
Data protection notice

GDPR

Foreword

Blockchain Certified Data ("BCD") reminds its Clients, as data controllers, that it falls to them to comply with all the obligations incumbent upon them, in particular under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 17, 2016 (hereinafter the "GDPR") and Law 78-17 of January 6, 1978, as amended (hereinafter the "Loi Informatique et Libertés - French Data Protection Act").

To collaborate and to comply with the GDPR and the French Data Protection Act, as the publisher of the BCdiploma solution and as the subcontractor of the personal data of its Clients, BCD decided to provide its Clients with clarifications and information to facilitate the implementation of the BCdiploma solution and the respect of their obligations regarding the protection of personal data.

For this purpose, this document contains information intended for its Clients, based on the technical items held by BCD and the initial analysis it has carried out.

These items shall not engage the responsibility of BCD as to their completeness and/or accuracy.

They are provided for information purposes only and cannot replace the analysis to be carried out by the Client, who should make a prior assessment of their relevance in the light of the context and project items, and possibly adapt them on a case-by-case basis.

Information of natural persons whose data are processed (GDPR)

  1. The use of the BCdiploma solution is intended to enable you to issue certified, dematerialized and authenticated certificates. The processing of the personal data of the natural persons concerned is carried out within this framework.

  2. It is therefore your responsibility to ensure that the individuals concerned by this processing have indeed been informed of this processing and its terms, according to the methods of your choosing.

  3. As the collection of personal data necessary to draw up the certificate is - a priori - carried out directly with the person concerned, you should ensure that the formal requirements of articles 13 of the GDPR and 32 of the French Data Protection Act are respected.

Complete information standard notice

The following is an example of a complete information notice to be provided to the natural persons concerned, according to the following procedures:

  • link to a page with detailed information;
  • information page with foldout menus;
  • contextual information pop-up for online forms.

Data controller

The following information has been sent to you so that you may be aware of the personal data protection undertakings of [Name of the Institution] located at [to be completed with your address], which acts as a controller for the processing of personal data referred to below.

Purposes

[Name of the Institution] shall process personal data for the following purposes:

  • drawing up and issuing certified certificates relating to the end-user (learner, student, employee, etc.), in particular in a dematerialized manner;
  • making them available to the end-user through a specific internet link;
  • the management, authentication, registration, and retention for the necessary duration of these digital certificates.

Legal basis

The legal basis for such processing of personal data shall be the legitimate interests pursued by [Name of the Institution], namely [e.g.:

  • simplifying, automating and reducing the costs of issuing and retaining certificates;
  • guaranteeing the authenticity of the certificates issued by [Name of Institution] and preventing their forgery;
  • other reason...]

Mandatory nature

Your identity data that we collect, as well as those that are collected subsequently (data relating to the drawing up of your certificate), are necessary for the aforementioned processing operations.

Data Recipients

The recipients of your data are all authorized departments from [Name of the Institution], our subcontractors, and all persons to whom you have previously sent the URL link issued to you, allowing access to the diploma or certified certificate. We remind you that the decision to provide the URL link is entirely your own and will be made exclusively under your control and responsibility.

Additionally, you are informed that your personal data is encrypted. This encrypted data is stored in a decentralized environment and can only be decrypted using the URL link provided to you.

Retention time

Your data is retained by [Institution Name] for a period of [Duration].

Transfer

We would like to bring to your attention that your data may be shared with recipients located in third countries outside the European Union, which may or may not have an equivalent level of data protection.

This primarily concerns our subcontractors, such as those responsible for hosting services.

If applicable, these data transfers are governed by the following appropriate safeguards:

  • Cross-border flow agreements established in accordance with the standard contractual clauses for data controllers to processors approved by the European Commission on June 4, 2021, through the implementation decision no. 2021/914, which is currently in effect;
  • Certification of subcontractors located in the United States under the EU-US and Swiss-US Data Privacy Framework (currently in effect) and the commitments resulting from it. You may request details of the safeguards in place by contacting [Address of the DPO or the department responsible for exercising rights].

Additionally, for your information, please note that any individual with whom you have previously shared (in the context of your personal activities) the personal URL link to your certified attestation, wherever they may be in the world—including third countries outside the European Union with or without equivalent protection—could access and view your attestation.

Your rights

As per the applicable regulations on the protection of personal data, you have the right to access, query, rectify and delete information concerning you, to limit the processing, and the right to the portability of data concerning you.

You also have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data that is based on the legitimate interest of [Name of the Institution], as well as the right to object to commercial canvassing.

In addition, you also have the right to formulate specific and general guidelines concerning the retention, deletion and communication of your data after your death. As for the general directives, they must be addressed to a third party to be designated by Decree.

The communication of specific post-mortem instructions and the exercise of rights shall be made by post to the following address [To be completed] or by email to the following address [To be completed]. You can prove your identity by any means. In case of doubt as to the identity of the data subject, [Name of the Institution] may request additional information that appears necessary, including a photocopy of an identity document bearing your signature.

If you feel, after contacting us, that your rights regarding your data are not being respected, you may submit a complaint to the Commission Nationale Informatique et Libertés - National Commission on Informatics and Liberty.

FERPA

In the event that the customer using the BCdiploma solution is an institution subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), Blockchain Certified Data ("BCD") SAS acknowledges that, for purposes of the Terms of Use accessible above, BCD may be designated as a "school official" with "legitimate educational interests" in the Customer Data and Professional Services Data as those terms are defined by FERPA and its implementing regulations. BCD agrees to comply with the limitations and requirements imposed by 34 CFR 99.33(a) on school officials.

Customer acknowledges that BCD is not authorized to use the data certified by the Customer on the BCdiploma platform for contacting the holders of credentials generated through the BCdiploma platform, and that it is the Customer's responsibility to take the steps required by the applicable regulations with said persons.

PIPEDA

Blockchain Certified Data ("BCD") provides a SaaS solution to Canadian institutions and processes, on their behalf, personal data of Canadian citizens. As such, BCdiploma is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), and applies technical and organizational measures in accordance with the ten guiding principles of this legislation.

This notably includes:

  • An Information Security Management System (ISMS) compliant with the ISO/IEC 27001 standard
  • Hosting on Microsoft Azure, SOC 2 Type 2 certified, ensuring a high level of security and availability
  • Strengthened measures for encryption, access control, and data minimization
  • Transparent practices regarding data and support for the rights of data subjects (access, rectification, deletion)
  • A dedicated point of contact for any questions related to data protection: dpo@bcdiploma.com

BCD is committed to ensuring full compliance with PIPEDA, within the framework of providing its services to Canadian clients.

nLPD

When the client user of the BCdiploma solution is an institution subject to the new Federal Act on Data Protection (nLPD) in Switzerland, which came into effect on September 1, 2023, Blockchain Certified Data ("BCD") SAS acknowledges that, for the purposes of the Terms of Use accessible above, it commits to complying with the obligations and requirements imposed by the nLPD regarding the protection of personal data.

BCD integrates the principles of "Privacy by Design" and "Privacy by Default" in the development and implementation of its services. This means that we incorporate the protection and respect of users' privacy from the design stage of our products and services, by taking all necessary measures by default to protect data and limit its use, without requiring any action from the users.

In the event of a data security breach, BCD commits to promptly notifying the Federal Data Protection and Information Commissioner (PFPDT), in accordance with the requirements of the nLPD.

The Client acknowledges that BCD is not authorized to use the data certified by the Client on the BCdiploma platform to contact the holders of attestations produced via the BCdiploma platform. It is the responsibility of the Client to carry out, with said individuals, the steps required by the applicable regulations, particularly regarding informing the concerned persons and respecting their rights.

POPIA

Processing carried out through the BCdiploma solution complies with the requirements of POPIA (Protection of Personal Information Act, 2013) through the full set of measures implemented to ensure compliance with the GDPR, internal security policies aligned with ISO 27001, and the remediation of identified gaps between POPIA and the GDPR, namely:

  • Roles: BCD acts as an “Operator,” processing data solely on the customer’s documented instructions, with the customer assuming the role of “Responsible Party” in accordance with POPIA obligations.

  • Cross-border transfers: BCD hosts and processes data in Microsoft Azure datacenters located within the European Union (France, the Netherlands). Any cross-border transfer, including any remote access (support, maintenance, operations), is performed only to/from jurisdictions offering an adequate level of protection under POPIA, or otherwise is governed by appropriate safeguards and contractual commitments ensuring a substantially equivalent level of protection.

  • Inclusion of juristic persons: BCD acknowledges that recipients may be natural persons or juristic persons and guarantees the same level of confidentiality, protection, and compliance in both cases.

  • Personal data breach notification: In the event of a personal data security breach, BCD commits to notify, without undue delay and in any event no later than 72 hours after becoming aware of the breach, the competent authority as well as the affected data subjects.

  • Sub-processors (“secondary Operators”): Sub-processors involved in hosting or processing are publicly disclosed and are bound by equivalent data protection obligations, in line with contractual commitments and POPIA requirements.
