This document is a non-legalese summary of our perspective on GDPR compliance, designed for your convenience. Please refer to our terms & services for our binding legal agreements.
Everyday language summaries are provided for convenience only and are not legally binding. Please read the “Master Subscription Agreement” for the complete picture of your legal requirements. By using OttoLearn or any OttoLearn services, you are agreeing to these terms. Be sure to occasionally check back for updates.
The GDPR (General Data Privacy Regulation) is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents.
Organizations processing personal data of EU-based individuals will be required to comply with the GDPR by May 25, 2018.
GDPR defines three main groups in relation to cloud applications such as SmarterU.
Data Subjects
The people, in SmarterU’s case, this would be the end-users or learners.
Data Controller
The organization that subscribes to the SmarterU platform.
Data Processor
Neovation Corporation, the provider of SmarterU.
(Neovation is referred to as SmarterU within this document, for convenience.)
Any information related to a person, that can be used to directly or indirectly identify the person is considered Personal Data. This can include data such as a person’s name, photo, or email address.
Yes.
SmarterU is a product of Neovation Corporation, a Canadian company which is already subject to Canada’s strict PIPEDA (Personal Information Protection and Electronic Documents Act) legislation. Thanks to PIPEDA, Canada has Adequacy status with European privacy laws. It is expected that adequacy will continue following the GDPR.
In addition, SmarterU’s terms & conditions are specifically designed to meet GDPR requirements.
The Data Subjects have a series of rights which must be enforced by the Data Controller and/or Data Processor.
Consent
Responsibility: Data Controller
A Data Subject must provide clear and unambiguous consent, which is distinguishable from other matters, using clear and plain language.
SmarterU recommends that the Data Controller obtain consent from the Data Subject prior to uploading their data to SmarterU, or providing the Data Subject with login credentials.
Breach Notification
Responsibility: Both
In any situation where a data breach is likely to “result in a risk for the rights and freedoms of individuals”, then a notification must be issued within 72 hours of first becoming aware of a breach. Data Controllers must notify the Data Subjects, and Data Processors must notify the Data Controllers.
SmarterU will notify the Data Controller immediately upon becoming aware of a data security breach, or potential breach.
Right to Access
Responsibility: Data Controller
A Data Subject may request confirmation if their personal data is being processed, and if so, where and for what purpose. Further, a Data Subject may request a copy of the personal data in an electronic format.
In order to comply with a Data Subject’s request, a Data Controller can request a data file from SmarterU for specific users.
Right to be Forgotten
Responsibility: Data Controller
A Data Subject has the right to request their personal data to be erased, and to cease processing it. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.
Upon termination of an account, SmarterU will delete all account data (including Personal Data), however de-personalized, and aggregated data will be retained.
Data Portability
Responsibility: Data Controller
A Data Subject has the right to request their personal data in an electronic format, and transmit it to another controller. This right is limited in the case of the Data Subject being an employee of the Data Controller, as that data is required for the purposes of employment.
In order to comply with a Data Subject’s request, a Data Controller can perform an export, or request a data file from SmarterU for specific users.
Privacy by Design
Responsibility: Both
Both the Data Controller and Data Processor have a responsibility to embed privacy controls into technology and service offerings, as well as limiting the access to personal data to those needing to act out the processing.
SmarterU practices Privacy by Design within the platform and service offerings.
Data Protection Officers (DPO)
Responsibility: Data Controller
The Data Controller may be required to have an assigned DPO.
As SmarterU is not a public authority, or an organization that engages in large scale systematic monitoring, or has 250 or more employees, then the assignment of a DPO, as defined by the GDPR, is not required.
