General Data Protection Regulation (GDPR) Compliance Statement

The new European Union General Data Protection Regulation (GDPR) is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, coming into force on May 25, 2018. GDPR sets new standards and compliance requirements for every company that holds or processes personal data. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data.

The Epignosis group of companies, being Epignosis LLC, a US based company, having its registered office at 315 Montgomery Street (8th Floor) San Francisco, California CA 94104 USA and Epignosis UK Ltd, a UK based company, having its registered office at Crown House, 72 Hammersmith Rd, London UK with its Greek Branch established in Athens, Lykourgou Str, 1, 10551, henceforth jointly referred to as “Epignosis”, and its cloud and enterprise LMS service offerings are committed to high standards of information security, data privacy, and transparency, and to managing data in accordance with legislation and regulation, including but not limited to GDPR. Epignosis attests that it will comply with applicable GDPR regulations as a data processor for e-learning, while also working in conjunction with our customers, the data controllers, to help them meet their GDPR obligations.

Epignosis has three main areas of focus in preparing for GDPR:

  1. Building on existing security and business continuity management policies, processes and controls, to ensure compliance.
  2. Performing gap and privacy assessments to support GDPR compliance for its customers, who use the e-learning services for their end users.
  3. Provision of services to help customers to understand and prepare for GDPR, develop compliance plans and build a stronger platform for the future by taking control of their data and reviewing their deployment options for their LMS.

It is important to stress that compliance is a shared responsibility and that the LMS customers may also need to adapt their business processes, data management practices, and integrations. Epignosis attests that the customers of its e-learning solutions remain the sole owner of the data, retaining the rights, title, and interest in the data stored in the LMS and can take advantage of the features inherent in the service to meet their GDPR obligations related to deletion, rectification, transfer of, access to, and objection to processing of personal data. Epignosis protects data from inappropriate access or use and provides customers with the ability to specify who has access to what data within each domain or branch.

Epignosis officially states that it will achieve GDPR-compliance for itself and its services and provide all required means for its customers to be able to be GDPR-compliant prior to May 25, 2018.

As a data processor, Epignosis is undertaking assessments of the data and personal information it processes, its security policies and procedures, and its contracts with data controllers and sub-contractors. Incident response plans and data retention policies will be reviewed and updated where needed.

Epignosis is committed to providing solutions to support its customers’ GDPR obligations, whether through standard features or through modifications or enhancements of its LMS services’ features and configurations. Epignosis also commits to advising its customers on optional features or integrations of the service, on potential compliance issues, and on how to support the enhanced rights of data subjects and their requests. To this end, Epignosis already does and will continue to offer:

  • GDPR-awareness content through the respective LMS sites to educate its customers regarding GDPR and provide easy-to-follow step-by-step instructions on what must be done to be able to both achieve and demonstrate compliance.
  • Software modifications to remove, or make optional, features of the services that are not GDPR-compliant, and to add new features that better support GDPR obligations, including the enhanced rights of its customers and their end users.
  • Improved data availability, privacy (including encryption both at rest and in transit) and consent management solutions for the LMS domains.
  • Support of customers’ requests for hosted service deployments in locations within the European Union for its enterprise LMS, so as to ensure that our customers can comply with the GDPR provisions regarding international data transfers. Retaining an active Privacy Shield certification for its cloud LMS services so that data can be lawfully transferred to the US-based cloud infrastructure of our cloud services.
  • Use of industry-leading and security-certified cloud infrastructure providers and data centers with a high level of security, data confidentiality, integrity, and availability.
  • Continuous monitoring of the LMS infrastructure health (Nagios) and auditing of logged events through Elastic Stack.
  • Multi-vendor encrypted backups to ensure data integrity and availability even in the event of a disaster or failure.
  • Deployment of its own Intrusion Prevention/Detection System (Wazuh) as an additional security safeguard and update of the company’s Data Breach Management Policy to fully comply with GDPR provisions regarding data breach incidents.
  • Each LMS service has built‑in security features, such as comprehensive role‑based access control, encryption in transit, encryption at rest, application scoping, access, logging, monitoring, and data minimization.
  • Prompt response to any privacy-related issue or request or notification or question our customer may have, as part of their GDPR-compliance efforts.

Furthermore, Epignosis attests that:

  • all Epignosis staff are familiar with GDPR and their personal responsibilities, and are adequately trained upon induction and annually (or sooner if there is a major legislative change);
  • the Privacy Policy and Terms of Service for its services are accurate, written in plain language and provide sufficient detail on what information is collected, how it is used, and what is and is not acceptable use of the service;
  • processing is lawful, fair and transparent;
  • data is collected for a specific purpose (e-learning), is necessary for that purpose, can be kept accurate by means of the service features, and is not kept for longer than necessary;
  • data and infrastructure are kept secure;
  • Epignosis does not process sensitive information;
  • Epignosis has a notification process in case of a breach.

The Epignosis DPO can be reached at privacy (at) epignosishq (dot) com.

© Epignosis. All rights reserved