Data Processing Policy

Hi! Welcome to StreetSmart! We are glad you use our platform in order to enable your organisation and its volunteers/youth workers to document their activities and member progress/behaviour more efficiently.

Using the StreetSmart web app and mobile app leads to the Processing of  Personal Data by Mobile School. Therefore, we have adopted this Data Processing Policy that we kindly request you to read.

You can be reassured that we will Process the Personal Data in the best interest of the youth workers and the youth. By reading this Policy, you will be properly informed about our legal responsibilities with regard the the Processing of Personal Data and the security measures we have adopted in order to ensure the Personal Data is processed in a safe way.

1. INTRODUCTION

StreetSmart is a solution developed by Mobile School VZW, a company incorporated and existing under the laws of Belgium, with registered office at BE-3000 Leuven, Brabançonnestraat 25, with VAT/company number BE-0478.688.664 (hereinafter ‘Mobile School’, ‘we’ or ‘us’).When you (hereinafter ‘you’ or the ‘Customer’) rely on StreetSmart Platform, we:
- shall have access to Personal Data; and,
- will have to Process Personal Data on your behalf.

This Data Processing Policy (hereinafter ‘Policy’) applies to the Processing of Personal Data by Mobile School for the Customer and determines:
- how Mobile School will manage, secure and process the Personal Data; and,
- Both parties’ obligation to comply with the Privacy Legislation.

By relying on the Services of Mobile School, you acknowledge to have read and accepted this Policy and consequently the way Mobile School processes the Personal Data.

2. DEFINITIONS

In this Policy, the following concepts have the meaning described in this article (when written with a capital letter):

App

The mobile app developed by Mobile School through which information of the minor is gathered in order to create and monitor insights on the Platform.

Controller

The entity (being in this case the Customer), which determines the purposes and means of the Processing of Personal Data;

Data Subject

The natural person (being in this case youth workers and minors) to whom the Personal Data relates;

Data Breach

Unauthorised disclosure, access, abuse, loss, theft or accidental or unlawful destruction of Personal Data;

End-user

The people authorised by the Customer to use the Platform and the App (mainly youth workers);

Personal Data

Any information relating to an identified or identifiable natural person (i.e. the Data Subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Platform

The platform developed by Mobile School. The platform is used to (non-limited): (i) centralise and summarise information that is being gathered via the App and (ii) create and monitor insights to enhance the youth worker’s activities with the minor and foster the connection and communication with the minor.

Privacy Legislation

(i) the Belgian Privacy Law of 30 July 2018 concerning the protection of individuals with regards to the processing of personal data, (ii) the General Data Protection Regulation 2016/679 of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, (iii) Directive 2002/58/EC of the European Parliament and Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (‘e-privacy directive’) and/or (iv) the (future) Belgian legislation regarding the implementation of European privacy legislation;

Process/ Processing

Any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, including, but not limited to: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data;

Processor

The entity (being in this case Mobile School) which Processes Personal Data on behalf of the Customer as Controller;

Services

All services, provided by Mobile School to the Customer implying the Processing of Personal Data, including but not limited to: providing a right of access to the Platform, a license to the App and all support related thereto.

Sub-processor

Any processor engaged by Mobile School.

The Policy includes the following annexes:

Annex I

Overview of (i) the Personal Data, which parties expect to be subject of the Processing, (ii) the categories of Data Subjects, which parties expect to be subject of the Processing, (iii) the use (i.e. the way(s) of Processing) of the Personal Data, the purpose and means of such Processing and (iv) the term(s) during which the (different types of) Personal Data shall be stored;

Annex II

Overview and description of the security measures taken by Mobile School in order to protect the Personal Data that are being processed during the performance of the Services.

Annex III

Overview of the Sub-processors on which Mobile School relies for the Processing of Personal Data.

3. USE OF THE SERVICES

3.1 Parties agrees that:
- In accordance with the Privacy Legislation, the Customer shall be considered the ‘Controller’ and Mobile School the ‘Processor’.
- Mobile School acts as a facilitator of the Services. Therefore, the Customer shall be responsible on how and to what extent it makes use thereof;
- The Customer is responsible for all acts and ommissions of the End-users (i.e. in case the End-user does (not) take sufficient measures to protect its account on the App/Platform) . The Customer shall inform the End-users of the applicable Privacy Legislation, this Policy and/or all other relevant legislation and assure the End-user acts in compliance with them;
- Mobile School allows the Customer to make adjustments and/or changes  to the Personal Data and shall never consult or adjust these Personal Data itself, unless the Customer requests Mobile School to do so;
- The Customer is responsible for the material and/or data provided by the Data Subject. The Customer is, as Controller, thus responsible for complying with the Privacy Legislation and/or any other regulations with regard to aforementioned material and/or data;
- The Customer shall comply with all laws and regulations (such as but not limited with regard to the retention period or rights of the Data Subject (cf. Article 10)) imposed on it by making use of the Services.

3.2 The Customer shall, in the interest of the minors it works with, avoid any misuse of the Services, the Platform and/or the App. In case of misuse by the Customer or the End-Users, the Customer agrees that Mobile School can never be held liable in this respect nor for any damage that would occur.

4. OBJECT

4.1 The Customer acknowledges that as a consequence of making use of the Services, Mobile School shall Process the Personal Data.

4.2 Mobile School shall always Process the Personal Data in a proper and careful way and in accordance with the Privacy Legislation and other applicable rules concerning the Processing of Personal Data. More specifically, Mobile School shall adopt all necessary security measures (cf. Annex II) and provide all its know-how in order to perform the Services in accordance with the rules of art.

4.3 We assure that we shall only Process the Personal Data upon your request and in accordance with your instructions unless any legal obligation states otherwise.

4.4 You keep full control concerning the following: (i) how Personal Data must be Processed by Mobile School, (ii) the types of Personal Data Processed, (iii), the purpose of Processing, and (iv) the fact whether such Processing is proportionate.

4.5 Due to the fact that you mainly collect Personal Data from minors, Mobile School requests you to assure that the collection of that Personal Data is lawful. Therefore, it is important that you inform the Data Subject of your own privacy policy/privacy principles in a language that is easy to understand for everyone (including minors).

5. SECURITY OF PROCESSING

5.1 As the interests of minors are impacted, Mobile School takes the security of the Processing activities very seriously. Taking into account the state of the art, Mobile School implements appropriate technical and organisational measures for the protection of (i) the Personal Data – including protection against careless, improper, unauthorised or unlawful use and/or Processing and against accidental loss, destruction or damage – (ii) the confidentiality and integrity of Personal Data, as set forth in Annex II.

6. SUB-PROCESSORS

6.1 The Customer agree that Mobile School may engage third-party Sub-processors in connection with the performance of the Services. In such case, Mobile School shall ensure that the Sub-processors are at least bound by the same obligations by which Mobile School is bound under this Policy.

6.2 The current Sub-processor(s) on which we appeal for the performance of the Services are listed in Annex III, which includes the identities of those Sub-processors and their country of location. We shall update the list whenever a Sub-processor changes (e.g. a new Sub-processor was added, a Sub-processor was substituted, etc.) and will notify you when (significant) changes are made. If you wish to exercise your right to object, please notify us in writing by the latest within thirty (30) days after the list was updated.  

6.3 If the objection is well founded, Mobile School will use reasonable efforts to (i) make available a change in the Services or (ii) recommend a commercially reasonable change to your use of the Services to avoid Processing of Personal Data by the objected new Sub-processor without unreasonably burdening you. If we are, however, unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days following your objection, you may terminate the the Services if:
- You cannot use the Services without appealing on the objected new Sub-processor;
- Such termination only concerns the Services which cannot be provided by Mobile School without appealing to the objected new Sub-processor;
- You notify us of your wish to terminate the the Services to Mobile School within a reasonable time.

6.4 Mobile School takes responsibility for the acts and omissions of its Sub-processors to the same extent as if it would be performing the Services itself, directly under the terms of this Policy.

7. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

7.1 Mobile School assures the Customer that a transfer of personal data to a third country or international organisation shall always be subject to (i) an adequacy decision by the Commission or (ii) the following safeguards:
- Closing a data transfer agreement with the third country recipient, which shall contain the standard contractual clauses, as referred to in the 'European Commission decision of 5 February 2010 (Decision 2010/87/EC)'. Before the transfer takes place, the recipient of personal data/processor of Mobile School in the third country has to guarantee Mobile School that an adequate level of privacy compliance is ensured in this third party country; and/or;
- Binding corporate rules. As it is the case for standard contractual clauses, the recipient of personal data/processor of Mobile School in the third country has to guarantee Mobile School that an adequate level of privacy compliance is ensured in the third party country; and/ or;
- Certification mechanisms.

8. CONFIDENTIALITY

8.1 Mobile School shall maintain the Personal Data confidential and thus not disclose nor transfer any Personal Data to third parties, without your permission, unless when such disclosure and/or transfer is required by law or by a court or other government decision (of any kind). In such case Mobile School shall, prior to any disclosure and/or announcement, inform you in full transparency on the scope and manner thereof.

8.2 We ensure you that our personnel, engaged in the performance of the Services, is informed of the confidential nature of the Personal Data, are well aware of their responsibilities and are bound by written confidentiality agreements. We ensure that such confidentiality obligations survive the termination of the employment contract.

8.3 We ensure you that the access of our personnel to the Personal Data is limited to such personnel performing the Services in accordance with the Policy.

9. NOTIFICATION

9.1 We will use our best efforts to inform you as soon as reasonably possible when we:
- Receive a request for information, a subpoena or a request for inspection or audit from a competent public authority in relation to the Processing of Personal Data;
- Have the intention to disclose Personal Data to a competent public authority;
- Determine or reasonably suspect a Data Breach has occurred in relation to the Personal Data.

9.2 In case of a Data Breach, we:
- Notify you without undue delay after becoming aware of this Data Breach. In the event you wish so, we shall provide – to the extent possible – assistance with respect to your reporting obligation under the Privacy Legislation;
- Undertake – as soon as reasonably possible – to take appropriate remedial actions to make an end to the Data Breach and to prevent and/or limit any future Data Breach.

10. RIGHTS OF DATA SUBJECTS

10.1 Mobile School shall promptly notify you if we receive a request from a Data Subject invoking its privacy rights under the Privacy Legislation. Mobile School shall not respond to any such data subject request without your prior written consent.  

10.2 If a Data Subject requests to exercise his/her rights, you must assist the Data Subject in its request. Only if you do not have the ability to correct, amend, block or delete the Personal Data (as required by Privacy Legislation), we shall assist you (as long as commercially reasonable).

11. LIABILITY

11.1 Parties are each individually liable towards authorised supervisory authorities and/or Data Subjects for claims and/or fines that are the result of their own breach of or non-compliance with (i) the provisions of this data processing policy, and (ii) the Privacy Legislation or other applicable rules concerning personal data. Mobile School and the Customer indemnify each other in this regard.

11.2 The liability of Mobile School for a breach of this data processing policy is limited as described in the applicable contractual documentation (i.e. the Terms of Service).

12. RETURN AND DELETION OF PERSONAL DATA

12.1 Upon termination of the Services, the accounts of the Customer will be deactivated and the Personal Data shall no longer be available for the Customer.

12.2 However,  Mobile School shall retain the Personal Data for the remainder of the calendar year to ensure export requests or reactivation request of the Customer can be fulfilled. Mobile School shall never access the inactive Personal Data. As soon as the calendar year ends, Mobile School will anonymise the Personal Data, which will then solely be used for statistical purposes.

12.3 In case a Data Subject’s profile is being removed from the solution, all Personal Data relating thereto will immediately be anonymised as well.

13. CONTROL

13.1 Mobile School is willing to provide you with all information, required to allow verification if we comply with the provisions of this Policy.

13.2 In this respect Mobile School shall allow you to carry out inspections – such as but not limited to an audit – and provide the necessary assistance thereto.

14. TERM

14.1 This data processing policy lasts as long as the Services has not come to an end.

Annexes:

- Annex I – Overview of Personal Data
- Annex II – Description of security measures
- Annex III – List of Sub-processors

Annex I – Overview of Personal Data

I. Overview of the Personal Data, which parties expect to Process:
General

✓ First name and surname
✓ Nickname
✓ Email address
✓ Photograph
✓ Device’s IP address

✓ All other Personal Data voluntarily provided by the Data Subject to the Customer
✓ Telephone number
✓ Address
✓ Gender
✓ Date of birth

From the minors specifically:

✓ Nationality
✓ Language
✓ Vital status (alive/passed away)
✓ Legal status (citizen/immigrant/asylum seeker/refugee)
✓ Home status (homeless/slum/accommodation center/refugee camp/on the move)
✓ Residence permit (yes/no/unknown)
✓ ID card (yes/no/unknown)
✓ Passport (yes/no/unknown)
✓ Temporary residence permit (yes/no/unknown)
✓ Birth certificate (yes/no/unknown)
✓ Skills
✓ Contact persons (teacher/partner/parent/sibling, etc.)
✓ Evaluations

Reports
✓ Participation location
✓ Attended activities
✓ Activity overview (movement & sports/arts & crafts/culture & religion/music)
✓ Mood (average positivity and activeness and registered moods (negative-active/positive-active/negative-inacitive/positive-inactive)
✓ Average confidence and learning status
✓ Notes (including details, address, mood, date, topic, life event and visibility)
✓ Social map
✓ Goals (started and ended goals (realised/failed/canceled/started), goal types, goal evaluation statuses)

From the youth workers specifically:

✓ Job title

Reports
✓ Participation location
✓ Attended activities
✓ Activity overview (movement & sports/arts & crafts/culture & religion/music)
✓ Mood (average positivity and activeness and registered moods (negative-active/positive-active/negative-inacitive/positive-inactive)
✓ Average confidence and learning status
✓ Notes (including details, address, mood, date, topic, life event and visibility)
✓ Social map
✓ Goals (started and ended goals (realised/failed/canceled/started), goal types, goal evaluation statuses)

Remark:
• These Personal Data are not considered special categories of Personal Data in accordance with the Privacy Legislation, nor Personal Data relating to criminal convictions and offences.
• The list includes the standard Personal Data which are being Processed via the Services. However, you can change the Personal Data that are being collected discretionally (e.g. reduce or extend the amount of Processed Personal Data). Mobile School cannot be held responsible for any such changes made by the Customer (e.g. adding special categories of Personal Data).

II. The categories of Data Subjects whose Personal Data shall be Processed:

o Minors
o Contact persons of the minors (teacher, partner, parent, sibling, etc.)
o Youth workers

III. The use (= way(s) of Processing) of the Personal Data and the purposes and means of Processing:

Use of Personal Data:
o Collect
o Store
o Structure and analyse
o Retrieve
o Consult
o Align, combine and create
o Transfer
o Update
o Erase and destroy

Means of Processing:
o Platform
o App

Purpose of Processing:
o Hosting
o Support

IV. The term(s) during which the (different types of) Personal Data shall be stored:

Mobile School shall retain the Personal Data as long as the Services has not been formally terminated. Upon termination of the Services, the accounts of the Customer will be deactivated and the Personal Data shall no longer be available for the Customer. However,  Mobile School shall retain the Personal Data for the remainder of the calendar year to ensure export requests or reactivation request of the Customer can be fulfilled. Mobile School shall never access the inactive Personal Data. As soon as the calendar year ends, Mobile School will anonymise the Personal Data, which will then solely be used for statistical purposes. In case a Data Subject’s profile is being removed from the solution, all Personal Data relating thereto will immediately be anonymised as well.

Annex II – Description of security measures

I. Description of the technical and organisational security measures taken by Mobile School.

Mobile School warrants and undertakes in respect of all Personal Data it Processes on behalf of the Customer that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organisational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing. Such measures shall include, but are not limited to:
• Data ‘at rest’ is encrypted using the AES-256 algorithm;
• Data ‘in transit’ is encrypted, while being transferred, using the TLS 1.3 protocol;
• End-user credentials are stored in a separate MySQL 8.0 database. End-user passwords are hashed with the PBKDF2 algorithm;
• Data collected and stored on the Platform is stored in a separate MySQL 8.0 database;
• Daily backups of the data are stored in an AWS private network for 7 days and are encrypted using the aforementioned mechanisms;
• Data Subjects who are deleted from the Platform their personal data will be erased – only evaluations will be kept for statistical purposes without any possibility of identifying the Data Subject;
• Any media (photgraphs, possible videos, etc.) are stored on ‘AWS S3’ and thus not publicly available – these files are only accessible through AWS Cloudfront CDN, thereby using URLs which expire after 5 minutes.
• In case the mobile app is being used without internet connection, partial information from the Data Subject is stored on the mobile phone itself. This data is encrypted and can only be accessed when the Customer of the app (the Dat Subject) enters a pin code which was configured during the setup phase of the app. Once the mobile app connects to the internet or is deleted by the Customer of the app, the encrypted data is deleted as well;
• Databases in the AWS cloud run in a private network, access is only accepted from the backend system which runs in the same private network. These accesses are secured by using credentials which have minimum privileges required by the system to fullfill business functions;
• Schema changes to the databases are not done manually but automatically by the backend system with SQL scripts implemented by developers and tested on QA and staging environments before running them in production;
• The backend system runs in a private network, each instance of which runs in an isolated Docker container. This additional isolation prevents possible attackers who might have gained access to the private network from accessing or modifying backend system runtime memory or configuration;
• All communication coming from the internet via the AWS APIs is done via HTTPS protocol;
• Authorisation and authentication mechanisms are implemented using the OpenId Connect protocol and Keycloack. This protocol and open source application are widely adopted and mature, thus strengthening the overall system security;
• Developers that access the AWS cloud in order to monitor or upgrade the infrastructure have their own set of credentials and authentication is done via 2-factor method. For 90 days, an audit is maintained, tracking access and actions of developers in the AWS cloud.

Annex III – List of Sub-processors

I. Sub-processors on which Mobile School appeals for the performance of the Services:

Name: Amazon Web Services EMEA (SARL)
Type of processing: Hosting of the cloud
Country: Germany

Name: Halcyon
Type of processing: Development
Country: Romania