Personal data protection policy - app.pix.fr and app.pix.org

Last updated: 29/10/2020

Our Personal data protection policy for users of pix.fr, pix.org, app.pix.fr and app.pix.org describes how Pix processes visitors’ and users’ personal data when they use our platform. The Personal data protection policy forms an integral part of the General terms and conditions of use of the Pix platform.

Preamble

In order to exercise your rights in terms of personal data protection, you must contact the Data Protection Officer at the organisation which is responsible for the processing (the “controller”). When you connect to app.pix.fr or app.pix.org, most often the Pix GIP (“Groupement d’Intérêt Public”: a French legal status for a special interest group or company) is responsible for the data processing (namely, it is the “data controller”) and so you should send your request to dpd@pix.fr.

However, an organisation (i.e. an educational institution, training organisation, employer, a public employment service, etc.) may ask you to complete a customised test on Pix or take the Pix Certification test after registering with a centre, in which case they may be responsible for a portion of the data processing. In the above cases, your request should be addressed to the aforementioned organisations.

The following section describes the data processing purposes for which Pix GIP is the controller, and those for which it is the processor.

Pix GIP as data controller

Personal data

As part of its relationships with users, Pix GIP, as the data controller, may need to process the following personal data relating to a user’s identity: surname(s), first name(s), email address, log-in credentials and usage logs, and Pix application data (test answers, test results).

When creating a user account, users are informed that the data on the form (surname(s), first name(s), email address) are mandatory, with the exception of pupils and students who can gain access by providing the following data on the form: surname(s), first name(s) and date of birth. Otherwise, a user’s request cannot be processed.

Processing purposes

These data are processed for Pix GIP’s requirements relating to:

1) Evaluating and developing digital skills:

Personalising placement tests based on estimated level
Updating Pix profiles with the results of the various tests taken
Recommending tutorials

2) Certifying digital skills, when required, including:

Personalising certification tests based on placement results
Publishing results on the candidate’s account

3) Users managing their activities on Pix, where necessary:

Users managing their participation in customised tests and/or sending their results and/or their Pix profile
Users managing their certifications

4) Administrative management of the services, including:

Creating, managing and monitoring user accounts
Managing, monitoring and creating an evidentiary record of the contractual relationship
User access to the Pix service
Technical support to Pix users
Communicating useful information on how to use the Pix App service
Mailing out the Pix App newsletter (optional)

5) Quality monitoring, management and ongoing improvement, including:

Statistical monitoring of uses, management dashboards, communicating information on the different uses of Pix
Monitoring the uses for service quality purposes
Managing and tracking complaints made by candidates regarding the running of certification sessions
Managing and monitoring satisfaction
Continually improving content and services via user feedback
Improving the algorithms
Establishing a panel to monitor the digital skills level
Producing anonymised data sets useful for public research in education

The user is informed and they accept that their data will be processed for the aforementioned purposes.

Legal basis for processing

Data are processed on the following legal bases: user’s consent, implementation of the general conditions of use, Pix GIP’s legitimate interest in implementing management processing and the processing required to develop their business activity, and legal obligation.

Recipients

Recipients of the data are Pix GIP, its authorised personnel and potential processors.

Pix GIP’s processors

Pix GIP uses technical service providers to whom it sub-contracts the following activities, making them likely recipients of Pix users’ personal data:

hosting data and processes from Pix platform data and its secondary sites
online service for managing user help tickets
online service for sending emails to users
online service for forms intended for users and prospective users
online tool for collaborative working for Pix teams
online internal instant messaging service for Pix teams
online service for aggregating application logs

All of Pix GIP’s processors host their data in France or in the European Union. All the user data processed on the Pix platform are hosted in France, with the exception of some logs (pseudonymised data hosted in Germany), and data which users or partners send to us in the requests they initiate independently from the Pix platform, such as service requests via a form or support requests via the user help platform (hosted in other European Union countries).

Furthermore, Pix GIP integrates personnel into its teams working as part of an IT development service.

Lastly, Pix GIP uses partners, which it has authorised as “Pix certification centres”, to whom it entrusts the necessary processing involved in organising and implementing the certification sessions. In this regard, the approved Centre acts as a processor for Pix GIP’s requirements as the controller.

The processors are available on the list of processors.

Storage

Data will be stored for a maximum period of 5 years starting from the date the user last accessed the account, and will be archived in accordance with the timescales prescribed in law (5 years), unless Pix GIP is obliged otherwise by law.

Exercising rights

Any person who is the subject of data processing (the “data subject”) has the right to be informed, to access, correct and erase their data, a right to restrict processing, to the portability of their data and to object to processing for legitimate reasons, where these rights are exercised within the limits of the legal obligations imposed upon Pix GIP.

Furthermore, the user has the right to formulate specific and general instructions concerning the storage, erasure and communication of their data after their death. General instructions can be sent to a third person who will be appointed by Decree.

An email should be sent to dpd@pix.fr to communicate specific post-mortem instructions or to exercise rights. A photocopy of a signed piece of ID and supplementary information may be required in the event of any doubt regarding the user’s identity.

Lastly, the user has the right to bring a claim before the French supervisory body, the “Commission Nationale de l’Informatique et des Libertés” (hereinafter the “CNIL”) and to withdraw their consent at any time.

Cookies

The user is informed that, when they access the Pix platform, one or several cookies may be installed automatically on their device.

Cookies are a parcel of data which are used to record information relating to the user’s browsing on a website or application.

The Pix platform only uses cookies for visitor statistical monitoring purposes to pix.fr and pix.org (visitor figures).

Pix GIP as processor

Furthermore, Pix GIP is likely to process users’ personal data as a processor to a “prescriber” organisation when said organisation prescribes activities on the Pix platform to some of its members and wishes to receive the results thereof.

Prescribed activities may include:

a customised test,
a request for the Pix profile status to be sent,
a certification test.

In this case, the prescribing organisation, in its capacity as the data controller, is responsible for complying with the obligations incumbent upon it concerning personal data protection, in accordance with the agreement between them and Pix GIP, where applicable.

Prescribing customised tests and sending Pix profiles

Pix GIP acts as a processor when an organisation prescribes a customised test to some of its members or proceeds with collecting Pix profiles.

In this case, the organisation concerned is the data controller, and Pix GIP is entrusted with the data processing related to the purpose of sending and disseminating the evaluation results to the prescribing organisation, including:

Sending the prescribing organisation the customised test results, data on progress made on the customised test, and/or the full Pix profile.

The user is informed thereof by the prescribing organisation and accepts that their customised test results data and/or Pix profile may be sent by Pix GIP to the organisation prescribing the user’s customised test and with which there is a direct link, in principle: academic, school or professional (but which may be of another kind, for example: association member), at the request of the organisation which would like the user to participate in an evaluation exercise, set up for one or several groups of their personnel through the Pix Orga service offered by Pix GIP.

Prescribing Pix certification tests

In a similar manner, Pix GIP acts as a processor when an organisation prescribes certification tests to some of its members.

In this regard, the prescribing organisation is the data controller and Pix GIP is entrusted with the data processing related to the purpose of “Sending and disseminating evaluation results to the prescribing organisation”, including “Sending the prescriber the certification results”.

The prescribing organisation shall fulfil its obligations to the users to which it prescribed the certification, specifically in terms of gaining their consent for Pix GIP to send the certification results to the recipients it has chosen.

Updates

This policy may be updated by publishing a new version on the pix.fr and pix.org sites. Users are required to check this page regularly in order to ensure that they are aware of any changes made to this policy.

Users must notify Pix through support.pix.org if the personal data concerning them needs to be corrected or updated.

Security measures

Pix GIP undertakes, in accordance with the data protection regulations, to take all necessary precautions regarding the type of data and risks presented by the data processing in order to maintain the security of the data files.

It implements all appropriate technical and organisational measures to protect personal data, taking into account current knowledge, implementation costs, the nature, scope, context and purpose of the data processing, and the risks, varying in degree of probability and severity, for the rights and freedoms of natural persons, in order to guarantee a security level which is proportionate to the risks. Based on needs, these measures include among others:

personal data encryption;
means to guarantee the ongoing confidentiality, integrity, availability and resilience of the systems and processing services;
means for restoring personal data availability and access thereto within appropriate timescales in the event of a physical or technical incident;
a procedure aimed at regularly testing, analysing and evaluating the effectiveness of the technical and organisational measures used to ensure processing security.

___

Table of contents