NWEA MAP Growth GDPR Overview
Introduction
The European Union's General Data Protection Regulation (GDPR) has applied since May 25, 2018. It replaced the Data Protection Directive 95/46/EC and introduced new protections for EU data subjects, together with new obligations for organizations like NWEA (processors) and for our partners (controllers). More recently, the Court of Justice of the European Union ("CJEU") issued its judgment in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems ("Schrems II"). The purpose of this overview is to give our educational partners ("partners") a high-level description of how NWEA MAP Growth complies with the GDPR and of the role partners, as controllers, play in supporting NWEA's compliance.
As a data processor, NWEA understands its obligations to comply with the GDPR. Our GDPR program includes:
Data Subject Requests: Partners, as controllers, are primarily responsible for verifying and responding to data subject requests (e.g. data portability, erasure, access and rectification) and for notifying NWEA if a request affects personal data processed by NWEA. If NWEA receives a data subject request directly, it will forward the request to the applicable partner, as controller, for response and fulfillment and for direction as to the action NWEA should take, except where NWEA is legally required to respond to the data subject itself.
Data Portability Right. The GDPR gives data subjects the right to receive the personal data concerning them. Controllers must provide the data in a commonly used, machine-readable format, and data subjects have the right to have that data transmitted directly to another controller. In support of this, MAP Growth allows controllers to download a data subject's MAP Growth data in .CSV format, which the partner can then provide to the data subject. Data portability requests sent to NWEA are handled as described under Data Subject Requests above: they are forwarded to the applicable partner (the controller) for response, fulfillment and direction, except where NWEA is required to respond directly to the data subject.
Right to Erasure. The GDPR recognizes the right to erasure. Controllers must erase personal data without undue delay when the data is no longer needed, and must instruct third parties that process the data on their behalf, including processors, to erase it. Data subjects also have the right to withdraw consent. If a partner receives an erasure request or a withdrawal of consent from a data subject, or determines that the data is no longer needed, the partner shall send a written request to NWEA by email to legalservices@nwea.org that includes: (i) the requestor's name, title and contact information; (ii) the name of the requesting school or entity, with its NCES number (if applicable); (iii) a request to erase the data subject's information; (iv) the data subject's first and last name; and (v) an attestation that the requestor is duly authorized and has the legal capacity to make the request.
Right to Rectification & Access. If a data subject requests rectification of inaccurate personal data, NWEA will work with the applicable partner's administrator to correct that information.
Data Security. As a processor of personal data, NWEA develops and implements privacy and information security measures designed to protect the confidentiality, integrity and availability of the personal data its partners provide, including student data. Personal data is processed in a manner that ensures its appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures. Further information on MAP Growth's data security measures can be found in NWEA's MAP Growth Security Whitepaper: https://legal.nwea.org/map-growth-information-security-whitepaper.html. NWEA also conducts information security and privacy training for employees, including GDPR training for the internal departments that have access to personal data subject to the GDPR.
Breach Notification. If a breach of security leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by NWEA, NWEA will notify the applicable controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the confirmed incident. The controller is responsible for determining whether to notify the applicable supervisory authority and any affected individuals. Under the GDPR, notification to individuals is not required if: (i) the breach is unlikely to result in a high risk to the rights and freedoms of the data subject; (ii) appropriate technical and organizational protections were applied to the affected data at the time of the confirmed incident (e.g. the data was encrypted); or (iii) individual notification would involve disproportionate effort, in which case a public communication or similar measure must be used instead so that affected individuals are informed in an equally effective manner.
Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems FAQs
Below are some frequently asked questions regarding the Court of Justice of the European Union ("CJEU") judgment regarding Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems.
1) The CJEU examined the validity of the EU-U.S. Privacy Shield and declared it invalid. How does this affect NWEA?
NWEA does not participate in the EU-U.S. Privacy Shield.
2) What is used for the transfer of data to the US?
NWEA relies on explicit consent obtained from data subjects by the partner controller based in the EU (the consent derogation in Article 49(1)(a) of the GDPR). The European Data Protection Board has stated that transfers based on consent remain a viable derogation. In addition to consent, NWEA uses the Standard Contractual Clauses. The Schrems II decision did not invalidate the Standard Contractual Clauses; however, partners are required to assess whether the Standard Contractual Clauses adequately cover the transfer in light of Schrems II and the guidance of their applicable supervisory authority.
3) How should I obtain consent?
Partners should seek the advice of local legal counsel to draft and obtain explicit consent in accordance with their local laws. For data transfers from EU countries, please refer to Section 8 of the European Data Protection Board's Frequently Asked Questions on the Schrems II judgment. A sample explicit-consent-to-process-data form can be found here: https://legal.nwea.org/explicit-consent-to-process-data.html. This template is provided for informational purposes only and should not be relied on as sufficient for GDPR explicit consent compliance.
4) Where does NWEA store my data?
Data is stored in the United States.
5) Does NWEA have plans to store data in the European Union?
Currently, NWEA does not have plans to store data in the European Union.
Additional questions regarding NWEA's MAP Growth GDPR program can be sent to legalservices@nwea.org.
NWEA Legal Services Team
Document Last Modified: October 23, 2020