We are GDPR compliant
We fully comply with the requirements for all of our services.
Systems and Policies
This policy describes why we process and how we protect personal data.
Sub-processors
itslearning uses third party suppliers to assist in connection with providing services.
Security measures
We have implemented both organizational and technical security measures.
Data Request
We comply with international regulations regarding the rights of individuals to privacy.
Information to our customers about GDPR
The EU’s General Data Protection Regulation (GDPR), approved by the European Parliament in 2016, is the most important change within data protection regulation in 20 years. It replaces the Data Protection Directive 95/46/EC and local law and regulations across the EU/EEA. The new regulation is designed to strengthen the individual’s rights to privacy and harmonize data privacy laws across Europe.
itslearning has been committed to data privacy since it was founded in 1999 and welcomes the new regulation. We will keep doing our part to ensure that all our customers are GDPR compliant. There is a big, untapped potential in using technology and cloud services to improve teaching practices and learning outcomes. One of the keys to unlocking this potential is to earn the trust of teachers, students, and parents. In this sense, the increased focus on data protection and privacy due to GDPR is beneficial for all parties.
itslearning GDPR Commitment
We fully comply with the requirements for all of our services, including itslearning, Fronter and SkoleIntra to be GDPR ready. We have been working with GDPR for a long time to analyse the new regulation, and making the necessary changes to our services, procedures, and organization. During the previous months, we made available all documentation, contract addendums, and procedures needed to prove your GDPR compliance.
It is important to say that for the cloud services we provide to our customers and their end users, itslearning is what both existing and new EU regulation defines as a processor. As a processor we do not decide the purpose or lawfulness of the processing, we merely process data on our customers’ behalf. The GDPR regulations force stricter requirements upon all processors of data.
Our commitment to GDPR requires that we work to:
- Ensure organisational and technical security for all services.
- Help you with the documentation needed to demonstrate compliance and inform your users.
- Provide you with new contract addendums that comply with GDPRs requirements for Data Processing Agreements (DPA)
- Provide the necessary support for you when your users are executing their data subject rights. You can find more information on the GDPR Data Request page on our Support site.
itslearning has a Data Protection Officer (DPO) as defined under GDPR. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO is available to our customers and their DPOs to discuss data privacy issues.
Contact details for our DPO:
Riikka Turunen
Sanoma Media Finland Oy
+35 89 122 4791
privacy@itslearning.com
GDPR customer requirements
In general, GDPR requires you to:
- Document and assess all processing of personal data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you do not process personal data that is not needed for the defined purpose.
- Ensure the organisational and technical security of the processing, and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
- When you are using third-party services, like ours, to process personal data, you need to make sure that the data processing requirements are compliant with GDPR.
- When acquiring new technology that is likely to result in a high risk to personal data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). As an existing customer, our services are not new technology to you. But doing a DPIA might still be a good idea and will help you in documenting compliance.
- Users (data subjects) have stronger rights under GDPR. Our customers need to have a process in place for taking data subject requests, and for assessing the validity of the requests.
- A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under GDPR is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.
- Review the itslearning Data Processor Agreement, which purpose is to regulate the rights and duties pursuant to the European Data Protection Legislation, including the GDPR regulations, applicable to the Data Controller in connection with the Standard Service Subscription Agreement.
Download the itslearning Data Processor Agreement.
For general questions related to itslearning product and services, you can as always contact our support organisation. For contractual or commercial questions, please contact your account manager.
For specific GDPR-related questions from our customers, please contact our Data Protection Officer via email privacy@itslearning.com or call +35 89 122 4791. Any communication with our DPO must be in English.
Will GDPR require us to get consent from all of our users (or their parents)?
For most of our customers, no. Under GDPR, consent is only one of six lawful reasons to process data. Our customers need to choose the lawful basis that most closely reflects the true nature of the relationship between you and your users. For most of our customers, consent would not be the most appropriate lawful basis for the processing. For many of our customers, the lawful basis of processing would be related to tasks performed in public interest or related to your legal obligations.
Can itslearning use personal data for their own purposes?
No. Both currently and under the new GDPR regulation we can only process data on direct instructions from our customers. The data is yours, and only a handful of itslearning staff has access to personal data under strict confidentiality and security. We can only process personal data independently if it is vital to the integrity or security of the service, or to analyse or evaluate the quality of the service provided.
What kind of information are we obligated to provide users about the personal data processing?
The right to transparency and information to the users (or their parents) is strong under GDPR. Information you need to make easily available may include:
- Identity and contact details of the controller / controller’s representative
- The contact details of the Data Protection Officer
- The purpose of the processing and the legal basis for processing the data
- Any intentions to transfer personal data to a third country (outside EU/EEA) and what safeguards have been put in place, and means of obtaining a copy of it.
- The period for which the personal data will be stored, or criteria that determine the period.
- The data subject’s rights (Access, rectification, erasure, etc.)
- The right to lodge a complaint with the supervisory authority
- Where the data originates from
- Any use of automatic decision making/profiling.
Can any of our users now require us to delete their data (“AKA right to be forgotten”)?
Probably not. A user can only require their data to be deleted if the lawful basis of the processing is Consent (see above) or if the original purpose or lawfulness is no longer valid. Our customers will have to have processes in place to carefully evaluate data subjects’ requests for their data to be deleted. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right to be deleted, itslearning will, either through our software or our support services, be available to help execute a data subject’s rights.
Can our users now require us to give them a copy of all their personal data?
To some extent, yes. All your users now have strong rights to transparency, information and data access. Any data subject can exercise his rights in requesting a copy of all their personal data, as long as it doesn´t adversely affect others, or if this data isn´t already available to him/her. However, this is not an absolute right; other laws might require you to protect the data subject, or others, from accessing certain types of information. You will need to carefully evaluate these requests under GDPR against rights and obligations in other regulations. You can contact our Data Protection Officer for advice in difficult cases. If a data subject is granted the right of access, itslearning will, either through our software or our support services, be available to help execute a data subject’s rights.
Can a user contact itslearning directly (e.g. student, parent, teacher) to exercise his rights under GDPR?
No. Under GDPR, the data subject (user) rights is between him and the controller (our customers). Any data subject requests from end users to itslearning will be handed over to the customer. itslearning will cooperate in good faith with customers to ensure they can exercise the rights of the data subjects in a prompt manner.
When does itslearning delete personal data?
itslearning deletes personal data when instructed by our customers, or if the contract between us and the customer is terminated. The procedures around deleting customer data upon termination of service should be provided in writing or in a Data Processor Agreement.
An instruction to delete a user in our services can either be manually performed in the platform by a customer representative, automatically performed through an integration with a student administrative system (or similar) or upon request to our support organisation.
When users are deleted in our systems, there are safeguards in place to prevent errors leading to an irreplaceable loss of data. In many cases customers will have to manually confirm the deletion of customer data, including personal data.
Does itslearning have to notify users if they have been affected by a data breach?
Depending on the nature of the data breach, our customers might be required to promptly notify both the users affected and the supervising authorities. itslearning is required to unduly notify its customers when becoming aware of a data breach, and to help them in fulfilling their obligations in notifying users.
Do I need to appoint a Data Protection Officer?
In many cases, Yes. You are required to appoint a DPO if you:
a) Are a public/government institution
b) Process certain types of sensitive data on a large scale
c) The processing involves large-scale monitoring or surveillance
Please note that it is the organisation, not the system, that needs a DPO. In many cases, your organisation might already have a DPO. The DPO can be a contracted role. Many government institutions offer DPO services to other institutions.
Can I require a cloud service provider, like itslearning, to only host personal data in my country?
One of the main objectives of the new GDPR is the free flow of personal data inside the European Economic Area (EEA), under one common regulation. In most cases, restricting vendors in processing data across the EEA would not be permitted under GDPR.
Does itslearning process data outside the EEA? Is it allowed to process data outside the EEA?
GDPR does not forbid personal data to flow outside the EEA, but it puts in place strong safeguards to ensure that any processing of data outside the EEA is done following the principles of GDPR. In addition, controllers or processors that process data outside the EEA must provide detailed information about the nature of the processing, and in some cases, allow customers or users to object to the processing.
For most of our European customers, itslearning processes all personal data inside the EEA. There are some exceptions in cases where itslearning facilitates optional integration to 3rd party non-EEA based tools or services. In these cases, both itslearning and our customers must follow the requirements set out by GDPR.
I have heard that itslearning is not secure enough under GDPR! Is this true?
GDPR does not set out detailed requirements for what constitutes a “secure” cloud-based service. It is the joint responsibility of our customers (controllers) and itslearning (the processor) to provide appropriate organisational and technical security for personal data processed, and be able to demonstrate it. The main change from current regulations to GDPR is a strengthening of liability for organisations that do not provide appropriate security.
For two decades, itslearning has successfully protected the processing of personal data of millions of users. However, past performance is not always indicative of future results. So, we continuously invest in organisational security, network and infrastructure security, and application security to ensure we can offer beyond what is appropriate security for our end users. We also regularly allow 3rd parties to audit our security, and we welcome our customers to perform their own audits.
As most software companies, itslearning does not go into detail about security measures in place. But amongst the safeguards and processes in place to protect against known threats, including:
- Application security, such as use of encryption of all traffic, strongly hashed passwords, safeguards against vulnerabilities such as Cross site scripting, SQL injections, phishing and others.
- Network security, firewalls and systems to detect suspicious behaviour, or to stop malicious attempts to gain access, or compromise the resilience of the service (e.g. DDOS attacks).
- Organisational security, like access policies, audit logs and confidentiality agreements.
- Physical security to ensure the prevention of unauthorized access to infrastructure processing personal data.
- Procedural security – IT management processes to minimize the risk of human errors, or testing regimes to identify software weaknesses before releasing new features to our cloud services, or policies to ensure data is only processed on instruction from our customers.
Where does itslearning obtain personal data about users?
itslearning does not independently obtain user data to our services. User data can either be manually submitted to the platform by customers’ representatives, through an integration with a third-party system, or in some cases by the users themselves.
Most commonly, personal data in itslearning comes from “student information systems” under the control of our customers. We only import data from third-party systems on the instruction from our customers.
Does itslearning send data to 3rd parties?
itslearning does not independently send data to 3rd parties without instruction from our customers or a legal obligation to do so. An instruction from a customer could come in the form of an agreement to integrate with a 3rd party tool or service, or that customer representatives themselves set up an integration with a 3rd party tool or service. itslearning take steps to prevent customers from sending data to 3rd parties without complying with data protection regulations. However, it is important that our customers implement safeguards to ensure that data isn´t transferred to 3rd parties without adhering to their legal obligations.
Does GDPR impact US customers or US end users?
Not legally. The EU, obviously, does not have any legislative power on US soil. GDPR does not offer any rights or freedoms to data subjects located in the US. And GDPR does not put obligations on US customers that do not process data on EU/EEA data subjects. The rights and obligations of US data subjects and organisations are secured by state or federal regulations, or through contractual or voluntary arrangements.
But itslearning offers, for the most part, the same services and the same level of security to our US customers as we offer our European customers. US customers will benefit from itslearning's approach to, and culture for, securing personal data under GDPR. The fundamental principles of European personal data protection are part of the fabric and contractual commitment we offer our US customers.