We want the information presented in this article to be as useful as possible, but it can't be relied on as legal advice. We always recommend consulting a qualified legal advisor to understand your business's legal obligations.
What are my obligations under data protection law?
The obligations that your business is subject to depends on the location of your business and the location of the individuals that you gather data from.
- Businesses in the European Union (EU) or European Economic Area (EEA): you must comply with the General Data Protection Regulation (GDPR).
- Businesses in the UK: you must comply with the UK GDPR. (Following Brexit, the UK is no longer subject to GDPR. However, the UK Data Protection Act 2018 replicates most of GDPR and creates obligations for UK businesses that are termed 'UK GDPR'. In practical terms, there is little difference between GDPR and UK GDPR for most businesses, but this may change over time.)
- Businesses outside the EU/EEA/UK: you must comply with GDPR or UK GDPR if you provide services aimed at individuals who are located inside the EU/EEA/UK. You may also be subject to additional data protection laws in your local territory.
To understand your data protection obligations, we recommend that you consult your local data protection authority's guidance. You should seek the help of a legal advisor if necessary.
If you are located in the UK, the Information Commissioner's Office guide to UK GDPR compliance can help you understand your obligations. You can find the guide by clicking here.
What is the status of the data my business gathers via the Lumina Platform?
When you use the Lumina Platform, you gather data from individuals who complete questionnaires and other tasks. We term these individuals Participants.
You are the data controller of any information you gather from Participants. This includes:
- First and last name
- Email address
- Gender or pronoun preferences
Depending on the Lumina Learning products you use, you additionally gather the following data:
- Self-assessment products: individuals assess their workplace behaviours and competences using a likert scale (e.g. scale of 1-5).
- 360-feedback products: individuals assess other individuals' workplace behaviours and competences using a likert scale.
- Some products allow individuals to enter free-text comments (Lumina Leader, Lumina Emotion, Spark Coach).
What is the relationship between my business and Lumina Learning?
You are the data controller of any information you gather or store about Participants in the Lumina Platform. Lumina Learning is your data processor.
We process the data you control in accordance with the Data Processing Agreement in our business agreement.
What is a Privacy Notice? Does my business need one?
Any business that is subject to GDPR or UK GDPR must display a privacy notice to individuals when gathering their data.
A privacy notice explains in simple, easy to understand language everything individuals need to know about how your business uses their data. This includes the types of data you gather, how it is used and who it will be shared with.
The UK Information Commission's Office guide to creating a privacy notice can be viewed by clicking here.
Sample Privacy Notice
We at Lumina Learning are located in the UK, meaning we are subject to the UK GDPR. When we gather data from Participants, we do so in accordance with our Participant Privacy Notice.
You can view our privacy notice by clicking here.
We are providing this privacy notice for illustrative purposes only and you must ensure that your business's privacy notice accurately reflects its specific circumstances and complies with your local data protection law.
How do I insert my Privacy Notice into the Lumina Platform?
The Lumina Platform allows you to display your privacy notice to Participants at the point at which they register to join one of your projects. Your privacy notice is displayed before any data is shared with you.
Our guide on how to use this feature is located here.