How Alchemy Complies with the GDPR

Alchemy is committed to privacy, security, compliance and transparency. This approach includes complying with the obligations under the General Data Protection Regulation (GDPR) applicable to Alchemy, and supporting our customers’ GDPR compliance program in connection with the use of our products and services.

Alchemy is ready to meet the new standards for data privacy introduced by GDPR. Our products, solutions, and operations are ready to support you in your compliance with the GDPR.

Alchemy’s obligation as a “Data Processor” is defined in our Data Processing Agreement as it shares our privacy commitments and sets out the terms for Alchemy and our customers to meet GDPR requirements. Our Data Processing Agreement and standard contractual clauses for data transfers between EU and non-EU countries is our contractual commitment to our customers regarding compliance with applicable EU data protection law.

We Secure Personal Data

Alchemy Systems continually maintains a high bar for security and compliance. Our robust security by design approach provides the foundation for our long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards that provide the necessary measures of protection required under the GDPR and other data privacy and security laws.

Alchemy provides the capability to attain GDPR compliance with:

  • NIST Cybersecurity Framework
  • Data Protection Agreement
  • ISO 27001
  • ISO 9001
  • ISO 14001
  • OHSAS 18001
  • SOC2

Alchemy Helps its Customers Comply with GDPR

We are committed to employing and maintaining technical and organizational measures to protect the security of personal data processed on behalf of our customers, reporting requirements to our customers to support their compliance obligations, and employing other reasonable efforts to help our customers comply with their requirements under the GDPR.

We help our customers with:

  • Responding to requests from data subjects to correct, amend or delete personal data.
  • Making customers aware of and reporting security incidents affecting personal data, including support of notifications to relevant supervisory authorities and data subjects in accordance with GDPR timeframes.
  • Demonstrating compliance with the GDPR as pertaining to Alchemy Services.

Controller vs. Processor

Under Article 4 of the EU GDPR, different roles are identified as indicated below:
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”

Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

The organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects.

Alchemy Systems is a Processor because we provide the use of the learning platform based on the instruction of our customers, and our customers determine the purposes for and means of processing on the platform. Alchemy Systems’ data processing activities are governed by the company’s Data Processing Agreement, which satisfies the GDPR’s requirements.

Portability of Data, Access, Correction, Erasure and Consent

Alchemy Systems provides the capability to handle requests from data subjects to enforce data subject rights.

We help our customers handle requests from data subjects exercising the following rights: Data Subject Rights

  • Right of access to data
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision making that results in legal effects for the data subject, including profiling