Litmos & GDPR: Frequently Asked Questions

What is GDPR & when did it come into effect?

• GDPR stands for General Data Protection Regulation affecting “processing” (which includes the collection, storage, transfer or use) of personal data related to EU citizens, wherever they may be located physically.
• This is an EU regulatory scheme designed to replace a patchwork of laws with a single regulation that is enforced throughout the entire European Economic Area.
• GDPR protects the privacy rights of EU citizens and empowers their control of the collection and use of their personal data by giving them expended right in relation to their personal data.
• GDPR also places new obligations on organizations that market to, track or handle EU personal data, no matter where an organization is located.
• The regulation took effect in May 2018.

What constitutes personal data?

• Any information related to a natural person (called a ‘data subject’) that can be used to directly or indirectly identify the person.
• This is very broad and can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address.

What is the difference between a data processor and a data controller?

• A controller is the entity that determines the purposes, conditions and means of the processing
  of personal data.
• A data processor is an entity which processes personal data on behalf of the controller.
• In some instances, an organization can qualify as both.

Is Litmos a data processor or data controller in regard to my personal data?

• Litmos acts as a data processor (or sub-processor) for personal data provided to Litmos through our Customers and other third parties such as partners.
• If a data subject provides their personal data directly to Litmos (such as a website visitor, a conference attendee, an employee, etc.) Litmos acts as the data controller for that personal data. Note, if Litmos also processes that personal data in some fashion, Litmos also qualifies as a data processor in regard to that personal data.

How does Litmos handle the data processor obligations imposed under GDPR?

• For Litmos, keeping customer data secure is the highest priority. Along with ensuring data security, it is important that a customer’s confidence is always maintained and a high level of security around processes and protection is strongly demonstrated.
• At Litmos, we strongly value and base our business on the trust that our customers have placed upon us and will continue to earn and reinforce that trusted relationship by cooperating with requests related to our GDPR obligations.
• Litmos is committed to taking advanced measures to support and continuously enhance the security of our systems, to ensure that we collect and process personal data in a manner compliant with GDPR or any similar legislation.
• Litmos management strongly believes that “IT Security/Compliance is a key Business Enabler within a cloud company” and “Information Security Objectives and Strategy must be aligned with Litmos’ Business Objectives and Business Strategy”.

Who can we reach out to for further details regarding Litmos’ efforts in regard to GDPR compliance?

Should you have any questions on the ways in which Litmos is handles the enforcement of the General Data Protection Regulation, please reach out by emailing us at privacy@litmos.com .