In addition, Fiction Express may process personal data on behalf of the (i) Independent Student as a Data Processor for which we make available herewith the relevant Data Processor Addendum ("DPA").
1. Identity of the Data Controller
Fiction Express will act as the Data Controller with respect to certain personal data indicated below. For these purposes, the information of Fiction Express as Data Controller is as follows:
- Data Controller: Fiction Express Education SL
- VAT nº: B65689804
- Address: Carrer Estruc 9, 08002 Barcelona
- Contact: firstname.lastname@example.org
2. Data processing
Fiction Express may provide the Service using unique registration codes printed in textbooks and similar documents and/or materials. These registration codes have been provided in the past to a distribution partner ("Distribution Partner") by Fiction Express and may be used in accordance with the Distribution Agreement signed between the Distribution Partner and Fiction Express.
When Fiction Express enters into a Distribution Agreement with a Distribution Partner that establishes a new way of registering students, Fiction Express will, from a data protection perspective, act as the Data Controller of the student and teacher contact details involved during registration and the management of our relationship with them, that is, the data provided during the account set-up phase and necessary for proper management during the term of the subscription, as determined below.
a) Data collected and purpose
- Students: each textbook has a unique registration code printed on it. Students access the platform via the URL printed in their books. Each code is initially validated, and each code can only be activated once. Once the code is validated, in order to proceed with the registration, the student accesses the registration page and we ask them to provide the following personal data: first and last name, e-mail, password, age (under or over 14 years old), school name, district, state/province. Only when a student selects the option "I am under 14 years old" do two new fields appear, in which the legal guardian checkboxes must be correctly filled in and completed by the student's legal guardian.
- Teachers: to register and participate as a member of Fiction Express, we ask the teacher to provide the following personal information: first and last name, e-mail, password, school name, district, state/province.
b) Legal basis
We use the Teacher and Student personal data to manage the contractual relationship and provide our Services efficiently and to obtain more information about the school in order to sell the full Fiction Express licence in the coming year.
3. Retention period
We keep this personal data for the duration of the contractual relationship and subsequently store it in a secure backup file for the corresponding legal periods for the purpose of responding to any legal, fiscal and administrative liability that may arise from the contractual relationship.
4. Data sharing
Fiction Express informs you that, in order to fulfil the purposes described above, it may share the personal data indicated in paragraph 2 a) with: our third-party service providers, for providing their services, which we indicate below:
- Rocket Science Group Mailchimp (United States): mailing service provider. Mailchimp is located outside the European Economic Area (EEA) in countries that may not provide adequate general safeguards for the protection of personal data. However, Mailchimp provides the European Commission's Standard Contractual Clauses providing adequate safeguards. The Standard Contractual Clauses are available at: Mailchimp, Data Processing Addendum.
- Zoho Corporation (United States): provider of CRM services. Zoho is located outside the European Economic Area (EEA) in countries that may not provide adequate general safeguards for the protection of personal data. However, Zoho has provided the European Commission's Standard Contractual Clauses providing adequate safeguards. The Standard Contractual Clauses can be consulted at: ZOHO, Data Processing Addendum.
- Sentry Inc (United States): bug tracking service. Sentry is located outside the European Economic Area (EEA) in countries that may not provide adequate general safeguards for the protection of personal data. However, Sentry has provided the European Commission's Standard Contractual Clauses providing adequate safeguards. The Standard Contractual Clauses can be consulted at: https://sentry.io/legal/dpa/1.0.0/#data-transfers.
- Amazon Web Services (Ireland): hosting service. You can consult the Data Processing Addendum at AWS GDPR Data Processing Addendum.
- Hotjar is a web analytics tool that collects data on visitor interaction through heatmaps, session recordings, and surveys, providing valuable insights for analyzing and optimizing the user experience. Hotjar is located in the European Union (EU). The company is based in Malta, a member country of the EU. Hotjar ensures the security of transferred data. The company implements robust security measures to protect the collected data’s confidentiality, integrity, and availability. Additionally, it complies with privacy and data protection standards established by the European Union regulations, such as the General Data Protection Regulation (GDPR). The Standard Contractual Clauses can be consulted at: Hotjar Data Processing Agreement.
- Authors: when a School requests us to do so, we share with our authors the name of the Resource Manager and the School, to allow our authors to communicate with them to share some time with him/her and the students.
- Fiction Express Group companies, to manage service provision, for accounting and reporting purposes, and to analyse and improve our services and customer service.
- Third party professionals with whom we must share information to investigate suspected fraud, harassment or other violations of any law, rule or regulation, or website policies.
- Investor/Buyer. Fiction Express may share personal data, in addition to its group companies, with any company interested in buying Fiction Express or a part of its business and, accordingly, give access to any national or international auditors to carry out their due diligence where such processing is essential to the successful completion of the business transaction. As indicated in article 21 of Spanish data protection law, if the transaction is not completed, the data must be immediately deleted by the receiving entity.
If the School's representative agrees to receive marketing communications from us, we may send them via:
- Email/transactional email: all news about new books and new features or general communications will be via email.
- Postal mail: from time to time, we may send letters to schools, flyers or any information deemed interesting for schools, parents and/or students related to our Service.
If the Independent Student does not wish to receive commercial information about us, it is possible to unsubscribe by sending an email to email@example.com indicating the opt-out from receiving commercial communications, by clicking on the unsubscribe link in our email communications, or by opting out from the user panel (E-mail preferences). Please remember that opting out of all emails means that we will never be able to communicate with you and your experience with the resource may not be as desired.
We have a certified secure Site served over the HTTPS protocol. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect personal information, we cannot guarantee its absolute security.
Account information for Fiction Express subscribers is password-protected so that only subscribers have access to this personal information. Subscribers may edit their account information on the user panel on the Site. We recommend that you do not divulge your password to anyone. It is your responsibility to ensure that students at your establishment keep their passwords secure. Fiction Express does not have access to your password nor to your students’ data, and we will never ask you for your password in an unsolicited phone call or in an unsolicited email. Also remember (and remind your students) to sign out of your Fiction Express account and close your browser window when you have finished your activities when using a public computer. This is to ensure that others cannot access your personal information and/or correspondence if you share a computer with someone else or are using a computer in a public place such as a library.
7. Data subject rights
Resource Managers and all school contacts, as data subjects, have the following rights under data protection laws in relation to their personal data:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to the processing in this area, which you consider may impact on your rights and freedoms. You also have the right to object where we process your personal data for direct marketing purposes. In some cases, we can demonstrate that we have compelling legitimate grounds for processing your information that override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party (right to data portability). We will provide you, or a third party you have chosen, with your personal data in a structured, commonly used and machine-readable format. Please note that this right only applies to automated information that you initially provided us with your consent for us to use or where we use the information to perform a contract with you.
- Withdraw consent at any time where we rely on consent to process your personal data. However, this will not affect the processing that is required for the performance of the contract with Fiction Express or for our legitimate interests, nor the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide you with certain products or services. We will inform you if this is the case at the time you withdraw your consent.
The aforementioned rights may be exercised by contacting us at firstname.lastname@example.org. We may request a copy of the ID card or equivalent supporting document to verify the identity of the data subject for the purpose of processing the request for rights.
- Updated February 2021 -