We are GDPR compliant!

For most of our customers, no. Under GDPR, consent is only one of six lawful reasons to process data. Our customers need to choose the lawful basis that most closely reflects the true nature of the relationship between you and your users. For most of our customers, consent would not be the most appropriate lawful basis for the processing. For many of our customers, the lawful basis of processing would be related to tasks performed in public interest or related to your legal obligations.

No. Both currently and under the new GDPR regulation we can only process data on direct instructions from our customers. The data is yours, and only a handful of itslearning staff has access to personal data under strict confidentiality and security. We can only process personal data independently if it is vital to the integrity or security of the service, or to analyse or evaluate the quality of the service provided.

Probably not. A user can only require their data to be deleted if the lawful basis of the processing is Consent (see above) or if the original purpose or lawfulness is no longer valid. Our customers will have to have processes in place to carefully evaluate data subjects’ requests for their data to be deleted. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right to be deleted, itslearning will, either through our software or our support services, be available to help execute a data subject’s rights.

To some extent, yes. All your users now have strong rights to transparency, information and data access. Any data subject can exercise his rights in requesting a copy of all their personal data, as long as it doesn´t adversely affect others, or if this data isn´t already available to him/her. However, this is not an absolute right; other laws might require you to protect the data subject, or others, from accessing certain types of information. You will need to carefully evaluate these requests under GDPR against rights and obligations in other regulations. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right of access, itslearning will, either through our software or our support services, be available to help execute a data subject’s rights.

No. Under GDPR, the data subject (user) rights is between him and the controller (our customers). Any data subject requests from end users to itslearning will be handed over to the customer. itslearning will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.

Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. itslearning is required to unduly notify its customers when becoming aware of a data breach, and to help them in fulfilling their obligations in notifying users.

One of the main objectives of the new GDPR is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors in processing data across the EEA would not be permitted under GDRP.

GDPR does not forbid personal data to flow outside the EEA, but it puts in place strong safeguards to ensure that any processing of data outside the EEA is done following the principles of GDPR. In addition, controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing, and in some cases, allow customers or users to object to the processing.

For most of our European customers, itslearning processes all personal data inside the EEA. There are some exceptions in cases where itslearning facilitates optional integration to 3rd party non-EEA based tools or services. In these cases, both itslearning and our customers must follow the requirements set out by GDPR.

itslearning does not independently send data to 3rd parties without instruction from our customers or a legal obligation to do so. An instruction from a customer could come in the form of an agreement to integrate with a 3rd party tool or service, or that customer representatives themselves set up an integration with a 3rd party tool or service. itslearning take steps to prevent customers from sending data to 3rd parties without complying with data protection regulations. However, it is important that our customers implement safeguards to ensure that data isn´t transferred to 3rd parties without adhering to their legal obligations.

Not legally. The EU, obviously, does not have any legislative power on US soil. GDPR does not offer any rights or freedoms to data subjects located in the US. And GDPR does not put obligations on US customers that do not process data on EU/EEA data subjects. The rights and obligations of US data subjects and organisations are secured by state or federal regulations, or through contractual or voluntary arrangements.

But itslearning offers, for the most part, the same services and the same level of security to our US customers as we offer our European customers. US customers will benefit from itslearning's approach to, and culture for, securing personal data under GDPR. The fundamental principles of European personal data protection are part of the fabric and contractual commitment we offer our US customers.