data for longer than is necessary to carry out the contract. All Personal Data will be deleted within a year after the termination of the contract.
TIL makes use of a number of publicly viewable leaderboards on our Website. We use these to encourage students, classes and teachers. All leaderboards are reset each week. Clients can choose to opt out of being displayed in any leaderboard.
Our website is hosted in the EEA and as such School Personal Data is not normally transferred outside of the EEA. However, some of our third party software services (such as Xero where we process accounts and Campaign Monitor from where we send out our newsletter) are hosted outside the EEA. Where School Personal Data is transferred outside the EEA in these cases it is always to third party software services which are hosted in countries which have the sufficient level of data protection as is required by the GDPR. Such third parties all have publicly available GDPR statements.
We take the protection of School Personal Data extremely seriously and we always have, even before the GDPR. In particular we have taken appropriate technical and organisational steps to ensure the security of School Personal Data, including company policies around the use of technology and devices and access to third party management software. All TIL employees and contractors have a copy of this policy, have been made aware of their duties under the GDPR and have received relevant training in how to protect your Personal Data. Such duties include but are not limited to:
Email - as much as possible we avoid transferring any Personal Data over email.
Printouts - we make every effort not to print out any Personal Data. If we do for the purposes of carrying out the services we will shred such data once it is no longer needed.
Storage - any Personal Data the company holds is stored on secure local devices or in third-party cloud services which are GDPR compliant.
Backups - TIL carries out backups of our Database on a daily basis. These backups are automated.
Disposal - when Personal Data is no longer needed for the purposes of carrying out the contract such Personal Data will be securely deleted and disposed of.
Sharing Personal Data - no Personal Data may be shared informally and only those employees or contractors who need access to Personal Data will be given access to it.
We are a small company and all of our employees are appropriately trained up in this policy. TIL is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of individuals with whom we deal.
All Personal Data breaches must be reported immediately to TIL’s Data Protection Managers. If a Personal Data breach occurs that is likely to result in a risk to the rights and freedoms of our clients, the Data Protection Managers will liaise with the School to ensure that the Information Commissioner’s Office is informed of the breach without delay and, in any event, within 72 hours after having become aware of it.
This Policy shall be deemed effective as of 16 May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.