European Union Region Product Privacy Notice Addendum

Effective Date: 28 June 2022 

This European Union Region Addendum applies to you if you are located in the European Economic Area (“EEA”). This Addendum should be read in conjunction with our global Instructure Product Privacy Notice (“Privacy Notice”).  In the event of any conflicts, this Addendum will prevail.

This Addendum will inform you as to how we collect, process and use your personal data in connection with the use of our Products and in compliance with EU General Data Protection Regulation (“GDPR”) and applicable national data protection laws. This European Addendum is applicable when you use our Products in the European Economic Area (EEA) or in the United Kingdom (UK).

This European Annex concerns processing by us for our own purposes as a Data Controller. 

Whenever we provide our Products to our customers (such as Universities and other Academic Institutions, etc.), they act as Data Controllers in respect of personal data uploaded to our Products or otherwise processed in connection with the use of Products and Instructure only processes the personal data on behalf of the corporate customer. For more information about the type of information processed in this respect, please make sure to consult their specific privacy notice. 

1. Data Controller.

The Data Controller for the processing described in this European Annex is Instructure Global Limited.

Instructure Global Ltd

New Penderel House, 4th Floor

283-288 High Holborn

London, UK WC1V 7HP

0900 358 4330

To contact our Data Protection Officer, please use the following: privacy@instructure.com 

Information Collection.

We may collect, use, store and transfer different kinds of personal data about you. In most situations the information is collected directly from you when you use our Products or interact with us. When you interact with our Products, we may automatically collect technical and usage data about your equipment, browsing actions and patterns. To the extent cookies and similar technologies are used for the purposes of collecting technical data, please see our Cookie Policy for more information.

We have set out below, a description of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate. 

When we offer our Product, Portfolium, directly to our consumer customers, the following type of personal data are collected:

When we offer our Products to our corporate customers (e.g., Universities or other Academic Institutions) we process the following type of personal data (as a Data Controller):

To the extent that we have referred to our legitimate interest as the legal basis for the processing of personal data specified above we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. Please contact us by email at privacy@instructure.com if you wish to receive more information on the balancing test.

We do not engage in automatic decision making, advertising to students, or profiling. 

2. Disclosure of Information.

Commonly owned entities. We may share your personal data with companies under common ownership or control of Instructure, including affiliates and subsidiaries.  This processing is based on our legitimate interest to transmit personal data within the group for internal administrative purposes, such as for the purposes of alignment of business operations and providing our Products.

Third-party service providers. We may share your personal data with authorised third-party service providers for the sole purpose of providing you with our Products. For example, we may share information with service providers who host our Products. 

We do not permit our third-party service providers to use personal information we share with them for their own advertising or marketing purposes, or for any other purpose other than in connection with the services they provide to Instructure. 

As required by law. In certain circumstances, we may be required to disclose information, including personal data, for example, we may need to comply with legal or regulatory processes (such as a judicial proceeding, court order, or government inquiry).

Change of Control. We may share information about you in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.  In the event that information is shared in this manner, notice will be posted on our website at www.instructure.com.

3. Transfers to Third Countries.

Our affiliates and some of our third-party service providers are established outside the European Economic Area (EEA) and the UK, including in the US, so their processing of your personal data will involve a transfer of your personal data outside the EEA and the UK and that may allow access of state authorities to this data. However, to ensure that your personal data receive an adequate level of protection we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission (or in the case of the UK, the UK government) have deemed the country to provide an adequate level of protection for personal data; or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in EEA or the UK. 

If you require further information about our Affiliates and current third party service providers established outside the EEA or the UK and the safety measures in place to allow for the transfer of personal data, you can request it from us – please send your request to us by email at privacy@instructure.com.

4. Retention of Information.

We retain personal data we collect where we have an ongoing legitimate need to do so. When we have no ongoing legitimate need to process your personal data, we will either delete or anonymize it.

• We will retain your consumer data for account management purposes until you delete your account (or its content).
• The data about our corporate customers for purposes of contract management and customer relationship will be retained during our customer relationship and in accordance with applicable accounting and tax laws.
• Technical and usage data collected for analytics and product improvement purposes will be retained for a reasonable amount of time from the collection of data.
• Interaction data will be processed as long as the inquiry/support case has been solved.

Data may be retained for a longer period if we are legally obliged to do so, or if retention is necessary to establish, exercise or defend legal claims.

5. Your rights.

You have certain choices available to you when it comes to your personal data. Below is a summary of those choices, how to exercise them and any limitations.

Under certain circumstances, you have the right to:

• Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. (Art. 15 of GDPR) 
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. You may also change some of your personal information by editing your Product profile. (Art. 16 of GDPR)
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. (Art. 17 of GDPR)
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. (Art. 21 of GDPR)
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it. (Art. 18 of GDPR) Request the transfer of your personal information to another party (also known as data portability) where processing is based on our contract with you or on your consent. (Art. 20 of GDPR)
• Where our processing is solely based on your specific consent you have the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. (Art. 7 of GDPR)

If you wish to exercise any of the data protection rights that are available to you then please send your request to us by email at privacy@instructure.com and we will action your request in accordance with applicable data protection laws. 

You have the right to complain to your local data protection authority within the EU (or the ICO if you are based in the UK) if you are unhappy with our data protection practices. (Art. 77 of GDPR).

6. Security of Your Information.

We take reasonable steps to help protect your personal data in an effort to prevent unauthorised access, use, or disclosure. You can find more details about our security program by visiting our security webpage here and reviewing our Security and Due Diligence Documents.

Despite these measures, you should know that we cannot fully eliminate security risks associated with personal data. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee absolute security. Any content you post or input you provide while using our Products is at your own risk.