We want the information presented in this article to be as useful as possible, but it can't be relied on as legal advice. We always recommend consulting a qualified legal advisor to understand your organisation's legal obligations.
Contents
Key data protection terminology
What are my organisation's obligations under data protection law?
Does my organisation gather personal data when using the Lumina Platform?
What is the relationship between my organisation and Lumina Learning?
What is a Privacy Notice and does my organisation need one?
How do I add a Privacy Notice to the Lumina Platform?
What is personal data?
GDPR defines personal data as follows:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Key data protection terminology
Below is a selection of key terms from GDPR that help when reading this article.
Data processing:
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Data controller:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Data processor:
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
What are my organisation's obligations under data protection law?
Your organisation may be subject to data protection laws depending on the location of your organisation and the location of the individuals that you gather personal data from.
- Organisations in the European Union (EU) or European Economic Area (EEA): must comply with the General Data Protection Regulation (GDPR)
- Organisations in the UK: must comply with the Data Protection Act 2018. The UK's data protection rules may also be referred to as 'UK GDPR'
- Organisations outside the EU/EEA/UK: must comply with GDPR or UK GDPR if services are targeted to individuals who are located inside the EU/EEA or UK. Organisations must also comply with any data protection laws in their local territory
To understand your organisation's data protection obligations, we recommend that you consult your local data protection authority's guidance. You should seek the help of a legal advisor if necessary.
If you are located in the UK, the Information Commissioner's Office guide to UK GDPR compliance can help you understand your obligations. You can find the guide by clicking here.
Does my organisation gather personal data when using the Lumina Platform?
Yes, when your organisation uses the Lumina Platform, it gathers personal data from individuals who complete questionnaires and other tasks. We term these individuals Participants.
Your organisation is the data controller of any personal data it gathers from Participants. This includes:
- First and last name
- Email address
- 'Language Option' (linguistic gender) preferences
Depending on the Lumina Learning products you use, your organisation additionally gathers the following personal data:
- Self-assessment products: individuals assess their workplace behaviours and competences using a Likert scale (e.g. a scale of 1-5)
- 360-feedback products: individuals assess other individuals' workplace behaviours and competences using a Likert scale
- Some products allow individuals to enter free-text comments (Lumina Leader, Lumina Emotion, Spark Coach)
What is the relationship between my organisation and Lumina Learning?
You are the data controller of any personal data you gather or store about Participants in the Lumina Platform. Lumina Learning is your data processor.
We process the data you control in accordance with the Data Processing Agreement in our customer agreement.
What is a Privacy Notice and does my organisation need one?
Any organisation that is subject to GDPR or UK GDPR must display a privacy notice to individuals when gathering their data.
A privacy notice explains in simple, easy-to-understand language everything individuals need to know about how your business uses their personal data. This includes the types of data you gather, how it is used and who it is shared with.
The UK Information Commissioner's Office guide to creating a privacy notice can be viewed by clicking here.
How do I add a Privacy Notice to the Lumina Platform?
The Lumina Platform allows you to display your organisation's privacy notice to Participants at the point at which they register to join one of your projects. The privacy notice is displayed before any data is shared with your organisation.
Our guide on how to use this feature is located here.