隐私声明


生效日期:2020 年 1 月 1 日。

关键信息

  • Cousera, Inc. 是您的个人信息的数据控制方。
  • 我们会收集下面隐私声明'我们会收集哪些信息'一节中所述的个人信息,包括帐户注册详细信息(如姓名和电子邮件)、您参与的内容产品的详细信息、调查信息(由您提供)、身份验证数据以及与您使用我们的网站和服务的情况有关的信息。
  • 我们将您的个人信息用于本隐私声明'我们如何使用信息'一节中所述的目的,包括向您提供我们的网站和服务、确保我们网站的安全和性能、开展关于内容产品的研究、与我们的内容提供商和供应商分享信息、直接营销以及对我们的网站和服务的使用情况进行统计分析。
  • 根据下面隐私声明'更新或删除您的个人身份信息'一节中的规定,您可以行使多项与我们使用您的个人信息有关的权利。

目的和我们是谁

本隐私声明的目的是说明 Coursera, Inc. 以及我们的子公司和国际分支机构(下称'Coursera'、'我们'、'我方'或'我们的')如何通过我们所拥有和控制的在线界面(例如网站和移动应用),包括但不限于 coursera.org 和 rhyme.com(在本文中统称为'网站'),收集、使用和分享您的个人信息。请仔细阅读本隐私声明,了解我们的做法。如果您对我们的隐私声明有任何疑问,欢迎随时通过 privacy@coursera.org 联系我们。您对我们网站的使用也受我们的使用条款约束。本隐私声明中使用但未定义的条款可以在我们的使用条款中找到。 Coursera, Inc. 是 Delaware 的子公司,总部位于 381 E. Evelyn Ave., Mountain View, CA 94041。根据本隐私声明的规定,如果您居住在或位于欧洲经济区('EEA'),则 Coursera 是以下信息的数据控制方:通过网站收集的所有个人身份信息(如下所示),以及通过第三方收集的某些个人身份信息。

隐私声明包含哪些信息

本隐私声明涵盖了我们通过网站向您收集的信息。您不需要提供任何个人身份信息就能够使用网站的部分功能,但如需使用与内容产品相关的功能和服务,则必须提供个人身份信息。若要访问我们网站的某些功能或享受某些权益,您需要提交或我们需要收集

'个人身份信息' (即,可用于识别您的身份的信息)(也称为'个人数据'或'个人信息')。个人可识别信息可能包括您的姓名、电子邮件地址、IP 地址和设备标识符等信息。您有责任确保提交给 Coursera 的个人身份信息的准确性。提交不准确的信息会影响您使用我们的网站、使用网站时接收到的消息,以及我们与您之间的联系。例如,您的电子邮件地址必须是最新的,因为它是我们联系您的主要方式之一。

What You Agree to by Using Our Site

We consider that the legal bases for using your personal information as set out in this Privacy Notice are as follows:

  • our use of your personal information is necessary to perform our obligations under any contract with you (for example, to comply with the Terms of Use of our Site which you accept by browsing our website and/or to comply with our contract to provide Services to you); or
  • our use of your personal information is necessary for complying with our legal obligations; or
  • use of your personal information is necessary for our legitimate interests or the legitimate interests of others. Our legitimate interests are to:
    • run, grow and develop our business;
    • operate our Site and provide our Services;
    • select appropriately skilled and qualified suppliers;
    • build relationships with partners and academic institutions;
    • carry out research and statistical analysis;
    • carry out marketing and business development; and
    • for internal administrative and auditing purposes.
  • consent, to send you certain communications or where you submit certain information to us.

Which legal basis applies to a specific processing activity will depend on the type of personal information processed and the context in which it is processed.

If we rely on our (or another person's) legitimate interests for using your personal information, we will undertake a balancing test to ensure that our (or the other person's) legitimate interests are not outweighed by your interests or fundamental rights and freedoms which require protection of the personal information.

We may process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time as described below).

If we rely on your consent for us to use your personal information in a particular way, but you later change your mind, you may withdraw your consent by visiting your profile page and clicking the box to remove consent or delete your account and we will stop doing so. However, if you withdraw your consent, this may impact the ability for us to be able to provide our Services to you.

我们会收集那些信息

我们通过网站收集用户两种类型的信息:

  1. 与您使用网站有关的信息。 当用户访问我们的网站时,我们可能会跟踪、收集和汇集信息,了解用户访问了我们网站上的哪些网页、访问的顺序、访问的时间以及点击了哪些超链接等情况。我们也将收集您是通过哪些 URL 访问我们网站的。收集此类信息可能涉及记录网站上每位用户使用的 IP 地址、操作系统和浏览器软件。我们可通过 IP 地址确定用户的互联网服务提供商及其连接点的地理位置。 在您访问我们的网站时,我们还会(或可能会)使用 Cookie 和网络信标。如需详细了解我们如何使用 Cookie 和网络信标,请参阅我们的 Cookie 政策。

  2. 您本人或通过第三方提供的个人身份信息。 在您注册帐户、更新或更改帐户信息、购买产品或服务、完成调查、注册接收邮件更新、参与公共论坛、向我们发送电子邮件及/或使用我们网站上的内容产品或其他服务时,我们会收集您提供的个人身份信息。我们可能会使用您提供的个人身份信息来回答您的问题,为您提供具体的内容产品和/或所选服务,向您发送有关内容产品或其他 Coursera 活动的更新,向您发送有关网站维护或更新的电子邮件。
  • 帐号注册。如果您在我们网站注册帐号,您需要提供个人可认证信息,例如姓名和电子邮件地址。

  • 更新。Coursera 可能会通过电子邮件或在网站特定注册用户访问区域向您提供更新。您必须向我们提供自己的姓名和电子邮件地址等个人认证信息才能够订阅这些服务。

  • 论坛。Coursera 可能会不时提供公共论坛('论坛'),您可以在论坛上分享评论和想法。若要参与论坛,您需要注册并/或向我们提供姓名和电子邮件地址等个人身份信息。请注意,您在论坛中发布或提供的信息将会公开。您不得在论坛帖子中发布任何与您本人或其他人有关的个人身份信息,或者其他个人信息或敏感信息。另外,请参阅我们的使用条款和行为准则以及有关正确使用我们论坛的其他信息。

  • 参与内容产品。Coursera 为用户提供了在网站上或通过网站参与内容产品的机会。如果您想参与内容产品,需要向我们提供完成内容产品所需的某些信息。这些信息可能包括您的姓名和电子邮件地址等。

如果您参与内容产品,我们可能会收集您以学生身份生成的内容,例如您向授课教师提交的作业、同学互评的作业以及作业互评的反馈。我们还会收集课程数据,例如学生在视频测验、独立测验、考试和调查中提供的答案。您不应添加任何与您本人或其他人、作业、考试或者调查有关的个人身份信息或其他个人信息、敏感信息,参加或提交此类作业、考试或调查时必须提供的信息除外。

  • 身份验证。Coursera 为您提供针对所选服务验证身份的功能。为了注册这些服务,您需要向我们或第三方身份认证供应商提供个人身份信息,例如您的姓名、地址、出生日期、使用网络摄像头拍摄的头像和带照片的身份证件。此外,如果您申请与这些服务有关的财务帮助,则需要提供与您的收入有关的信息。

  • 与 Coursera 联系。当您给我们发送电子邮件消息或与我们联系时,我们可能会收到您的个人可识别信息。

  • 第三方网站。在您访问或登录第三方网站时,例如从我们网站登录 Facebook 时,我们可能会获得您的个人可认证信息。内容可能包括您留在第三方网站上的文字和/或图片等个人可认证信息。

  • 调查。我们会在您提供信息以响应我们或内容提供商的调查时收到您的个人身份信息。

  • 合作伙伴网站。向 Coursera 用户提供内容产品相关工具和服务的合作伙伴网站可能会收集有关个人对合作伙伴网站使用情况的个人非财务用户数据,合作伙伴网站会向 Coursera 提供这些服务。合作伙伴网站可能会与 Coursera 分享这些数据,用于改进 Coursera 服务和合作伙伴网站服务,提升用户的学习体验。这些数据包括用户使用合作网站的时长以及浏览的页面等信息。

  • 第三方信用卡处理。Coursera 为您提供了使用信用卡通过第三方支付处理服务提供商支付内容产品和其他服务的功能。请注意,我们的服务提供商(不是 Coursera)将会收集和处理您的信用卡信息。

我们任何使用信息

  1. 与您使用网站有关的信息。 我们使用与您使用网站有关的信息对用户的集体特征和行为进行统计分析,并确定网站特定区域的人口统计信息和兴趣,在此基础上构建更优质更实用的服务。我们也可能将这些信息用于确保服务和网站安全。
  2. 您本人或通过第三方提供的个人身份信息。 除了本隐私声明中说明或明确征得您同意的情况,Coursera 不会披露任何您的个人身份信息。除了本隐私声明中说明的其他用途,我们可能还会在以下情况下披露或以其他方式使用个人身份信息。
  • 提供网站内容和服务。我们将您向我们提供的个人身份信息用于以下用途:允许您访问并使用我们的网站,为您提供您向我们请求的任何信息、产品或服务。

  • 技术支持和安全。我们可能使用个人身份信息以便向您提供技术支持(在需要时),并确保我们的服务和网站的安全。

  • 更新。我们使用您在注册我们的各种电子邮件或更新服务时提供的个人身份信息给您发送与网站或内容产品有关的消息。我们还可能会在法律允许的范围内,将这些信息存档,并/或使用这些信息在以后与您联系。

  • 论坛。您不得在论坛帖子中发布任何与您或其他人有关的个人身份信息,或者其他个人信息或敏感信息。如果您选择发布个人身份信息,那么在您使用论坛期间,我们可能会收集此类个人身份信息。我们可能会通过使用第三方服务的平台扩展功能(例如移动应用)发布这些信息。我们保留在我们以后提供的内容产品版本中重复使用包含个人身份信息的论坛帖子,提升未来内容产品的权利。我们可能会将这些信息存档,并/或用于以后与您和/或您的委托人联系,并/或提供给内容提供商、业务合作伙伴或与您所选的课程有关的授课教师。我们可能还会使用或发布论坛上提交的不含个人身份信息的帖子。

  • 参与内容产品。当您通过网站参与内容产品时,我们会使用从您那里收集的个人身份信息进行处理,包括但不限于跟踪出勤、学习进度和在线课程完成情况。我们还可能会将您的个人身份信息以及在指定内容产品的表现分享给该课程的一位或多位授课教师、助教或其他由授课教师指定协助创建、修改和运作内容产品的人员以及授课教师所属的内容提供商。我们还可能会使用参与内容产品或使用服务时生成的信息对您在内容产品中的表现进行预测性分析。此外,我们可能会在法律允许的范围内,将这些信息存档,并/或在以后使用这些信息与您联系。

  • 身份验证。对于需要身份验证的服务,我们会使用收集的个人身份信息来验证您的身份,确保在网站上进行提交的是您本人。此服务可能会通过第三方身份验证供应商提供。成功验证您的个人资料信息后,带照片的身份证明文件将被删除。

  • 与 Coursera 的联系。当您向我们发送电子邮件或通过其他方式联系我们时,我们可能会使用您提供的信息来回复您的消息,并/或根据本隐私声明规定使用这些信息。我们可能会在法律允许的范围内,将这些信息存档,并/或使用这些信息在以后与您联系。当我们向您发送电子邮件时,我们可能会跟踪您与这些电子邮件交互的方式(例如,当您打开电子邮件或点击电子邮件中的链接时)。我们使用这些信息来优化和更好地定制我们与您的通信。

  • 与 Coursera 业务合作伙伴的联系。我们可能会与 Coursera 内容提供商和其他业务合作伙伴分享您的个人身份信息,以便内容提供商和其他业务合作伙伴在法律许可的范围内分享与您可能感兴趣的产品和服务有关的信息。

  • 研究。我们可能会与内容提供商和其他业务合作伙伴分享一般课程数据(包括测验或作业、成绩,以及论坛讨论)、您在我们网站上活动的信息、我们开展的调查中的人口统计数据,以便我们的内容提供商和其他业务合作伙伴使用这些数据从事在线教育相关的研究。

  • 披露给 Coursera 运营和维护承包商。我们使用不同的服务提供商、供应商和承包商(统称为'承包商')协助我们为您提供服务。我们的承包商可能会在向我们提供产品或服务过程中对您的个人身份信息拥有有限的访问权限,这样反过来,我们就可以为您提供服务。这些承包商可能包括向我们提供与网站或内容产品的运营和维护有关的技术、服务和/或内容提供商和供应商。这些承包商对您个人身份信息的访问仅限于承包商为我们履行其有限职能所需的合理信息。

  • 政府机构;合法权利和诉讼。Coursera 可能会根据传票、法院命令或其他法律程序,向各种政府机构提供您的个人身份信息;确立或行使我们的合法权利或保护我们的财产;辩护法律指控;或法律要求的其他行为。在这些情况下,我们保留提出或放弃任何法律异议或权利的权利。在我们认为适当的情况下,我们也可能会分享您的个人身份信息,例如就非法或可疑的非法活动进行调查、预防或采取行动时;保护和捍卫 Coursera、网站、用户、客户或其他各方的权利、财产或安全时;以及涉及到我们的使用条款和其他协议时。

  • 披露给收购方。在个人身份信息与出售、合并、重组全部或大部分 Coursera 股权、业务或资产相关的情况下,Coursera 可能会将您的个人身份信息透露和/或转让给收购方、受让方或其他继承实体。

  • 电子阅读器。如果我们收到与您使用指定电子阅读器访问 Coursera 资料有关的任何个人身份信息,我们可能会将其存档,并用于研究、商业或其他目的。

外部链接

为了您的方便,我们提供了一些不属于 Coursera 而由其他组织运营网站的链接('第三方网站'),因为我们认为这些内容可以对您有所帮助。除非我们有合法的依据,否则我们不会将您的个人身份信息透露给这些第三方网站。我们不会对这些第三方网站的隐私政策发表认可与否的意见,也不对这些第三方网站的隐私政策负责。如果您点击链接进入这些第三方网站,您需要查看在这些网站上发布的隐私政策,了解第三方网站如何收集和使用您的个人身份信息。

个人身份信息保留

我们保留您的个人身份信息的时间不会超过我们为满足收集和处理个人身份信息的目的所需的时间。我们保留个人身份信息的时间取决于我们收集和使用这些信息的目的,以及/或者适用法律的要求和我们确立、行使或维护法律权利的相关要求。

个人可认证信息的机密性和安全性

我们将您的信息的机密性和安全性视为头等大事。我们将在适用法律允许的范围内,使用行业标准的物理、技术和行政安全措施来确保您的个人身份信息的私密性和安全性,而且除了本隐私声明规定的情况,或者我们有理由相信透露信息很有必要的特殊情况(例如您或其他人受到人身威胁)外,我们不会将这些信息与第三方共享。由于互联网并非 100% 安全的环境,因此我们并不能保证您的个人身份信息的安全性,未获得授权的第三方可能会找到绕过我们安全系统的方法,或者我们在互联网上传输的信息可能会被拦截。您有责任保护自己的登录信息的安全。请注意,电子邮件通信通常不加密,也不应该被视为安全的通信方式。

上传或删除您的个人可认证资料

您在个人身份信息方面拥有某些权利。您可以访问您的个人身份信息,并确认其准确性和时效性,选择是否接收我们或某些合作伙伴发送的材料,以及登录网站并访问用户帐户页面请求我们删除或提供您的个人数据副本。

如果您想进一步了解与您的权利有关的信息,或希望行使任何权利,也可以通过 privacy@coursera.org 联系我们。如果您居住在或位于 EEA,您有权请求我们:

  • 提供我们保留的与您有关的个人身份信息的访问权限;
  • 禁止将您的个人身份信息用于直接营销;
  • 更新任何过期或不正确的个人身份信息;
  • 删除我们保留的与您有关的任何个人身份信息;
  • 限制我们使用您的个人身份信息的方式;
  • 向第三方提供商或服务提供您的个人身份信息;或者
  • 向您提供我们保留的与您有关的个人身份信息的副本。我们会尽可能及时回复每封电子邮件,并在适用法律规定的期限内做出回应。但请注意,我们的数据库、访问日志和其他记录中会有残留的信息,这些信息可能包含您的个人身份信息。另请注意,在某些情况下,我们在处理某些个人身份信息时可能无需遵守此类要求,这些情况可能包括:我们需要持续使用您的个人身份信息,以满足某项法律义务的要求。当您通过电子邮件向我们发送请求时,我们可能会要求您提供必要的信息来确认您的身份。

问题、建议和投诉

如果您有任何关于隐私的疑问、建议、无法解决的问题或投诉,可以通过 privacy@coursera.org 联系我们。 如果您居住在 EEA 或位于 EEA,我们的数据保护官和隐私团队可能会通过 security@coursera.org 帮助您解答有关我们如何处理个人身份信息的所有疑问。 如果您居住在 EEA 或位于 EEA,您还可以向我们的监管机构(即英国信息委员办公室)投诉与数据保护有关的问题;如果您认为自己的权利受到了侵犯,还可以通过当地法院寻求补救措施。

Coursera UK Limited 是 Coursera, Inc. 的欧盟代表如需联系 Coursera UK Limited,请使用以下联系信息:

邮寄:Coursera UK Limited
      收件人:Privacy Request
      City Bridge House, 57 Southwark Street, London SE1 1RU

电话:+44 20 3457 0256

电子邮件:eu-representative@coursera.org 

加利福尼亚州隐私权

反客户信息披露法

按照加利福尼亚州的'Shine the Light'法,为了获取个人或家庭使用的产品或服务而提供个人信息的加州居民每年有权向我们请求并获取一次关于我们与其他企业分享、供其用于直接营销的客户信息(如果有)的信息。如果适用,此信息将包括客户信息的类别以及我们在上一个日历年与之分享客户信息的企业名称和地址(例如,2018 年提交的请求将收到关于 2017 年分享活动的信息)。

要获取此信息,请发送电子邮件至 privacy@coursera.org,邮件主题行和正文包含'请求加利福尼亚隐私信息'。我们将在回复邮件中为您提供请求的信息。请务必注意,并不是所有信息分享都涵盖在'Shine the Light'要求下,只有涵盖的分享信息才会包含在我们的回复中。

加利福尼亚州消费者隐私法案 (CCPA)

根据《加州消费者隐私法案》('CCPA'),加利福尼亚州居民有权知道收集到他们哪些个人信息、要求删除其个人数据、选择不出售其个人数据,并且如果选择行使这些权利中的任何一项将不受歧视。Coursera 不会出售收集的有关您的任何数据。如果您想行使赋予您的任何其他权利,请在您的帐户中选择'设置',或通过 privacy@coursera.org 联系我们。

有关 CCPA 的更多信息,请查看此处完整的 CCPA 声明

国际隐私惯例

Coursera 网站主要通过在美国运营的服务器进行运作和管理。为了向您提供我们的产品和服务,我们会将您的个人身份信息(通常称为个人数据)发送和存储到您所在国家/地区以外的其他国家/地区,包括美国。因此,如果您居住在或位于美国之外的其他地区,您的个人身份信息可能会传输到您所在国家/地区之外的其他国家/地区,包括对您的个人身份信息无法提供同级别保护的国家/地区。我们致力于在传输个人身份信息时保护其隐私性和机密性。如果您居住在 EEA 或位于 EEA,并且发生此类传输,我们将采取适当的措施,在适用法律允许的范围内,为您在任何此类国家/地区进行的处理提供与在 EEA 相同级别的保护。在将数据从 EEA 传输到美国时,我们参与并承诺遵守欧盟-美国隐私保护框架。有关详情,请参阅下面的隐私保护声明。

其他信息:

  • 如果您居住在法国或位于法国,您还有权发布关于在您死后使用您的个人数据的指示。
  • 如果您居住在法国或位于法国,还可以向 EEA 的任何监管机构,特别是国家信息与自由委员会 (CNIL),投诉与数据保护有关的问题;或者,如果您认为自己的权利受到了侵犯,还可以通过当地法院寻求补救措施。
  • 数据接收者的类别:数据会传输到 IT 服务提供商和营销服务提供商,以及与我们平台上的个别课程相关的合作大学或公司。
  • 数据传输:所有来自 EEA 的个人数据先传输到美国的 Coursera(隐私保护认证)。有关所有始于美国 Coursera 的向前传输规定,请参阅隐私保护声明的'向前传输'一节。
  • 数据保留期:根据获取个人数据的目的,我们保存您的个人数据的时间不会超过必要的时间。用于确定我们的保留期的标准包括:
    • 我们与您保持持续关系并为您提供服务的持续时间(例如,您拥有我们的帐户或继续使用我们的服务的持续时间);
    • 按规定遵守适用的法律或合同义务;或
    • 确立、行使或维护我们的法定权利。

隐私声明更改

请注意,我们会不时审查隐私惯例,而且这些惯例可能会发生更改。任何更改、更新或修改将在我们的网站上发布后立即生效。我们将在更新后的合理时间内在网站主页上发布通知,或者向您的用户帐户关联的电子邮件地址发送电子邮件并更改生效日期,通知本隐私声明发生的任何重大更改(本页面顶部和底部)。务必经常返回本页面,了解最新版本的隐私声明。

13 岁以下儿童没有信息

Coursera 非常关注保护儿童隐私。禁止任何 13 周岁以下的儿童使用或访问,某些地区和内容产品可能会有其他要求和/或限制。基于这一信仰,我们不会有意在网站上收集或保留 13 周岁以下儿童的个人身份信息,而且我们的任何网站内容均不面向 13 周岁以下儿童。如果您的年龄在 13 周岁以下,请不要在任何时候或以任何方式使用或访问本网站。一旦发现存在此类个人身份信息,我们将采取适当措施删除我们网站未经家长同意收集的 13 周岁以下儿童的个人身份信息。


标准合同条款和隐私保护声明


Effective date: August 28, 2020

The section below will apply only to users in the European Economic Area, or other jurisdictions where the Standard Contractual Clauses apply.

STANDARD CONTRACTUAL CLAUSES (Controllers)

Data transfer agreement between

You, the user who is registering for a Coursera account based in the European Economic Area

hereinafter “data exporter”

and

Coursera, Inc. 381 E. Evelyn Ave., Mountain View, CA 94041

hereinafter “data importer”

each a “party”; together “the parties”.

Definitions

For the purposes of the clauses: “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);

“the data exporter” shall mean the controller who transfers the personal data;

“the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;

“clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

The details of the transfer (as well as the personal data covered) are specified in Annex B, which forms an integral part of the clauses.

Clause I

Obligations of the data exporter

The data exporter warrants and undertakes that:

  • The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
  • It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
  • It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
  • It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
  • It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.

Clause II

Obligations of the data importer

The data importer warrants and undertakes that:

  • It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
  • It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
  • It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
  • It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
  • It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
  • At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
  • Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
  • It will process the personal data, at its option, in accordance with: the data protection laws of the country in which the data exporter is established, or the relevant provisions of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data, or the data processing principles set forth in Annex A. Data importer to indicate which option it selects: The data protections laws of the region where the exporter is based, namely, the General Data Protection Regulation (GDPR).
  • It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or the third party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

Clause III

Liability and third party rights

  • Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
  • The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).

Clause IV

Law applicable to the clauses

These clauses shall be governed by the law of the country in which the data exporter is established, with the exception of the laws and regulations relating to processing of the personal data by the data importer under clause II(h), which shall apply only if so selected by the data importer under that clause.

Clause V

Resolution of disputes with data subjects or the authority

  • In the event of a dispute or claim brought by a data subject or the authority concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
  • The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
  • Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the authority which is final and against which no further appeal is possible.

Clause VI

Termination

  • In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
  • In the event that: the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a); compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import; the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses; a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.
  • Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
  • The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.

Clause VII

Variation of these clauses

The parties may not modify these clauses except to update any information in Annex B, in which case they will inform the authority where required. This does not preclude the parties from adding additional commercial clauses where required.

Clause VIII

Description of the Transfer

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Annex B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the authority where required. Annex B may, in the alternative, be drafted to cover multiple transfers.

ANNEX A

DATA PROCESSING PRINCIPLES

  • Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
  • Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
  • Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
  • Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
  • Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
  • Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
  • Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
  • Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when: a) i. such decisions are made by the data importer in entering into or performing a contract with the data subject, and ii. the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to that parties. or b) where otherwise provided by the law of the data exporter.

ANNEX B

DESCRIPTION OF THE TRANSFER

Data subjects -- The personal data transferred concern the following categories of data subjects: You, the user registering for a Coursera account

Purposes of the transfer(s) -- The transfer is made for the following purposes: Coursera needs certain personal data to provide our services and ensure functionality of our platform. Your name is used to personalize content, put on any certificates you earn, and verify your identity as needed for certain content. Your email address is used as your account login credential and for communication. Your IP address is used to personalize content such as currency and timezone. More information on the data we collect and the purposes for which we collect it can be found in our Privacy Notice.

Categories of data -- The personal data transferred concern the following categories of data: Name, email address, IP address, other data as described in the Privacy Notice

Recipients -- The personal data transferred may be disclosed only to the following recipients or categories of recipients: Coursera, Inc. and its affiliates, vendors, and partners.

Sensitive data (if appropriate) -- The personal data transferred concern the following categories of sensitive data: None.

Data protection registration information of data exporter (where applicable) -- Not applicable.

Additional useful information (storage limits and other relevant information) -- You can delete your account, and thereby remove your personal data from our systems, at any time once your account is created. The ‘Delete Account’ functionality can be found on your ‘Account Settings’ page towards the bottom.

Contact points for data protection enquiries

Data importer

Coursera, Inc. 381 E. Evelyn Ave., Mountain View, CA 94041

Attn: Legal and Compliance (Privacy)

or email: privacy@coursera.org

自 2020 年 1 月 1 日起生效。

简介。

Coursera, Inc(亦称为“我们”)相信您的隐私处于保护中。

我们参与并承诺遵守欧盟-美国和瑞士-美国隐私保护框架,我们会在 EEA、瑞士或英国到美国的所有个人数据传输的通知、选择、向前传输、安全、数据完整性、访问和执行方面遵循隐私保护原则('原则')。要了解隐私保护的详细信息,请访问美国商务部隐私保护网站:https://www.privacyshield.gov/。有关我们的隐私保护认证的更多信息,请点击[此处](https://www.privacyshield.gov/participant?id=a2zt000000001EEAAY&status=Active)。当我们在隐私保护声明中使用术语'个人信息'时,我们是指 (i) 以任何形式记录;(ii) 与已识别或可识别的个人相关;以及 (iii) 我们可以从 EEA、瑞士或英国接收的任何信息。

我们在本隐私保护声明中使用的'敏感个人信息'一词指的是个人信息特定子集,它提供了有关种族、种族本源、性取向、政治观点、宗教或哲学信仰、工会会员资格或健康详细信息。

这项隐私保护声明的目的是概述我们针对收集的个人信息执行原则的一般惯例。如果您想获得有关我们与通常在该网站上收集的信息关联的隐私惯例的更多信息,请参阅我们的在线隐私声明。

原则。

  1. 通知 。我们将会在使用条款和隐私声明中为您提供及时且适当的通知,说明我们收集了哪些个人信息、我们如何使用这些信息以及我们可能会与其分享此类信息的第三方(以及分享的原因)。请仔细阅读这些文档。在我们代表业务合作伙伴处理个人数据时,我们将与他们合作,帮助他们向您提供适当的通知。

  2. 选择 。出现以下情况时,我们将为您提供取消提供个人信息(或明确表示为敏感个人信息)的机会:(i) 披露给第三方(下述服务提供商之外的其他人);或 (ii) 实质性违背最初收集目的(如我们的隐私声明所规定的目的)或当出现这些情况后由您授权。您还可以随时选择不将您的个人信息用于直接营销用途。要行使此权力,请查看您的设置选项。如果您对上述描述有其他疑问,请通过 privacyshield@coursera.org 联系我们。

在我们代表我们的业务合作伙伴处理个人数据时,我们将与他们合作,以确保向您提供适当的选择(以及执行这些选择的 手段)以限制使用或披露您的个人数据(如果适用)。

尽管有上述规定,您仍然同意我们可能在以下没有为您提供机会选择不披露的情况下披露个人信息:(i) 以我们的名义将保留的个人信息提供给我们的内容提供商或其他服务提供商以执行所请求的服务时;(ii) 法律或法律程序要求我们提供时;(iii) 根据执法部门或其他政府部门的有效请求提供时(要求我们依法进行回应);(iv) 当我们相信有必要披露以防止人身伤害或财产损失或帮助调查涉嫌非法活动时。此外,我们保留在我们出售或转让全部或部分业务或资产(包括重组、解散或清算)时转让个人信息的权利。如果发生此类出售或转让,我们将通过合理的措施指导受让人以符合这项隐私保护声明的方式使用个人信息。

  1. 向前传输(传输到第三方) 。我们仅在第三方满足以下条件时才会将个人信息传输给第三方:(i) 已提供令我们满意的保证,它将根据本隐私保护声明和原则保护个人信息;(ii) 它位于欧盟或被欧盟委员会认为隐私保护'充分'的国家/地区,因此必须遵守欧盟数据保护法或实质同等的隐私法;或者 (iii) 通过隐私保护认证并可以独立负责遵守这些原则。

我们知道,我们为其提供个人信息的第三方正在以违反这项隐私保护声明或原则的方式处理个人信息,我们将采取合理的措施防止或终止第三方进行处理,直到第三方可以按照这项隐私保护声明或原则处理个人信息为止。在某些情况下,如果达不到这些要求,我们可能会承担相应责任。

  1. 数据安全 。我们将采取合理且适当的措施保护个人信息免遭丢失、误用、未经授权的访问、披露、修改和破坏。我们已实施适当的物理、电子和管理程序,以帮助维护和保护个人信息免遭损失、滥用、未经授权的访问、披露、更改或销毁。

  2. 数据完整性和目的限制 。我们将以与您收集或授权个人信息的目的相符和相关的方式处理个人信息。我们将在达成这些目的的必要范围内,采取合理的措施确保个人信息准确、完整、及时且可靠,可以满足其预期用途。

  3. 访问 。根据请求,我们将针对我们所持有的关于您的个人信息为您提供合理的访问权限。我们还将采取合理的措施纠正、更新、修改或删除任何经证明不准确的信息,这样做的负担或费用与相应案例中的隐私风险不成正比或将会触犯第三方的权利除外。在我们代表业务合作伙伴处理个人数据时,我们将根据适用法律与他们合作,以遵守此类要求。

  4. 资源;执行 。我们会定期检查我们是否遵守本隐私保护声明中所述的声明,且我们将提供独立的方法来解决有关我们隐私惯例的投诉。我们鼓励感兴趣的用户与我们联系(下面提供了联系信息),我们将根据相关原则调查并尝试解决有关使用和披露个人信息的任何投诉和纠纷。如果您对我们提供的问题答复不满意,我们已注册国际争议解决中心('ICDR'),它是美国仲裁协会的一个部门,可提供独立的第三方纠纷解决方案服务(免费)。要联系 ICDR 和/或了解有关公司纠纷解决方案服务的详细信息,包括提出诉讼,请访问:http://go.adr.org/privacyshield.html。在某些情况下,可以通过隐私保护约束仲裁程序来解决纠纷。请登录隐私保护网站,了解更多信息:[https://www.privacyshield.gov/article?id=C-Pre-Arbitration-Requirements](https://www.privacyshield.gov/article?id=C-Pre-Arbitration-Requirements)。对于瑞士居民,瑞士联邦数据保护和信息委员的权限将取代欧盟机构的权限。对于英国居民,信息委员会办公室将充当此角色。

  5. 管辖权 。作为我们参与隐私保护的一部分,我们受美国联邦贸易委员会和其他获得授权的法定机构的调查和执行权力的约束。

修改。

我们可能会不时地根据欧盟-美国或瑞士-美国隐私保护框架的要求修订本隐私保护声明。隐私保护声明的最新版本将始终在本网站上发布。每当我们进行此类变更时,都会更新列在隐私保护声明顶部的生效日期。请务必在您每次访问本网站时查看最新版本的隐私保护声明,以便了解我们如何收集、使用和保留个人信息。

联系我们。

如果您对本隐私保护声明、将您的个人信息从 EEA、瑞士或英国传输到美国、我们的隐私惯例或您的同意选择有任何疑问或意见,请通过 [privacyshield@coursera.org] ([privacyshield@coursera.org](mailto:privacyshield@coursera.org)\) 联系我们。