At NovoEd, we strongly value data protection and privacy as a core part of what we do in our mission to make online learning more effective and engaging. NovoEd has implemented administrative, technical, and physical security measures and policies to protect the privacy and security of data for our customers and their users.
You can find an overview of user privacy, including data collection, use, and security at https://help.novoed.com/hc/en-us/articles/214633123
NovoEd and the General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) places new obligations on organizations that process EU personal data. As a data processor, we value the privacy of our customers and their users and are committed to fully complying with the intent and requirements of the GDPR.
Does the GDPR apply to my organization?
You need to determine if GDPR applies to your organization. For many NovoEd customers, the answer is yes even if you have no EU-based operations. GDPR may apply to you if you actively sell or market to EU member states or are training employees in the EU on the NovoEd platform.
What do I need to do with respect to NovoEd if GDPR applies to my organization?
There are many aspects of GDPR compliance to consider. Some specific items related to GDPR compliance with your use of NovoEd include:
- Determine and document your lawful basis for processing
- Execute a Data Processing Addendum with NovoEd
- Share your privacy information with learners
- Be prepared to handle requests related to individual rights of data subjects
NovoEd has added a feature for your organization to define privacy information that is shared with the user. Learn more about that feature at: Sharing Org Specific Privacy Information
GDPR requires that data controllers have a lawful basis for processing personal data. NovoEd is primarily a Data Processor under GDPR for our customers, who are the data controllers. As such, NovoEd’s collection and processing of personal data is based on a contractual service agreement with a client. We rely on our clients to have a lawful basis for processing, either by obtaining consent or determining another lawful basis (e.g. contract or legitimate interest).
Individual Rights of Data Subjects
Requests related to individual rights of data subjects should go to you, the Controller, and you will pass the necessary requests on to NovoEd. This includes the data subject’s right of access, rectification, erasure, etc. NovoEd will notify the data controller if a data subject issues a request related to their individual rights directly to NovoEd.
Data Processing Addendum
If subject to the GDPR, you should have a Data Processing Addendum (DPA) executed with all processors used, including NovoEd. NovoEd has a standard DPA available to execute.
You can access NovoEd’s standard DPA at: NovoEd Data Processing Addendum.docx.pdf
You may sign it and send it to NovoEd Customer Success in order to execute it as an addendum to your agreement with NovoEd.
NovoEd utilizes a number of subprocessors in the delivery of the service, support, marketing, and sales. You can view our list of subprocessors, including the purpose and location for processing, here: NovoEd Service Processors and Subprocessors