EU GDPR Compliance

This document is a non-legalese summary of our perspective on GDPR compliance, designed for your convenience. Please refer to your signed SmarterU Enterprise agreement for our binding legal agreements.

What is the GDPR?

The GDPR (General Data Protection Regulation) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents.

Organizations processing personal data of EU-based individuals will be required to comply with the GDPR by May 25, 2018.

GDPR defines three main groups in relation to cloud applications such as SmarterU.

Data Subjects

The people whose personal data is processed; in SmarterU’s case, the end-users or learners.

Data Controller

The organization that subscribes to the SmarterU platform.

Data Processor

Neovation Corporation, the provider of SmarterU.
(Neovation is referred to as SmarterU within this document, for convenience.)

What is considered personal data?

Any information related to a person that can be used to directly or indirectly identify that person is considered Personal Data. This can include data such as a person’s name, photo, or email address.

Is SmarterU compliant?

Yes.
SmarterU is a product of Neovation Corporation, a Canadian company which is already subject to Canada’s strict PIPEDA (Personal Information Protection and Electronic Documents Act) legislation. Thanks to PIPEDA, Canada has Adequacy status with European privacy laws. It is expected that adequacy will continue following the GDPR.

What are the Rights & Responsibilities?

The Data Subjects have a series of rights which must be enforced by the Data Controller and/or Data Processor.

Consent

Responsibility: Data Controller

A Data Subject must provide clear and unambiguous consent, which is distinguishable from other matters, using clear and plain language.

SmarterU recommends that the Data Controller obtain consent from the Data Subject prior to uploading their data to SmarterU, or providing the Data Subject with login credentials.

Breach Notification

Responsibility: Both

In any situation where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, a notification must be issued within 72 hours of first becoming aware of the breach. Data Controllers must notify the Data Subjects, and Data Processors must notify the Data Controllers.

SmarterU will notify the Data Controller immediately upon becoming aware of a data security breach, or potential breach.

Right to Access

Responsibility: Data Controller

A Data Subject may request confirmation of whether their personal data is being processed, and if so, where and for what purpose. Further, a Data Subject may request a copy of the personal data in an electronic format.

In order to comply with a Data Subject’s request, a Data Controller can request a data file from SmarterU for specific users.

Right to be Forgotten

Responsibility: Data Controller

A Data Subject has the right to request that their personal data be erased and that processing of it cease. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.

Upon termination of an account, SmarterU will delete all account data (including Personal Data); however, de-personalized and aggregated data will be retained.

Data Portability

Responsibility: Data Controller

A Data Subject has the right to request their personal data in an electronic format and to transmit it to another controller. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.

In order to comply with a Data Subject’s request, a Data Controller can perform an export, or request a data file from SmarterU for specific users.

Privacy by Design

Responsibility: Both

Both the Data Controller and Data Processor have a responsibility to embed privacy controls into their technology and service offerings, and to limit access to personal data to those who need it to carry out the processing.

SmarterU practices Privacy by Design within our platform and service offerings.

Data Protection Officers (DPO)

Responsibility: Data Controller

The Data Controller may be required to have an assigned DPO.

As SmarterU is neither a public authority nor an organization that engages in large-scale systematic monitoring, and does not have 250 or more employees, the assignment of a DPO, as defined by the GDPR, is not required.