EFFECTIVE: May 25, 2018
Statement of Data Privacy
Castle provides testing and training design, development, and delivery services to certification and licensure organizations, corporations, educational institutions, government agencies, and trade and professional associations. On behalf of its clients, Castle collects certain personal data from testing and training users, whether those individuals are residents of the United States, the EU, or any other country. Castle may also collect personal information from visitors to our website.
This personal information includes, but is not limited to, name, contact information (e.g. email), demographic information, information proving eligibility for Castle’s services, ADA/accommodations-related information, scheduling information, and testing-related information and results. Castle uses this data to fulfill the education and assessment services under contracts with our clients, the organizations with which you have a contractual relationship. Examples of our services include eligibility verification, proving identity, contacting you for testing-related services, and facilitating an exam. We may share your data with the organization(s) from whom you are seeking your credential(s) and/or their authorized agents, the test site administering your exam, and our service agents, but we will not provide it, or sell it, to any third party who is unrelated to Castle. We only share information necessary to securely fulfill the required services. This Policy provides an overview of how we obtain, store, and use your personal information. It is intended to provide a general overview and answer questions you may have about specific privacy issues.
The Policy applies to everyone, regardless of where they reside, who has dealings with Castle that result in the collection of personal information. However, please be aware that if you reside in the European Union (“EU”), this explanation and summary of the Policy is specifically designed to meet the requirements of the EU General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
The Policy is described here in a concise, transparent, intelligible, and easily-accessible form. It is set forth in a series of specific components describing how the Policy operates and how it meets certain privacy rights.
Identity of the Data Controller
Castle is the data controller for certain data that we collect. In these situations, Castle conducts a variety of data analyses related to testing outcomes using your anonymous personal information on an aggregated basis.
However, in most instances, Castle merely functions as the data processor or the data collection agent for our clients (e.g., the test sponsors or credentialing bodies with whom you have contracted), who are the data controllers. The data controller is the entity that collects and processes personal data, or arranges for such actions taken on its behalf by its agents. The data controller is responsible for deciding the purposes for which personal information is used and processed, and the means by which such processing is done. Thus, it is the data controller’s responsibility to inform you in advance of the processing of your personal information and to explain your privacy rights. You should make any inquiries and/or requests about your data directly to the actual data controller, if you have that information. If you request it, Castle will pass along your inquiries and/or requests to the relevant data controller. As a data processor, Castle will follow the instructions we receive from our data controller clients in responding to your request.
You may contact Castle by writing to Castle Worldwide, Attn: Test Delivery, 6001 Hospitality Court, Suite 100, Morrisville, NC 27560, or by sending an email to: firstname.lastname@example.org.
How does Castle collect or obtain your information?
Castle collects your personal information, or receives it from one or more data controllers, in the following ways: (1) through applications when registering for credentialing services; (2) when scheduling testing events; (3) during testing activities; (4) through interactions with a credentialing program’s online portal; and/or (5) from client credentialing organizations and/or their authorized delegates.
What personal information does Castle collect?
Castle may collect your name, contact information (e.g. telephone, email, account password), demographic information, photograph, biometric data, information proving eligibility for Castle’s services, ADA/accommodations-related information, scheduling information, and testing-related information and results. If payment is required as part of Castle’s services, Castle routes the credit/debit card transaction through secure, third-party service providers; however, Castle does not see or retain any payment card information.
What are the legitimate interests Castle has for collecting/using your personal information?
We collect and use your information because you have contracted with and/or given your affirmative consent to the credentialing body and/or directly to Castle. We use the information given to us by you and/or the credentialing body to fulfill the testing service(s) that you contracted to receive. These services can include: taking a proctored test or practice test; verifying that you, and only you, access confidential testing materials; conveying your test results, location, and time of testing to the credentialing body for their decision on certification, and to aggregate anonymous testing statistics pooled from many test takers to help ensure that examinations are properly constructed, valid, and reliable.
How does Castle use your personal information?
Castle uses your personal information to fulfill the education and assessment services contracted with our clients, the organization with which you have a relationship, such as eligibility verification, proving identity, contacting you for testing-related services, and facilitating an exam. In other situations, where Castle itself is the data controller, we will obtain affirmative consent from you to collect and use your personal information.
Disclosure of your personal information to third parties
Castle may disclose your personal information to the credentialing body and/or its authorized agents, to the test site administering your exam, to our service agents, and to others for whom you give consent to share your test information and/or results. We will not provide it, or sell it, to any third party who is unrelated to Castle.
Do we sell personal information to third parties?
No, Castle will never sell your personal data to any third party that is unrelated to Castle.
How long will we retain your personal information?
Castle does not retain personal information longer than is necessary, taking into account any legal obligations we have (e.g., to maintain records for tax purposes), as well as any other legal basis the credentialing body has or we have for using your personal information (e.g. your consent, performance of services to you and/or our clients, or our legitimate interests as a testing organization).
How do we secure your personal information?
No method of securing information transmitted over the Internet, or method of electronic storage, is 100% secure; therefore, Castle cannot guarantee the absolute security of any personal information. However, in securing personal information, Castle utilizes generally-accepted technical and organizational measures to protect personal data against loss, misuse, or alteration throughout collection, transmission, processing, and storage. If you have any questions about security of your personal information, you can contact us at email@example.com.
For those providing information outside the United States:
Castle transfers your personal information to our offices/servers in the United States in order to process it, as well as to store the information for future use. When Castle transfers personal data, we take all reasonable steps to ensure that the information is protected, including protection by contractors and/or subcontractors, and to ensure that your information is not shared in any manner that is inconsistent with this Policy. Specifically, we have provided in our agreements that any personal information leaving the EU will be transferred to us for processing in compliance with the GDPR.
What are your rights?
Your rights in relation to your personal information are to: (1) be informed about its use; (2) have access to your information; (3) correct your personal information; (4) have your personal information deleted in certain situations; and (5) restrict how we use your personal information.
The right to be forgotten is limited in a testing environment; in most situations, previous test results are exempt from this right because they may be necessary to establish, exercise, or defend legal claims, or they are required by the credentialing body to exercise various business obligations/rights related to your test results (e.g., when you may take a retest, when your credential is due to expire, or for other similar business purposes for which you agreed when you registered for a test).
You also have the right to have your personal information ported to others; however, because Castle’s use of your personal information is limited to fulfilling the education and assessment services for which you contracted with our clients, it is usually not technically feasible for Castle to honor such a request because we are not able to exchange that information with another entity with which we have no direct interface or where Castle has no existing business reason to exchange data (e.g., another testing organization that requires the test taker to register directly with it).
You are also entitled to know if Castle is using any automated decision-making (including profiling). Castle does not use any such automated technologies in its processing of your personal information.
How to exercise your rights regarding the collection and use of your personal information
You have the right to withdraw your consent at any time during or subsequent to your use of our website by emailing Castle at firstname.lastname@example.org. However, any data processing performed by Castle prior to your withdrawal of consent cannot be undone. In situations where the data controller is another entity, you will need to exercise your rights directly with that entity, who will notify Castle of its handling of your request so that we can follow its instructions.
You also have the right to object to Castle’s collection and/or use of your personal information, or to request access to your information as well as to request that we correct any information we have or to remove you from our records. If your personal information changes (e.g., postal code, phone, email or postal address), you can change any online, physical contact, and/or other personal information by contacting Castle as shown above. If you wish to correct/update/delete information or no longer desire to receive information from Castle, you can notify us by using any of the information in the Contact section of this Policy. We will respond to your request to access within 30 calendar days.
You may file a complaint with Castle by emailing us at email@example.com, and Castle will respond without undue delay, within at least 30 calendar days, unless we inform you that additional time will be required. In addition, you have the right to file a complaint with your relevant Supervisory Authority (i.e., Data Protection Authority).
How does Castle obtain your consent?
At the end of this Policy, you will be asked to indicate your affirmative consent by agreeing to its terms and conditions, and thereby allowing Castle to collect and use your personal information. In other situations, Castle relies on the consent you have given the credentialing entity or the contractual rights that entity has with you.
Castle does not knowingly collect information from children under the age of 13. If you have reason to believe that Castle collected or is in possession of personal information from someone under 13 years of age, please contact us at firstname.lastname@example.org.
Special Notice to California Residents
California residents have the right to request in writing from businesses with whom they have an existing formal business relationship: (a) a list of the categories of personal information, such as name, e-mail and mailing address and the type of services provided to the customer, that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes; and (b) the names and addresses of all such third parties. If you qualify to request the above information, please contact us by e-mail to email@example.com. We will respond to such requests for information access within 30 calendar days following receipt at the e-mail, unless we notify you that additional time will be required. Please note that we are only required to respond to each customer once per calendar year.
Additionally, California law requires that we indicate whether we honor “Do Not Track” settings in your browser concerning targeted advertising. “Do Not Track” is an online procedure that is currently under development. Because it is not yet finalized, we adhere to the procedures set out in this Policy and do not monitor or follow any Do Not Track browser requests. However, Castle may provide follow-up notifications to test takers on behalf of our clients in order to provide certificants with information about recertification or other certification requirements. You may request withdrawal from such communications by writing to the credentialing entity.
Export Control Policy
Castle intends to operate strictly in compliance with all laws governing export control. Service may be denied to any organization or individual that is located in, under the control of, or a national or resident of any sanctioned or embargoed country or on the List of Specially Designated Nationals or any similar list maintained by an agency of the United States government (“SDN List(s)”). As a condition of service, you agree that your personal information provided to Castle may be used to check against SDN Lists.