ATP Online Legal Information

Return to Legal Home

GDPR Statement

Last Updated: July 2018

Academic Therapy Publications, Inc. is committed to protecting Personal Data from loss, misuse, and unauthorized access, disclosure, alteration or destruction.

This GDPR statement ("Policy") explains how Academic Therapy Publications, Inc. and ATP Assessments ("ATP", "we", "us", or "our") collects, protects, uses and shares Personal Data through our interactions with users of the ATP Online web site located at ("ATP Online", "Service(s)"). ATP Online is made available to qualified clinicians, therapists, examiners, and other professionals ("Customer(s)", "Practitioner(s)", "you", "your") with access to Personal Data about their clients, students, or patients ("Data Subject(s)", "Examinee(s)").

We reserve the right to revise this Policy periodically to reflect changes in our Services and in order to comply with changes in the law. Any such revisions are effective immediately upon posting. Your use of the Services subsequent to such posting constitutes your acceptance of such revisions. The date at the top of this document shall indicate the most recent date of this Policy revision.

Jurisdiction of GDPR

The General Data Protection Regulation ("GDPR") is a European Union ("EU") regulation that is aimed at protecting Personal Data of EU citizens. It replaces the existing Data Protection Directive 95/46/EC and consolidates the data privacy laws across the EU region into one single regulation. The regulation is in effect beginning May 25, 2018.

As per the new regulation, any company, be it EU or non-EU based, which processes Personal Data of EU individuals comes under the scope of GDPR. For additional questions regarding GDPR please use the link below:
GDPR FAQs from

Important terms in GDPR

Personal Data - GDPR defines Personal Data as "Any information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address."

Data Processor and Data Controller - According to the GDPR, "A controller is the entity that determines the purposes, conditions and means of the processing of Personal Data, while the processor is an entity which processes Personal Data on behalf of the controller."

Responsibilities under GDPR

ATP is committed to ensuring that our products and services meet the highest standards of data security and privacy, including compliance with the European Union's ("EU") GDPR. ATP Online already assists Customers in meeting their compliance obligations under US regulations such as HIPAA, FERPA, and COPPA, and is taking all the necessary steps to be in compliance with GDPR.

We provide this Policy for Customers classified as "Data Controllers" under GDPR to ensure that, in providing Personal Data to us about your Data Subjects, you have full information and assurance that our practices comply with GDPR.

Under GDPR, we are a "Data Processor" and ATP Online offers the following assurances:

Data Protection
  • ATP Online uses necessary technical measures to ensure that Personal Data is protected.
  • Data transferred to ATP Online is encrypted during transit and not processed for any purpose other than as agreed upon in our Policies and Terms of Use.
  • We protect Personal Data from loss.
  • We provide timely data breach notifications to Customers.

Data Control and Portability
  • We allow Customers to fully determine the purposes, conditions and means of the processing of Personal Data for their Data Subjects using ATP Online.
  • We allow Customers to retrieve Personal Data for disclosure to their Data Subjects at any time.
  • We assist Customers in removing or erasing Personal Data for their Data Subjects.
  • We assist Customers in recovering data that has been lost.
  • We assist Customers in fulfilling requests from their Data Subject's to transport their Personal Data to another controller in a "commonly used and machine readable format."

More About Right to Erasure
This is the right to have all Personal Data removed from our systems upon request. Under GDPR, EU citizens have the right to request that their Personal Data be deleted, amended, or moved to a different organization. ATP works directly with its Customers (the Data Controllers) to help EU citizens exercise all of their rights under GDPR including data erasure. Should ATP receive an inquiry directly from the Data Subject, we will first contact our Customer, the Data Controller, to verify the Data Subject's identity. For all inquiries regarding right to erasure, please contact the ATP Privacy and Security Officer ("Data Protection Officer" or "DPO").

Data Subject Consent
Only qualified professionals may use ATP Online to create, maintain or transmit Personal Data about Data Subjects. Our Customers, the Data Controllers, are in complete control of any Personal Data they provide to us about their Data Subjects including Data Subjects under the age of 16. ATP Online does not collect information directly from children under the age of 16 for any of its products or services.

According to our Terms of Use, our Customers must comply with all applicable laws including GDPR and must always obtain explicit Data Subject consent or parental consent prior to using ATP Online to process a Data Subject's Personal Data. If we discover that we have collected Personal Data in a manner inconsistent with the requirements of GDPR, we will either (a) delete the Personal Data or (b) promptly seek requisite consents before taking further action concerning the Personal Data.

Customer's responsibilities under GDPR
ATP Online strives to be a valuable resource and provide support to our valued Customers to help them achieve their own compliance with the GDPR. You should ensure that any providers (Data Processors) which you work with, have a highly robust approach to data protection, understand their obligations under GDPR, and are well prepared to meet them. However, compliance is ultimately your responsibility. You, as the Customer and the Data Controller, have specific legal obligations under the GDPR. While ATP Online does provide features you can use to meet your obligations under GDPR, no provider can ensure GDPR compliance for you, nor can we dictate how or if you choose to be compliant.

Additional Information

For more information including product-specific details about the Personal Data we collect, how we use it, reasons we share it, and how you may access and control it, please refer to our General Privacy Statement and our Terms of Use.