The GDPR (General Data Privacy Regulation) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents.
Organizations processing personal data of EU-based individuals will be required to comply with the GDPR by May 25, 2018.
GDPR defines three main groups in relation to cloud applications such as SmarterU:
Data Subjects: the people; in SmarterU's case, these are the end-users or learners.
Data Controller: the organization that subscribes to the SmarterU platform.
Data Processor: Neovation Corporation, the provider of SmarterU.
(Neovation is referred to as SmarterU within this document, for convenience.)
Any information related to a person that can be used to directly or indirectly identify that person is considered Personal Data. This can include data such as a person's name, photo, or email address.
Yes.
SmarterU is a product of Neovation Corporation, a Canadian company which is already subject to Canada’s strict PIPEDA (Personal Information Protection and Electronic Documents Act) legislation. Thanks to PIPEDA, Canada has Adequacy status with European privacy laws. It is expected that adequacy will continue following the GDPR.
The Data Subjects have a series of rights which must be enforced by the Data Controller and/or Data Processor.
Responsibility: Data Controller
A Data Subject must provide clear and unambiguous consent, which is distinguishable from other matters, using clear and plain language.
SmarterU recommends that the Data Controller obtain consent from the Data Subject prior to uploading their data to SmarterU, or providing the Data Subject with login credentials.
Responsibility: Both
In any situation where a data breach is likely to "result in a risk for the rights and freedoms of individuals", a notification must be issued within 72 hours of first becoming aware of the breach. Data Controllers must notify the Data Subjects, and Data Processors must notify the Data Controllers.
SmarterU will notify the Data Controller immediately upon becoming aware of a data security breach, or potential breach.
Responsibility: Data Controller
A Data Subject may request confirmation of whether their personal data is being processed, and if so, where and for what purpose. Further, a Data Subject may request a copy of the personal data in an electronic format.
In order to comply with a Data Subject’s request, a Data Controller can request a data file from SmarterU for specific users.
Responsibility: Data Controller
A Data Subject has the right to request their personal data to be erased, and to cease processing it. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.
Upon termination of an account, SmarterU will delete all account data (including Personal Data); however, de-personalized and aggregated data will be retained.
Responsibility: Data Controller
A Data Subject has the right to request their personal data in an electronic format, and transmit it to another controller. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.
In order to comply with a Data Subject’s request, a Data Controller can perform an export, or request a data file from SmarterU for specific users.
Responsibility: Both
Both the Data Controller and Data Processor have a responsibility to embed privacy controls into their technology and service offerings, and to limit access to personal data to those who need it to carry out the processing.
SmarterU practices Privacy by Design within our platform and service offerings.
Responsibility: Data Controller
The Data Controller may be required to have an assigned DPO.
As SmarterU is not a public authority, does not engage in large-scale systematic monitoring, and does not have 250 or more employees, the assignment of a DPO, as defined by the GDPR, is not required.