GDPR Compliance

Last updated: January 1, 2025

AgentIQ LMS is committed to full compliance with the European Union's General Data Protection Regulation (GDPR).

1. Our Commitment to GDPR

The General Data Protection Regulation (GDPR) represents the most comprehensive data protection legislation in the world. AgentIQ LMS is committed to GDPR principles and has implemented technical and organizational measures designed to protect personal data for individuals in the European Union, in accordance with GDPR requirements.

GDPR Applicability

GDPR applies to our processing of personal data when we offer services to individuals in the EU or monitor the behavior of individuals in the EU, regardless of where our company is located.

2. Legal Basis for Processing

Lawful Basis Under Article 6

We process personal data based on the following lawful bases:

  • Consent (Article 6(1)(a)): When you have given clear consent for us to process your personal data for specific purposes
  • Contract (Article 6(1)(b)): Processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract
  • Legal Obligation (Article 6(1)(c)): Processing necessary for compliance with a legal obligation
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for legitimate interests pursued by us or a third party, except where overridden by your interests or fundamental rights

Special Categories of Data

For any special categories of personal data (Article 9), we ensure we have an appropriate legal basis, such as explicit consent or processing for substantial public interest in education.

3. Your Rights Under GDPR

Data Subject Rights

Under GDPR, you have the following rights regarding your personal data:

Right of Access (Article 15)

You have the right to obtain confirmation that your personal data is being processed and access to that data.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

Right to Erasure (Article 17)

You have the right to have your personal data deleted under certain circumstances.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing under certain circumstances.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used format.

Right to Object (Article 21)

You have the right to object to processing of your personal data for certain purposes.

Rights Related to Automated Decision-Making (Article 22)

You have rights related to automated decision-making, including profiling.

4. How to Exercise Your Rights

Making a Request

To exercise any of your GDPR rights, please contact our Data Protection Officer using the contact details provided below. We will:

  • Acknowledge your request within 72 hours
  • Verify your identity to protect your personal data
  • Respond to your request within one month (extendable to three months for complex requests)
  • Provide information free of charge (except for manifestly unfounded or excessive requests)

Self-Service Options

Many rights can be exercised directly through your account settings, including accessing, correcting, and deleting your personal information.

5. Data Processing Activities

Categories of Personal Data

We process the following categories of personal data:

  • Identity Data: Name, username, profile information
  • Contact Data: Email address, telephone numbers, postal address
  • Technical Data: IP address, login data, browser type, device information
  • Usage Data: Information about how you use our platform and services
  • Educational Data: Course progress, assessment results, learning analytics
  • Communication Data: Your communications with us and through our platform

Purposes of Processing

We process personal data for the following purposes:

  • Providing and maintaining our learning management services
  • User account management and authentication
  • Educational content delivery and progress tracking
  • Communication and customer support
  • Service improvement and analytics
  • Legal compliance and fraud prevention

6. Data Transfers and Safeguards

International Data Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries with adequacy decisions from the European Commission
  • Standard Contractual Clauses (SCCs): Use of European Commission-approved SCCs
  • Binding Corporate Rules: Where applicable, approved binding corporate rules
  • Certification Mechanisms: Transfers under approved certification mechanisms

Transfer Impact Assessments

We conduct transfer impact assessments to evaluate the level of protection for personal data in third countries and implement additional safeguards where necessary.

7. Data Retention

Retention Principles

We retain personal data only for as long as necessary for the purposes for which it was collected:

  • Account Data: Retained while your account is active and for 2 years after account closure
  • Educational Records: Retained according to institutional requirements and legal obligations
  • Communication Data: Retained for 3 years for customer service purposes
  • Technical Logs: Retained for 12 months for security and system optimization
  • Marketing Data: Retained until consent is withdrawn or for 3 years after the last interaction

Automated Deletion

We have implemented automated deletion processes to ensure personal data is deleted when retention periods expire, unless there is a legal basis for continued retention.

8. Security Measures

Technical and Organizational Measures

We have implemented comprehensive security measures including:

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access control following the principle of least privilege
  • Authentication: Multi-factor authentication for administrative access
  • Monitoring: Continuous security monitoring and incident detection
  • Security Reviews: Internal security reviews and assessments
  • Staff Awareness: GDPR and security awareness practices for staff

9. Data Breach Procedures

Breach Response

In the event of a personal data breach, we will:

  • Detect and contain the breach immediately upon discovery
  • Assess the risk and impact of the breach
  • Notify the relevant supervisory authority within 72 hours when required
  • Notify affected data subjects when there is a high risk to their rights and freedoms
  • Document all breaches and remediation actions taken
  • Implement measures to prevent similar breaches in the future

10. Privacy by Design and Default

Built-in Privacy Protection

Our platform is designed with privacy by design and default principles:

  • Data Minimization: Collection and processing of only necessary personal data
  • Purpose Limitation: Clear specification and limitation of processing purposes
  • Storage Limitation: Automatic deletion when retention periods expire
  • Privacy-Friendly Defaults: Most privacy-friendly settings applied by default
  • Transparency: Clear information about data processing activities
  • User Control: Granular controls for users to manage their privacy preferences

11. Data Protection Impact Assessments

DPIA Process

We conduct Data Protection Impact Assessments (DPIAs) for processing operations that are likely to result in high risk to individuals. Our DPIA process includes:

  • Systematic description of processing operations and purposes
  • Assessment of necessity and proportionality of processing
  • Identification and assessment of risks to data subjects
  • Implementation of measures to address identified risks
  • Consultation with our Data Protection Officer
  • Consultation with supervisory authorities when required

12. Data Protection Officer

DPO Responsibilities

Our Data Protection Officer is responsible for:

  • Monitoring compliance with GDPR and other data protection laws
  • Conducting privacy audits and assessments
  • Providing guidance on data protection matters
  • Serving as the contact point for supervisory authorities
  • Handling data subject requests and complaints
  • Providing training and awareness programs

Contact Our DPO

Email: dpo@agentiqlms.com

Address: Data Protection Officer, AgentIQ LMS, 123 Education Street, Learning City, LC 12345

You can contact our DPO for any GDPR-related questions or to exercise your data protection rights.

13. Supervisory Authority

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority if you believe your personal data has been processed in violation of GDPR. You can contact:

  • The supervisory authority in your country of residence
  • The supervisory authority in your place of work
  • The supervisory authority where the alleged infringement occurred

You can find contact information for EU supervisory authorities at https://edpb.europa.eu/about-edpb/about-edpb/members_en

14. Updates to This GDPR Policy

We may update this GDPR compliance information from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes through our usual communication channels and update the "Last updated" date at the top of this page.

15. Contact Information

For any questions about GDPR compliance or to exercise your rights, please contact us:

Data Protection Officer: dpo@agentiqlms.com

General Privacy: privacy@agentiqlms.com

GDPR Requests: gdpr-requests@agentiqlms.com

Address: AgentIQ LMS Privacy Team, 123 Education Street, Learning City, LC 12345

Phone: +1 (555) 123-4567 ext. 3