Sanoma Learning is committed to deriving value for its customers through digital solutions, while respecting the requirements of privacy laws.
The EU’s General Data Protection Regulation (GDPR), approved by the European Parliament in 2016, is the most important change within data protection regulation in 20 years. It replaces the Data Protection Directive 95/46/EC and local law and regulations across the EU/EEA. The new regulation was designed to strengthen the individual’s rights to privacy and harmonize data privacy laws across Europe.
Sanoma has run a Privacy Programme since 2013, and welcomed the new regulation. In Sanoma Learning, we will keep doing our part to ensure that all our customers are GDPR compliant. There is a big, untapped potential in using technology and cloud services to improve teaching practices and learning outcomes. One of the keys to unlocking this potential is to earn the trust of teachers, students, and parents. In this sense, the increased focus on data protection and privacy due to GDPR is beneficial for all parties.
For most of the Sanoma Learning companies and products provided to customers, Sanoma Learning companies are what the new EU regulation defines as a processor. As a processor, we do not decide the purpose or lawfulness of the processing; we merely process data on our customers’ behalf. The GDPR established stricter requirements for all processors of personal data.
Sanoma Learning's commitments to GDPR as a processor:
- Ensure organisational and technical security for all services.
- Help our SL customers with the documentation needed to demonstrate compliance and inform their end users.
- Provide SL customers with contract addendums that comply with GDPR's requirements for Data Processing Agreements (DPA). In some of our operating countries these Data Processing Agreements are in alignment with requirements of industry standards.
- Provide the necessary support for SL customers when their users are executing their data subject rights.
Sanoma Learning has a Data Protection Officer (DPO) as defined under GDPR. In addition to monitoring our own compliance and providing advice and training to our own staff, our DPO is available to our customers and their DPOs to discuss data privacy issues.
Contact details for our DPO:
00100 Helsinki, Finland
+35 89 122 4791
GDPR requirements for Sanoma Learning customers (municipalities, schools)
In general, GDPR requires you as a Sanoma Learning customer to:
- Document and assess all processing of personal data and the systems being used. The purpose and lawfulness of the processing should be defined and you should make sure you do not process personal data that is not needed for the defined purpose.
- Ensure the organisational and technical security of the processing, and be able to demonstrate it. Assess your internal processes for data retention and security, and document it. Ensure that your own technology can provide sufficient technical security, and document it.
- When you are using third-party services, like ours, to process personal data, you need to make sure that the data processing requirements are compliant with GDPR.
- When acquiring new technology that is likely to result in a high risk to personal data, you need to perform a risk analysis – a Data Protection Impact Assessment (DPIA). For you as an existing customer, our services are not new technology. But doing a DPIA might still be a good idea and will help you in documenting compliance.
- Users (data subjects) have stronger rights under GDPR. Our customers need to have a process in place for taking data subject requests, and for assessing the validity of the requests.
- A particularly important data subject right is transparency and information. Make sure the information to your users on everything required under GDPR is easily accessible, including how they can exercise their rights. If your users are young, you should make sure this information is available to parents too.
- Ensure you sign an appropriate Sanoma Data Processor Agreement with Sanoma Learning. We propose a Data Processing Agreement which regulates the rights and duties pursuant to the European Data Protection Legislation, including the GDPR regulations, applicable to the Data Controller in connection with the Standard Service Subscription Agreement.