E-Learning Platform and GDPR
Or what you need to know!
It is important to understand how you protect the security and privacy of your learners when using an e-learning platform (LMS).
This is how the TheLearning LAB Learning Management System rigorously applies the GDPR recommendations and requirements.
This article lets you use this document as a checklist for any analysis of your eLearning platform (LMS) and its GDPR obligations.
The General Data Protection Regulation (“GDPR”) aims to strengthen the protection of personal data in the European Union (“EU”).
Coming into force on May 25, 2018, the GDPR replaces the current EU Data Protection Directive as well as its national implementations in EU member states.
The TheLearning LAB eLearning platform (LMS) builds its success on the trust its customers, partners, employees and other stakeholders place in our ability to provide premier location products and services.
This includes a high level of protection and security regarding the personal data that our stakeholders entrust to us. As a controller and processor of personal data, the TheLearning LAB Learning Management System confirms that we have the required policies, processes and procedures in place to comply with the GDPR.
Over the past months, TheLearning LAB LMS has worked to ensure that every part of our organization that comes into contact with personal data, from both internal and external sources, has implemented privacy practices that align with the GDPR. This work was driven by an executive-led GDPR steering group.
We have also taken compliance a step further by fortifying data protection and privacy as a core component of TheLearning LAB’s composition. We have achieved this by applying the same GDPR-compliant standards across our organization internationally, which allows us to provide our stakeholders with the same level of transparency and consistency.
Our commitment to this end is enshrined in our policies and Code of Conduct. In our work, we apply the following principles:
1. We are accountable for ensuring our fair and lawful collection and processing of personal data, meaning we collect and process data honestly, ethically, with integrity and in a manner that is consistent with applicable laws and our values.
2. We use a privacy by design and by default approach, meaning that privacy is a key consideration in the creation, delivery and support of our products and services.
3. We focus on transparency, choice and individual participation, meaning that we provide appropriate privacy notices and information about our collection and use of personal data. We provide fair and reasonable choices for the collection and use of personal data, and we allow individuals to access, update and delete their personal data.
4. We abide by collection and purpose limitation practices, meaning that we only collect and process personal data that is adequate and relevant to the specified, explicit and legitimate purposes for which it was collected.
5. We apply responsible data management practices to govern the processing of personal data. We classify and catalogue information accordingly and in a systematic, holistic manner. We take measures to avoid extracting or copying personal data to unmanaged environments.
6. We do not disclose personal data to law enforcement, governmental agencies or third parties unless required by law. We limit disclosures of personal data to our partners to what is described in our privacy notices, or to what has been authorized by our customers or end users.
7. We implement appropriate security safeguards, including technical and organizational measures, to protect personal data against unauthorized access, use, modification or loss. We also require our partners to apply appropriate security and privacy safeguards.
At TheLearning LAB, our eLearning platform, we welcome the GDPR as an opportunity to strengthen our commitment to data protection and privacy within our company for the benefit of all our stakeholders. We believe this commitment will be a significant part of the future success of TheLearning LAB, our partners and our customers.
1.1 GDPR FAQ
1.1.1 At TheLearning LAB, we welcome the GDPR as an opportunity to strengthen our commitment to data protection and privacy.
Since the application of GDPR to a global business can be quite complex, we have provided answers to some common questions below:
Is TheLearning LAB compliant with GDPR?
The TheLearning LAB eLearning platform (LMS) has implemented the required policies, processes and procedures to comply with the GDPR. As a controller and processor of personal data, TheLearning LAB LMS builds its success on the trust its customers, partners, employees and other stakeholders place in our ability to provide premier location products and services. This includes ensuring a high level of protection and security regarding the personal data that is entrusted to us.
Has TheLearning LAB Learning Management System complied with ‘the letter of the law’ or the ‘spirit of the law’?
Both. TheLearning LAB LMS has taken compliance a step further by fortifying data protection and privacy as a core component of our composition. We have achieved this by applying the same GDPR-compliant standards across our organization internationally (unless otherwise required by applicable local law), which allows us to provide our stakeholders with the same level of transparency and consistency.
Has TheLearning LAB implemented GDPR only in Europe or globally?
Data privacy is a global issue, hence TheLearning LAB has applied the EU requirements for GDPR to our organization’s approach to data protection and privacy worldwide, unless otherwise required by applicable local law.
How does TheLearning LAB reassure customers that their privacy is protected?
TheLearning LAB follows a “privacy by design and by default” methodology, making privacy a key consideration in the creation, delivery and support of our products and services. This also means that our default approach to collection and use of personal data is to focus on transparency, choice and individual participation.
How does TheLearning LAB ensure that data is only used for the purpose it was intended?
At TheLearning LAB, we abide by the principle of collection and purpose limitation, meaning that we only collect and process personal data that is adequate and relevant to the specified, explicit and legitimate purposes for which it was collected. We apply responsible data management practices to govern the processing of personal data. We classify and catalogue information accordingly and in a systematic, holistic manner. We take measures to avoid extracting or copying personal data to unmanaged environments.
What is TheLearning LAB’s policy on disclosure to authorities or third parties?
TheLearning LAB does not disclose personal data to law enforcement or governmental agencies unless required by law. We limit disclosures of personal data to our partners and any other third parties to what is described in our privacy notices, or to what has been authorized by our customers or end users.
What safeguards does TheLearning LAB have in place to protect personal data?
TheLearning LAB implements appropriate security safeguards, including technical and organizational measures, to protect personal data against unauthorized access, use, modification or loss. We also require our partners to apply appropriate security and privacy safeguards.
Under GDPR, is TheLearning LAB considered a data controller and/or a data processor and what are the implications?
TheLearning LAB can be either a controller or a processor, depending on the product or service concerned. Where TheLearning LAB acts as a controller, we will only process personal data for the limited purposes as described in our privacy policies or relevant notices or consents. Depending on the product or service concerned, TheLearning LAB either establishes its legal basis for processing personal data as a controller independently, or we flow this requirement down to our customers through a requirement to provide our applicable terms to relevant data subjects.
LMS Agreement – Penceo TheLearning LAB September 1, 2022
If TheLearning LAB is a processor, we only process the data on the instructions of the relevant controller (i.e. the customer), or as required by law.
As a processor, we are legally required to enter into data processing agreements with our customers and we have created agreements for all cases where this is required.
How does TheLearning LAB ensure GDPR compliance on data that travels outside Europe?
TheLearning LAB develops global products and services, so it makes sense that we apply the highest common denominator (i.e., the GDPR) when it comes to standards. International data transfers from the EU to third countries that have not been deemed to provide an adequate level of data protection by the European Commission are protected through standard contractual clauses or other approved transfer mechanisms. Internally, TheLearning LAB has implemented standard contractual clauses between each of its legal entities to ensure that all data transfers within the TheLearning LAB organization are conducted pursuant to a legally sufficient transfer mechanism.
How will TheLearning LAB secure valid consent in future and how does this differ from past practice?
Securing valid consent has been changed to an affirmative action as required by the GDPR. Where TheLearning LAB processes personal data based on consent, all ‘opt-out’ consents have been changed to ‘opt-in’. Where required, TheLearning LAB workflows and technical implementations have been changed accordingly.
What has TheLearning LAB done to ensure partners comply with the GDPR regulations?
In general, TheLearning LAB does not share personal data with third parties except to assist TheLearning LAB in providing services, or to comply with relevant laws. Where TheLearning LAB engages data processors, TheLearning LAB has included relevant safeguards in its contracts. TheLearning LAB also conducts due diligence in the vendor selection phase to ensure its data processors provide sufficient privacy and security protections. TheLearning LAB monitors compliance of its vendors on an ongoing basis, e.g. by conducting relevant audits or compliance evaluations.
Is it true that European customers can't send personal data to the U.S. anymore?
No. Although the CJEU invalidated the EU-US Privacy Shield, it didn't say that all data transfers to the U.S. are illegal or that data should no longer be transferred to the U.S. In fact, the CJEU confirmed that companies can transfer data outside the EU — including to the U.S. — so long as they implement adequate data protection safeguards. There has been a lot of confusion on this topic, so we want to take a moment to explain.
Firstly, the CJEU said that the SCCs can be used to transfer data.
Secondly, it said that companies relying on the SCCs (the "data exporter" and "data importer") must assess whether the data which is subject to the transfer will remain protected according to EU standards.
In some cases, the SCCs will be enough on their own to satisfy this requirement. In other cases, the parties may need to agree on "additional measures" (also referred to as "supplementary measures") alongside the SCCs.