Primeclass and the General Data Protection Regulation

Last modified on: 13 jun 2022

What is the name and address of the Primeclass that is responsible for European business?

Our learning platform business address is: LearnWorlds (CY) Ltd, Gladstonos 120 Foloune Building 2nd Floor, B1 3032 Limassol Cyprus.

Who is your nominated supervisory authority? Who is your nominated supervisory authority?

Because Primeclass’s learning platform is in the Republic of Cyprus, the Commissioner for Personal Data Protection in the Republic of Cyprus is nominated supervisory authority.

Is Primeclass a controller or processor of data?

Primeclass is a processor of some data and a controller of other data. Primeclass's role as a processor: Primeclass acts as a processor for enterprise clients who are the controllers of names and email addresses of their employees that are registered on Primeclass's learning platform. Primeclass processes the provided names and email addresses for the purposes of registering user accounts, communicating with account holders to provide technical support and collect voluntary feedback, and processing certificates of completion for those who successfully complete one of our programs.
Primeclass's role as a controller: Primeclass is the controller of data that is generated by or collected from users of the platform. For example, Primeclass decides what information to track with respect to learner performance, how to grade the submitted projects of learners, and other aspects of the skills training program. For more information regarding the user data, please see our Privacy Policy.

What are Primeclass's data responsibilities as a processor versus a controller? 

Primeclass’s learning platform is committed to protecting personal data with appropriate technical and organizational measures and is certified under the ISO 27001 standard for information security.

Primeclass's role as a processor: The enterprise client is responsible for upholding the rights of their employees that use Primeclass's learning platform, while Primeclass acts on behalf of the client. For example, the enterprise client can add names/emails to the list, delete them, or change them through the enterprise management interface of the platform. Primeclass will only process the names and email addresses as instructed by the enterprise client in accordance with the Data Processing Agreement signed by the parties.

Primeclass's role as a controller: Primeclass is the controller of data that is generated by or collected from users of the platform. Primeclass allows users to make data rights-related requests directly through a web-based automated request system.

What personal data is collected by Primeclass?

Primeclass collects personal information directly from the users of our learning platform: when they use our services, make a purchase from us, sign up for email updates, upload or post to public forums, submit requests or questions to us via forms or email, and request customer support and technical assistance.

The types of information we collect include names, addresses, telephone numbers, email addresses, log-in credentials for Primeclass account holders, information about purchases or other transactions with us, information about customer service and maintenance interactions with us, demographic information, information provided in connection with an application or admissions process (e.g. educational background, work experience, and prerequisite knowledge), user-generated content uploaded or posted to public forums through the service, and other information a user chooses to provide to us. See our Privacy Policy for full details.

What is the purpose of the data processing?

Our purposes for data processing are described in our Privacy Policy. In general, Primeclass processes data to deliver our services to our best ability.

In the context of Primeclass's role as a processor: Primeclass processes the names and email addresses provided by enterprise clients for the purposes of registering user accounts, communicating with account holders to provide technical support and collect voluntary feedback, and processing certificates of completion for those who successfully complete a skills training program.

Which sub processors does Primeclass use? 

Primeclass uses the following subprocessors to process the personal data controlled by enterprise clients:
Amazon Web Services (Cloud Infrastructure)
Google Cloud Platform (Cloud Infrastructure)
Segment (Customer Data Platform)
Learn Worlds (Learning Platform, Classroom Experience)
Hubspot (Customer Data Platform, Survey Tool for Collection of User Feedback, Customer Service and Support, Communication Management, Customer Success Platform)
In each instance, the location of the processing is in the United States.
In each instance, the processors meet the requirements of the GDPR and have adequate data protections.

Where is the data stored?

Major data is stored in cloud storage within Amazon Web Services. Specifically, Primeclass stores data in US East 1 located in N.Virginia.

Also, we store some data in cloud storage of Google Cloud Platform, which stores in US-Multi-regions (all located in different States of USA).

How do you honor data subject rights requests?

Our enterprise clients can add, delete, or correct any of the information they share directly on the Primeclass platform. Additionally, Primeclass is responsible for upholding the data rights of individuals who request access, rectification, erasure, restriction of processing, or portability of their personal data that was generated by or collected from them. Primeclass allows individuals to make data rights-related requests directly through a web-based automated request system.

Is data exported out of the EU? How do you ensure that exported data is appropriately safeguarded (i.e., in view of the Schrems II decision and the invalidation of the Privacy Shield Framework)?

Yes. European personal data may only be exported out of the EU if a valid international data transfer mechanism is employed to ensure that data transferred internationally is appropriately safeguarded. Primeclass uses the Standard Contractual Clauses for international data transfer from EU to US.

Is the data encrypted in transit, at rest, and in storage?

Yes.

What information security policies protect consumer data?

Primeclass’s learning platform is certified under ISO 27001 and SOC2/3. Primeclass maintains an information security management system, including robust policies, procedures, and training to protect consumer data.

What security / organizational measures have you implemented post Schrems II to ensure that data is adequately protected?

The Schrems II decision invalidated the European Commission's adequacy decision for the EU-US Privacy Shield Framework, on which more than 5,000 U.S. companies relied to conduct trans-Atlantic trade in compliance with EU data protection rules. However, the decision upheld the validity of Standard Contractual Clauses provided that sufficient technical and organizational measures are used by the data importer to protect against government access to EU personal data. Primeclass relies on Standard Contractual Clauses in combination with strong technical and organizational measures, including data encryption in transit and at rest, to protect data imported to the U.S.

What is your data retention policy?

Primeclass retains learner data until a valid request is received to delete it. This enables Primeclass to verify whether a learner has completed a skills training program upon request in the future. A learner can request deletion of their personal information at any time through our web-based automated request system accessible from their Primeclass account.
Why is the data retained indefinitely by Primeclass (unless a student requests deletion)? 

How does this comply with GDPR?

GDPR requires personal data of data subjects to be held no longer than required to serve the purpose for which the data was collected. In the case of learner data, the purpose for which the data was collected was to deliver online skills training programs that provide the technical skills needed for the careers of the future. Unless Primeclass receives a valid request to erase the learner data, the learner data is retained permanently. This allows the learner's record of participation and progress in the program to be maintained. If the data were deleted, we would have no record of an individual's completion and performance within the program.

Have a question? Contact Us

If there are any questions regarding Primeclass and the General Data Protection Regulation you may contact us at support@primeclass.io