General Data Protection Regulation (GDPR) Compliance

Statement for our customers

Purpose of this Statement

The General Data Protection Regulation (GDPR), which came into force on 25th May 2018, is one of the strictest pieces of privacy legislation globally. vLearning Solutions believes that privacy is a very important right for citizens and wishes to assure all the company’s customers that we are working hard to ensure compliance in all areas of our business.

Within this statement we wanted to highlight to our customers the measures we have put in place to ensure compliance with the GDPR where we hold or process personal data on your behalf.

What are our obligations in relation to GDPR?

vLearning Solutions is a data processor as defined by the GDPR, i.e. the vLearning Platform stores and processes personal data on behalf of, and with the consent of, our customer (the data controller).

As a data processor, vLearning Solutions’ obligations under GDPR are to:

  • Act ONLY under the instructions of the data controller (vLearning Solutions customers)
  • Keep personal data secure from unauthorised access, loss or destruction

What personal data does vLearning Solutions store and process?

As a data processor, vLearning Solutions stores and processes personal data relating to people who access the vLearning Platform. This includes customer admins and customer end users (learners). The precise type of personal data maintained depends on the specific customer implementation and on the data that the customer would like to maintain for their user population, for example for reporting purposes.

Typically, personal data includes email addresses, first names and surnames, although other details such as a user’s job role, department and location can also be stored if required by the customer.

Sensitive personal data (as defined by the GDPR), for example data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, physical or mental health records, sex life or sexual orientation, or genetic or biometric data, is not stored by the vLearning Platform.

Does vLearning Solutions transfer personal data across borders?

No. Personal data is not transferred across borders.

Can the customer view personal data on the vLearning Platform?

Yes. Customer users (data subjects) can see their personal data in their Profile page.

Can the customer delete personal data from the vLearning Platform?

Yes. Customer administrators can delete personal data, or vLearning Solutions can delete personal data at the request of either the data controller or the data subject.

The standard management facilities provided by the platform permit the archiving of user data on an individual basis, which hides it from the system. Once users have been inactive for a period of 12 months (alternative durations can be requested), their records will be fully anonymised. Immediate and full deletion of user data, or immediate anonymisation, can be requested from the support helpdesk.
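The paragraph above describes two distinct operations: archiving, which only hides a record, and anonymisation, which strips the identifying fields after 12 months of inactivity (or immediately on request). The following is an added illustration of that distinction, not code from the vLearning Platform; it assumes an in-memory user record, treats archiving as a visibility flag, and encodes the 12-month threshold as 365 days. The sample users are constructed and fictitious.

```python
"""Illustrative user-data archive / anonymise job (not the vLearning Platform's code).

Assumptions (not stated in the statement above): a user record is a small
in-memory object, "archiving" is a flag that hides the user from listings, and
"anonymisation" overwrites every identifying field in place so that reporting
rows keep their user_id but carry no personal data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The statement gives a 12-month inactivity period; 365 days is the assumed encoding.
DEFAULT_INACTIVITY = timedelta(days=365)


@dataclass
class UserRecord:
    user_id: int
    email: str
    first_name: str
    last_name: str
    job_role: Optional[str]
    last_active: date
    archived: bool = False     # hidden from the system, but data still present
    anonymised: bool = False   # personal data irreversibly removed


def archive_user(user: UserRecord) -> None:
    """Hide the user from the system without touching the stored data."""
    user.archived = True


def anonymise_user(user: UserRecord) -> None:
    """Overwrite every identifying field; keep user_id so reports still join."""
    if user.anonymised:
        return  # idempotent: a second run must not change anything
    user.email = f"anonymised-{user.user_id}@invalid"  # .invalid is reserved (RFC 2606)
    user.first_name = "Anonymised"
    user.last_name = "User"
    user.job_role = None
    user.anonymised = True
    user.archived = True


def anonymise_inactive(users: List[UserRecord], today: date,
                       threshold: timedelta = DEFAULT_INACTIVITY) -> List[int]:
    """Anonymise every user whose last activity is at least `threshold` old.

    Returns the ids anonymised in this run so the job can be logged/audited.
    """
    done: List[int] = []
    for user in users:
        if user.anonymised:
            continue
        if today - user.last_active >= threshold:
            anonymise_user(user)
            done.append(user.user_id)
    return done


def visible_users(users: List[UserRecord]) -> List[UserRecord]:
    """What an administrator sees: archived (hence anonymised) users are hidden."""
    return [u for u in users if not u.archived]


def sample_users() -> List[UserRecord]:
    """Constructed sample data; names and addresses are fictitious."""
    return [
        UserRecord(1, "alice@example.com", "Alice", "Example", "Trainer", date(2023, 1, 15)),
        UserRecord(2, "bob@example.com", "Bob", "Example", None, date(2024, 5, 20)),
        UserRecord(3, "carol@example.com", "Carol", "Example", "Manager", date(2023, 6, 1)),
    ]


if __name__ == "__main__":
    users = sample_users()
    archive_user(users[2])  # an admin hides Carol; her data is still stored
    print("hidden but retained:", [u.user_id for u in users if u.archived])
    print("anonymised this run:", anonymise_inactive(users, today=date(2024, 6, 1)))
    for u in users:
        print(u)
```

Archiving alone does not satisfy a deletion or anonymisation request, because the personal data is still stored; the scheduled job (or an immediate `anonymise_user` call on request) is what actually removes it. Returning the affected ids from each run gives the controller a record of what was anonymised and when.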

Can the customer export personal data from the vLearning Platform?

Yes. Customer administrators can use “QuickExport” reports to export data from the vLearning Platform, including personal data.

Data Protection Officer

vLearning Solutions has designated a Data Protection Officer (DPO), who takes full responsibility for all matters relating to data protection and GDPR compliance. The DPO will ensure that we are accountable and transparent to the supervisory authorities, including through the creation and maintenance of “Records of processing activities” as required by Article 30 of the GDPR.

Security and Business Continuity Measures

vLearning Solutions continually seeks to ensure the confidentiality, integrity and availability of the personal data we store or process. We maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.

We have updated the following policies for GDPR:

  • Data Security Policy
  • IT Security Policy
  • Incident Management Policy
  • Software Development Policy
  • Information Classification and Handling Policy

All staff are trained to follow the processes within the scope of the policies.

End-to-end encryption using SSL Certificates

Personal data is stored at-rest in an encrypted database and only ever transferred over HTTPS channels. Access to the vLearning Platform site is restricted to HTTPS only.

Personal data retention

Our data backup, retention, archive and purge policy is as follows:

  • 30 days full daily backup to geo-replicated cloud storage.
  • 30 days managed point-in-time backup.
  • We retain core data for the lifetime of the contract + 90 days, unless directed otherwise by the customer or the data owner.
  • On cessation, all entries in the vLearning Platform database are deleted, and cloud storage is also deleted.

Microsoft Azure GDPR-compliant sub-processor

The vLearning Platform is hosted using Microsoft Azure. Azure provides industry-leading performance and resilience through multiple layers of redundancy. Our hosting servers are load-balanced and rapidly scalable, and we use the SQL Azure service for database provision, which always maintains a resilient server cluster accessed via a load balancer. A passive replica of the database is maintained for Disaster Recovery purposes.

Microsoft’s GDPR compliance information can be found here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

Data Breaches

Under the GDPR, we must notify the controller of any personal data breach without undue delay. vLearning Solutions therefore has processes and procedures in place for identifying, reviewing and promptly reporting data breaches to the relevant controller.

We would provide the controller with:

  • A description of the nature of the breach
  • Contact details of the responsible data protection officer or any other contact person
  • Likely consequences of the breach
  • Measures proposed or already taken to limit harmful effects

We would stress again that we have comprehensive technical and organisational security measures in place to mitigate the risk of a data breach.