Udacity and the General Data Protection Regulation
Last Updated: September 14, 2023
What is the name and address of the Udacity headquarters that is responsible for European business?
Udacity's European headquarters is in Ireland. Our business address is:
Udacity EMEA Holdings Ltd., 70 Sir John Rogerson's Quay, Dublin, Ireland D02R296
Who is your nominated supervisory authority?
Because Udacity's European headquarters is in Ireland, the Irish Data Protection Commission (Irish DPC) is our nominated supervisory authority.
Is Udacity a controller or processor of data?
Udacity is a processor of some data and a controller of other data.
Udacity's role as a processor: Udacity acts as a processor for enterprise clients who are the controllers of names and email addresses of their employees that are registered on Udacity’s learning platform. Udacity processes the provided names and email addresses for the purposes of registering user accounts, communicating with account holders to provide technical support and collect voluntary feedback, and processing certificates of completion for those who successfully complete one of our programs.
What are Udacity's data responsibilities as a processor versus a controller?
Udacity is committed to protecting personal data with appropriate technical and organizational measures and is certified under the ISO 27001 standard for information security.
Udacity's role as a processor: The enterprise client is responsible for upholding the rights of their employees that use Udacity’s learning platform, while Udacity acts on behalf of the client. For example, the enterprise client can add names/emails to the list, delete them, or change them through the enterprise management interface of the platform. Udacity will only process the names and email addresses as instructed by the enterprise client in accordance with the Data Processing Agreement signed by the parties.
Udacity's role as a controller: Udacity is the controller of data that is generated by or collected from users of the platform. Udacity allows users to make data rights-related requests directly through a web-based automated request system.
What personal data is collected by Udacity?
Udacity collects personal information directly from the users of our learning platform: when they use our services, make a purchase from us, sign up for email updates, upload or post to public forums, submit requests or questions to us via forms or email, and request customer support and technical assistance.
What is the purpose of the data processing?
In the context of Udacity's role as a processor: Udacity processes the names and email addresses provided by enterprise clients for the purposes of registering user accounts, communicating with account holders to provide technical support and collect voluntary feedback, and processing certificates of completion for those who successfully complete a skills training program.
Which subprocessors does Udacity use? And where is the data processed?
Udacity uses the following subprocessors to process the personal data controlled by enterprise clients:
- AWS (Amazon Web Services, Inc.) (Cloud Infrastructure)
- Google Cloud (DoiT International) (Classroom Experience)
- Okta, Inc. (Single Sign-on Authentication)
- Qualtrics, LLC (an SAP America Inc. company) (Survey Tool for Collection of User Feedback)
- Zendesk, Inc. (Customer Service and Support)
- Blueshift Labs, Inc. (Communication Management)
- Gainsight, Inc. (Customer Success Platform)
- Tableau Software LLC (Salesforce) (Data Visualization Platform)
- Cloudflare, Inc. (Global Content Delivery Network)
- Segment.io, Inc. (Twilio Inc.) (Customer Data Platform)
- Cockroach Labs, Inc. (Distributed Database)
- Spektra Systems LLC (Microsoft Azure Resource Management for Classroom Labs)
In each instance, the location of the processing is the United States, except for Cloudflare, Inc., which processes data in the United States as well as at globally distributed endpoints matching user location.
Where is the data stored?
Data is stored in cloud storage within Amazon Web Services. Specifically, Udacity stores data in US West 2 located in Oregon.
How do you honor data subject rights requests?
Our enterprise clients can add, delete, or correct any of the information they share directly on the Udacity platform. Additionally, Udacity is responsible for upholding the data rights of individuals who request access, rectification, erasure, restriction of processing, or portability of their personal data that was generated by or collected from them. Udacity allows individuals to make data rights-related requests directly through a web-based automated request system.
Is data exported out of the EU? How do you ensure that exported data is appropriately safeguarded (i.e., in view of the Schrems II decision and the invalidation of the Privacy Shield Framework)?
Yes. European personal data may only be exported out of the EU if a valid international data transfer mechanism is employed to ensure that data transferred internationally is appropriately safeguarded. Udacity uses the Standard Contractual Clauses for international data transfers from the EU to the US.
Is the data encrypted in transit, at rest, and in storage?
What information security policies protect consumer data?
Udacity is certified under ISO 27001 and 27017. Udacity maintains an information security management system, including robust policies, procedures, and training to protect consumer data.
What security / organisational measures have you implemented post Schrems II to ensure that data is adequately protected?
The Schrems II decision invalidated the European Commission's adequacy decision for the EU-US Privacy Shield Framework, on which more than 5,000 U.S. companies relied to conduct trans-Atlantic trade in compliance with EU data protection rules. However, the decision upheld the validity of Standard Contractual Clauses provided that sufficient technical and organisational measures are used by the data importer to protect against government access to EU personal data. Udacity relies on Standard Contractual Clauses in combination with strong technical and organisational measures, including data encryption in transit and at rest, to protect data imported to the U.S.
What is your data retention policy?
Udacity retains learner data until a valid request is received to delete it. This enables Udacity to verify whether a learner has completed a skills training program upon request in the future. A learner can request deletion of their personal information at any time through our web-based automated request system accessible from their Udacity account.
Why is the data retained indefinitely by Udacity (unless a student requests deletion)? How does this comply with GDPR?
GDPR requires personal data of data subjects to be held no longer than required to serve the purpose for which the data was collected. In the case of learner data, the purpose for which the data was collected was to deliver online skills training programs that provide the technical skills needed for the careers of the future. Unless Udacity receives a valid request to erase the learner data, the learner data is retained permanently. This allows the learner's record of participation and progress in the program to be maintained. If the data were deleted, we would have no record of an individual's completion and performance within the program.