GDPR for Digiforma User Training Providers


Introduction to GDPR

The General Data Protection Regulation (GDPR) (EU 2016/679) is a European regulation that governs the collection, processing, and use of personal data. It came into effect on May 25, 2018, and applies to all training providers, regardless of their size or location.

The GDPR aims to strengthen the rights of individuals concerning the processing of their personal data and to make training providers responsible for the data they collect.


What is personal data?

Personal data is any information related to an identifiable natural person, either directly or indirectly. This can include information such as the name, address, phone number, email address, social security number, health data, consumption habits, internet browsing history, etc. training providers collect and process the personal data of their clients, trainees, trainers, and other stakeholders. This data is used for various purposes, such as:

  • Managing registrations and attendance at training sessions
  • Invoicing
  • Communication
  • Prospecting
  • Evaluating training programmes

The fundamental principles of GDPR

The general principles related to the processing of personal data are defined in Article 5 of the GDPR.

They form the foundation of the GDPR and must be adhered to by anyone responsible for processing personal data, meaning any natural or legal person who determines the purposes and means of the processing.

The six principles are as follows:

  1. Lawfulness, fairness, and transparency: Individuals must be informed about the existence of the processing and its purposes, and they must have given their consent or the processing must be based on another legal basis.
  2. Purpose limitation: Personal data should only be collected for specific, explicit, and legitimate purposes.
  3. Data minimization: The personal data collected should be adequate, relevant, and not excessive for the purposes for which they are collected.
  4. Accuracy: Personal data must be accurate and, if necessary, kept up to date.
  5. Storage limitation: Personal data should not be retained for longer than necessary for the purposes for which it was collected.
  6. Integrity and confidentiality: Personal data must be processed to ensure security, confidentiality, and integrity.

Finally, the data controller must be able to demonstrate compliance with these obligations. This is a new requirement of the GDPR: the data controller no longer needs to make a declaration to the CNIL.


GDPR compliance for a training provider

Here is a brief list of various points to consider when implementing GDPR within your organisation. For more comprehensive information, we recommend exploring the excellent guides provided by the CNIL on this subject.


Are training providers subject to the GDRP?

Yes!
 The implementation of GDPR is an internal process within your organisation. It is not sufficient to “use GDPR-compliant software.” You must establish a policy for the responsible collection and management of personal data of your clients and trainees stored on various media, and on which you perform processing.

Digiforma is one of the platforms on which you store this data and is therefore responsible for implementing GDPR as a data processor. We offer various functions described below to facilitate this process. In practice, centralizing data in as few tools as possible will simplify your work.

Most routine tasks carried out by a training provider for the operational execution of training programmes do not pose particular problems for GDPR compliance. You will need to pay attention to security, limit the collection to the minimum data really needed, and enable clients and trainees to request data retrieval and deletion.

You will, however, need to pay special attention to your use of data for commercial purposes. This is the very spirit of GDPR to combat abuses in this regard. If you use data entrusted to you for training for other purposes, you must absolutely communicate clearly about these processes and obtain informed consent from individuals.


Your role and Digiforma’s role in GDPR compliance

It is important to note that you, as a training provider, are the data controller, and Digiforma is a data processor for your training provider’s activities.


What are the GDPR obligations of a training provider?

The training provider, as the data controller, determines the purposes and means of processing personal data. The data controller is responsible for compliance with GDPR rules on the processing of personal data.

Specifically, it must:

  • Obtain the consent of the individuals concerned before collecting their personal data.
  • Inform the individuals concerned about how their personal data is collected, used, and retained.
  • Ensure the security of personal data.
  • Limit the collection of personal data to data necessary for the processing purpose.
  • Delete personal data when the processing is no longer necessary.

The data controller can appoint a data processor, such as Digiforma, to process personal data on its behalf. The data processor is subject to the same data protection obligations as the data controller.

The data controller must maintain a register of processing activities of personal data that it carries out. This register must include the processing purposes, the categories of personal data concerned, data recipients, data retention periods, and security measures in place.

The data controller must also respond to requests from individuals concerning their personal data. This includes providing individuals with a copy of their personal data, informing them of how their data is used, and responding to requests for rectification, deletion, or restriction of data processing.

The data controller can be sanctioned by the National Commission for Information Technology and Civil Liberties (CNIL) for non-compliance with GDPR. Sanctions can amount to up to 4% of the organisation’s worldwide annual turnover, or €20 million, with the higher amount being retained.


How to collect trainee data?

The General Data Protection Regulation (GDPR) is a European Union regulation adopted on April 27, 2016, and came into effect on May 25, 2018. GDPR aims to enhance and unify the protection of personal data of natural persons within the EU.

Training providers are subject to GDPR to the extent that they collect and process personal data of their trainees. Personal data includes all information related to an identifiable natural person, such as their name, first name, address, phone number, email address, etc.

To comply with GDPR, training providers must meet a number of obligations, including:

  • Obtaining the consent of trainees before collecting and processing their personal data.
  • Informing trainees about how their personal data is collected, used, and retained.
  • Limiting the collection and processing of personal data to only the information necessary for the purposes for which it is collected.
  • Ensuring the security of personal data.
  • Deleting trainee personal data when it is no longer necessary for the purposes for which it was collected.

How can a training provider achieve full GDPR compliance?

To achieve full GDPR compliance for your training provider, you can start with the following steps:

  • Draft a privacy policy that informs trainees about how their personal data is collected, used, and retained.
  • Obtain the consent of trainees before collecting and processing their personal data.
  • Limit the collection and processing of personal data to only the information necessary for the purposes for which it is collected.
  • Use appropriate security measures to protect personal data against unauthorized access, alteration, destruction, and loss.
  • Delete trainee personal data when it is no longer necessary for the purposes for which it was collected.

Do we need to appoint a GDPR representative?

It is imperative to designate someone within your training provider to be responsible for implementing the policy for the protection of personal data in your organisation. This person must have the appropriate status and skills.
The Data Protection Officer (DPO) is the person responsible for implementing the policy for the protection of personal data and ensuring the effective protection of this personal data within your organisation.

DPO appointment is mandatory for certain structures, such as public entities, for example. Even in the absence of a legal obligation, appointing a DPO is crucial for any business. The DPO can be internal or external, but must have the appropriate status and skills.


Two procedures to implement in your training centre

We recommend implementing two procedures to respond to data breaches and trainee data access requests.

what is the procedure in case of a data breach?

raining organisations that process personal data (data controllers or data processors) must establish comprehensive procedures for personal data breach.

These procedures should cover the entire process: implementing measures to detect a breach immediately, containing it promptly, analyzing the risks arising from the incident, and determining whether it is necessary to notify the supervisory authority, or even the individuals affected. These procedures contribute to documenting compliance with GDPR.

Not all breaches need to be reported to the supervisory authority or individuals. When necessary, informing the affected individuals should be a priority for the data controller, as it allows them to take measures to protect themselves from risks.

The obligation to notify depends on the risk posed by the personal data breach to the rights and freedoms of the individuals whose data has been affected:

L’obligation de notifier dépend du risque que la violation de données personnelles fait peser sur les droits et libertés des individus dont les données ont été impactées :

  • If the breach does not pose a risk to the rights and freedoms of the individuals concerned, the data controller must document the breach internally in a register but is not required to notify the CNIL. However, the CNIL can review this internal documentation.

 

  • If the breach poses a risk to the rights and freedoms of the individuals concerned, the data controller must document the breach internally in a register and notify the CNIL as soon as possible and within a maximum of 72 hours.

 

  • If the breach poses a high risk to the rights and freedoms of the individuals concerned, the data controller must document the breach internally in a register, notify the CNIL as soon as possible, and within a maximum of 72 hours, and also notify the affected individuals as soon as possible.té rejetée.

What is the procedure for a trainees GDPR right to access their data?

A trainee, like any individual whose personal data is processed, has rights (right of access, right to rectify, right to lodge a complaint with the CNIL (the French data protection authority), and under certain conditions, the right to erasure, restriction, objection, withdrawal of consent, and objection to the processing of data for marketing purposes).

To exercise these rights, individuals should send a written request with the necessary information (complete contact details and a copy of their identification) by post or email.
The data controller has one month to respond. If for any reason it cannot comply with a request, it must explain to the individual why their request was rejected.


GDPR compliance of Digiforma


GDPRpoint of contact:

Data Protection Officer (DPO) Digiforma has appointed the firm xDPO as the Data Protection Officer (DPO), who can be contacted with any questions regarding GDPR at rgpd@aworldforus.com.

 

A Data Protection Officer (DPO) is a person responsible for the protection of personal data within an organisation. The DPO ensures that the organisation complies with all applicable laws and regulations related to data protection.

The DPO has a number of responsibilities, including:

  • Advising the organisation on best practices for data protection.
  • Overseeing the implementation of data protection policies and procedures.
  • Training employees on data protection.
  • Responding to requests from individuals regarding their personal data.
  • Coordinating with data protection authorities (such as CNIL in France).

 

The DPO plays a crucial role in safeguarding individuals’ personal data. By ensuring that the organisation complies with all applicable laws and regulations, the DPO helps ensure that personal data is collected, used, and stored securely and in compliance with the law.

The role of the DPO is defined by the General Data Protection Regulation (GDPR). GDPR requires all organisations that process personal data of individuals located in the European Union to appoint a DPO if they meet certain criteria, including processing data on a large scale or processing sensitive data.


Personal Data processed by Digiforma

Digiforma processes two types of personal data from its clients:

User data:

These are visible and editable in their Digiforma account. The data required in a user account are those legitimately necessary for the service’s operation.
A user can export their data from their account and request to have their account permanently deleted by contacting us at rgpd@aworldforus.com.

 

Trainee data:

Digiforma provides various means to store data about your trainees (editable fields, file uploads, grades).
The only data required by the software is the last name. Other data should only be collected and stored when necessary for your activities.

If one of your trainees requests the export or deletion of their personal data, you have several functions that can be used in your Digiforma account.

  • You can export the personal data of a trainee in Excel format from their record in the software.
  • You can anonymize the personal data of trainees from their record in your Digiforma account.
    Anonymization preserves the educational and financial record and your history. The trainee’s name will be replaced with a code, and all personal information (name, address, etc.) will be permanently deleted.

Technical data protection measures implemented by Digiforma

All data exchanges between your web browser and the Digiforma server are encrypted using the SSL protocol.

Data from your account can only be accessed with your username and password.

The Digiforma servers are located in Europe (Ireland) in the AWS data center via the web application host Heroku. This data center is certified ISO 27001, SOC 1, and SOC 2/SSAE 16/ISAE 3402. The databases are continuously protected by physical backup, and the data is encrypted on disk with AES-256.

We use cloud solutions to manage or communicate with our clients. The list of solutions used is listed in our Privacy and Personal Data Use Policy.

When we use a solution that transfers personal data to the USA, we ensure that Standard Contractual Clauses (SCCs) have been signed or that the solution provider is a signatory of the Data Privacy Framework, a US regulatory framework for the protection of personal data adopted by the European Commission on July 13, 2023.

View the solution providers that have signed the Data Privacy Framework:
Data Privacy Framework Signatories

The adequacy decision validated by the European Commission:
Data Transfers to the United States: European Commission Adopts a New Decision


Where is data hosted in Digiforma?

The Digiforma servers are located in Europe (Ireland) in the AWS data center through the web application host Heroku.


Is Digiforma’s web host GDPR compliant?

Yes!
Yes! All Digiforma data transferred to the European data center is protected by various technical and organisational measures.
The GDPR compliance of our hosting provider AWS is described here:
AWS GDPR Compliance

The GDPR compliance of our hosting provider Heroku is described here:
Heroku GDPR Compliance


What technical measures are in place?

All data exchanges between your web browser and the Digiforma server are encrypted using SSL protocol.

Your account data can only be accessed with your login and password. The data is hosted in a datacenter that is ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 certified.

Databases are continuously protected by physical back-up, and data is encrypted on disk using AES-256.

Discover also the other essential features for training providers

La bibliothèque de ressources de Digiforma

Téléchargez nos meilleurs contenus gratuits autour de la formation & du digital

La certification Qualiopi de A à Z

Des centaines de conseils et astuces pour préparer son audit Qualiopi.

Certification - Illustration Digiforma

Livres blancs formation pro

Organismes de formation réussissez votre transformation digitale avec nos e-books.

Livre Blanc - Illustration Digiforma

Digiformag

Toute l’actualité de la formation professionnelle en ligne.

Digiformag - Illustration Digiforma

Find out more about the Digiforma solution

The full potential of digital technology for your activity