What personal data do we collect and why?
At Brights, we care about your right to privacy. Brights will collect personal data about you within the scope of the services we provide. To ensure that the personal data we handle is processed responsibly and securely, we work actively with personal data issues. The collection and subsequent processing of your data is necessary in order for us to fulfil our obligations towards you in accordance with the User Terms or as further needed to fulfil the data processing purpose. We may need to keep certain data about you to fulfil legal obligations, such as those imposed by labor laws or accounting regulations. You will find more detailed information in our summary, such as what types of personal data about you Brights processes, for what purpose, based on what legal basis, and for how long. You will find the summary here.
You are always welcome to contact us if you have any questions about our processing of your personal data.
How do we access your personal data?
If you are a learner at Brights, the information that we have stored about you has either been provided to us by yourself, or from your employer. If you are attending a training at Brights and have gone through an assessment and/or recruitment process that has been handled by a subcontractor, they will collect your information on behalf of us. We might also store information about you in connection to workshops, surveys or other activities that are set out in order for us to provide the services to our client.
If you are a client or trainer at Brights, we may collect or receive information about you from other sources such as public registers, professional networks such as LinkedIn or via our own network.
Who will we share your personal data with?
In some cases, we might share your personal data with external parties. The external parties are other companies within our Group, vendors to Brights, authorities that we are under a legal obligation to provide with certain information, or clients when applicable. When we share your personal data with an external party, it will only be for those purposes for which the data was initially collected. We will always take the necessary precautions to ensure that the external party processes your data in a correct and secure manner, such as by entering into binding agreements with our vendors.
Your personal data may be shared with the following external parties:
Entities within our Group – We may share your information with other entities in Akind Group (the Group that Brights belongs to). This may occur when another Group company provides services to us that may result in processing your data on our behalf or when we work in group-wide applications.
Vendors - Your personal data may sometimes be shared with our vendors who perform services on our behalf and based on our instructions. These may be vendors of IT, vendors used for teaching, vendors used for consulting, and vendors used for facility.
Authorities – If required by national or international legislation, we may need to share your personal data with authorities.
Clients – Brights provide business to business skills solutions, meaning or services are carried out on behalf of our client. The client may be your current or future employer. If you are participating in an upskilling or reskilling training, we will share information about your participation and development with your employer during the program. If you are an employee with our client, where we provide learning consulting, we may collect insights and data about you which we will share with the client. The client is responsible for how they handle the data that they receive. If you have questions about how our clients handle your personal data, we recommend that you turn directly to them. Brights is happy to assist you in contacting them.
You are always welcome to contact us for more detailed information about which external parties we share your personal data with.
Where do we process your personal data?
We always do our best to make sure that your personal data is not stored or otherwise processed in countries outside of the EU/EEA. However, your personal data may be transferred or processed at our suppliers in Canada, Norway, Switzerland, the UK, or the USA. In such circumstances, either a decision on an adequate level of protection is applied, in accordance with Article 45 of the General Data Protection Regulation, or appropriate protective measures are applied in accordance with Article 46 of the General Data Protection Regulation in the form of the European Commission's decided standard contractual clauses. If your data is transferred or handled in countries outside the EU/EEA, we will ensure that we have taken sufficient security measures (such as Standard Contractual Clauses (SCC), contractual, organizational and/or technical safeguards) which mean that your data is handled in a way that achieves a sufficient level of protection according to applicable regulations. If you would like a copy of the safeguards used or if you would like more information about where your personal data is processed, you are always welcome to contact us.
Brights must document a lawful basis for each processing of personal data, in accordance with Article 30. If there is no legal basis, the processing is not lawful and thus not permitted. Private companies and organizations can rely primarily on these following four bases:
- Performance of contract
- Legal obligation
- Legitimate interest
When using legitimate interest as a basis, we always conduct a balancing test from which we assessed that our legitimate interest in carrying out the processing outweighs your interest in not processing your personal data. What Brights’ legitimate interest is in each type of processing is stated in the detailed summary available here.
What rights do you have?
Applicable privacy regulations provide you with several rights when your personal data is processed. Below you will find a short description of those rights. What rights you have may vary depending upon the purposes for which we are processing your data. You can easily do this by contacting email@example.com.
Right to information – You have the right to receive information about our processing of your personal data. Information about the processing of personal data must be provided by us as the data controller both when the data is collected and when you request access to it, which you can read more about under the heading “Right to access” below.
If something happens with your personal data that could affect you negatively, we have an obligation to inform you about this.
Right of access - You have the right to receive confirmation from Brights whether we process personal data related to you and, if this is the case, to obtain information about the processing. You also have the right to request a copy of the personal data we store about you free of charge.
Right to withdraw your consent - In cases where our processing of your data is based on your consent, you always have the right to withdraw your consent. You can easily do this by contacting firstname.lastname@example.org. Until you withdraw your consent, we have a legal basis and thus the right to process your personal data. After your consent is withdrawn, we will stop processing your personal data.
Right to rectification – You always have the right to demand that Brights corrects incorrect information about you that you consider to be incorrect or incomplete. In some cases, you can change the information you have entered in profile pages about yourself.
Right to object - You have the right to object to Brights’s processing of your personal data, such as when it concerns direct marketing (including profiling). In all cases where we process your personal data based on our legitimate interest (including profiling), you have the possibility to object to the processing. If you object and notify us, we will stop processing your personal data.
Right of restriction - In some cases, you have the right to request that Brights restricts the processing of your personal data. This is true if, for example, you claim that the personal data we process is inaccurate. You can then request a restriction of processing for the time that we need to verify whether the personal data is correct. In that case, we may only (in addition to the storage itself) process the data upon your consent. It applies except for establishing, asserting, or defending legal claims, to protect someone else’s right, or to protect an important public interest.
Right to erasure - In some cases, you have the right to request that Brights delete your personal information. This applies to the following cases (among others):
- If the personal data is no longer necessary for the purposes for which it was collected.
- If you withdraw your consent and we no longer need to retain your information for other purposes, such as legal obligations.
- If you object to a processing based on legitimate interest and you reason for objection outweighs our interest.
- If you object to our processing of your data for direct marketing and we no longer need to keep your personal data for other purposes.
- If your personal data is processed in an illegal manner.
- If your personal data needs to be erased based on a legal obligation.
Please note that we may have an obligation to save your information anyway, for example due to an agreement with you or legal requirements. We will only save your personal data for this purpose and not use it for any other purpose.
Right to data portability - If we process your personal data with your consent or performance of a contract which you have entered with us, you have the right to require Brights to disclose the personal data that you have provided to us in a structured format. If you wish to exercise your rights, you are always welcome to contact us.
Right to lodge a complaint - If you are dissatisfied with the way Brights processes your personal data, you are always entitled to lodge a complaint with a supervisory authority, in particular in the Member State where you have your domicile or place of work or where the alleged infringement was committed (stated in Article 77 of the GDPR).
Changes in our privacy information