The purpose of this privacy statement is to tell you what kind of information is collected in the Priima learning management system, how the information is processed and how it is protected.
|Register name||Customer specific Priima user register|
|Controller||Each Customer is the controller of the user register of their own Priima environment|
Kiviharjunlenkki 1 B
+358 20 718 1850
|Contact person for GDPR||Esko Pulkkinen|
Kiviharjunlenkki 1 B
+358 20 718 1850
Processing of personal data owned by the customer, groups of data subjects and types of personal data
When using the Priima learning management system, the customer adds personal data about, for example, its own staff, partners or other interest groups using the service. The customer owns this user register, which makes the customer the controller and Discendum Oy the processor of personal data. Discendum Oy processes the Customer’s personal data on behalf of, and as commissioned by, the Customer.
As processor, Discendum Oy has access to user data added by the customer. Compulsory data fields in the service are e-mail, first name and last name. Additional data fields are: username, password, phone number and address. The Customer’s environment admin can enable saving of the personal identity code in the environment by making the personal identity code field available for users.
The basis and purpose of processing personal data
Discendum Oy processes personal data in order to provide the Priima learning management system service as described in the Contract between the Customer and Discendum. In addition, personal data is used to identify users technically and to provide secure access. Users can check their own saved data: course completions, assignments, completions, a list of files uploaded by the user and their own personal data. When a user submits a request to an admin user named by the Customer, their login details and all data can be deleted.
Discendum Oy never processes personal data owned by the customer unless the customer initiates it, for example by getting in touch to resolve a problem. If solving the problem requires processing of personal data, written permission is always requested from the customer.
Applicable information security measures
Discendum actively monitors the implementation and state of information security, both on a general level and with regard to its own services. A designated person is responsible for information security as a whole.
Discendum monitors the state of the learning management systems it offers and informs customers of any possible data leak at once, as agreed in the escalation procedure.
Information security policy
Information security is a central part of Discendum’s business. The aim of Discendum’s information security policy is to ensure the confidentiality, integrity and availability of all information, both the customer’s and Discendum’s, at every stage of data processing. The services and functionalities have to be reliable and protected so that compliance with laws and contractual obligations is ensured.
The incident response plan describes the actions taken when a general or service-related information security incident is detected in the organization.
The rights and obligations of the customer as controller
The Customer is responsible for responding to data requests concerning its own register, the registered users and their rights. In addition, the Customer takes care of informing the end users. The customer organization is responsible for the data protection of information related to user accounts as well as materials and other information that they bring up, such as results, that have been created in the Priima environment.
Discendum Oy has trained its staff regarding the General Data Protection Regulation. In addition, all individuals that have the right to process personal data are obligated to observe confidentiality.
The user data saved in the users’ contact information in the Priima environment can be viewed by the customer’s admin users via the Priima interface. Admin users are users that have the rights to manage the environment.
Users who have rights to manage courses can always see the names of all environment users, and their profile pictures if the user has set one. Each user can allow or prevent others from seeing the profile information set by the user. However, the contact information set in the environment administration is always visible to admin users.
Users can see other users’ information saved in their profiles if those users have enabled it. There is a setting in the user profile: Other people can see my profile.
Major updates that change the functionalities of the system are verified to work properly in a separate test environment before being released to the production servers.
Transferring or processing Data outside EU or EEA
Discendum does not transfer or process personal data outside the EU or EEA without written consent from the Customer. The Customer and Discendum agree beforehand, in the contract or in an attachment to the contract, on all personal data transfer or processing outside the EU or EEA, and such transfers and processing are in principle subject to the model contractual clauses adopted by the European Union for the transfer of personal data outside the EU / EEA.