O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.


674 visualizações

Publicada em

What GDPR compliancy means for Open Badge Factory and Open Badge Passports users?

Publicada em: Software
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto


  1. 1. What GDPR compliancy means for Open Badge Factory and Open Badge Passport users Eric Rousselle
  2. 2. About the EU General Data Protection Regulation • We’ve always been committed to protect personal data in all our services • EU General Data Protection Regulation (GDPR) is beneficial for all parties as it sets clear rules for personal data protection • GDPR brings transparency and therefore supports trust • We’ve made necessary modifications to get OBF and OBP GDPR compliant before May 25 • OBF and OBP will be updated on May 22 and 23
  3. 3. GDPR terminology • Personal data is information relating to an identifiable living individual • Data subject means an individual who is the subject of personal data • Data controller means usually an organisation which determines the purposes for which and the manner in which any personal data are, or are to be, processed • Data processor, means any person (usually organisation) who processes the data on behalf of the data controller
  4. 4. What rights GDPR gives to individuals? • a right of access to a copy their personal data • a right to object to processing • a right to have personal data rectified, blocked, erased or destroyed or anonymised • See the complete list: https://ico.org.uk/for-organisations/guide-to-data- protection/principle-6-rights/
  5. 5. Data protection principles • Personal data shall be processed fairly and lawfully • Personal data shall be processed in accordance with the rights of data subjects • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data • See: https://ico.org.uk/for-organisations/guide-to-data-protection/data- protection-principles/
  6. 6. GDPR and Open Badge Factory • data controller is a customer organisation using OBF to create and issue badges • data processor is the service provider (Discendum) • OBF customer’s admin(s), registered users (creators and issuers) are data subjects • Badge recipients are also considered as data subjects because their personal data is used to issue badges (email address, name, surname, data submitted in badge application forms)
  7. 7. How data subjects can access their personal data? • OBF users (registered) can list their personal data in OBF and erase their account and all their personal data if they wish to do so • When receiving a badge, a badge recipient will get a link to check (using their email address) what personal data is stored and processed in OBF • Badge recipient can request their personal data (name, surname, email address, possibly also data submitted in badge request / application forms) to be anonymised or erased • Data subject’s requests have to be processed by the data controller (customer) promptly (in a maximum delay of 40 calendar days) • Data processor can not / will not anonymise or erase personal data on behalf of the data controller (customer)
  8. 8. OBF documents • DPA (Data Processing Agreement) • This document is an annex, part of the agreement between the Service provider and its Customer. The purpose of this Annex is to agree on the privacy and data protection of the personal data of the Customer in the services of the Service Provider. • Terms and Conditions • Privacy notice (annex of Terms and Conditions) • Tells users what data is processed. On what legal basis and for what purpose. • These documents will be displayed to users when they log in to OBF (May 22). No agreement needs to be signed. Using OBF is considered as an agreement.
  9. 9. Open Badge Passport and GDPR
  10. 10. • From GDPR point of view, OBP is a straightforward case • The service provider is data controller and data processor • OBP users are data subjects • User creates their own account in OBP (accounts aren’t created on their behalf) • User brings their personal data to OBP • User has access to their personal data • User can delete all personal data and their account • Service provider doesn’t delete data on behalf of the user
  11. 11. OBP documents • Terms and Conditions • Privacy notice (annex of Terms and Conditions)
  12. 12. Good to know • Both OBF and OBP are hosted in an EU country (Finland) • The cloud service provider of both OBF and OBP is GDPR compliant • Aligning to GDPR is a requirement for all European companies • OBF and OBP data is protected (firewalls, etc.) and backed up daily. Passwords and network connections are encrypted • OBF’s and OBP’s data processor (service provider) doesn’t transfer any data into other services (except for back up purposes) • When a customer issues badges in a Learning Management System using an OBF plugin, some data is transferred between the systems • Badges are usually hosted in OBF’s server, but in some cases customer can set up their own Badge Record Storage to host their badges in their own server
  13. 13. OBF and OBP are “low risk services” • Personal data stored and processed in both systems is not “sensitive data” • The amount of personal data used is small • Open Badge is an earner centric concept, recipient can always decide how to use and display their badges • Badge earners have the right not to display and share their badges but it is good to keep in mind that the Open Badges concept has been built to recognise and communicate achievements, skills, competencies, attitudes, etc. and therefore openness and sharing are in the core of the concept!
  14. 14. Thank you! eric.rousselle@discendum.com @eric_rousselle