The Visual Learning Company is GDPR Compliant
The Visual Learning Company is now compliant with the EU General Data Protection Regulation (GDPR) and is supportive of our customers own GDPR compliance. The Visual Learning Company customers can have confidence that The Visual Learning Company’s handling of personal data is of the GDPR’s security standards.
In particular, in accordance with article 5 of the GDPR, The Visual Learning Company will ensure that personal data is:
Processed lawfully on the basis of Legitimate Interests
Collected only for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Accurate and kept up to date
Held only for the absolute time necessary and no longer
Processed in a manner that ensures appropriate security of the personal data
The Visual Learning Company’s steps to GDPR Compliance
The Visual Learning Company has undertaken a review and audit of all of our systems and practices in connection with the personal data of our customers and has made the appropriate internal amendments in order to comply with the requirements of the GDPR.
In particular, The Visual Learning Company have:
Implemented appropriate documentation with customers and suppliers.
Confirmed with our suppliers that each supplier itself has taken steps to achieve GDPR compliance.
Reviewed and continue to monitor organizational access to personal data and measures to ensure compliance, including policies and procedures for staff and other personnel.
Implemented and made appropriate changes to our security measures in accordance with the GDPR standards.
The Visual Learning Company and the GDPR – Frequently Asked Questions
This document provides a summary of the new data protection requirements which apply under the GDPR from 25 May 2018 and how the GDPR applies to the services offered by The Visual Learning Company.
What is the GDPR?
The GDPR is the new European Union Regulation about the protection of personal data and the rights of individuals in relation to their personal data.
When does the GDPR come into effect?
The GDPR takes effect on 25 May 2018.
Who does the GDPR affect?
The GDPR applies to organisations located within the EU and to organisations located outside of the EU if they offer goods or services to individuals in the EU.
The Visual Learning Company’s GDPR compliance is subject to the personal data that we process and hold for individuals in the EU.
As The Visual Learning Company have customers in the EU, compliance with the GDPR is irrespective of whether or not the UK retains the GDPR post-Brexit. Our data handling processes for organisations which are located in the UK are GDPR compliant. If the UK government implements new laws equivalent to the GDPR post-Brexit then The Visual Learning Company will ensure that it will comply with any such laws.
What is personal data under the GDPR?
The GDPR applies to ‘personal data’ which means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What types of personal data does The Visual Learning Company collect?
This personal data which The Visual Learning Company collects depends on the type of customer account but typically includes individuals’ contact details such as name, email address, title, student or staff group, and institution name; technical identifiers, including user IDs and IP addresses; and video content and metadata, to the extent they contain personal data.
Our collection and processing of personal data is for the purposes of The Visual Learning Company’s legitimate interest in the commercial provision of educational services and to the extent necessary for the performance of our services.
What is the difference between a data processor and a data controller?
The GDPR applies to data controllers and data processors. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Our usual practice follows that The Visual Learning Company is the Data Processor and The Visual Learning Company customers are nominated as Data Controllers.
What are the rights of data subjects?
Data subjects are the individuals who are identified or identifiable by reference to the personal data they provide. Data subjects have the following rights under the GDPR:
Breach Notification – Notification of a data breach is mandatory where it is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, without undue delay after first becoming aware of a data breach.
The right to be informed – Individuals have the right to be informed about the collection and use of their personal data.
The right to rectification – A right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
The right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data.
The right to object – Individuals have the right to object to processing of personal data for direct marketing purposes.
Right to Access -Data subjects have a right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller must provide a copy of the personal data, free of charge, in an electronic format.
Right to be Forgotten – The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Data Portability – This is the right for a data subject to receive the personal data concerning them which they have previously provided in a commonly used and machine readable format and the right to transmit that data to another controller.
The Visual Learning Company has and will implement procedures to ensure that it will comply with all data subject rights in accordance with the requirements under the GDPR.
What is The Visual Learning Company’s legal basis for processing personal data?
The processing of personal data is lawful under the GDPR where one (or more) of the following six grounds have been met:
Consent – The data subject has given consent to the processing for one or more specific purposes.
Performance of a Contract – Where the processing is necessary for the performance of a contract or where it is necessary in order to “take steps” at the request of the data subject before entering into a contract.
Compliance with a Legal Obligation – Where personal data is processed in order to comply with a legal obligation.
Vital Interests of the Data Subject – Where personal data is processed in order to protect the vital interests of the data subject or another individual.
Public Interest – Where the processing is necessary for the purpose of performing a task that is in the public interest or in the exercise of official authority vested in the data controller.
Legitimate Interests – Processing personal data will be lawful where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that the processing does not override the fundamental rights and freedoms of the data subject.
The Visual Learning Company’s legal basis for processing personal data is through the legitimate interest in the commercial provision of educational services.
Does The Visual Learning Company transfer personal data outside of the European Union?
The Visual Learning Company currently stores personal data in a cloud platform.
In respect of personal data stored in Commission’s set of models contractual “Standard Clauses” remains a valid approach to transfers of personal data from the EU to non-EU countries. The Visual Learning Company has released a Data Processing Addendum that contractually commits us to comply with the EU’s data protection principles. Our The Visual Learning Company customers can request a copy of this addendum by contacting info@Visuallearning.co.uk
In respect of personal data stored in Digital Ocean cloud platform. Digital Ocean provide extensive documentation regarding security practices, certifications and GDPR compliance commitments. GDPR compliance is included in The Visual Learning Company’s contractual commitments with Digital Ocean. Further information is available online from each party’s trust center resources at:
In addition, customer support teams located in London, may access personal data solely for troubleshooting and maintaining The Visual Learning Company’s services.
What security measures does The Visual Learning Company have in place to protect personal data?
The Visual Learning Company has implemented appropriate security measures to safeguard the confidentiality and integrity of customer data. These include tiered access to the platform, password access which is regularly changed, use of encryption software and recording systems which monitor platform access.
Does The Visual Learning Company engage any sub-processors?
The Visual Learning Company currently engages sub-processors to carry out Customer Relationship Management services and analytics services to assist us in the provision of our services. The Visual Learning Company’s sub-processors are required to comply with our standard data processing addendum for suppliers which reflect the rights of The Visual Learning Company customers as data controllers under the GDPR.
Customers may request details about the particular sub-processors used in their deployment and can request that they be notified of changes to those sub-processors and given a chance to object to any changes in the applicable sub-processors.
Can The Visual Learning Company customers search for their personal data on our systems?
The Visual Learning Company customers do not have access to search for their personal data on our systems. Only specified The Visual Learning Company employees are able to access this.
The Visual Learning Company will comply with all requests to access personal data in accordance with the requirements of the GDPR.
Can The Visual Learning Company customers delete their personal data from our systems?
The Visual Learning Company customers cannot directly access our systems and delete the personal data we store. However, they can request for part, or all of their personal data that we store on our systems to be deleted.
The Visual Learning Company will comply with all requests to delete personal data in accordance with the requirements of the GDPR.
Can The Visual Learning Company customers export their personal data from our systems?
The Visual Learning Company customers cannot directly access our systems to export personal data. However, The Visual Learning Company customers can request for an exported version of all their personal data that we store on our systems.
For security reasons, The Visual Learning Company will only comply with a request sent by the nominated ‘Key Contact’ (an individual that every The Visual Learning Company customer nominates when joining The Visual Learning Company).
Is The Visual Learning Company maintaining Data Processing Records?
The Visual Learning Company fully complies with the requirements under the GDPR to maintain records of processing activities carried out on behalf of our customers. This includes the types of processing and any transfers of personal data.
We contractually require our approved sub-processors to comply with the same requirements.
What if The Visual Learning Company encounters an unauthorised breach of data?
The Visual Learning Company will immediately report any personal data breach to our customers in full compliance with the GDPR.
Does The Visual Learning Company have an EU data protection representative?
We have designated our UK entity, The Visual Learning Company Limited, as our EU data protection representative. The contact information for our EU data protection representative is as follows:
13 Knights Templar way
High Wycombe, Bucks
Phone: 0333 123 2020
We hope you have found this document helpful and informative. For more information about GDPR compliance or our privacy program please contact us at info@Visuallearning.co.uk
This document is designed to help organisations understand the GDPR in connection with The Visual Learning Company’s services. However the information contained in this document should not be construed as legal advice and organisations should obtain their own legal advice in respect of their own obligations under the GDPR.