EXIN Privacy Statement Version June 26, 2019
This privacy statement explains how EXIN handles the personal data that we collect for the performance of our services. EXIN respects your privacy and is committed to protecting and handling your personal data with the greatest care.
Last updated: June 26, 2019
1. Who are we?
Since 1984, EXIN has been a leading independent exam and certification institute, with offices in various countries, that conducts exams all over the world. EXIN offers independent exam, certification and accreditation services, and assesses competencies of professionals.
In principle, EXIN Holding B.V. (“EXIN”), established in Utrecht at the Arthur van Schendelstraat 650, the Netherlands, is, as data controller, responsible for the processing of all your personal data.
This applies when you subscribe to one of EXIN’s examinations or assessments, or when you are personally accredited by us. It also applies when you subscribe to an examination through one of our partners (such as an accredited examination organization) or cooperate or have contact with a local EXIN office.
However, if you participate in an e-CF® NEXT Personal Profile Assessment through a third party, such as your employer, an HR advisor, an intermediary organization or any other agent (“Assessment Organization”), then this party will primarily be responsible, as data controller, for the processing of your data.
In that case, EXIN will process your data only on the instructions of the third party. This means that the third party will determine for which purposes your data are processed, who has access and how long they will be retained. The third party is the first contact point for matters related to the processing of your data, and for more information on the processing of your data you can contact your Assessment Organization. However, EXIN is, as data controller, responsible for the processing of data related to your e-CF® NEXT Personal Profile Assessment in so far as EXIN uses these data for statistical analysis. Read more about this topic under “Statistical Analysis” in Section 3.
2. Which data does EXIN collect?
EXIN collects and processes the following personal data:
- For all of our services: your name, job title and contact information;
In order to make use of our services or to be accredited by us, you must be registered with us. We will ask you to provide personal data, including your name, job title, home address, e-mail address and other contact information. The information we ask you to provide depends on the service. The provision of specific data can be required to use our products and services. This will be shown when the information is requested. If your employer or Accredited Training Organization or Accredited Exam Organization creates an account on your behalf, we will also register the name of that employer or Accredited Training Organization or Accredited Exam Organization. The same applies if you subscribe to an examination through one of our partners, such as an Online Proctoring or Computer Based Test Agency.
You will receive a temporary password, which enables you to log on to your Candidate Portal or to our secure online platform. You will have to change this password after you log on for the first time. Your password is captured in encrypted form only and cannot be read by us.
- Examinations: the examination to which you subscribe, payment information, attendance during the examination, examination results and certificates obtained by you, and any fraud that may have been detected;
If you subscribe to an examination, we will register the type, time and location of that examination, payment information (costs of the examination, payment method, whether payment is made by you or by a third party like your employer), your attendance during the examination, your examination work, the evaluation of the examination, the result of the examination, the related certificate and other information provided by you to us in the context of the examination. We also register any fraud detected and other infringements of the examination rules that are relevant for certification.
- e-CF® NEXT Personal Profile: information provided by you online and the results of the e-CF® NEXT Personal Profile Assessment;
If you are taking an e-CF® NEXT Personal Profile Assessment, we will register the type of assessment you take, your answers to the questions, the time the answers were given and the assessment result. In principle, we will only collect and process data to create an e-CF® NEXT Personal Profile.
- Accreditation of Trainers or Supervisors or an individual acting on behalf of an Accredited Training Organization or Accredited Exam Organization: information relating to your accreditation.
If you are accredited by EXIN as a trainer, supervisor or order person, we will collect and process your contact information. Read more under “Contact Information” in Section 2. If you are a trainer, we will also collect and process information on previous education, certificates, work experience as indicated in your curriculum vitae, et cetera.
3. For which purposes will your data be processed?
EXIN collects and uses your personal data:
- To activate and manage your user account or login to our portals and online platforms, and to enable you to use related functionalities;
Your user data will allow you to log on safely to your online examination account, the Candidate Portal. Once you are logged in, you can easily change your contact information. Through your account you can also review your examination results or download certificates. It also allows you to add documents to your account, such as evidence or certificates of training programs attended elsewhere. And finally, you can subscribe and unsubscribe to our newsletter through your account.
- To supply examination services to you;
If you take an examination with us, we will use your data to:
- Administer and assess examinations;
- Issue personal examination results, certificates and digital badges (the latter through EXeed.pro);
- Save your examination results to our examination database and manage that database;
- Meet all requirements applicable to administering and assessing examinations;
- Establish if any fraudulent acts have been committed during the examination;
- Take measures if fraud or other infringements of the rules and regulations for examinations were detected; measures taken either to prevent further fraud or infringement in the future, or to enforce the rules and regulations for examinations;
- Verify the authenticity of certificates and/or digital badges and give requests or information about them;
- Evaluate examinations and develop new examinations (read more under “Statistical Analysis” in Section 3);
- Help our partners improve the training course you took to prepare for the examination.
- To allow you to take an e-CF® NEXT Personal Profile Assessment;
With your user data, you can log on safely to the e-CF NEXT Platform. If you participate in an e-CF® NEXT Personal Profile Assessment, we will use your data, primarily in assignment
- To map your competencies and test your competency levels;
- To save the results of the e-CF® NEXT Personal Profile Assessment to our assessment database and manage that database;
- To process the results of the assessment in a report and share it with you and/or our e-CF® NEXT customer.
In addition, we will enable the e-CF® NEXT customer to use analytical tools to analyze your data. Our e-CF® NEXT customer is responsible for using these data in compliance with statutory provisions and agreements made with you, if any.
- For our own administration;
We use your personal data for internal administration purposes, such as record keeping and to comply with our legal and fiscal obligations.
- To provide personal accreditation services;
If you are personally accredited with EXIN as a trainer, supervisor or order person or seek such accreditation, we will use your data to register and assess the accreditation.
- To provide information and reply to your questions;
If you ask us any questions or if we need to provide information to you (e.g. regarding exams, results, cancelations, etc.), we will use your data to contact you.
- To perform statistical analyses and publish aggregated reports based on these;
EXIN performs statistical research on general trends in the use of our services and the results of assessments and examinations. For this purpose, we use aggregated information only, decoupled from your name, e-mail address and phone number. For these research activities, we have created a separate database in which we combine and subject to research the following data of our candidates, in so far as you have provided them earlier in the process: function, organization type, year of birth, city or region you work in and data we collect and process when you take part in an examination or assessment, including the results.
The research results are reported at an aggregated level and accessible to those persons within EXIN who are authorized to take cognizance of them or may be provided to third parties for scientific research. We use the reports for the evaluation and improvement of our services. We also share the results of our analyses with third parties like e-CF® NEXT customers that make (or wish to make) use of our services. In that context, we communicate only general conclusions that cannot be traced back to individuals or specific Assessment Organizations. In addition, we enable e-CF® NEXT customers to use analytical tools for comparing data of their candidates with aggregated data of other candidates.
- To send you our newsletter or for personalized offers on examinations or other EXIN services;
Results of statistical analyses will not be used for marketing activities targeted especially at you, unless with your prior consent. Also, we will only use the results of your e-CF® NEXT Personal Profile Assessment and examinations for sending you special offers or promotions by e-mail that match your competences, level of education and working experience, if you have given us permission to do so. You can unsubscribe from these messages at any time, in which case EXIN will immediately stop sending them. However, in that case we will continue to use your data at an aggregated level for statistical analyses. Read more about this topic under “Statistical Analysis” in Section 3.
- To comply with statutory rules and regulations.
EXIN collects, stores and uses your data to comply with EXIN’s legal and fiscal obligations.
4. Legal basis for processing personal data
EXIN processes your personal data to provide our products and services to you, to comply with legal obligations we are subject to, if it is necessary for our legitimate interests or the interests of a third party, or on the basis of consent.
When we process your personal data for our legitimate interests or the interests of a third party, we have balanced these interests against your legitimate interests. Where necessary we have taken appropriate measures to limit implications and prevent unwarranted harm to you. Our legitimate interests may, for example, include our interest in improving our products and services. More information on the balancing tests we perform is available upon request. Where we process your personal data for our legitimate interests or the interests of a third party, you have the right to object at any time on grounds relating to your particular situation (please see Section 11 “Your rights” below).
Where we process your personal data on the basis of your consent, you may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent, by adjusting your settings (if available) or by reaching out to us.
Where we process your personal data for a purpose other than that for which we collected it initially (and we rely on a legal basis other than consent or complying with legal obligations for this new purpose), we will ascertain whether processing for this new purpose is compatible with the purpose for which the personal data were initially collected.
5. In which way does EXIN obtain data?
EXIN obtains your personal data in several ways.
We obtain personal information about you when you apply for one of our services.
If the application is performed by your employer or through one of our partners, e.g. an accredited examination center, Prometric or Pearson VUE, Online Proctoring Service Providers or by our e-CF® NEXT Customer, we will receive your data through that party. In addition, we will receive personal information about you in the provision of our services, that is, when you take an examination or participate in an e-CF® NEXT Personal Profile Assessment: when you take an examination or fill out an assessment form, you will give us information about your education, diplomas, working experience or share professional documents with us.
EXIN also receives personal data through your EXIN examiners, assessors and experts who assess your competencies and through the reference check after you have given us permission to do so.
Aside from that, we obtain information about you by linking the results of statistical analysis to your results, again only with your explicit consent. Data collected by EXIN through its websites can be matched with data you have shared with EXIN at another time, for example when the supervisor fills in the attendance list for an examination.
6. Who has access to your data?
In view of the purposes mentioned above, or in the context of its service provision, EXIN may share, pass on or in any other way make accessible your personal data to EXIN group companies, other service providers and third parties for scientific research.
We have an authorization policy for our systems so that persons and organizations only have access to your data in so far as this is necessary for the performance of their tasks and within the framework of the purposes mentioned. All these individuals and organizations have agreed to treat your data confidentially and with the greatest care.
Aside from that, the extent to which we share your data and with whom depends on the service required.
To take exams, we use certain service providers such as Computer Based Testing Agencies (located in the U.S. and Japan) and Online Proctoring Service Providers (located in the U.S.).
In order to assist our partners in improving their training courses and to enable them to provide you feedback on your examination, the results of your examination will be shared with the provider of the training course you took to prepare for the examination.
Every individual who has your name and certificate number may use our website to verify the authenticity of your certificate.
If you register as a trainer or supervisor through a partner accredited by EXIN, your data will be accessible to that partner. If you have been accredited as a trainer for specific programs that we offer in collaboration with a third party, we will share your data with that third party.
e-CF® NEXT Personal Profile Assessment
In case of an e-CF® NEXT Personal Profile Assessment, the e-CF® NEXT Customer requesting the assessment will have full access to the results. If several organizations are involved in the e-CF® NEXT Personal Profile Assessments (e.g. your employer and an intermediary organization), these organizations will possibly exchange information about you, depending on the agreements you made with them.
Parties that have access to your data may be established in countries that have a milder privacy regime than the Netherlands. If such is the case, EXIN will ensure that appropriate measures are taken and that all statutory rules and regulations are observed. For transfers of personal data outside the European Economic Area, EXIN will use European Commission approved mechanisms, such as the Privacy Shield certification, and Standard Contractual Clauses as safeguards, such as the “(EU-)controller to (Non-EU/EEA-)controller” Decision 2004/915/EC (see Article 46 GDPR). If you wish to receive a copy of these safeguards, please contact us.
EXIN shall implement appropriate technical and organizational measures to ensure an appropriate level of security against unlawful use, unauthorized access, alteration or unlawful destruction of your personal data. EXIN has an Information Security Management System based on ISO/IEC 27001.
8. Retention Period
EXIN retains your personal data as long as necessary in view of the purposes set out above, or as long as prescribed by law. Based on these purposes, EXIN has determined three separate retention periods for different sorts of personal data consisting of 6 months, 7 years and 30 years.
Personal data that has no purpose to be archived will be deleted or anonymized within 6 months. For example, if you take part in an e-CF® NEXT Personal Profile Assessment through an e-CF® NEXT Customer, EXIN will delete your data once the agreement between EXIN and the e-CF® NEXT Customer terminates.
Personal data that is required for EXIN to comply with EXIN’s legal and fiscal obligations will be kept for 7 years, after which it will be deleted or anonymized.
After such 7 years, EXIN will only keep records of personal data that are needed to provide you with evidence of the certificates obtained by you and other information relevant for certification (e.g. registrations of any fraud detected and other infringements of the examination rules). EXIN will delete or anonymize these records after 30 years, or sooner when requested by you in accordance with Section 11 “Your rights”.
10. Links to other websites
On our website, you can find several links to websites of third parties. If you follow these links, you will leave the EXIN website. Although all links have been selected with care, EXIN cannot be held responsible for the use of data by these organizations. To learn more, read the privacy statement of the website you visit, if available.
11. Your rights
You may contact our Privacy Office (please see below) to exercise any of the rights you are granted under applicable data protection laws, which include (1) the right to access your data, (2) to rectify them, (3) to erase them, (4) to restrict the processing of your data, (5) the right to data portability and (6) the right to object to processing.
1. Right to access
You may ask us whether or not we process any of your personal data and, if so, receive access to that data in the form of a copy. When complying with an access request, we will also provide you with additional information, such as the purposes of the processing, the categories of personal data concerned as well as any other information necessary for you to exercise the essence of this right.
2. Right to rectification
You have the right to have your data rectified in case of inaccuracy or incompleteness. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement.
3. Right to erasure
You also have the right to have your personal data erased, which means the deletion of your data by us and, where possible, any other controller to whom your data has previously been made public by us. Erasure of your personal data only takes place in certain cases, prescribed by law and listed under article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data are no longer necessary in relation to the initial purposes for which they were processed as well as situations where they were processed unlawfully. Due to the way we maintain certain services, it may take some time before backup copies are erased.
4. Right to restriction of processing
You have the right to obtain the restriction of the processing of your personal data, which means that we suspend the processing of your data for a certain period of time. Circumstances which may give rise to this right include situations where the accuracy of your personal data was contested but some time is needed for us to verify their (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted.
5. Right to data portability
Your right to data portability entails that you may request us to provide you with your personal data in a structured, commonly used and machine-readable format and to have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller.
6. Right to object
You also have the right to object to the processing of your personal data, which means you may request us to no longer process your personal data. This only applies in case the ‘legitimate interests’ ground (including profiling) constitutes the legal basis for processing (see Section 4 “Legal basis for processing personal data” above).
At any time and free of charge you can object to direct marketing purposes in case your personal data are processed for such purposes, which includes profiling purposes to the extent that it is related to such direct marketing. In case you exercise this right, we will no longer process your personal data for such purposes.
You may withdraw your consent at any time by following the specific instructions in relation to the processing for which you provided your consent.
For example, you may withdraw consent by clicking the unsubscribe link in the email, adjusting your communication preferences in your account (if available) or by changing your smartphone settings (for mobile push notifications and location data).
To exercise any of the abovementioned rights, please contact us using the contact details stated under Section 13 below.
12. How we look after this policy
13. Contact details
If you have any questions regarding this policy or the processing of your personal data, please contact us:
EXIN Holding B.V.
Attn. Privacy Office
Arthur van Schendelstraat 650
3511 MJ UTRECHT