International data transfers

This document is provided for informational purposes only. It is not intended to provide any sort of legal advice. Pearson urges its customers to consult with their own legal advisor to familiarize themselves with the requirements governing their specific situation.

Pearson values our customers' trust and privacy, and we are dedicated to protecting and safeguarding the personal data they entrust as with when using our products and services. We understand and respect that some customers may be concerned about their personal data being processed and stored outside of the countries where it was collected.

This document briefly outlines how Pearson processes and protects the personal data of customers in the European Economic Area (EEA)/ United Kingdom (UK), ensuring compliance with applicable data protection laws including General Data Protection Regulation (GDPR) and UK DPA (2018).

Many of Pearson’s products and services are developed, delivered and hosted entirely in the EEA and/or UK. UK region respectively. However, we are a global business with a significant presence in other countries and our operations may require the transfer of personal data to countries outside the EEA, UK and thecountries in which it is collected or from which it originates. This may include transfers of personal information to the United States of America.

We understand and respect the rules for onward transfers of personal data across international borders and, where such transfers are necessary the measures we take to protect personal information include:

• Contractual Safeguards: Pearson’s contracts with its group companies, affiliates and third-party suppliers include necessary data protection terms and appropriate security measures to ensure protection of personal data to the standard required by applicable law.

• Operational Safeguards: Customer personal data is retained only for the period necessary to fulfil the purposes outlined in the respective privacy notices unless a longer retention period is required or allowed by applicable law(s).

• Technical and Security Safeguards: Pearson maintains technical, organisational, and physical measures designed to protect personal data in accordance with privacy and applicable laws against loss, and unauthorised access, use, alteration, and disclosure. We consider the nature of the data and the processing, as well as the impact on the rights and freedoms of individuals whose data is being processed. Such measures include but are not limited to encryption during transit and at rest using state- of-art encryption protocols, two-factor authentication, and strict access controls on a need-to-know basis for the purpose of performing required business functions.

• Legal and Regulatory Safeguards: Pearson relies on EU Commission adequacy decisions and Standard Contractual Clauses (“SCC’s”) for transfers of customer data to its non-EU affiliates and third-party suppliers and based on transfer impact assessments carried out in accordance with the requirements of EU law and the European Data Protection Board (EDPB) Recommendations. 
  

In order to assist customers with carrying out their own assessment Pearson has provided the following Data Transfer Impact Assessment.

Transparency Information

As of July 2022, Pearson has not received any requests from or on behalf of the US government or law enforcement organisations for access to EU or UK Customer personal data. Due to the nature of our services, we are unlikely to receive such requests in the future; however, if we do, Pearson will carefully review each request with the goal of protecting Customers' privacy while complying with applicable legal obligations, including the GDPR and UK DPA (2018) and will notify Customers before sharing any data in response to requests unless we are prohibited from doing so by applicable law.