GDPR compliance

What is the GDPR?

The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and standardizes data protection law across EU member states. The GDPR gives individuals in the EU greater rights over their personal data, and requires businesses to be more accountable and transparent about how they collect and process that personal data. There are seven key principles:

  • Process data lawfully, fairly, and in a transparent manner.
  • Collect data for a specified purpose, and don't process it further in a way incompatible with that purpose.
  • Limit the data collected to what is necessary.
  • Ensure the accuracy of personal data.
  • Don't store personal data longer than needed.
  • Put security measures in place to protect personal data.
  • Take responsibility for what you do with personal data.

Data controller or processor?

Under the GDPR, there are different obligations for data controllers and data processors. Controllers are organizations that determine the purposes and means of processing personal data. Processors are typically third parties that process personal data on behalf of the controller and on its instructions.

CompetencyCore is considered a data processor because we do not decide or change the purpose for which information provided by clients is processed, and we don't transfer that information to third parties without authorization from the client. Each client controls the data on their own CompetencyCore site.

How does CompetencyCore comply with the GDPR?

As a data processor, we are committed to protecting personal data. On May 17th 2018, we released a new version of CompetencyCore that supports the rights of individuals in the EU under the GDPR and helps our clients meet their obligations as data controllers.

We've revised our internal policies, procedures, and working practices to meet the requirements of the GDPR. Our updated Privacy Policy documents the personal data we collect and how it's used. We also use a variety of proactive tools and processes to find vulnerabilities, protect against data leaks, prevent injection attacks, and ensure system stability and security.

Right to be informed

When new users access CompetencyCore for the first time, they're requested to agree to the Terms & Conditions and are presented with our Privacy Policy. The Privacy Policy can also be accessed from a user's personal menu. When we update either of these documents, they're presented to users again.

We've also added a notification to the Login page so users know we use cookies to authenticate their session when they log in to CompetencyCore.

Right of access and data portability

Administrators can export a CSV file of each user's personal data. This includes the user's contact details and data provided about the user from their profile, assessments, plans, and tests. Check out the Manage users article to learn how to download this information.

Right to rectification, restriction of processing, and objection

Each client can add their administrator's contact information to the Privacy Policy. Employees can contact the administrator with questions, complaints about how their data is being used, requests for corrections, or objections to the processing of their information. Check out the Brand my site article to learn more.

Right to be forgotten

CompetencyCore allows administrators to disable or delete user accounts, so you can respond to a user's request to erase their personal data from your site.