GDPR Data Subject Rights

Last updated: January 1, 2025

1. Who This Applies To

This guide applies to individuals in the European Economic Area (EEA), United Kingdom (UK), and Switzerland whose personal data is processed by SMERP EDU. Similar rights may apply under other privacy laws (such as CCPA for California residents).

2. Your Rights Under GDPR

2.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data along with information about:

• The purposes of processing
• The categories of personal data concerned
• Recipients or categories of recipients
• The retention period or criteria for determining it
• Your other rights (rectification, erasure, restriction, objection)
• The right to lodge a complaint with a supervisory authority
• The source of the data (if not collected from you)
• The existence of automated decision-making, including profiling

Response time: Within 30 days of your request.

2.2 Right to Rectification (Article 16)

You have the right to correct inaccurate personal data and to have incomplete personal data completed.

How to exercise: For most data, you can make corrections directly in your account settings. For data you cannot edit yourself, submit a rectification request.

2.3 Right to Erasure / Right to Be Forgotten (Article 17)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for its original purpose
• You withdraw consent (where consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required by law

Exceptions: We may retain data where necessary for:

• Compliance with legal obligations
• Establishment, exercise, or defense of legal claims
• Public interest in the area of public health
• Archiving purposes in the public interest, scientific/historical research, or statistics

2.4 Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your personal data when:

• You contest the accuracy of the data (during verification)
• Processing is unlawful but you prefer restriction over erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)

When processing is restricted, we will only store the data (not process it) unless you consent or for legal claims.

2.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller when:

• Processing is based on consent or a contract; and
• Processing is carried out by automated means

Format: We provide data exports in JSON or CSV format.

How to exercise: Use the data export feature in your account settings or submit a portability request.

2.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or public interest. We must stop processing unless we demonstrate compelling legitimate grounds that override your interests.

Direct marketing: You have an absolute right to object to processing for direct marketing purposes. You can opt out of marketing communications at any time via email preferences or by contacting us.

2.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, unless:

• It is necessary for a contract between us
• It is authorized by law
• It is based on your explicit consent

Our practices: SMERP EDU does not make solely automated decisions that produce legal or significant effects on individuals. Human oversight is involved in significant decisions.

2.8 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

3. How to Exercise Your Rights

3.1 Self-Service Options

Many rights can be exercised directly through your account:

• Access your data: View your profile and stored information in account settings
• Correct data: Edit your profile information directly
• Export data: Use the data export feature
• Delete account: Request account deletion in settings
• Marketing preferences: Manage in notification settings

3.2 Submit a Formal Request

For requests that cannot be handled through self-service, or if you prefer to submit a formal request:

Please include:

• Your full name and email address associated with your account
• The specific right(s) you wish to exercise
• Any details that help us locate your data
• Your preferred response format (if applicable)

3.3 Verification

To protect your privacy, we verify your identity before processing requests. We may ask you to:

• Confirm details only you would know about your account
• Respond from your registered email address
• Provide additional identification documents (for sensitive requests)

4. Response Timeline

5. Fees

Exercising your rights is free. However, we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive (particularly repetitive requests). If a fee applies, we will inform you before proceeding.

6. When You Are an End User

If your data is processed through SMERP EDU because your school or institution uses our service, your institution is the data controller. In this case:

• Contact your institution first to exercise your rights
• Your institution can request data exports or deletions through their admin panel
• We will assist your institution in responding to your request

If you need to contact us directly about data processed by an institution, please include the institution name in your request.

7. Children's Data

For children under 16 (or younger depending on the member state), parents or guardians may exercise rights on behalf of the child. Schools may also exercise rights as authorized by parents under their agreements with parents/guardians.

8. Right to Lodge a Complaint

If you believe we have not handled your request appropriately, you have the right to lodge a complaint with a supervisory authority. You can contact:

• The supervisory authority in your country of residence
• The supervisory authority in your country of work
• The supervisory authority where you believe the infringement occurred

For a list of EEA supervisory authorities, visit the European Data Protection Board website.

We encourage you to contact us first so we can address your concerns directly.

9. UK-Specific Information

For individuals in the United Kingdom, your rights under the UK GDPR are substantially similar to EU GDPR rights. The relevant supervisory authority is:

10. California Residents (CCPA/CPRA)

California residents have similar rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including:

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of sale (we do not sell personal information)
• Right to non-discrimination
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

To exercise CCPA rights, contact us using the same process described above.

11. Contact Information