Effective: January 1, 2020
Who we are
Award is a telecommunications training company based in the United States. Award and its subsidiaries and affiliates, located in several countries, including Ireland, Canada and India, provide telecommunications training worldwide. Award and its subsidiaries and affiliates who collect, store, use, transmit and otherwise process personal data in connection with Award’s services are referred to herein as “we”, “our” or “us”. We provide training in several ways including: instructor-led training in classrooms, instructor-guided training via a web platform, eLearning via one or more Learning Management Systems (“LMS”) and other platforms, including our LTE University’s website, Award’s website at awardsolutions.com, and training that can be accessed through your computers and personal devices. Most of the web-based and eLearning training is hosted and delivered from Award’s principal location in Plano, Texas. Training is also delivered at several physical locations worldwide. And training is also delivered via the web from other countries, including Ireland and India.
Controller or Processor: We may have an agreement with your employer or its affiliated company to deliver training to its employees, contractors or customers and, in order to deliver training to such individuals, we will be given the names, email addresses, phone number and other personal data in order to facilitate the scheduling and delivery of the training to said individuals, verify attendance and completion of the training and/or to issue training completion certificates. If you reside in the Eurpoean Union (“EU”), European Economic Area (“EEA”), or in Switzerland, in a country where the EU General Data Protection Regulation (“GDPR”) applies, then, the company that makes the contract with Award will determine the purposes and means of processing the personal data given to us, that company will be classified as the “controller” of your personal data, and we will be classified as the “processor” of your personal data that said company or you provide to us. Our obligations and your rights with respect to your personal data will be subject to the direction and control of the controller, except as otherwise provided by applicable laws. In some instances, you may deal directly with us, such as when you purchase or take our complementary training from us directly or when you enroll directly with us for our services, products, other offering or for marketing or promotional communications. In such instances, if you are a data subject protected under the GDPR, we will be seen as the controller of your personal data that you share with us. In almost every case, we only need your name and email address for you to obtain our services. We encourage you to not provide any other personal data to us unless we specifically request the additional data from you.
Data we Collect, how we Collect it and for what Purposes
Personal Data: Personal data is data about an individual from which that individual can be identified. It does not include data where the identity of the person has been removed (anonymous data or aggregated statistical data). The following are the types of personal data we collect, how we collect it, and the purposes for which we collect the data.
Types of personal data
How we collect the data
Purposes for which we collect data
Your name and business email address, personal email address, personal address, job title, employer’s name, work address, work telephone number.
You provide the data in the profile you create on our website.
Your employer provides the data to us.
A third party provides the data to us, such as an affiliate of your employer or a reseller from whom you or your employer purchased our services.
You provide this data through direct interaction including, in person at seminars or other events, or in your feedback, email, fax, phone, mail, text, other media.
To communicate with you regarding our services or in response to your requests or as required under contracts. To schedule training delivery, to deliver training materials, to verify your attendance or completion of the training, or to deliver training certificates to you.
To send order or registration confirmation, reminders, scheduling changes, cancellation notices, and service messages. To perform a contract we made with you, your employer or its affiliates, or a reseller or other third-party company, to deliver services or products. To comply with our legal obligations, including our record retention obligations. To protect our legitimate interests, including network security and to prevent fraud, infringement, misappropriation and plagiarism.
User name and password that you use to log in to our system.
We or our system may generate this data at your request or at the request of your employer or its affiliates or at the request of a reseller or other third party from whom you purchase our services or materials.
To grant you access to our systems, to restrict access by unauthorized persons, and to protect our legitimate interests, including network security and to prevent fraud or theft of services or materials.
Your profile data including your interests and preferences.
From your profile that you created on our website or from requests you made to us or to third parties for our services or materials.
You provide this data through direct interaction including, in person at seminars or other events, or in your feedback, email, fax, phone, mail, text, other media.
To deliver marketing information and materials about course offerings and upcoming events. You will have an opportunity to opt out of receiving marketing communication from us.
Usage data and technical data including: (1) information about how you use our website or services, your feedback, postings, the comments you leave on message boards, blogs, publications and reviews relating to our system, services, materials or personnel; and (2) information from your use of our website, including internet protocol (IP) address, referral source, browsing history, length of visit, geographical location, items and number of pages or content viewed, copied, downloaded, stored or purchased.
Our system is configured to capture usage and technical information by use of server logs, cookies and similar technologies that automatically collect technical data when you use or visit our website.
This data may also be collected by use of third-party software and services that monitor or capture this data.
To protect and pursue our legitimate interests, including IT administration, monitor storage capacity, system protection, network security, to prevent fraud, infringement, misappropriation, plagiarism, to improve website usability, to enhance visitor and user experience on our website, and to recognize your computer when you visit our website.
Failure to Provide Requested Personal Data: You do not have to provide your personal data to us. If you do not provide the personal data we require, you will not be able to access our websites or LMS, receive our services, receive promotional offers or marketing communications from us and we will not be able to accomplish the purposes for which we collect the data, as discussed in the table above.
Aggregated Data and Non-Personal Data: We collect, use, share and otherwise process statistical data for several purposes, including to pursue our legitimate business interests. Aggregated data may be derived in part from your personal data but does not legally constitute personal data because it does not directly or indirectly reveal your identity.
Data we do not Collect: We do not collect or otherwise process information about children. We do not collect or otherwise process Sensitive Personal Data. “Sensitive Personal Data” is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying you, data concerning your health, data concerning your sex life or sexual orientation, or data relating to your criminal convictions or offenses. We do not collect or otherwise process your banking or payment card information. When you purchase our services, (a) you are directed to pay through a third-party payment service that processes your payment and for which we do not see or process your payment card information or (b) we issue an invoice that you pay by making an electronic funds transfer directly to a bank account, in which event we do not see or process your bank or other payment information.
Marketing Use and Opportunity to Opt Out or Unsubscribe: We may use your contact, usage and technical data to market our services and products to you. In most instances, you would have consented to our use of your personal data for marketing purposes either by requesting said information personally, through our website or through a third party.
We may use the information we obtain from the cookie in connection with the administration of our website, to improve our website’s usability and/or for marketing purposes. We may also use that information to recognize your computer when you visit our website and to personalize the website for you. Most browsers allow you to refuse to accept cookies. You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. Disabling or refusing cookies will have a negative impact upon the usability of the website, as some parts of the website may become inaccessible or not function properly.
Authorized Processing: Generally, processing of your personal data is authorized if and to the extent that at least one of the following applies: (1) you gave consent to process your personal data for one or more specific purposes; (2) processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; (4) processing is necessary in order to protect your vital interests or the vital interests of another natural person; and (5) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child.
How we Share or Disclose Personal Data
As described in the table above, we only use your personal data for legally permitted reasons. We will share your personal data with our employees and contractors who have a bona fide need to access the personal data in order to administer enrollment for our training classes, to schedule the training delivery, to deliver training materials, to deliver the training, to verify attendance and completion of the training, to issue certificates of completion, for sales communications, and other peripheral services, including invoicing.
In some instances, depending on your location and your purchases from us, we may engage subject matter experts and other personnel of our subsidiary and affiliates located Canada, Ireland, or India, and other contractors located within or outside the United States or EU, EEA or Switzerland, to deliver training services and materials to you, to facilitate the enrollment, scheduling and delivery of the training to you, to issue certificates of completion of the training to you, and for invoicing purposes in which event some of your personal data (usually your name and business email address) will be shared with subject matter experts and other personnel and contractors for said purposes and will or may be stored and otherwise processed at their offices, which may be outside the United States or EU, EEA or Switzerland.
We often use subject matter experts and other personnel from the following affiliates for the purposes shown: Award Solutions EMEA, Ltd - Dublin, Ireland: for training delivery and sales; Canada Award Solutions, Inc. – Vancouver, British Columbia, Canada: for training delivery, scheduling and invoicing; and Award Solutions India Private Limited – Bangalore, India: for training delivery, scheduling and invoicing.
We also utilize third-party tools and services, through which some of your personal data may be transmitted or otherwise processed, which may be hosted or accessed within and/or outside the United States, EU, EEA or Switzerland, in connection with performing our services and advancing our legitimate business interests, including the following: (a) telephone, teleconferencing and internet platforms for communications, conferences and meetings; (b) services that support our in-person and web-based training services, to enroll for, gain access to and join training sessions, to obtain credit for the training, and to participate in pre-training and post-training evaluations to measure knowledge acquired from the training; (c) using cloud-based storage services whose servers may be located in multiple countries, for storage, access and otherwise processing personal data; (d) email and document file hosting services whose servers may be located in multiple countries; (e) electronic transmission services whose servers may be located in multiple countries; (f) automated travel and expense management tools whose servers may be located in multiple countries, to manage travel for delivery of our services and process scheduling information; (g) sales tools to communicate with our customers’ personnel; (h) tools for invoicing purposes whose servers may be located in multiple countries; and (i) using vendors and service providers to manage, support, maintain and upgrade our websites, LMS and other systems.
How we Protect your Data
We are committed to protecting confidential information, including the privacy of your personal data, and we have invested significant resources, time, efforts and money to do so. We have implemented commercially reasonable security measures and other technical and organizational measures to protect against unauthorized access, use, reproduction, alteration, disclosure, dissemination and destruction of data.
The following are some of the central features of our information security program.
1. We implemented an information security policy and procedures to protect confidential, proprietary and personal data.
2. We utilize storage and transmission encryption technology to protect confidential, proprietary and personal data at rest and in transit.
3. Our premises are located in a building that provides physical security and controlled access. We also utilize third-party monitored security cameras and security alarms at our premises.
4. We require all of our employees and contractors that we use to perform services for us to be bound by written confidentiality and non-disclosure agreements under which they are bound to protect confidential information, including personal data, from unauthorized access, use and dissemination (“NDAs”).
5. We limit access to personal data to only those of our employees and contractors who have a bona fide need to know the data in order to perform their job functions.
6. We provide periodic training to our employees and contractors to educate them on these security requirements.
7. The companies that we use to provide support services, including IT services, are bound by NDAs and we restrict access to personal data on a need-to-know basis.
8. Our NDAs restrict disclosure of protected information on the “Principle of Least Privilege”, i.e., authorized personnel are given limited and controlled access to only the least amount of confidential information, including personal data, and the lowest level of user right that they can have to perform their essential duties in connection with the approved purposes for which the data was disclosed.
9. We also anonymize your personal data a reasonable time after we have completed using the data for the purpose for which it was initially disclosed to us. When your data has been anonymized, it is no longer identified with you.
10. In certain instances, we pseudonymize your personal data so that it can no longer be attributed to you without use of additional information, which additional information is kept separately and is subject to technical and organizational measures to ensure that the pseudonymized personal data is not attributed to you.
11. Our IT support team regularly monitors and tests our systems infrastructure to detect and correct vulnerabilities and detect and mitigate potential attacks.
12. We implement controls to identify, authenticate and authorize access to various systems or sites.
13. When we select third-party tools and services, we use diligent efforts to select nationally and internationally known and reputable providers who give assurances of network security and protection against unauthorized use and disclosure of confidential information, including personal data. If we use smaller, local or regional providers, we also rely on their assurances for these protections, including requiring them to sign an NDA. In any event, in all instances where we use third-party tools and services that may gain access to personal data, we take measures to ensure that appropriate safe guards and technical and organizational measures are in place to maintain network security and protect against unauthorized use and disclosure of confidential information, including personal data.
How Long do we Keep Personal Data
Typically, we retain your personal data for the period necessary to fulfill the purposes for which the data was given to us and for a reasonable time period thereafter, usually about three years, unless you request erasure earlier; after said time period elapses or upon your earlier request, if we are the controller, we will delete your personal data, except in the following circumstances:
(2) we may retain some of your personal data to the extent required by applicable laws and regulations, including laws requiring retention of records for certain specific periods of time;
(3) we may retain some of your personal data in order to comply with contracts under which we receive your personal data, such as contracts with your employer to provide training services to you, and to enforce our rights under said contracts, including for the statute of limitations periods;
We may delete your personal data if we believe that the personal data is incomplete, inaccurate, or that our continued use and storage are contrary to our obligations. In some instances, we may anonymize, pseudonymize or aggregate your personal data so that the data is no longer identified with you, but the data may remain in our archives for research or statistical purposes and may remain indefinitely for such purposes or if we determine it is not practical or possible to delete it.
Transmission of Data to Other Countries
In certain instances, personal data of data subjects who are protected under the GDPR will be processed outside the EU, EEA or Switzerland. We will transfer or process your personal data outside the EU, EEA or Switzerland only if the conditions laid down in the GDPR for such transfers and processing are complied with and applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined, including at least one the following conditions:
(2) Appropriate Safeguards: in the absence of an adequacy decision, the controller or processor may transfer personal data to a third country or international organization only if the controller or processor has provided adequate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Adequate safeguards may be provided as follows: (a) without specific authorization from a supervisory authority, by mechanisms including, among others, (i) binding corporate rules, (ii) standard data protection clauses adopted or approved by the European Commission, (iii) an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or (iv) an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or (b) subject to the authorization from the competent supervisory authority, the appropriate safeguards may be provided by, among other things, contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization. A “supervisory authority” is an independent public authority which is established by an EU Member State pursuant to the GDPR; and
(3) Derogations for Specific Situations: in the absence of an adequacy decision or of appropriate safeguards, a transfer or set of transfers of personal data to third country or international organization shall take place only on certain GDPR specified conditions, including one of the following conditions: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s requests; (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or (d) the transfer is necessary for the establishment, exercise or defense of legal claims.
Realities and Risk Assessment
Data Protection by Design and Default: Taking into account the cost of implementation and the nature, context, and purposes of processing your data, we have implemented appropriate technical and organizational measures and safeguards, such as pseudonymization, anonymization and aggregation, we employ the Principle of Least Privilege and we limit access to personal and confidential data on a bona fide need-to-know basis, in order to minimize the processing of your data and to meet our legal requirements and commitments to protect your personal data and other confidential information.
Realities: Unfortunately, no data transmission over the Internet, no electronic storage of data and no website, system or facility is fully secure or immune from cyberattack or compromise. Accordingly, and despite our efforts to protect your personal data from unauthorized access, use, or disclosure, we cannot guarantee or warrant absolute security of the personal data that you transmit to us.
Risk Assessment: After giving due consideration and assessment of (1) the limited nature and volume of your personal data (name and email address and no Sensitive Personal Data) that we may process at our location or transfer to or process in a third country, (2) our limited use of said data (for scheduling training and verification of attendance and completion of training), (3) the safeguards and implemented technical and organizational measures that are required to protect said data, and (4) our experiences within the United States and in the other countries where we have operated, we estimate that there is minimal or no risk of material damage to you from our use or other processing of said data within or outside the United States.
If you reside within the EU, EEA or Switzerland and are covered as a data subject under the EU GDPR, we may require your consent to process your personal data. In such instances where we process your data based upon your consent, we require that you freely give your consent for us to process your personal data. Other than your consent, we may also rely on other GDPR-approved bases for processing personal data, including contracts, legal obligations, and legitimate interests. In performing or enforcing our contracts, we will process privacy data of data subjects as provided in said contracts. In some instances, we provide complementary training to data subjects in return for using their personal data to send marketing materials on course offerings and discounts. In other instances, we may have an on-going relationship with a company with whom the data subject in employed and is our contact person for business communication and we will utilize that data subject business contacts for such communications. We rely on those legitimate interests as the legal basis to process your personal data for said purposes.
Consent Age Requirement: If you are under sixteen (16) years of age, your consent must be given or authorized by the person who holds parental responsibility over you. If you are subject to any law of any state or jurisdiction that sets this minimum age below sixteen (16) years [but in no event below thirteen (13) years of age], then, if you are under that statutory age but not less than thirteen (13) years of age, your consent must be given or authorized by the person who holds parental responsibility over you. Do not provide your consent or personal data if you are under thirteen (13) years of age. In any event, we have no obligation and we do not intend or desire to contract with you unless you are of the age set by applicable law for you to be bound by a contract with us.
Your Legal Rights
Under the GDPR, EU data subjects have certain legal rights (or you may also have those or similar rights under other applicable laws), including the following rights:
(1) Right to request access: this right enables you to obtain confirmation from the controller as to whether or not your personal data is being processed, and, if your personal data is being processed, to obtain from the controller access to your personal data, information showing that your personal data is being lawfully processed, and a copy of your personal data undergoing process, provided the right to obtain a copy does not adversely affect the rights and freedoms of others. For any additional copies, the controller may charge a reasonable fee based on administrative cost.
(2) Right to request rectification: this right enables you to obtain from the controller, without undue delay, the correction of inaccurate personal data and to have incomplete personal data completed – subject to our verification of the accuracy of the new personal data you provide to us.
(3) Right to erasure or to be forgotten: this right enables you to obtain from the controller the erasure of your personal data without undue delay in certain instances, including (a) where the personal data is no longer necessary for the purpose for which it was collected or otherwise processed, (b) you withdraw your consent on which the processing is based, (c) where you have established a right to object to our processing of your personal data and there is no legitimate grounds for us to continue to process your personal data, (d) where we may have unlawfully processed your personal data, and (e) where we are required by law to erase your personal data.
(4) Right to restriction of processing: you have the right to obtain from the controller restriction of processing of your personal data where one of the following applies: (a) where you contest the accuracy of the personal data, you may request the controller to restrict processing for a period to enable the controller to verify the accuracy of the personal data; (b) the processing is unlawful, you oppose the erasure of the personal data and request the restriction of the use of the data instead of erasure; (c) the controller no longer needs the personal data for processing but you need the data to establish, exercise or defend legal claims; (d) you object to processing based on certain specific grounds (see item 7 below) and request the restriction of processing pending verification of whether the legitimate grounds of the controller override your grounds to object. Where processing has been so restricted, you have the right to be informed by the controller before the restriction is lifted.
(5) Right of notification: this right enables you to obtain from the controller, upon your request, information about recipients to whom your personal data had been disclosed and to whom the controller communicated that the personal data has been rectified or erased or its processing restricted at your request.
(6) Right of portability: this right enables you (a) to receive your personal data that you provided to the controller, in a structured, commonly used and machine-readable format and (b) to transmit that personal data to another controller, where the processing was based on your consent and carried out by automated means and the exercise of this right does not adversely affect the rights and freedoms of others. In exercising this right, you may have your personal data transferred directly from one controller to another, where technically feasible.
(7) Right to object to processing: you have the right to object at any time to the following: (a) the processing of your personal data where the objection is based on (i) processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (ii) processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child, including profiling based on (i) or (ii); (b) processing of your personal data for direct marketing purposes, including profiling related to such direct marketing, in which event, your personal data may not be processed for such purposes. The term “profiling” means automated processing of personal data to evaluate a natural person’s personal aspects, in particular to analyze or predict performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
(8) Right to object to automated decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right shall not apply if the decision is necessary for entering into or performing a contract between you and a controller or is based on your explicit consent.
(9) Right to withdraw consent at any time: you have the right to withdraw your consent at any time. The withdrawal of your consent shall not affect the lawfulness of processing of your personal data based on your consent that was given before withdrawal of that consent.
All requests to us must be directed to our Data Security Office using the information provided below. We will respond to your requests for the exercise of your rights in the time required under applicable laws, giving due regard to our overriding obligations.
Irreversibility of Erasure: If we erase your personal data from our system, upon such erasure we will be unable to recreate your personal data. In such instances, we will not be able to issue to you certificates of completion of our training or to verify your attendance or completion of the training or to evidence any transaction or communication you had with us.
Overriding Requirements: Applicable laws may provide compelling, legitimate grounds for processing personal data for the establishment, exercise or defense of legal claims, which override a data subject’s interests, rights and freedoms. The data privacy laws in some countries may be less stringent than the laws of your country and the government, law enforcement and courts of some countries may be able to access your personal data in certain circumstances. Some court orders, subpoenas, administrative agencies’ orders, or contracts may require us to take certain actions with respect to personal data, including disclosing your personal data, that may be contrary to your requests and instructions and we may have to defer to the foregoing laws, orders or contracts in certain circumstances. Where we deem appropriate and permissible, we will seek protective orders to protect your personal data from such compelled disclosures. As a processor, we may be required to follow the instructions of the controller. A third-party contract under which we receive your personal data (e.g., a contract with your employer) or applicable laws may require us to retain business records, which may include personal data, for a period that is longer than the period allowed under other laws or regulations or that you prefer.
Presumption of Authenticity: We will rely on the data we have in our file to verify the accuracy of and honor or respond to your requests or instructions, including requests for revocation of your consent, request for rectification of your data or request for erasure of your data. In most cases, that will be your name or email address. We will assume that your request or instruction is authentic if it uses your name or email address that was provided in your profile created when you accessed our system or that was provided to us by a third party who had apparent authority to share your personal data with us, such as your employer or a reseller from whom you obtained access to our services. We rely on you to notify us of an inaccuracy in your information and to promptly correct your profile information or request rectification of your information. In some instances, we will request additional data from you to verify the authenticity of your requests.
In the event we determine the occurrence of a data security incident, if we are the controller of your personal data, we will notify the appropriate supervisory authority of the data breach, as is required under applicable laws or regulations; and if we are the processor, we will notify the controller of the data breach without undue delay. Where the personal data breach is likely to result in high risks to the rights and freedoms of natural persons, if we are the controller, we will notify you of the data breach without undue delay.
If you are a data subject covered by the GDPR, note that you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR. We would appreciate the opportunity to address your complaint before you escalate the matter to a supervisory authority proceeding, so please contact us with your complaint so that we can address it as soon as possible to mitigate any resulting damages.
Our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale and do not consist of processing on a large scale of Sensitive Personal Data and, consequently, we are not required under the GDPR to designate a data protection officer.
If you wish to restrict or stop our use of your personal data, for us to erase or rectify your personal data, or to otherwise communicate with us with respect to your legal rights affecting our use of your personal data, please contact our Data Security Office at:
Award Solutions, Inc.
5830 Granite Parkway, Suite 950
Plano, Texas 75024
+1 972 664 0727