Effective: January 1, 2020.
- Coursera, Inc. is the data controller of your personal information.
- We collect the personal information set out in the "What Information We Collect" section of this Privacy Notice below, including account registration details such as name and email, details of Content Offerings you undertake, survey information (where you provide it), identity verification data, and information about your use of our site and Services.
- We use your personal information for the purposes set out in the "How We Use the Information" section of this Privacy Notice below, including providing our site and Services to you, ensuring the security and performance of our site, conducting research relating to Content Offerings, sharing information with our Content Providers and our suppliers, direct marketing, and performing statistical analysis of the use of our site and Services.
- You have a number of rights that you can exercise in relation to our use of your personal information, as set out in the "Updating or Deleting Your Personally Identifiable Information" section of this Privacy Notice below.
Purpose and who we are
What Information this Privacy Notice Covers
This Privacy Notice covers information we collect from you through our Site. Some of our Site’s functionality can be used without revealing any Personally Identifiable Information, though for features or Services related to the Content Offerings, Personally Identifiable Information is required. In order to access certain features and benefits on our Site, you may need to submit, or we may collect,
"Personally Identifiable Information" (i.e., information that can be used to identify you)(may also be referred to as “personal data” or “personal information”). Personally Identifiable Information can include information such as your name, email address, IP address, and device identifier, among other things. You are responsible for ensuring the accuracy of the Personally Identifiable Information you submit to Coursera. Inaccurate information may affect your ability to use the Site, the information you receive when using the Site, and our ability to contact you. For example, your email address should be kept current because that is one of the primary manners in which we communicate with you.
What You Agree to by Using Our Site
We consider that the legal bases for using your personal information as set out in this Privacy Notice are as follows:
- our use of your personal information is necessary for complying with our legal obligations; or
- use of your personal information is necessary for our legitimate interests or the legitimate interests of others. Our legitimate interests are to:
- run, grow and develop our business;
- operate our Site and provide our Services;
- select appropriately skilled and qualified suppliers;
- build relationships with partners and academic institutions;
- carry out research and statistical analysis;
- carry out marketing and business development; and
- for internal administrative and auditing purposes.
- consent, to send you certain communications or where you submit certain information to us.
Which legal basis applies to a specific processing activity will depend on the type of personal information processed and the context in which it is processed.
If we rely on our (or another person's) legitimate interests for using your personal information, we will undertake a balancing test to ensure that our (or the other person's) legitimate interests are not outweighed by your interests or fundamental rights and freedoms which require protection of the personal information.
We may process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time as described below).
If we rely on your consent for us to use your personal information in a particular way, but you later change your mind, you may withdraw your consent by visiting your profile page and clicking the box to remove consent or delete your account and we will stop doing so. However, if you withdraw your consent, this may impact the ability for us to be able to provide our Services to you.
What Information We Collect
We gather two types of information about users through the Site:
- Personally Identifiable Information provided directly by you or via third parties. We collect Personally Identifiable Information that you provide to us when you register for an account, update or change information for your account, purchase products or Services, complete a survey, sign-up for email updates, participate in our public forums, send us email messages, and/or participate in Content Offerings or other Services on our Site. We may use the Personally Identifiable Information that you provide to respond to your questions, provide you the specific Content Offering and/or Services you select, send you updates about Content Offerings or other Coursera events, and send you email messages about Site maintenance or updates.
Account Registration. If you register for an account on our Site, you may be required to provide us with Personally Identifiable Information such as your name and email address.
Updates. Coursera may offer you the ability to receive updates either via email or by posting on portions of the Site only accessible to registered users. In order to subscribe to these Services, you may be required to provide us with Personally Identifiable Information such as your name and email address.
- Participation in Content Offerings. Coursera offers users the opportunity to participate in an Content Offerings on or through the Site. If you desire to participate in a Content Offering, you will be asked to provide us with certain information necessary to conduct such a Content Offering. This information may include, among other things, your name and email address.
If you participate in a Content Offering, we may collect from you certain student-generated content, such as assignments you submit to instructors, peer-graded assignments, and peer grading student feedback. We also collect course data, such as student responses to in-video quizzes, standalone quizzes, exams, and surveys. You should not include any Personally Identifiable Information or other information of a personal or sensitive nature, whether relating to you or another person, on assignments, exams, or surveys, except for information required to participate or submit such assignments, exams, or surveys.
Identity Verification. Coursera may offer you the ability to verify your identity for select Services. In order to enroll for these Services, you may be required to provide us or our third-party identity verification vendor with Personally Identifiable Information such as your name, address, date of birth, a headshot taken using a webcam, and a photo identification document. Additionally, if you apply for financial aid in connection with these Services, you may be required to provide information regarding your income.
Communications with Coursera. We may receive Personally Identifiable Information when you send us an email message or otherwise contact us.
Third Party Sites. We may receive Personally Identifiable Information when you access or log-in to a third party site, e.g., Facebook, from our Sites. This may include the text and/or images of your Personally Identifiable Information available from the third party site.
Surveys. We may receive Personally Identifiable Information when you provide information in response to a survey operated by us or a Content Provider.
Partner sites. Partner sites providing Content Offering related tools and services to Coursera users may collect nonfinancial individual level user data regarding the individual’s use of that partner site while the partner sites provide those services to Coursera. The partner sites may share that data with Coursera for the purpose of improving Coursera’s Services, the partner site’s services, and the individual’s education experience. This data includes information such as the amount of time spent on the partner site and pages viewed.
- Third Party Credit Card Processing. Coursera provides you with the ability to pay for Content Offerings and other Services using a credit card through a third party payment processing service provider. Please note that our service provider – not Coursera – collects and processes your credit card information.
How We Use the Information
- Information relating to your use of our Site. We use information relating to your use of the Site to build higher quality, more useful Services by performing statistical analyses of the collective characteristics and behavior of our users, and by measuring demographics and interests regarding specific areas of our Site. We may also use this information to ensure the security of our Services and the Site.
- Personally Identifiable Information provided directly by you or via third parties. Except as set forth in this Privacy Notice or as specifically agreed to by you, Coursera will not disclose any of your Personally Identifiable Information. In addition to the other uses set forth in this Privacy Notice, we may disclose and otherwise use Personally Identifiable Information as described below.
Providing the Site and our Services. We use Personally Identifiable Information which you provide to us in order to allow you to access and use the Site and in order to provide any information, products, or Services that you request from us.
Technical support and security. We may use Personally Identifiable Information to provide technical support to you, where required, and to ensure the security of our Services and the Site.
Updates. We use Personally Identifiable Information collected when you sign-up for our various email or update services to send you the messages in connection with the Site or Content Offerings. We may also archive this information and/or use it for future communications with you, where we are legally entitled to do so.
Forums. You should not post any Personally Identifiable Information or other information of a personal or sensitive nature, whether relating to you or another person, within a Forum post. If you choose to post Personally Identifiable Information, such Personally Identifiable Information may be collected during your use of the Forums. We may publish this information via extensions of our Platform that use third-party services, like mobile applications. We reserve the right to reuse Forum posts that contain Personally Identifiable Information in future versions of the Content Offerings, and to enhance future Content Offerings. We may archive this information and/or use it for future communications with you and/or your designee(s), and/or provide it to the Content Provider, business partner, or the instructor(s) associated with the courses you have taken. We may also use or publish posts submitted on the Forums without using Personally Identification Information.
Participation in Content Offerings. We use the Personally Identifiable Information that we collect from you when you participate in a Content Offering through the Site for processing purposes, including but not limited to tracking attendance, progress, and completion of the Content Offerings. We may also share your Personally Identifiable Information and your performance in a given Content Offering with the instructor or instructors who taught it, with teaching assistants or other individuals designated by the instructor or instructors to assist with the creation, modification, or operation of the Content Offering, and with the Content Provider(s) with which they are affiliated. We may also use the information generated when taking a Content Offering or using the Services for predictive analysis of your performance in the Content Offerings. Also, we may archive this information and/or use it for future communications with you, where we are legally entitled to do so.
Identity Verification. For Services that require identity verification, we may use the Personally Identifiable Information that we collect for verifying your identity, and for authenticating that submissions made on the Site were made by you. This Service may be provided through a third-party identity verification vendor. Your photo identification document will be deleted after successful verification of your profile information.
Communications with or from Coursera. When you send us an email message or otherwise contact us, we may use the information provided by you to respond to your communication and/or as described in this Privacy Notice. We may also archive this information and/or use it for future communications with you where we are legally entitled to do so. Where we send you emails, we may track the way that you interact with these emails (such as when you open an email or click on a link inside an email). We use this information for the purposes of optimizing and better tailoring our communications to you.
Communications with Coursera Business Partners. We may share your Personally Identifiable Information with Content Providers and other business partners of Coursera so that Content Providers and other business partners may share information about their products and services that may be of interest to you where they are legally entitled to do so.
Research. We may share general course data (including quiz or assignment submissions, grades, and forum discussions), information about your activity on our Site, and demographic data from surveys operated by us with our Content Providers and other business partners so that our Content Providers and other business partners may use the data for research related to online education.
Disclosure to Coursera Operations and Maintenance Contractors. We use various service providers, vendors and contractors (collectively, "Contractors") to assist us in providing our Services to you. Our Contractors may have limited access to your Personally Identifiable Information in the course of providing their products or services to us, so that we in turn can provide our Services to you. These Contractors may include vendors and suppliers that provide us with technology, services, and/or content related to the operation and maintenance of the Site or the Content Offerings. Access to your Personally Identifiable Information by these Contractors is limited to the information reasonably necessary for the Contractor to perform its limited function for us.
Disclosure to Acquirers. Coursera may disclose and/or transfer your Personally Identifiable Information to an acquirer, assignee or other successor entity in connection with a sale, merger, or reorganization of all or substantially all of the equity, business, or assets of Coursera to which your Personally Identifiable Information relates.
- e-Readers. If we receive any Personally Identifiable Information related to the extent to which you use designated e-Readers to access Coursera materials, we may archive it, and use it for research, business, or other purposes.
Retention of Personally Identifiable Information
We keep your Personally Identifiable Information for no longer than necessary for the purposes for which the Personally Identifiable Information is collected and processed. The length of time we retain Personally Identifiable Information for depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise, or defend our legal rights.
Confidentiality & Security of Personally Identifiable Information
We consider the confidentiality and security of your information to be of the utmost importance. We will use industry standard physical, technical, and administrative security measures to keep your Personally Identifiable Information confidential and secure, and will not share it with third parties, except as otherwise provided in this Privacy Notice, or unless such disclosure is necessary in special cases, such as a physical threat to you or others, as permitted by applicable law. Because the Internet is not a 100% secure environment, we cannot guarantee the security of Personally Identifiable Information, and there is some risk that an unauthorized third party may find a way to circumvent our security systems or that transmission of your information over the Internet will be intercepted. It is your responsibility to protect the security of your login information. Please note that e-mails communications are typically not encrypted and should not be considered secure.
Updating or Deleting Your Personally Identifiable Information
You have certain rights in relation to your Personally Identifiable Information. You can access your Personally Identifiable Information and confirm that it remains correct and up-to-date, choose whether or not you wish to receive material from us or some of our partners, and request that we delete or provide you with a copy of your personal data by logging into the Site and visiting your user account page.
If you would like further information in relation to your rights or would like to exercise any of them, you may also contact us via firstname.lastname@example.org. If you reside or are located in the EEA, you have the right to request that we:
- provide access to any Personally Identifiable Information we hold about you;
- prevent the processing of your Personally Identifiable Information for direct-marketing purposes;
- update any Personally Identifiable Information which is out of date or incorrect;
- delete any Personally Identifiable Information which we are holding about you;
- restrict the way that we process your Personally Identifiable Information;
- provide your Personally Identifiable Information to a third party provider of services; or
- provide you with a copy of any Personally Identifiable Information which we hold about you. We try to answer every email promptly where possible, and provide our response within the time period stated by applicable law. Keep in mind, however, that there will be residual information that will remain within our databases, access logs, and other records, which may or may not contain your Personally Identifiable Information. Please also note that certain Personally Identifiable Information may be exempt from such requests in certain circumstances, which may include if we need to keep processing your Personally Identifiable Information to comply with a legal obligation. When you email us with a request, we may ask that you provide us with information necessary to confirm your identity.
Questions, Suggestions, and Complaints
If you have any privacy-related questions, suggestions, unresolved problems, or complaints, you may contact us via email@example.com. If you reside or are located in the EEA, our Data Protection Officer and Privacy Team may assist with all queries regarding our processing of Personally Identifiable at firstname.lastname@example.org. If you reside or are located in the EEA, you may also make a complaint to our supervisory body for data protection matters (namely the UK Information Commissioner's Office) or seek a remedy through local courts if you believe that your rights have been breached.
Coursera UK Limited serves as the EU Representative for Coursera, Inc. To contact Coursera UK Limited, please use the following contact info:
Post: Coursera UK Limited Attn: Privacy Request City Bridge House, 57 Southwark Street, London SE1 1RU Phone: +44 20 3457 0256 Email: email@example.com
California Privacy Rights
Shine the Light
Under California’s "Shine the Light" law, California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain from us, once a calendar year, information about the customer information we shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which we shared customer information for the immediately prior calendar year (e.g. requests made in 2018 will receive information regarding 2017 sharing activities).
To obtain this information, please send an email message to firstname.lastname@example.org with "Request for California Privacy Information" on the subject line and in the body of your message. We will provide the requested information to you at your email address in response. Please be aware that not all information sharing is covered by the "Shine the Light" requirements and only information on covered sharing will be included in our response.
California Consumer Privacy Act
Under the California Consumer Privacy Act (“CCPA”), California residents have the right to know what personal information about them is collected, request deletion of their personal data, opt-out of the sale of their personal data, and not be discriminated against if they choose to exercise any of these rights. Coursera does not sell any of the data we collect about you. If you’d like to exercise any of the other rights afforded to you, select ‘Settings’ in your account or contact us at email@example.com.
For more information about the CCPA, review our full CCPA Notice here.
International Privacy Practices
Coursera’s Sites are primarily operated and managed on servers located and operated within the United States. In order to provide our products and Services to you, we may send and store your Personally Identifiable Information (also commonly referred to as personal data) outside of the country where you reside or are located, including to the United States. Accordingly, if you reside or are located outside of the United States, your Personally Identifiable Information may be transferred outside of the country where you reside or are located, including to countries that may not or do not provide the same level of protection for your Personally Identifiable Information. We are committed to protecting the privacy and confidentiality of Personally Identifiable Information when it is transferred. If you reside or are located within the EEA and such transfers occur, we take appropriate steps to provide the same level of protection for the processing carried out in any such countries as you would have within the EEA to the extent feasible under applicable law. We participate in and commit to adhering to the EU-U.S. Privacy Shield Framework when transferring data from the EEA to the United States. Please see our Privacy Shield Notice below for further information.
Changing Our Privacy Notice
Please note that we review our privacy practices from time to time, and that these practices are subject to change. Any change, update, or modification will be effective immediately upon posting on our Site. We will notify you of any material change to this Privacy Notice by posting a notice on our Site’s homepage for a reasonable period of time following such update or by sending an email to the email address associated with your user account, and by changing the effective date (located at the top and bottom of this page). Be sure to return to this page periodically to ensure familiarity with the most current version of this Privacy Notice.
No Information from Children Under 13
Coursera strongly believes in protecting the privacy of children. Any use or access by anyone under the age of 13 is prohibited, and certain regions and Content Offerings may have additional requirements and/or restrictions. In line with this belief, we do not knowingly collect or maintain Personally Identifiable Information on our Site from persons under 13 years of age, and no part of our Site is directed to persons under 13 years of age. If you are under 13 years of age, then please do not use or access this Site at any time or in any manner. We will take appropriate steps to delete any Personally Identifiable Information of persons less than 13 years of age that has been collected on our Site without verified parental consent upon learning of the existence of such Personally Identifiable Information.
Standard Contractual Clauses and Privacy Shield Notice
Effective date: August 28, 2020
The section below will apply only to users in the European Economic Area, or other jurisdictions where the Standard Contractual Clauses apply.
STANDARD CONTRACTUAL CLAUSES (Controllers)
Data transfer agreement between
You, the user who is registering for a Coursera account based in the European Economic Area
hereinafter “data exporter”
Coursera, Inc. 381 E. Evelyn Ave., Mountain View, CA 94041
hereinafter “data importer”
each a “party”; together “the parties”.
For the purposes of the clauses: “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
“the data exporter” shall mean the controller who transfers the personal data;
“the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;
“clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.
Obligations of the data exporter
The data exporter warrants and undertakes that:
- The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
- It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
- It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
- It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
- It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
Obligations of the data importer
The data importer warrants and undertakes that:
- It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
- It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
- It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
- It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
- At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
- Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
- It will process the personal data, at its option, in accordance with: the data protection laws of the country in which the data exporter is established, or the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or the data processing principles set forth in Annex A. Data importer to indicate which option it selects: The data protections laws of the region where the exporter is based, namely, the General Data Protection Regulation (GDPR).
- It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.
Liability and third party rights
- Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
- The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
Law applicable to the clauses
These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.
Resolution of disputes with data subjects or the authority
- In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
- The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
- Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.
- In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
- In the event that: the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a); compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import; the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses; a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.
- Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
- The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
Variation of these clauses
The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.
Description of the Transfer
The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.
DATA PROCESSING PRINCIPLES
- Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
- Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
- Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
- Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
- Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
- Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
- Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when: a) i. such decisions are made by the data importer in entering into or performing a contract with the data subject, and ii. the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties. or b) where otherwise provided by the law of the data exporter.
DESCRIPTION OF THE TRANSFER
Data subjects -- The personal data transferred concern the following categories of data subjects: You, the user registering for a Coursera account
Purposes of the transfer(s) -- The transfer is made for the following purposes: Coursera needs certain personal data to provide our services and ensure functionality of our platform. Your name is used to personalize content, put on any certificates you earn, and verify your identity as needed for certain content. Your email address is used as your account login credential and for communication. Your IP address is used to personalize content such as currency and timezone. More information on the data we collect and the purposes for which we collect it can be found in our Privacy Notice.
Categories of data -- The personal data transferred concern the following categories of data: Name, email address, IP address, other data as described in the Privacy Notice
Recipients -- The personal data transferred may be disclosed only to the following recipients or categories of recipients: Coursera, Inc. and its affiliates, vendors, and partners.
Sensitive data (if appropriate) -- The personal data transferred concern the following categories of sensitive data: None.
Data protection registration information of data exporter (where applicable) -- Not applicable.
Additional useful information (storage limits and other relevant information) -- You can delete your account, and thereby remove your personal data from our systems, at any time once your account is created. The ‘Delete Account’ functionality can be found on your ‘Account Settings’ page towards the bottom.
Contact points for data protection enquiries
Coursera, Inc. 381 E. Evelyn Ave., Mountain View, CA 94041
Attn: Legal and Compliance (Privacy)
or email: firstname.lastname@example.org
Privacy Shield Notice
Effective as of January 1, 2020.
Coursera, Inc. (referred to as "we," "us," or "our"), believes in protecting your privacy.
We participate in and commit to adhering to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks which includes the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement (the "Principles") for all transfers of personal data from the EEA, Switzerland, or the United Kingdom to the U.S. To learn more about Privacy Shield, please visit the U.S. Department of Commerce Privacy Shield website: https://www.privacyshield.gov/. For more information regarding our Privacy Shield certification, please click here. When we use the term "Personal Information" in this Privacy Shield Notice, we are referring to any information that (i) is recorded in any form; (ii) is about an identified or identifiable individual; and (iii) is received by us from the EEA, Switzerland, or the United Kingdom.
When we use the term "Sensitive Personal Information" in this Privacy Shield Notice, we are referring to a particular subset of an individual’s Personal Information that provides details of his or her race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership or that concerns his or her health.
The purpose of this Privacy Shield Notice is to outline our general practices for implementing the Principles with respect to the Personal Information we collect. If you would like to obtain additional information regarding our privacy practices in connection with information collected on this website in general, please refer to our online Privacy Notice.
- Choice. We will offer you the opportunity to opt-out of your Personal Information (or to provide explicit consent for Sensitive Personal Information) being: (i) disclosed to a third party (other than a service provider as set forth below); or (ii) used for a purpose materially different from the purpose for which it was originally collected (as set out in our Privacy Notice), or subsequently authorized by you, when the circumstances arise. You also have the ability to opt out at any time from the use of your Personal information for direct marketing purposes. To exercise this right, please check your settings options. If you have further questions related to the above, you can also contact us at email@example.com.
Where we process personal data on behalf of our business partners, we will work with them to ensure you are offered appropriate choices (and means to exercise those choices) for limiting use or disclosure of your personal data (where appropriate).
Notwithstanding the foregoing, you agree that we may disclose Personal Information under the following circumstances without offering you an opportunity to opt out of such disclosure: (i) to our Content Providers and other service providers that we have retained to perform requested Services on our behalf; (ii) if we are required to do so by law or legal process; (iii) pursuant to valid requests by law enforcement or other government authorities (which we are legally required to respond to); and (iv) when we believe disclosure is necessary to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity. In addition, we reserve the right to transfer Personal Information in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, dissolution or liquidation). Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use the Personal Information in a manner consistent with this Privacy Shield Notice.
- Onward Transfers (Transfer to Third Parties). We will only transfer Personal Information to third parties where the third party: (i) has provided satisfactory assurances to us that it will protect the Personal Information in accordance with this Privacy Shield Notice and the Principles; (ii) is located in the EU or a country considered "adequate" for privacy by the EU Commission, and therefore is required to comply with the EU data protection laws or substantially equivalent privacy laws; or (iii) has certified to Privacy Shield, and is independently responsible for complying with the Principles.
Where we have knowledge that a third party to whom we have provided Personal Information is processing that Personal Information in a manner contrary to this Privacy Shield Notice or the Principles, we will take reasonable steps to prevent or terminate processing by the third party until such time the third party can process Personal Information in compliance with this Privacy Shield Notice and the Principles. Under certain circumstances, we may be potentially liable if these requirements are not met.
Data Security. We will take reasonable and appropriate measures to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. We have implemented appropriate physical, electronic and managerial procedures to help safeguard and secure Personal Information from loss, misuse, unauthorized access or disclosure, alteration, or destruction.
Data Integrity and Purpose Limitation. We will process Personal Information in a manner that is compatible with and relevant to the purpose for which it was collected or authorized by you. To the extent necessary for those purposes, we will take reasonable steps to ensure that Personal Information is accurate, complete, current, and reliable for its intended use.
Access. Upon request, we will provide you with reasonable access to the Personal Information about you that we hold. We will also take reasonable steps to correct, update, amend, or delete any information that is demonstrated to be inaccurate, except where the burden or expense of doing so would be disproportionate to the risks to your privacy in the case in question or where the rights of third parties would be violated. Where we process personal data on behalf of our business partners, we will work with them in complying with such requests in accordance with applicable law.
- Recourse; Enforcement. We will regularly review our compliance with the statements set forth in this Privacy Shield Notice, and we will provide an independent way to resolve complaints about our privacy practices. We encourage interested persons to first contact us (contact information provided below) and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles. If your inquiry is not satisfactorily addressed by us, we have registered with the International Centre for Dispute Resolution ("ICDR"), a division of the American Arbitration Association, to provide independent third party dispute resolution (free of charge) to you. To contact ICDR and/or learn more about the company’s dispute resolution services, including complaint submission, please visit: http://go.adr.org/privacyshield.html. There may also be circumstances when disputes can be resolved through the Privacy Shield binding arbitration process. Please see the Privacy Shield website for further information: https://www.privacyshield.gov/article?id=C-Pre-Arbitration-Requirements. For residents of Switzerland, the Swiss Federal Data Protection and Information Commissioner’s authority will replace that of the EU bodies. For residents of the United Kingdom, the Information Commissioner’s Office will serve this role.
- Jurisdiction. As part of our participation in Privacy Shield, we are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission and other authorized statutory bodies.
We may amend this Privacy Shield Notice from time-to-time in accordance with the requirements of the EU-U.S. or Swiss-U.S. Privacy Shield Framework. The most recent version of the Privacy Shield Notice will always be posted to this website. Anytime that we do make such changes, we will also update the effective date listed at the top of the Privacy Shield Notice. Please be sure to review the most recent version of the Privacy Shield Notice each time that you visit this website so that you are aware of how we collect, use, and retain personal information.
Please contact us with any questions or comments about this Privacy Shield Notice, transfer of your personal information from the EEA, Switzerland, or the United Kingdom to the U.S., our privacy practices, or your consent choices by email at firstname.lastname@example.org.
Below is a list of all the revisions made to our Privacy Policies, with links to view the difference between each revision.
- 2020-08-28: Added Standard Contractual Clauses
- 2019-12-20: Updated to incorporate CCPA and increase transparency of data handling practices.
- 2019-03-19: Updated to include EU Representative contact info
- 2018-12-11: Updated contact ICDR link
- 2018-07-11: Updated for clarification on grounds for data processing.
- 2018-05-16: Added table of contents and summary. Clarified sections on data processing bases and communications
- 2018-03-16: Updated for GDPR and removed outdated Swiss Safe Harbor Policy
- 2017-06-28: Updated Privacy Shield Policy
- 2016-09-29: New Privacy Shield Policy/Revised Safe Harbor Policy
- 2014-01-02: Initial revision