Scope
Prometric LLC is a Delaware, USA, limited liability company with its principal place of business located at 1501 South Clinton Street, Baltimore, Maryland 21224 USA (hereafter, “Company”, “us” or “we”).
This Privacy Policy (“Policy”) has been drafted and implemented in accordance with the principles set forth herein, to describe our practices regarding the collection, use, processing, storage, disclosure and transfer of your Personal Data. It explains how we use, maintain and disclose Personal Data and information that we collect and/or have access to through the course of our business. This Policy covers test candidates, clients, contractors and partners about whom this organization processes data.
“Data Protection Law” designates any local applicable data protection law or laws depending on the territorial application of the law. This includes, but is not limited to, EU Regulation 2016/679 of the European Parliament and of the Council of 17 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
By “Personal Data”, we mean any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Collected
Personal Data
For the purposes expressed in the following section of this Policy, Prometric collects Personal Data, including but not limited to the following:
- Personal contact details (name, address, telephone number, country-specific identification number, email address, login and password information);
- Date of birth and gender;
- Assessment details, including test candidate ID number, examinations taken and when, scores related to those exams, how many times an exam or any particular section of exams have been taken;
- Payment and financial institution information;
- Residence and country of citizenship;
- Photographs;
- Signature;
- Video recordings;
- Audio recordings (as permissible by law and only in specific jurisdictions);
- Information from identification, verification, or eligibility documents;
- Transaction and Relationship Information including elements that reveal candidate test patterns, test locations, test results, and information about how Prometric websites and applications are used.
Sensitive Personal Data
In addition, Prometric may process special categories of personal data as permitted by law. Such sensitive personal data is only collected for specific business-related purposes subject to the consent of the data subject. Such data is subject to enhanced security measures as required under relevant law. Such personal data may include:
- Race or ethnicity;
- Biometrics (fingerprint images and templates, facial images and templates);
- Health information or medical data;
- In some jurisdictions the definition of sensitive personal data may include additional categories of data, some of which may be outlined under Personal Data, above.
U.S. Social Security Number Protection Policy Statement
Prometric collects Social Security numbers and other sensitive Personal Data only where required by the test sponsor for candidates. We have implemented reasonable technical, physical and administrative safeguards to protect the Social Security numbers and other sensitive Personal Data from unlawful use and unauthorized disclosure. Prometric associates and contractors are required to follow these established procedures, both online and offline.
Access to Social Security numbers is limited to those employees and contractors who have a need to access the information to perform contractual obligations for Prometric. Prometric will only disclose Social Security numbers to those test sponsors, service providers, auditors, advisors, and/or successors-in-interest who are legally or contractually obligated to protect them or as required or permitted by law.
Biometric Data
Prometric collects biometric data of test candidates where permissible by local law and where the service is selected by a test sponsor.
The Biometric Enabled Check-In System and Prometric’s remote proctoring platform, ProProctor, are designed to improve the security and integrity of the testing process in a way that protects test candidate privacy while confirming test candidate identity. These technologies are used for identity verification purposes, to detect and prevent fraud and misrepresentation, to maintain the integrity of the testing process, and improve the security of test centers and remotely-proctored exams. Prometric manages the security and confidentiality of all biometric data, protects it from unauthorized access, use, disclosure, or alteration, and retains and destroys the data in accordance with applicable law.
Medical Data
Prometric also receives, in very limited circumstances, medical data related to test candidates’ requests for testing accommodations. When it receives such health data the medical information will be stored in a secure manner with the utmost regard for the confidentiality of the information contained therein. Medical data is not retained for any longer than is necessary and in line with Prometric’s data retention policy.
The following safeguards are applied to the processing of medical data of data subjects:
- Limitations on access to prevent unauthorized consultation, alteration, disclosure or erasure
- Strict time limits for erasure in line with the company’s Records Management Schedule
- Specific targeted training for those involved in handling medical data
- Logging mechanisms to permit verification of whether and by whom personal data has been consulted, altered, disclosed or erased
- Encryption
Monitoring via Digital Video and Audio Recording
Prometric deploys Digital Video Recording (DVR or CCTV) throughout its network of test centers, in the remote-proctoring platform (“ProProctor”), and in some corporate offices. Where permitted by applicable law, this includes audio recordings of the reception/locker, proctor/security check-in, and test lab areas. For ProProctor, Prometric collects video recordings that include audio recordings from the start of the check-in process and throughout the duration of the test. At times, this will include the test candidate’s desk and workspace. This is necessary in order to protect the security of high-stakes proprietary test content, the integrity of the test delivery experience, to deter fraud and cheating, to protect against theft or pilferage, to monitor and restrict secure areas and/or Prometric departments, and for the security of staff and organization property. Access to the recorded material will be strictly limited to authorized personnel.
Purposes for Personal Data Collection
Personal Data is generally collected and processed for the purposes of the performance of a contract. In addition, it may be collected and processed based on the consent of the individual and may be used to comply with a legal obligation or for legitimate business purposes.
In most cases Prometric collects such Personal Data directly from the individual data subject. However, in other cases we may receive information from test sponsors or even from third party data suppliers to enhance our files and help us better understand our customers. When a candidate visits Prometric’s website, registers or takes an exam, uses our applications, or contacts us we also collect transaction information for customer service purposes. We treat this information as Personal Data when it is associated with information that has the effect of identifying an individual.
Performance of a Contract
As part of its performance of a contract, Prometric collects and processes personal data for the purposes of registering and scheduling you for a test, administering that test, fraud prevention, and processing the results.
Prometric will respond to candidate requests for information about tests and testing opportunities, facilitate registration for exams, and provide testing services to both candidates and test sponsors (including test scheduling and administration, security of the test content and results, test scoring, reporting and analysis of results, and customer service related thereto). Where permitted by law, Prometric may send exam candidates commercial communications and offers for additional testing or training services on behalf of test sponsors.
Legitimate Business Purposes
Prometric also uses Personal Data as needed to manage everyday business needs such as invoice processing and financial account management, backup purposes to facilitate business continuity, test center management, business planning, contract management, improvement of testing services provided to our customers, website administration, fulfillment, analytics, security and fraud prevention, corporate governance, disaster recovery planning, auditing, reporting and compliance with any legal or regulatory obligations.
Purposes specific to Biometric Data
On behalf of its test sponsors, Prometric will collect biometric data solely to: (1) administer the tests and verify identity, (2) protect privacy, (3) detect and prevent fraud and misrepresentation by unauthorized candidates, (4) maintain the integrity of the testing process, and (5) as required by law.
Disclosure of Personal Data
Prometric does not share Personal Data with third parties for their own marketing purposes. Prometric also does not transfer information to third parties who are not acting in a contractual capacity as Prometric’s agent or on Prometric’s behalf.
Prometric requires its subcontractors and vendors who have access to Personal Data to provide, at a minimum, the same levels of protection as provided by Prometric concerning Personal Data. Where Prometric is required to transfer Personal Data onward to a third party to further the performance of a contractual obligation, Prometric will remain liable for the proper use, processing, and storage of such data in a manner that is consistent with the purposes for which it was collected. We limit our sharing of all Personal Data as follows:
- Prometric may disclose Personal Data of test candidates to:
– Test sponsors; so that they can provide candidates with the accreditation, service, license or credential sought;
– Our service providers; to facilitate candidate and test sponsor requests and improve our services;
– Our affiliates and authorized test centers.
- Prometric may disclose Personal Data where necessary in furtherance of the sale or transfer of business assets, to enable payment processing, to enforce our rights, protect our property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions.
- Prometric may disclose Personal Data where necessary to facilitate an investigation of cheating, unauthorized testing, or other misconduct or when legally required to do so (e.g., response to a subpoena or summons; to cooperate with law enforcement or other legal proceedings in the countries where we operate).
As a matter of policy, Prometric does not disclose biometric data to any third party except as outlined herein. Prometric may disclose biometric data to a test sponsor, law enforcement agency, or a third party that is under contract with Prometric or compelled by applicable law to be involved in an investigation related to alleged misconduct solely for the purposes of an investigation of cheating, unauthorized testing, or other test candidate misconduct. Prometric may also disclose biometric data only in relation to lawful requests by regulatory, legal or government agencies with jurisdiction and/or authority to make such requests.
Retention and Storage of Personal Data
Prometric promulgates a comprehensive Records Management Program and Schedule that it adheres to for the purposes of retention, storage and destruction of all records created in the course of its business including those containing personal data. We also deploy a Data Management strategy that segregates data, to the extent feasible, based on regionally located data servers.
At all times Prometric protects personal data with operational, administrative, technical and physical security safeguards. Unless personal data is being used in connection with an active security investigation Prometric shall retain personal data for the lesser period of:
- five (5) years from the date of the last service, test or assessment; or
- the expiration of the purpose for which the personal data was collected; or
- the laws of the applicable jurisdiction where the data was collected.
Personal data shall only be retained for a greater period where (1) required by law or regulation for the purposes of recordkeeping requirements or (2) prescribed by contract and permissible under the laws of the applicable jurisdiction or (3) preservation is necessary due to pending or the potential for litigation.
All biometric data collected in computer-based test centers is securely transferred to and stored within Prometric’s secure data center in the European Union and is retained according to applicable law in the jurisdiction where it was collected. Biometric data collected via the ProProctor system is stored and secured in Microsoft Azure for a period of thirty (30) days.
Transfers of Personal Data
Prometric complies with all applicable data privacy laws with respect to Personal Data. This includes, but is not limited to, as required, providing disclosures on Prometric processes and procedures related to Personal Data (for example, this Privacy Policy and the statements contained herein), obtaining consent of the individual, adoption of standard contractual clauses with respect to the handling of Personal Data, and/or adherence to local data protection laws in the regions where Prometric conducts business. Where required by law, data subjects will be required to expressly consent to the collection, transfer and processing of their Personal Data.
Onward Transfers of Personal Data
Prometric’s employees, agents and contractors who have access to Personal Data and information are contractually required to protect the information in a manner that is consistent with this Privacy Policy and applicable data protection laws.
Personal Data that is transferred between our global corporate offices will only be done in furtherance of an authorized and legitimate business purpose. Where required by law Prometric also collects data subject consent through a clear disclosure notice and consent opt-in process in order to transfer Personal Data outside of the region where it was collected. By continuing to provide Prometric with Personal Data or utilize Prometric’s services after consent has been obtained a data subject continues to consent to the transfer of Personal Data until such consent is expressly withdrawn in writing.
Transfer of Personal Data Across Borders
In many instances, the use of third parties will also involve the transfer of personal data across country borders (within the EU / EEA or outside of the EU / EEA). Also, many business processes require the transfer of data between the Company and its affiliated entities internationally. Specific legal obligations apply when such transfers occur outside the EU / EEA. When transferring personal data across borders to third parties or internally outside of the EU / EEA:
- Prometric determines if there is a legitimate justification for the transfer of personal data (e.g., valid business reason);
- Prometric follows local legal requirements (e.g. notice to the individual, notification to data protection authorities if necessary, use of contractual safeguards such as EU Standard Contractual Clauses).
The transfer of personal data from Prometric in the EEA to other company affiliates established outside the EEA is permitted under Prometric’s intracompany transfer agreements (Standard Contractual Clauses). We also enter into data processing agreements with our clients and vendors as required under EU law or other relevant data protection legislation.
Data Subject Rights
As provided under relevant data protection law, a Data Subject for whom Prometric processes Personal Data may, at any time:
- request access, rectification, erasure, portability, restriction or objection to their Personal Data;
- make any inquiries, requests or complaints in relation to the use of their Personal Data;
- withdraw consent to the processing of their Personal Data; and
- other rights as required by applicable law(s).
Data Subject Access Requests may be made directly to Prometric at www.prometric.com/datasubjectrequests. All Data Subject Requests will generally be answered within thirty (30) days while more complicated requests may take up to two months.
Access & Correction
Prometric respects an individual’s right to access and correct their Personal Data. Data subjects have the right with respect to access to:
- obtain confirmation that Personal Data is/is not being processed;
- verify its accuracy and the lawfulness of the processing; and
- correct, amend or delete the data where it is inaccurate or processed in violation of applicable law.
Data subjects may request access to their Personal Data and exercise their rights at any time; however, Prometric must be supplied with sufficient information to allow for verification of the identity of the individual making the request and/or exercising their rights.
Candidates may even update or self-correct certain Personal Data by logging into the account created upon registration and updating the information provided to Prometric.
Restriction to Access
Prometric will only restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, or to the extent that the requests for access become so excessive and/or repetitive as to cause an undue burden to the organizational resources that must be expended in order to fulfill such requests. In such a situation, Prometric may deny the request and/or fulfill the request through alternative means; or, charge a fee for excessively repetitive requests for access to cover the costs of its resources to fulfill such requests. In addition, where information is processed solely for research or statistical purposes and does not include Personal Data, access may be denied. Other reasons that Prometric may deny or limit access include:
- Interference with the execution or enforcement of the law or with private causes of action, including the prevention, investigation or detection of offenses or the right to a fair trial;
- Disclosure where the legitimate rights or important interests of others would be violated;
- Breaching a legal or other professional privilege or obligation;
- Prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or
- Prejudicing the confidentiality necessary in monitoring, inspection or regulatory functions connected with sound business practices, or in future or ongoing negotiations involving the organization.
Limiting Personal Data/Withdrawal of Consent
Individuals can always limit the information provided to Prometric. However, Prometric abides by the policies of its clients, the test sponsors, regarding the Personal Data of candidates that must be collected in order for Prometric to administer a test on behalf of the test sponsor. Individuals that do not wish to provide Personal Data required by the test sponsor will need to contact the test sponsor for further advice or instruction.
As permitted by applicable law, data subjects may also withdraw consent to the processing of Personal Data. However, exercising this right may prevent Prometric’s ability to deliver any further services or to proceed with legitimate business operations such as the delivery of an exam or processing of exam results and/or transcripts.
Commercial Emails/Direct Marketing
In some cases, Prometric may engage in marketing campaigns to propose products or services that may be of interest to existing or future candidates. Where required by applicable law Prometric will only engage in such marketing communications if the individual has provided their consent (i.e. opted in). Where not required by applicable law Prometric will provide an appropriate opt-out mechanism. Where a data subject has opted-in (either explicitly or implicitly as applicable) to a marketing communication they may opt-out of any such communication at any time.
To opt-out of commercial emails, simply click the link labeled “unsubscribe” at the bottom of any email sent by Prometric. Please note that even if opting-out of commercial emails Prometric may still need to contact candidates with important transactional information about their Prometric account or scheduled exam in order to fulfil a contractual obligation. For example, Prometric will still send testing confirmations and reminders, information about test center changes and closures, and information about test results even if commercial emails have been opted-out (or not opted-in).
California Privacy Rights
California Civil Code Section 1798 allows California residents to ask companies with whom they have an established business relationship to provide certain information about the companies’ sharing of Personal Data with third parties for direct marketing purposes. Prometric does not share any California consumer Personal Data with third parties for marketing purposes without consent. If you are a test candidate, Prometric will provide your Personal Data to your test sponsor, who may use the information in accordance with its own privacy policies.
Information Security
Data Security & Confidentiality
Security of information, both personal and proprietary data, is a fundamental principle that runs through every part of Prometric’s business. All of our technologies feature multiple layers of encryption and protection so that our test candidates, clients, constituents and stakeholders alike can rest assured that their personal data and intellectual property are being properly protected from theft, loss, improper copying, modification or tampering, improper retention or destruction, loss of integrity or unauthorized access, use or disclosure while it is in our systems. We operate information technology facilities that meet or exceed industry standards, with secure back-ups at off-site locations, where all personal data and intellectual property are securely stored and protected.
Prometric draws on industry best practices and guidance from sources such as the National Institute of Standards and Technology (NIST), Payment Card Industry (PCI) and standards promulgated by the International Standards Organization (ISO) including, but not limited to, ISO/IEC 27018:2014 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) and ISO/IEC 27001:2013 (Security techniques — Information security management systems — Requirements) to design and maintain its information security program. Prometric’s Information Security Program is reviewed several times each year by multiple third party organizations to ensure it meets or exceeds the highest benchmarks available for security and data privacy and protection.
Prometric takes all reasonable steps to ensure that appropriate security measures are in place to protect the confidentiality of both electronic and manual data. Any person handling personal data on behalf of Prometric is bound by a contract including, amongst other safeguards, a confidentiality obligation regarding personal data, obligations to take appropriate steps to prevent the misuse or loss of personal data and to prevent unauthorized access to it. In addition, employees and contractors are under the obligation to immediately report any known or suspected instance of misuse, loss or unauthorized access.
Security measures will be reviewed from time to time, having regard to the technology available, the cost and the risk of unauthorized access.
Cookies and Other Data Collection Technologies
When an individual visits the Prometric website or uses Prometric’s mobile applications we collect certain information by automated means using technologies such as cookies, pixel tags, browser analysis tools, server logs, web beacons, and other similar technologies to ensure that the Prometric website offers the best possible experience. In many cases, the information we collect using cookies and other tools is only done so in a non-identifiable way without any collection of Personal Data.
Types of Data Collected and Technologies Used
- Cookies are text files containing small amounts of information which are downloaded to your computer or mobile device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are useful because they allow a website to recognize a user’s device.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving the user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.
- Pixel tags and web beacons are tiny graphic images placed on website pages or in some Prometric emails that allow us to determine whether an individual has performed a specific action. When an individual accesses these pages or opens or clicks on an email the pixel tags and web beacons generate a notice of that action. These tools allow Prometric to measure responses to our communications and improve our web pages and promotions.
- Prometric server logs and other tools collect information from devices used to access Prometric websites, such as operating system type, browser type, domain, and other system settings, as well as the language a system uses and the country and time zone where the device accessing the Prometric website is located. Prometric server logs also record the IP address of the devices used to connect to the Internet, and may enable Prometric to collect information about the websites being visited by an individual before and after accessing the Prometric site. Collecting IP addresses and related data is standard practice on the Internet, and Prometric treats IP addresses as Personal Data. We use IP addresses for purposes such as calculating website usage levels, helping diagnose server problems, administering the website and combating fraudulent and/or malicious web activity. We also collect customary information from web browsers, such as Media Access Control (MAC) addresses, device type, screen resolution, operating system version and internet browser type and version. Prometric uses this information to ensure that our websites function properly for all devices and browsers and for security purposes.
- Prometric may have relationships with third party advertising companies to place advertisements on its websites and to perform analytics and reporting functions for its websites. These third party advertising companies may place cookies on individuals’ computers when visiting Prometric’s website so that the website can display targeted advertisements to the user. Prometric expects third party advertising companies to use reasonable efforts to respect browser do-not-track signals by not delivering targeted advertisements to website visitors whose browsers have a do-not-track setting enabled. Additionally, Prometric does not knowingly allow these third party advertising companies to collect Personal Data in this process, and does not give any Personal Data to them.
The full Prometric Cookie Notice and instructions for configuring and/or disabling cookies will pop up the first time an individual accesses the Prometric website and will allow the individual to opt in and configure cookie preferences. A user’s cookie preferences will be saved and users have the ability to change their cookie preferences at any time.
Mobile Aware Applications
Prometric offers mobile aware applications that allow individuals to access their Prometric accounts, interact with Prometric online and receive other information via smartphones and devices. All Personal Data collected by Prometric via our mobile applications is protected and processed only by the terms of this Privacy Policy.
We also offer automatic (“push”) notifications only to those data subjects who opt-in to receive such notifications from us. No individual is required to provide location information to Prometric or to enable push notifications to use any of our mobile aware applications. Questions about location and notification privacy should be directed to mobile service providers or the manufacturer of such devices to learn how to adjust location and privacy settings.
Dispute Resolution Process
Filing Complaints
Data subjects who have concerns or complaints regarding Prometric’s collection and processing of Personal Data are encouraged to first utilize Prometric’s internal complaint resolution process by providing a detailed written description of the issue and/or complaint. Test candidates may submit complaints or inquiries by locating the ‘Contact Us’ tab on Prometric’s website and selecting the appropriate link: https://www.prometric.com/en-us/contact-us/Pages/default.aspx.
Prometric will respond to all complaints that do not concern Personal Data in forty-five (45) days or less, or as otherwise required by applicable law.
Independent Recourse Mechanism
After exhausting Prometric’s internal complaint process, if an exam candidate is not satisfied with the resolution, he or she may file a complaint with the Better Business Bureau of Greater Maryland (“BBB”), an alternative dispute resolution provider based in the United States. Prometric is an A+ accredited business with the BBB, and the BBB will review all complaints, request that Prometric take the opportunity to provide a response/offer to resolve the complaint, and/or make a recommendation as to whether the complaint should be referred for arbitration or mediation. Under certain conditions, data subjects may be able to invoke binding arbitration.
BBB Website: http://www.bbb.org/greater-maryland/
BBB Telephone: 410-347-3990
BBB Fax: 410-347-3936
EU Data Protection Officer (DPO)
In compliance with the European Union’s General Data Protection Regulation (“GDPR”) Prometric has appointed a DPO located in the European Union. He is responsible for assisting the organization in monitoring and maintaining compliance with data protection legislation. The DPO is also available to answer queries or deal with data subject concerns about Prometric’s data protection practices.
Data subjects who feel that the rights afforded to them under GDPR have been violated, or that Prometric is processing Personal Data in violation of GDPR, may submit complaints or inquiries to:
Joseph Srouji
Avocat au Barreau de Paris
Srouji Avocats Selarl
222 Boulevard Saint Germain | 75007 Paris | France
joseph.srouji@contractor.prometric.com
Data subjects also have the right to file a complaint directly with the local Supervisory Authority, as relevant under EU data protection law.
How to Contact Us
Please contact Prometric directly with any questions or comments about our privacy practices or this Privacy Policy and the statements contained herein.
To submit a request related to your personal data, please click on the following link and complete all of the required fields in the form: Personal Data Requests
You may also reach us via mail at:
Prometric Privacy Program Manager
Prometric LLC
1501 South Clinton Street
Baltimore, Maryland 21224 USA
If sending a letter, please include name, address, email address, and a brief explanation of your information request, inquiry or complaint.
For inquiries or assistance related to time sensitive issues concerning exams such as scheduling, cancellations, eligibility, payment, name changes or other test related issues, please visit https://www.prometric.com/en-us/contact-us/pages/default.aspx for the most expeditious resolution of your issue.
Changes to Privacy Policy
From time to time, Prometric may update this Privacy Policy to reflect new or different privacy practices or changes to the law. We will place a notice online when we make material changes to this Privacy Policy or the statements contained herein. Additionally, if the changes will materially affect the way we use or disclose previously-collected Personal Data, we will notify impacted individuals about the change by sending a notice to the primary email address associated with the account impacted.