# Legal information notes
# GDPR
# Foreword
Blockchain Certified Data reminds its Clients that it falls to them, as data controllers, to comply with all the obligations incumbent upon them, in particular under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 17, 2016 (hereinafter the "GDPR") and Law 78-17 of January 6, 1978, as amended (hereinafter the "Loi Informatique et Libertés - French Data Protection Act").
To collaborate and to comply with the GDPR and the French Data Protection Act, as the publisher of the BCdiploma solution and as the subcontractor of the personal data of its Clients, Blockchain Certified Data decided to provide its Clients with clarifications and information to facilitate the implementation of the BCdiploma solution and the respect of their obligations regarding the protection of personal data.
For this purpose, this document contains information intended for its Clients, based on the technical items held by Blockchain Certified Data and the initial analysis it has carried out.
These items shall not engage the responsibility of Blockchain Certified Data as to their completeness and/or accuracy.
They are provided for information purposes only and cannot replace the analysis to be carried out by the Client, who should make a prior assessment of their relevance in the light of the context and project items, and possibly adapt them on a case-by-case basis.
# Information of natural persons whose data are processed (GDPR)
The use of the BCdiploma solution is intended to enable you to issue certified, dematerialized and authenticated certificates. The processing of the personal data of the natural persons concerned is carried out within this framework.
It, therefore, falls to you to ensure that the natural persons concerned by this processing have been informed of this processing and its terms and conditions.
As the collection of personal data necessary to draw up the certificate is, a priori, carried out directly with the person concerned, you should ensure that the formal requirements of Article 13 of the GDPR and Article 32 of the French Data Protection Act are respected.
This information must be provided before processing. We, therefore, recommend the following as an example:
- For natural persons concerned in the future: To provide the information notice along with the registration file, administrative entry form, general terms and conditions of sale, etc., whether on paper or online.
- In other cases: To ensure that you communicate this information notice before any use of the BCdiploma solution by email or other internal means of communication.
# Complete information standard notice
The following is an example of a complete information notice to be provided to the natural persons concerned, according to the following procedures:
- link to a page with detailed information;
- information page with foldout menus;
- contextual information pop-up for online forms.
Data controller
The following information has been sent to you so that you may be aware of the personal data protection undertakings of [Name of the Institution] located at [to be completed with your address], which acts as a controller for the processing of personal data referred to below.
Purposes
[Name of the Institution] shall process personal data for the following purposes:
- drawing up and issuing certified certificates relating to the end-user (learner, student, employee, etc.), in particular in a dematerialized manner;
- making them available to the end-user through a specific internet link;
- managing, authenticating, storing and retaining these certified certificates through a public blockchain.
Legal basis
The legal basis for such processing of personal data shall be the legitimate interests pursued by [Name of the Institution], namely [e.g.:
- simplifying, automating and reducing the costs of issuing and retaining certificates;
- guaranteeing the authenticity of the certificates issued by [Name of Institution] and preventing their forgery;
- other reason...]
Mandatory nature
Your identity data that we collect, as well as those that are collected subsequently (data relating to the drawing up of your certificate), are necessary for the aforementioned processing operations. Consequently, if you refuse to provide us with this data, such refusal will make it impossible to draw up and issue your certified certificate in a dematerialized manner.
Data Recipients
The recipients of your data are all authorized departments from [Name of the Institution], our subcontractors, and all persons to whom you have previously sent the URL link issued to you, allowing access to the diploma or certified certificate. We remind you that the decision to provide the URL link is entirely your own and will be made exclusively under your control and responsibility.
Furthermore, and for all practical purposes, we inform you that your data is encrypted and that only this encrypted data is recorded in a public blockchain. Consequently, other participants in the blockchain, especially miners, will only have access to encrypted data so that they cannot read your data.
Retention time
Your data are stored in the blockchain so that they are retained for the entire lifetime of this blockchain.
Transfer
We would like to bring to your attention that your data may be shared with recipients located in third countries outside the European Union, which may or may not have an equivalent level of data protection.
This primarily concerns our subcontractors, such as those responsible for hosting services.
If applicable, these data transfers are governed by the following appropriate safeguards:
- Cross-border flow agreements established in accordance with the standard contractual clauses for data controllers to processors approved by the European Commission on June 4, 2021, through the implementation decision no. 2021/914, which is currently in effect;
- Certification of subcontractors located in the United States under the EU-US and Swiss-US Data Privacy Framework (currently in effect) and the commitments resulting from it.
You may request details of the safeguards in place by contacting [Address of the DPO or the department responsible for exercising rights].
Additionally, for your information, please note that any individual with whom you have previously shared (in the context of your personal activities) the personal URL link to your certified attestation, wherever they may be in the world, including third countries outside the European Union with or without equivalent protection, could access and view your certified attestation, and thus your data "in clear form."
Your rights
As per the applicable regulations on the protection of personal data, you have the right to access, query, rectify and delete information concerning you, to limit the processing, and the right to the portability of data concerning you.
You also have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data that is based on the legitimate interest of [Name of the Institution], as well as the right to object to commercial canvassing.
In addition, you also have the right to formulate specific and general guidelines concerning the retention, deletion and communication of your data after your death. As for the general directives, they must be addressed to a third party to be designated by Decree.
The communication of specific post-mortem instructions and the exercise of rights shall be made by post to the following address [To be completed] or by email to the following address [To be completed]. You can prove your identity by any means. In case of doubt as to the identity of the data subject, [Name of the Institution] may request additional information that appears necessary, including a photocopy of an identity document bearing your signature.
If you feel, after contacting us, that your rights regarding your data are not being respected, you may submit a complaint to the Commission Nationale Informatique et Libertés - National Commission on Informatics and Liberty.
# FERPA
In the event that the customer using the BCdiploma solution is an institution subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), BLOCKCHAIN CERTIFIED DATA SAS acknowledges that, for purposes of the Terms of Use accessible above, BLOCKCHAIN CERTIFIED DATA SAS may be designated as a "school official" with "legitimate educational interests" in the Customer Data and Professional Services Data as those terms are defined by FERPA and its implementing regulations. BLOCKCHAIN CERTIFIED DATA SAS agrees to comply with the limitations and requirements imposed by 34 CFR 99.33(a) on school officials.
Customer acknowledges that BLOCKCHAIN CERTIFIED DATA SAS is not authorized to use the data certified by the Customer on the BCdiploma platform for contacting the holders of credentials generated through the BCdiploma platform, and that it is the Customer's responsibility to take the steps required by the applicable regulations with said persons.
# nLPD
When the client user of the BCdiploma solution is an institution subject to the new Federal Act on Data Protection (nLPD) in Switzerland, which came into effect on September 1, 2023, BLOCKCHAIN CERTIFIED DATA SAS acknowledges that, for the purposes of the Terms of Use accessible above, it commits to complying with the obligations and requirements imposed by the nLPD regarding the protection of personal data.
BLOCKCHAIN CERTIFIED DATA SAS integrates the principles of "Privacy by Design" and "Privacy by Default" in the development and implementation of its services. This means that we incorporate the protection and respect of users' privacy from the design stage of our products and services, by taking all necessary measures by default to protect data and limit its use, without requiring any action from the users.
In the event of a data security breach, BLOCKCHAIN CERTIFIED DATA SAS commits to promptly notifying the Federal Data Protection and Information Commissioner (PFPDT), in accordance with the requirements of the nLPD.
The Client acknowledges that BLOCKCHAIN CERTIFIED DATA SAS is not authorized to use the data certified by the Client on the BCdiploma platform to contact the holders of attestations produced via the BCdiploma platform. It is the responsibility of the Client to carry out, with said individuals, the steps required by the applicable regulations, particularly regarding informing the concerned persons and respecting their rights.