eFront has an ethical, legal and professional duty to ensure the information it holds conforms to the principles of confidentiality, integrity, privacy and availability. In other words, the information that we are responsible for is safeguarded where necessary against inappropriate disclosure, is accurate, timely and attributable, and is available to those who should be able to access it. eFront complies with standing national law and international regulation regarding privacy and security issues. We have successfully completed an internal GDPR compliance program so as to be fully compliant with GDPR before the new legislation comes into force (May 25, 2018).
We have set up a small GDPR Q&A to help you with your roadmap towards compliance, providing a high level overview of the regulation, discussing its main impact and helping you avoid some common pitfalls and fallacies.
Besides strengthening and standardising user data privacy across the EU nations, GDPR imposes new or additional obligations on all organisations that handle EU citizens’ personal data, regardless of where the organisations themselves are located. On this page, we’ll explain our methods and means of achieving GDPR-compliance, both for ourselves and for our customers.
The GDPR’s updated requirements are significant and our team has worked hard to ensure that eFront fully meets them before May 25, 2018. Measures to achieve this include:
We also constantly monitor the guidance around GDPR compliance from privacy-related regulatory bodies and codes of conduct, and have recently joined the EU Cloud Code of Conduct, an EU Data Protection Code of Conduct for cloud service providers containing rigorous assurances for the protection of data in cloud services.
Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ data, we’ve set high standards for security.
Our cloud infrastructure runs on industry-leading cloud infrastructure providers that are heavily certified in privacy and security, such as Amazon or Rackspace. Both Rackspace and Amazon are active participants in the Privacy Shield program, offer datacenters in the EU, and also offer GDPR-compliant DPAs. All eFront communications are encrypted using a highly secure version of SSL/TLS with strong ciphers, resulting in an A+ security rating.
On top of that, we have invested in building a robust privacy and security team, adhering to NIST recommendations, and are in the process of enhancing our set of tools for detecting software vulnerabilities prior to production release, assessing our software and deployments, monitoring our infrastructure, protecting customer data, and ensuring disaster recovery, business continuity and high availability. In accordance with GDPR requirements around security incident notifications, eFront will continue to meet its obligations and offer contractual assurances.
To address concerns regarding international data transfers arising from national legislation or EU data protection laws, we already support deployments in the US, the EU or elsewhere if needed by our customers, using cloud infrastructure providers with global presence. You can choose the location of your eFront server from multiple options across the US, Asia, Australia and the European Union, including France, Germany, Ireland and the UK.
The rights of our eFront customers as data subjects are important to us. We are committed to supporting the new data subject rights, enhanced under GDPR, for all eFront customers, regardless of their location or nationality. In the next section of this page, we will also explain how eFront helps our customers support the enhanced rights of their domains’ end users.
In particular, we are prepared to address any requests made by our customers related to their expanded individual rights under the GDPR:
Right to Erasure: You may terminate your eFront (managed) portal at any time, in which case we will permanently delete your account and all data associated with it, including backups. We can also export and return to you the data of your eFront instance if desired, as documented also in our Professional Services Agreement. You can also contact us at privacy at efrontlearning dot com for any issue you may face regarding the deletion of your data.
Restriction of Processing: eFront supports the right to request restriction of processing by providing to the administrator the ability to render any user as “Inactive”. This can also be done for large sets of users by means of selecting them and subsequently invoking the 'Make active/inactive' mass action.
Right to Object: If you object to eFront email notifications, you may deactivate them through the Notifications of your administrator panel as described here. You may opt out of inclusion of your data in our marketing by removing yourself from the mailing lists using the footer in the newsletters and marketing emails that you receive. You may also contact us at privacy at efrontlearning dot com to express your objection and we will satisfy your request within a few working days.
Right of Data Portability: You may export your data at any time through the administration panel. eFront fully supports the right to receive your domain’s data in a structured, commonly used and machine-readable format. In particular, eFront by design supports exporting in multiple formats, and all data are easily exported and downloadable by the administrator by selecting the “Export” or “Save as CSV” options for any piece of information stored in your eFront service instance. Furthermore, you can easily export your portal database through the administrator panel: it suffices to click on the “Maintenance” icon from your “Home” page to navigate to the “Home / Maintenance” page; then click on the “Backup & Restore” icon to access the list of last backups taken or create one by clicking on the “Create Backup” button at the top left of the frame; next to each database dump and under the “Operations” column there is a “Download” icon that, when clicked, will fetch the desired backup locally. Finally, we can export your account data to a third party at any time upon your request, which you may send to privacy at efrontlearning dot com.
We fully understand that eFront customers need help from our side in order for them to comply with the GDPR. And we’re happy to say that we have built those tools and features to enhance eFront so as to be fully compliant with the GDPR regulation. This includes new features required by GDPR, that enable the support of the GDPR-enhanced data subject rights for the end users of the eFront portals of our customers:
Right to Rectification: End users may access and update their account to correct or complete their account information by selecting the “My account” item from their account menu at the top right corner of the eFront interface and subsequently clicking on the “Profile” tab. End users may also contact their portal administrator directly at any time in case of a problem in order to access, correct, amend or delete information about them. In this case it suffices for the administrator to select the “Users” item from the administrator panel, then select the desired user from the list of users and subsequently click on the pencil icon of the “Operations” column to open the respective “Profile” tab to rectify the data. The same page can also be accessed by selecting the “Report” icon for the user and then, from the Report page, clicking on the “Edit User Info” button that appears on the right frame. Therefore, there are multiple easily accessible ways for the portal administrator to satisfy end users’ data rectification requests.
Right to Erasure: eFront supports sophisticated end user management, which includes rendering a user inactive or permanently deleting him from the system.
These two complementary eFront features allow our customers to fully comply with GDPR regarding their end users’ right to be forgotten (erased) from their eFront portal. Moreover, eFront allows the end user to delete himself directly from the eFront service by means of the 'Delete my account' option that is available at the bottom of the user profile page and subsequently confirming the deletion of the account at the popup message that appears. This additional option allows end users to delete themselves from the service without any intervention of the respective eFront portal administrator.
Restriction of Processing: eFront supports the right to restriction of processing by providing to the administrator the ability to render any user as “Inactive”. This can also be done for large sets of users by following the same procedure for mass deleting users explained in the “Right to Erasure” paragraph, replacing the deletion with the “Make inactive” mass action.
Right to Object: The case where the end user objects to processing for e-learning is covered in the 'Right to Erasure' paragraph. In case the user objects to receiving email notifications, he may contact his domain administrator to be excluded from emails. The domain administrator can serve such requests in different ways. The easiest way would be for the domain administrator to perform the following steps: go to the administrator panel and select user types; select “Add User Type” to create a new user type similar to the one the user belongs to, with the only difference being that the “Messages” option is set to “Disabled”; assign the user to that type.
Right of Data Portability: As explained earlier in this page, this right is supported by means of the various export functions of the LMS. For instance, user progress can also be exported by using the custom reports feature.
eFront enables its customers to explicitly ask for and record end users’ consent for the service. In particular, each portal administrator may access, through the Home / System settings administration page, the “Users” option on the left of the page and input appropriate text to the “License note” text area, explicitly asking for end user consent. The text defined there is shown to each end user when he/she first logs in to the system. Additionally, by ticking the “Force users to accept the license note upon each login” tick box below the “License note” text area, the administrator can ask for consent each time a user logs into the system and not just the first time. In both cases, it is mandatory for the end user to accept this page in order to start using the LMS, therefore this is a handy way of obtaining consent from the end users through eFront.
If the end users choose to withdraw consent for e-learning, this is essentially equivalent to the removal of the user from the service, so the domain administrator can follow the “Right to Erasure” process explained earlier in this page in order to satisfy the data subject’s request and remove the end user from the eFront portal. Note that the users may review the aforementioned text at any time through their “Profile” page by clicking on the respective review button at the bottom of the page.
Finally, eFront also enables the administrator to select those users who have not accepted the Terms of Service and mass delete them. This is the same mass deletion procedure described in the “Right to Erasure” part and can also be applied by the administrator to “old” users who have been inactive for a certain amount of time. Therefore, this enables eFront customers to enforce their GDPR-compliant data retention policy for their domain.
No automated individual decision-making: eFront by design fully respects the right of its users not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Fulfilling our privacy and data security commitments is important to us. If you have any questions about how eFront can help you with compliance, or you have any privacy-related concerns, please reach out by contacting us at: privacy at efrontlearning dot com.