General Data Protection Regulation (GDPR) Compliance
The Student Wellness App is fully compliant with the European Union's General Data Protection Regulation (GDPR). This document outlines how we protect your rights and handle personal data in accordance with EU law.
1. Data Controller Information
Data Controller: Student Wellness Solutions Pty Ltd
Registration: Victoria, Australia
EU Representative: GDPR Representative Services Ltd
Address: 123 Education Lane, Melbourne, VIC 3000, Australia
Email: gdpr@student-wellness-app.com
Phone: +1 (555) 123-4567
2. Lawful Basis for Processing
Educational Services (Article 6(1)(b) - Contract)
Processing necessary for the performance of educational services and platform functionality.
Legitimate Interests (Article 6(1)(f))
Improving educational outcomes, platform security, and service optimization.
Consent (Article 6(1)(a))
Optional features, marketing communications, and enhanced analytics.
Legal Obligation (Article 6(1)(c))
Compliance with educational regulations and data protection laws.
3. Your GDPR Rights
Right to Information (Articles 13-14)
Transparent information about data processing purposes and your rights.
Right of Access (Article 15)
Request copies of your personal data and processing information.
Right to Rectification (Article 16)
Correct inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of personal data under specific circumstances.
Right to Restrict Processing (Article 18)
Limit how we process your data while disputes are resolved.
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
Right to Object (Article 21)
Object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent (Article 7)
Withdraw consent for processing at any time where applicable.
4. Special Category Data Protection
Health and Wellness Data
Student wellness check-ins and emotional regulation data are considered special category data under Article 9 GDPR. We process this data based on:
- Explicit Consent (Article 9(2)(a)): Clear consent from schools and parents
- Substantial Public Interest (Article 9(2)(g)): Educational welfare and child protection
- Preventive Medicine (Article 9(2)(h)): Early intervention for mental health support
5. Children's Data Protection
Enhanced Protections for Minors
- Age Verification: Platform designed for ages 5-12 with adult supervision
- Parental Consent: School acts as agent for obtaining consent
- Best Interests: All processing considers the child's best interests
- Data Minimization: Only essential data collected for educational purposes
- Retention Limits: Shorter retention periods for children's data
6. International Data Transfers
Adequacy and Safeguards
- Standard Contractual Clauses (SCCs): EU Commission approved clauses
- Binding Corporate Rules: Internal data protection standards
- Adequacy Decisions: Transfers only to approved countries
- Additional Safeguards: Encryption and access controls
7. Data Processing Records
Article 30 Processing Activities
- Educational Records: Student progress and wellness tracking
- User Management: Account creation and authentication
- Analytics: Platform usage and improvement metrics
- Communications: Educational content and support messages
8. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for:
- New features processing children's data
- Changes to data sharing practices
- Implementation of new technologies
- High-risk processing activities
9. Breach Notification
Articles 33 & 34 Compliance
- Authority Notification: Within 72 hours to relevant supervisory authority
- Individual Notification: Without undue delay if high risk to rights
- Documentation: All breaches recorded with details and responses
- Prevention: Continuous security improvements based on incidents
10. Data Protection Officer
DPO Contact:
Name: Dr. Sarah Mitchell
Email: dpo@student-wellness-app.com
Phone: +1 (555) 123-4567 ext. 3
Address: 123 Education Lane, Melbourne, VIC 3000, Australia
DPO Responsibilities
- Monitor GDPR compliance
- Conduct privacy training
- Serve as supervisory authority contact
- Advise on data protection matters
11. Supervisory Authority
Lead Supervisory Authority:
Irish Data Protection Commission (DPC)
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Phone: +353 (0)761 104 800
Email: info@dataprotection.ie
12. Exercising Your Rights
Data Subject Request Form
To exercise your GDPR rights, please contact us using one of the following methods:
Online Form: Visit our data request portal at gdpr-requests.student-wellness-app.com
Email: gdpr@student-wellness-app.com
Phone: +1 (555) 123-4567
Post: GDPR Rights Team, 123 Education Lane, Melbourne, VIC 3000, Australia
Required Information
- Full name and contact details
- Specific right you wish to exercise
- Account or student information (if applicable)
- Proof of identity (copy of ID)
- Proof of authority (if acting on behalf of someone else)
Response Time: We will respond within one month of receiving your request. In complex cases, we may extend this by two additional months, with an explanation.
13. Complaints and Appeals
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR requirements.
Internal Appeals Process
- Contact our DPO if unsatisfied with initial response
- Escalate to senior management if needed
- Independent review by external privacy counsel
- Final appeal to supervisory authority
14. Regular Updates
This GDPR compliance statement is reviewed annually and updated as needed to reflect:
- Changes in data processing activities
- Updates to GDPR guidance and case law
- Feedback from supervisory authorities
- Results of compliance audits
15. Training and Awareness
Staff Training Program
- Annual GDPR training for all employees
- Specialized training for data handlers
- Regular updates on privacy developments
- Incident response training and drills