In accordance to the General Data Protection Regulatory (GDPR) employers are allowed to share personal data of employees with third party vendors, such as LMS365, without the consent of employees. This, however, requires that the employer informs employees that their data is being shared with the third party, that there is a legitimate interest behind the sharing, and that sharing is done in line with the requirements of GDPR.
As this is fundamental to the functioning of LMS365, you will store personal data of employees with the solution. This is part of the agreement with us. In this article, we will provide you guidance on how to ensure you meet the standards for the handling of employees’ personal information when sharing these data with us.
In this article:
- Personal data shared with LMS365
- Product functionality to meet the principle of the right to be forgotten
- Recommended practice regarding the use of personal data of employees in LMS365
Personal data shared with LMS365
As a learning management system with functionality like participants lists, mandatory training, personal notifications, and individual training progress, LMS365 is dependent on personal data in order to run properly.
LMS365, however, only collects the minimum required personal information to deliver this functionality. This includes information like account name, email address, location, and job title. Each customer’s data is stored in a dedicated Azure SQL database in the Data Center location selected by the respective customer. Please find the full list of data we collect and details of how it is being stored here.
All customer data is processed in full accordance with the requirements of GDPR. Please find details on our data processing here.
Product functionality to meet the principle of the right to be forgotten
To provide customers with the ability to meet the principle of the right to be forgotten, LMS365 includes the option of purging all records of a selected learner from a course catalog. This action can be done by people in the customer’s organization with the right level of access.
Purging all records of a user will remove all information and records of actions of that person in the course catalog and ensure that the person’s data is no longer stored in LMS365. In this way, the user can be completely forgotten in the product, if the customer chooses so.
As outlined, LMS365 solely collects personal data that is necessary for the proper functioning of a learning management system and all data is handled in accordance with the requirements of GDPR. This means there is a legitimate interest behind the sharing of personal data with LMS365 and that the sharing of data carefully follows requirements.
Recommended practice regarding the use of personal data of employees in LMS365
To comply with the standards within GDPR for processing personal data in your collaboration with LMS365, you can, therefore, rely on the following practices:
- Inform your employees of the fact that personal data is shared with LMS365, which personal data this concerns, and the reason for this. This will provide the necessary transparency.
- Allow a method for employees to easily rectify their personal information shared with LMS365. In this way, you will allow people their right to rectification of inaccurate personal data.
- After an employee leaves the organization, set up a function to enable employees to easily request to be forgotten in LMS365. This will ensure former employees their right to erase personal data in LMS365 if your organization do not have a valid reason to retain such personal data about the former employee.
You can find more information regarding LMS365 IT security management in our Trust Center where we have collated information on security, authentication, the data that we store in LMS365, privacy, data handling security, data access, and encryption.