GDPR
1. Our Commitment to You and the Protection of Your Data
eFront has an ethical, legal and professional duty to ensure the information it holds conforms to the principles of confidentiality, integrity, privacy and availability. In other words, the information that we are responsible for is safeguarded where necessary against inappropriate disclosure, is accurate, timely and attributable, and is available to those who should be able to access it. eFront complies with standing national law and international regulation regarding privacy and security issues. We have successfully completed a GDPR compliance program internally so as to be fully compliant with GDPR prior to when the new legislation comes into force (May 25, 2018).
We have set up a small GDPR Q&A to help you with your roadmap towards compliance, providing a high level overview of the regulation, discussing its main impact and helping you avoid some common pitfalls and fallacies.
Besides strengthening and standardising user data privacy across the EU nations, GDPR imposes new or additional obligations on all organisations that handle EU citizens’ personal data, regardless of where the organisations themselves are located. On this page, we’ll explain our methods and means of achieving GDPR-compliance, both for ourselves and for our customers.
2. GDPR Compliance
The GDPR’s updated requirements are significant and our team has worked hard to ensure that eFront fully meets them before May 25, 2018. Measures to achieve this include:
- Continuing to invest in our security infrastructure, technical and organizational measures, so that the level of security offered is appropriate to the risk. These include but are not limited to the features of the service listed in our Security page and the knowledge base.
- Making sure we have the appropriate contractual terms in place. Ensuring we can support deployments in the EU if needed using world-class cloud infrastructure providers with global presence, including locations in the European Union.
- Ensuring that the third-party services that eFront may use, listed as Attachment 3 in our Data Processing Addendum, fully meet the privacy and security requirements of the eFront customers, as reflected in their GDPR compliance programs and where applicable DPAs – mutually signed with us.
- Ensuring that there are confidentiality terms in the contracts of our personnel who are involved in the processing of personal data.
- Ensuring that the eFront data privacy personnel are easily reachable through the email privacy at efrontlearning dot com so that users can ask questions, lodge complaints, or exercise their rights.
- Enhancing our policies, controls and product offerings, including new tools/product features for data portability and data management, as well as enabling our customers to satisfy their users’ rights and requests.
- Providing sufficient information regarding the service through the Privacy policy, Terms of Service, and DPA.
- In the highly unlikely case of a data breach, there is a policy and plan in place to notify the supervisory authorities and affected data subjects within 72 hours.
We also constantly monitor the guidance around GDPR compliance from privacy-related regulatory bodies and codes of conduct, and have joined the EU Cloud Code of Conduct, an EU Data Protection Code of Conduct for cloud service providers containing rigorous assurances for the protection of data in cloud services. eFront is verified compliant with the EU Cloud CoC, Verification-ID: 2020LVL02SCOPE003. For further information, please visit List of Adherent Services.
3. Our Security Infrastructure
Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ data, we’ve set high standards for security.
Our cloud infrastructure is set up in AWS, an industry-leading cloud provider that is heavily certified in privacy and security, maintains datacenters in multiple regions worldwide, including the EU and the UK, and offers GDPR-compliant DPAs. All eFront communications are encrypted using a highly secure version of SSL/TLS with strong ciphers, resulting in an A+ security rating.
On top of that we have invested in building a robust privacy and security team, adhering to NIST recommendations and are in the process of enhancing our set of tools for detecting software vulnerabilities prior to production release, assessing our software and deployments, monitoring our infrastructure, protecting customer data, ensuring disaster recovery, business continuity and high availability. In accordance with GDPR requirements around security incident notifications, eFront will continue to meet its obligations and offer contractual assurances.
Please visit our Privacy policy and Terms of Service, as well as our Security Features page, if you’d like to learn more about our privacy and security policies, procedures and features.
4. International Data Transfers
To address concerns regarding international data transfers arising from national legislation or EU data protection laws, we already support deployments in the US, the EU or elsewhere if needed by our customers, using cloud infrastructure providers with global presence. You can choose the location of your eFront server from multiple options across the US, Asia, Australia and the European Union, including France, Germany, Ireland and the UK.
Data transfers outside the EEA are subject to the latest versions of the Standard Contractual Clauses approved by the European Commission from time to time, as published in the Official Journal of the European Union.
On June 4, 2021 the European Commission published new Standard Contractual Clauses (SCCs) for international data transfers.
The updated SCCs are available here.
5. Supporting eFront customers’ enhanced rights as data subjects
The rights of our eFront customers as data subjects are important to us. We are committed to supporting the new data subject rights, enhanced under GDPR, for all eFront customers, regardless of their location or nationality. In the next section of this page, we also explain how eFront helps our customers support the enhanced rights of their domains’ end users.
In particular, we are prepared to address any requests made by our customers related to their expanded individual rights under the GDPR:
Right of Access
Our Privacy policy describes what data we collect and how we use it. If you have specific questions about particular data, you can contact us at privacy at efrontlearning dot com for any clarification or data you may need at any time. Information will be provided free of charge without undue delay and typically much sooner than the GDPR-prescribed deadline of one month after the respective request receipt.
Right to Rectification
You may access and update your eFront account at any time to correct or complete your account information through your profile: just use the top right menu, select the ‘My Account’ menu option and then access and rectify your data through the ‘Profile’ tab. You may also contact us at any time if you need help to access, correct, amend or delete information that we hold about you, as explained in our Privacy policy.
Right to Erasure
You may terminate your eFront (managed) portal at any time, in which case we will permanently delete your account and all data associated with it, including backups. We can also export and return to you the data of your eFront instance if desired, as documented also in our Professional Services Agreement. You can also contact us at privacy at efrontlearning dot com for any issue you may face regarding the deletion of your data.
Restriction of Processing
eFront supports the right to request restriction of processing by providing the administrator with the ability to render any user as “Inactive”. This can also be done for large sets of users by selecting them and subsequently invoking the ‘Make active/inactive’ mass action.
Right to Object
If you object to eFront email notifications, you may deactivate them through the Notifications of your administrator panel as described here. You may opt out of inclusion of your data in our marketing by removing yourself from the mailing lists using the footer in the newsletters and marketing emails that you receive. You may also contact us at privacy at efrontlearning dot com to express your objection and we will satisfy your request within a few working days.
Right of Data Portability
You may export your data at any time through the administration panel. eFront fully supports the right to receive your domain’s data in a structured, commonly used and machine-readable format. In particular, eFront by design supports exporting in multiple formats, and all data are easily exported and downloadable by the administrator by selecting the “Export” or “Save as CSV” options for any piece of information stored in your eFront service instance. Furthermore, you can easily export your portal database through the administrator panel: it suffices to click on the “Maintenance” icon from the administrator’s “Home” page to navigate to the “Home / Maintenance” page; then click on the “Backup & Restore” icon to access the list of last backups taken or create one by clicking on the “Create Backup” button at the top left of the frame; next to each database dump and under the “Operations” column there is a “Download” icon that when clicked will fetch the desired backup locally. Finally, we can export your account data to a third party at any time upon your request, which you may send to privacy at efrontlearning dot com.
6. Supporting eFront end users’ enhanced rights as data subjects
We fully understand that eFront customers need help from our side in order for them to comply with the GDPR. And we’re happy to say that we have built those tools and features to enhance eFront so as to be fully compliant with the GDPR regulation. This includes new features required by GDPR, that enable the support of the GDPR-enhanced data subject rights for the end users of the eFront portals of our customers:
Right of Access
The data collected for each eFront end user are described in our Privacy policy. Each eFront portal administrator may collect additional data about end users through the custom fields that the administrator may have specified for the end users of his portal. All this data is displayed at the respective user pages and can be exported by the end users as CSVs. In case end users have additional specific questions, they may contact their portal administrator for clarifications and, if not satisfied, may also contact us at privacy at efrontlearning dot com for any clarification or data they may need at any time. Information will be provided free of charge without undue delay and typically much sooner than the GDPR-prescribed deadline of one month after the respective request receipt.
Right of Rectification
End users may access and update their account to correct or complete their account information by selecting the “My account” item from their account menu at the top right corner of the eFront interface and subsequently clicking on the “Profile” tab. End users may also contact their portal administrator directly at any time in case of a problem in order to access, correct, amend or delete information about them: in this case it suffices for the administrator to select the “Users” item from the administrator panel, then select the desired user from the list of users and subsequently click on the pencil icon of the “Operations” column to open the respective “Profile” tab to rectify the data. The same page can also be accessed by selecting the “Report” icon for the user and then, from the Report page, clicking on the “Edit User Info” button that appears on the right frame. Therefore, there are multiple easily accessible ways for the portal administrator to satisfy end users’ data rectification requests.
Right of Erasure
eFront supports sophisticated end user management, which includes rendering a user inactive or permanently deleting him from the system.
- The procedure for permanently deleting an individual user, e.g. due to the data subject’s request to be completely removed from the LMS, is fully supported and described step-by-step here.
- Mass deleting users based on a variety of rules supported by eFront is also possible. This rule-based approach to the right to erasure for large numbers of users, where manual deletion for each individual would be tedious, is already possible for the administrator by creating a custom report and then performing a mass action to delete the users of the list, as explained here.
These two complementary eFront features allow our customers to fully comply with GDPR regarding their end users’ right to be forgotten-erased from their eFront portal. Moreover, eFront allows end users to delete themselves directly from the eFront service by means of the ‘Delete my account’ option that is available at the bottom of the user profile page and subsequently confirming the deletion of the account in the popup message that appears. This additional option allows end users to delete themselves from the service without any intervention of the respective eFront portal administrator.
Restriction of Processing
eFront supports the right to restriction of processing by providing the administrator with the ability to render any user as “Inactive”. This can also be done for large sets of users by following the same procedure for mass deleting users explained in the “Right to Erasure” paragraph, replacing the deletion with the “Make inactive” mass action.
Right to Object
The case where the end user objects to processing for e-learning is covered in the “Right to Erasure” paragraph. In case the user objects to receiving email notifications, he may contact his domain administrator to be excluded from emails. The domain administrator can serve such requests in different ways. The easiest way would be for the domain administrator to perform the following steps: go to the administrator panel and select user types; select “Add User Type” to create a new user type similar to the one the user belongs to, with the only difference being that the “Messages” option is set to “Disabled”; assign the user to that type.
Right of Data Portability
As explained earlier in this page, this right is supported by means of the various export functions of the LMS. For instance, user progress can also be exported by using the custom reports feature.
7. Consent
eFront enables its customers to explicitly ask for and record end users’ consent for the service. In particular, each portal administrator may access through the Home / System settings administration page the “Users” option on the left of the page and input appropriate text to the “License note” text area, explicitly asking for end user consent. The respective text defined there is to be shown to each end user when he/she first logs in to the system. Additionally, by ticking the “Force users to accept the license note upon each login” tick box below the “License note” text area, the administrator can ask for consent each time a user logs into the system and not just the first time. In both cases, it is mandatory for the end user to accept this page in order to start using the LMS; therefore, this is a handy way of obtaining consent from the end users through eFront.
If the end users choose to withdraw consent for e-learning, this is essentially equivalent to the removal of the user of the service so the domain administrator can follow the “Right to Erasure” process explained earlier in this page in order to satisfy the data subject’s request and remove the end user from the eFront portal. Note that the users may review the aforementioned text at any time through their “Profile” page by clicking on the respective review button at the bottom of the page.
Finally, eFront also enables the administrator to select those users who have not accepted the Terms of Service and mass delete them. This is the same mass deletion procedure described in the “Right to Erasure” part and can also be applied by the administrator to “old” users who have been inactive for a certain amount of time. Therefore, this enables the eFront customers to enforce their GDPR-compliant data retention policy for their domain.
No automated individual decision-making: eFront by design fully respects the right of its users not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
8. Reach Out
Fulfilling our privacy and data security commitments is important to us. If you have any questions about how eFront can help you with compliance, or you have any privacy-related concerns, please reach out by contacting us at: privacy at efrontlearning dot com.
We have set up a small Q&A to help you with your roadmap towards GDPR compliance. This Q&A is intended to provide some help and guidance and should be treated as such; it is by no means a detailed explanation of all aspects of the regulation and does not provide an exhaustive treatment of the regulation in its entirety, covering all regulation requirements, sub-cases and provisions.
With the General Data Protection Regulation (GDPR) “ante portas”, it is important for companies that are subject to the new regulation to have a clear understanding of the forthcoming regulation and what it really means for their business. It is equally important to comprehend what the new regulation does not require and what measures need to be taken under which assumptions.
An important aspect of the GDPR that is also a source of confusion is that GDPR has different provisions for processors and controllers, depending on the nature of their operations, the personal data they handle and the scale at which their operations are conducted. Therefore, it is important to always refer to the official document of the regulation in order to clarify them before jumping into action.
Frequently asked questions
What is new with the scope of GDPR compared to previous data privacy laws and directives?
First of all, GDPR is a regulation; this means that – as opposed to EU directives – it is self-activating and legally binding upon its enforcement date, May 25th, 2018. GDPR replaces the prior data privacy EU Directive 95/46/EC and regulates how individuals and organizations such as government institutions and companies may obtain, use, process and delete personal data of European citizens.
The territorial scope of the GDPR is also substantially larger, as it applies to any company that is doing business with or processing personal data of EU citizens regardless of where it is established or where the actual processing of personal data takes place. This means that even if a company is not based in the EU and there is no processing of personal data in any EU-based facility, either the offering of goods or services to EU citizens or the tracking of EU citizens’ behavior – for example by means of cookies – is enough for the company to be subject to the forthcoming regulation. Non-EU businesses that fall into this category are required to appoint a representative in the EU if they wish to carry on their business with EU citizens.
What constitutes personal data?
Any information related to a natural person (‘data subject’) that identifies or can be used to identify the person either directly or indirectly constitutes personal data. This includes but is not limited to the person’s full name, email address, online identifier, bank account, IP address, social security number, etc.
What constitutes processing?
As defined in Article 4, “Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. The definition is very broad and includes more or less any kind of operation on personal data.
Is the way that consent is asked for and given in the context of a service affected?
Yes, the conditions for legitimate consent under the GDPR are sufficiently strengthened compared to prior data privacy laws. GDPR aims to empower the data subjects by explicitly rejecting complex pre-selected terms and conditions full of legalese as a legitimate means of valid consent. Instead, consent should be provided by means of an affirmative act (e.g. actively opting in by ticking a box as opposed to pre-selected tick boxes). Equally importantly, it must be as easy to withdraw consent as it is to give it and clear, straightforward language should be used, avoiding technical or legal jargon and confusing terminology (such as double negatives) so that users can actually understand what they consent to. Consent should be clear, granular (separate consent for different processing operations), distinguishable from other matters such as general terms and conditions and it should be given freely and unambiguously.
Is getting users’ consent mandatory for a company in order to be able to perform processing?
No, consent is just one of the legal bases one can use for the processing of personal data, as explained in Article 6 of the GDPR. Potential reasons to justify lawful processing include the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; cases where processing is necessary for compliance with a legal obligation; when processing is necessary in order to protect the vital interests of the data subject or of another natural person; when processing is necessary for the performance of a task carried out in the public interest; or finally on the basis of legitimate interest, which must, however, outweigh any detriment to the privacy of the data subject.
In case of data breach is notification to the data subjects required?
Breach notification will become mandatory under GDPR in cases where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. The time deadline for the notification is 72 hours after first having become aware of a data breach.
What is the major change in GDPR regarding Privacy by Design?
Under GDPR the “Privacy by Design” system design concept is now also becoming a legal requirement for the processing of personal data. The goal is to motivate and enforce a culture of data privacy that is embedded in the companies’ operations and systems. The “Privacy by Design” culture requires that security and privacy policies, processes and controls must be explicitly specified, enforced, monitored and tested. Privacy and data protection are henceforth at the core of the design of systems, rather than an addition or extra feature that may or may not be considered later on. An additional important implication of this is that companies are accountable for and must be able to prove the secure operation of their operations and systems against potential threats, the enforcement of the limitation of access to personal data to those who need it to carry out the processing for the completion of their duties, as well as that the minimum set of data is retrieved and processed for each processing operation, thus processing only the data that are absolutely necessary. Mass exposure of personal data to an unlimited number of recipients is strictly prohibited.
What is the data subject’s right to access?
In order to allow data subjects to enforce their data protection rights, GDPR mandates that data subjects whose personal identifiable information is potentially processed, have the right of access to their personal data. Upon such request, a copy of the personal data is to be provided, free of charge, in an electronic format. Additionally, data subjects have the right to obtain information regarding whether, and where, their personal data are processed; the purpose of the processing; the categories of data being processed; the categories of recipients with whom the data may be shared; the period for which the data will be stored (or the criteria used to determine that period); the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing; information about the existence of the right to complain; and information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
What is the data subject’s right to data rectification?
The data subject’s right to data rectification, as defined in Article 16 of the GDPR, mandates the ability of data subjects to rectify any errors in their personal data that are processed or controlled by companies. The right to data rectification also means that the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
What is the data subject’s right to be forgotten?
The right to be forgotten is described in Article 17 of the GDPR. It entitles the data subject to have the companies controlling his/her data erase his/her personal data “without undue delay” when the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, cease further dissemination of the data, and potentially have third parties halt processing of the data. Deleting personal data is also justified in case the data subject has withdrawn the previously given consent or if the personal data have been unlawfully processed. It should also be noted that this right requires companies to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests; for instance there may be legal obligations for maintaining financial records due to tax or social security related legal obligations for at least a specific amount of time.
What is the data subject’s right to data portability?
Data subjects, as described in Article 20 of the GDPR, have the right to transfer their personal data. This means that they must be able to receive the personal data concerning them in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller “without hindrance from the controller to which the personal data have been provided”. As an additional means of achieving this, the regulation also prescribes that the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Is it true that appointing a Data Protection Officer is mandatory for all companies subject to the GDPR?
No. As explained in Article 37 and Recital 97 of the GDPR, a Data Protection Officer (DPO) is only required for government institutions and also for companies whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale (for example CCTV, tracking software) or of special categories of sensitive data (such as health data) or data relating to criminal convictions and offences.
DPO appointment must be performed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices. The DPO, regardless of whether or not he/she is an employee of the company, should be in a position to perform his/her duties and tasks in an independent manner. Equally importantly, the DPO must be provided with appropriate resources to carry out his/her tasks and must not carry out any other tasks that could result in a conflict of interest.
Is performing a Data Protection Impact Assessment for all processing activities mandatory under GDPR?
Data Protection Impact Assessment (DPIA), as explained in Article 35 of the GDPR, is explicitly required only in cases of high-risk processing of EU citizens’ personal data, including:
- Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data such as data concerning a person’s health, or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
In the same article of the regulation there is also the provision that the supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment.