Our Commitment to You and the Protection of Your Data
TalentLMS has an ethical, legal and professional duty to ensure that the information it holds conforms to the principles of confidentiality, integrity, privacy and availability. In other words, the information we are responsible for is safeguarded against inappropriate disclosure where necessary, is accurate, timely and attributable, and is available to those who should be able to access it. TalentLMS complies with applicable national law and international regulation on privacy and security. We have successfully completed an internal GDPR compliance program so as to be fully compliant before the new legislation comes into force (May 25, 2018).
We have set up a small GDPR Q&A to help you with your roadmap towards compliance, providing a high level overview of the regulation, discussing its main impact and helping you avoid some common GDPR pitfalls and fallacies.
Besides strengthening and standardizing user data privacy across the EU nations, GDPR imposes new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and means of achieving GDPR-compliance, both for ourselves and for our customers.
Preparing for the GDPR
The GDPR’s updated requirements are significant and our team has worked hard to ensure that TalentLMS fully meets them. Measures to achieve this include:
- Continuing to invest in our security infrastructure, technical and organizational measures, so that the level of security offered is appropriate to the risk, including but not limited to the features of the service listed in our Security page and the knowledge base.
- Making sure we have the appropriate contractual terms in place. Ensuring we can support international data transfers by maintaining our Privacy Shield self-certifications, and offering an updated GDPR-compliant Data Processing Addendum (DPA). Ensuring that the third-party services that TalentLMS may use, listed as Attachment 3 in our Data Processing Addendum, fully meet the privacy and security requirements of TalentLMS customers, as reflected in their GDPR compliance programs, Privacy Shield certifications and their DPAs – mutually signed with us.
- Ensuring that the contracts of our personnel involved in processing personal data include confidentiality terms.
- Ensuring that the TalentLMS data privacy personnel are easily reachable at privacy at talentlms dot com, so that users can ask questions, lodge complaints, or exercise their rights.
- Enhancing our policies, controls and product offerings, including new tools and product features for data portability and data management, to help our customers support data subjects’ rights.
- Having a policy and plan in place to notify the supervisory authorities and affected data subjects within 72 hours in the highly unlikely case of a data breach.
We also constantly monitor the guidance around GDPR compliance from privacy-related regulatory bodies and codes of conduct, and have recently joined the EU Cloud Code of Conduct, an EU Data Protection Code of Conduct for cloud service providers containing rigorous assurances for the protection of data in cloud services.
Our Security Infrastructure
Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we have set high standards for security. Our cloud infrastructure uses Rackspace servers and Amazon S3 storage with AES-256 encryption. Rackspace and Amazon are both active participants in the Privacy Shield program and industry-leading cloud providers with extensive privacy and security certifications, and both offer GDPR-compliant DPAs. All TalentLMS communications are encrypted using a current version of SSL/TLS with strong ciphers, resulting in an A+ security rating.
On top of that, we have invested in building a robust privacy and security team that adheres to NIST recommendations, and we are enhancing our set of tools for detecting software vulnerabilities prior to production release, assessing our software and deployments, running a bug bounty program, monitoring our infrastructure, protecting customer data, and ensuring disaster recovery, business continuity and high availability. In accordance with GDPR requirements around security incident notifications, TalentLMS will continue to meet its obligations and offer contractual assurances.
International Data Transfers: Privacy Shield and Contractual Terms
To comply with EU data protection laws on international data transfer mechanisms, we already take part in the transatlantic Privacy Shield program, which ensures that data from EU customers is properly handled when located on US servers. You may find our entry for TalentLMS here.
TalentLMS will never employ subprocessors that maintain facilities or may perform processing in countries that are not on the list of countries for which the European Commission has explicitly affirmed the adequacy of the protection of personal data.
Supporting TalentLMS customers’ enhanced rights as data subjects
The rights of our TalentLMS customers as data subjects are important to us. We are committed to supporting the enhanced data subject rights introduced by the GDPR for all TalentLMS customers, regardless of their location or nationality. We also explain how TalentLMS helps our customers support the enhanced rights of their domains’ end users in the penultimate section of this page.
Right to Erasure: You may terminate your TalentLMS account at any time, in which case we will permanently delete your account and all data associated with it according to the TalentLMS data retention policy. In particular, terminating your administrator account renders the domain inactive; all account data is kept for 12 months after an account cancellation so that a service re-connection is as smooth as possible. Domains that have been inactive for 12 months or more are deleted by the system. You can also contact us at privacy at talentlms dot com if you want your data deleted upon your account cancellation; we will then permanently delete your account and all data associated with it within at most thirty days.
Restriction of Processing: TalentLMS supports the right to request restriction of processing by allowing the administrator to mark any user as “Inactive”. This can also be done for large sets of users by selecting them and then invoking the “Make active/inactive” mass action.
Right to Object: If you object to TalentLMS email notifications, you may deactivate them for yourself - or any other end user of your domain - by following these steps. You may opt out of inclusion of your data in our marketing by removing yourself from the mailing lists using the footer in the newsletters and marketing emails that you receive.
Right of Data Portability: You may export your data at any time through the administration panel of the application; the process is quite straightforward and also explained here. TalentLMS fully supports the right to receive your domain’s data in a structured, commonly used and machine-readable format. In particular, TalentLMS by design supports exporting in multiple formats, including CSV, XLS and SCORM. Furthermore, we will be happy to export your account data to a third party at any time upon your request, which you may send at privacy at talentlms dot com.
Supporting TalentLMS end users’ enhanced rights as data subjects
We fully understand that TalentLMS customers need help from our side in order to comply with the GDPR. We are happy to say that we have built tools and features into TalentLMS so that our customers can fully support the GDPR-enhanced data subject rights of the end users of the domains they create and manage:
Right to Erasure: TalentLMS supports sophisticated end user management, which includes rendering a user inactive or permanently deleting them from the system.
- The procedure for permanently deleting an individual user, e.g. due to the data subject’s request, is described here.
- Mass deleting users, for instance those who have been inactive or have not logged in for a certain amount of time, or based on a variety of other rules supported by TalentLMS, is also possible. This rule-based approach to the right to be forgotten for large numbers of users, where deleting each individual manually would be tedious, is available to the administrator by creating a custom report and then performing a mass action to delete the users on the list, as explained here.
These two complementary TalentLMS features allow our customers to fully comply with the GDPR regarding their domains’ end users’ right to be forgotten (erasure) from TalentLMS. Moreover, if the domain administrator enables this feature for the domain’s users by setting the "Generic / Profile / Update" option, end users may delete their own account directly from the TalentLMS service by means of the "Delete my account" option available below the "More" button on the user profile. This additional option allows end users to remove themselves from the service without any intervention by the respective TalentLMS domain administrator.
Restriction of Processing: TalentLMS supports the right to restriction of processing by allowing the administrator to mark any user as “Inactive”. This can also be done for large sets of users by following the same procedure as for mass deleting users, explained in the “Right to Erasure” paragraph, and invoking the “Make active/inactive” mass action instead of deleting.
Right to Object: The case where an end user objects to processing for e-learning is covered in the "Right to Erasure" part. If a user objects to TalentLMS email notifications, they may contact their domain administrator, who can exclude the respective user(s) from email notifications by following the steps described here.
Right of Data Portability: As explained earlier in this page, this is supported by means of the export function of the application. User progress can also be exported by using the custom reports feature of TalentLMS.
Consent: TalentLMS enables its customers to explicitly ask for and record users’ consent for using the TalentLMS service. In particular, each domain administrator may set, through the “Users” tab of the Home / Account & Settings administration page, a custom “Terms of Service” page that is shown to each end user when they first log in to the system. Accepting this page is required in order to continue to the LMS, which makes it a handy way of obtaining consent from end users through TalentLMS. Note that once an end user gives consent, this is also logged by TalentLMS and appears in the extended timeline of the application, making it easy to use for reporting or compliance purposes if needed. If an end user chooses to withdraw consent for e-learning, this is essentially equivalent to removing the user from the service, so the domain administrator can follow the “Right to Erasure” process explained earlier on this page in order to satisfy the data subject’s request and remove the end user from TalentLMS.
Furthermore, TalentLMS supports granular importing and exporting of users based on a “Terms” column, provided that the respective domain has specified "Terms of Service".
For users who were added to the system before the date consent was asked for, and who have not opted in to the Terms, TalentLMS also enables the administrator to select those users who have not accepted the Terms of Service and mass delete them. This is the same mass deletion procedure described in the “Right to Erasure” part, and the administrator can also apply it to “old” users who have been inactive for a certain amount of time. This enables TalentLMS customers to enforce a GDPR-compliant data retention policy for their domain.
No automated individual decision-making: TalentLMS by design fully respects the right of its users not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. If you have any questions about how TalentLMS can help you with compliance, or you have any privacy-related concerns, please reach out by contacting us at: privacy at talentlms dot com.