General Data Protection Regulation

Introduction 

The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Although it is an EU regulation, its scope extends beyond the EU, affecting any entity that processes personal data of EU citizens, regardless of location. This document provides an overview of individual rights under the GDPR and how these rights impact D2L customers. 

If you have been granted access to Brightspace or other D2L services by your institution (educational or otherwise), employer, or organisation (“Organisation”), you should contact them directly to understand their policies and practices regarding your personal data. 

This document is intended for informational purposes only and should not be considered legal advice. For specific legal guidance, consult a qualified legal professional familiar with your compliance requirements. 

D2L’s Approach to GDPR Compliance 

D2L, a company with its roots in Canada, already aligns closely with GDPR principles due to Canada’s data protection framework. The EU has recognized Canada’s privacy laws as providing adequate protection for data transfers. More information on this adequacy decision can be found here: European Commission – Adequacy Decisions

For EU operations, D2L utilizes AWS infrastructure located within the EU. Access to data by D2L’s affiliate offices is limited to support and maintenance activities, and such access is governed by EU Standard Contractual Clauses to ensure compliance with GDPR. 

To reinforce our commitment to data security, D2L has achieved ISO 27001, ISO 27701, ISO 27017 and ISO 27018 certifications, ensuring that our data safeguards follow industry best practices. We conduct annual security audits and maintain our ISO certification to demonstrate compliance with GDPR. D2L is among the few Learning Management System (LMS) providers to hold compliance certifications directly rather than relying solely on hosting partners. For security-related details and certification requests, visit: D2L Security

Rights of Individuals under the GDPR 

The GDPR grants individuals several rights regarding their personal data. Below is an overview of these rights and how they relate to D2L’s Brightspace platform. 

1. Right to Be Informed 

Individuals must be informed about data collection and processing. D2L processes personal data based on a contractual agreement with you and relies on your Organisation to obtain appropriate legal consent from end-users. If a user contacts D2L directly regarding data collection, we will direct them to your Organisation and notify you of the request. 

2. Right to Access Personal Information 

Individuals have the right to access their personal data. Brightspace users can view most of their personal data directly through the platform, depending on permissions (e.g., administrators have more access than students). While D2L collects some system usage data (e.g., event logs, page views), it is typically anonymized. If you receive an access request requiring D2L’s assistance, please contact D2L Support to open a service ticket. We aim to fulfil such requests within 30 days, and we will notify you if we believe it will take longer to complete. 

If D2L receives a data access request or subject access request directly from your users, we will instruct them to contact you, as you are the data controller. 

3. Right to Erasure (Right to be Forgotten) 

Individuals can request the deletion of their personal data when it is no longer necessary. However, this right is not absolute. If data is required to fulfil contractual obligations (e.g., student records necessary for graduation), it may still be retained. To have data erased, please contact D2L Support to open a service ticket. Administrators at organisations can archive data but cannot perform a full erasure.

D2L provides options within Brightspace to allow you to meet your data retention policies for your organisation. 

4. Right to Restrict Processing 

Individuals can request that data processing be restricted in specific cases, such as: 

  • When data is inaccurate and needs correction. 
  • When an objection to processing is under review. 
  • When processing is unlawful but the individual prefers restriction over deletion. 
  • When data is needed for legal claims.

Brightspace provides tools to help you comply with these requirements.

Correcting inaccurate data in most circumstances is under your control with the features available in Brightspace or by changing data with which Brightspace synchronises. 

5. Right to Object to Automated Decision-Making & Profiling 

If automated processing affects an individual’s rights, they can: 

  • Request human intervention. 
  • Express their point of view. 
  • Obtain an explanation and challenge decisions.  

D2L’s tools may generate course success predictions, but ultimate decisions require human action. 

6. Right to Rectification 

Individuals have the right to correct inaccurate personal data. Most data can be updated directly within Brightspace or in systems synchronized with it. If assistance is needed, D2L Support is available to help. 

7. Right to Data Portability 

This right allows individuals to obtain their data in a portable format. In Brightspace, course, achievement, and grade information is not directly transferable to another school or corporation; for example, the assignments, materials, and achievements in an Introduction to Astronomy course may not be taught in a similarly named course at another school. Individuals should not expect that certain elements of personal information within Brightspace (such as achievements or quiz attempts) can be moved and imported into another school's or corporation's Learning Management System. For educational customers, the student transcript is the key piece of information that is transferable between institutions to determine course equivalence. Students who use ePortfolio can export their learning artifact files and import them into another ePortfolio system.

8. Right to Object to Data Processing 

Individuals may object to processing based on: 

  • Legitimate interests or public interest tasks. 
  • Direct marketing. 
  • Scientific or statistical research.  

D2L processes personal data as necessary to provide you with the services. If we receive an objection from your users, we will direct them to you. 

D2L does not use the data it collects through Brightspace and its associated products to market to our customers’ end-users. Information about data collected for marketing purposes through D2L corporate websites and our privacy policy surrounding how we use that information may be found here: https://www.D2L.com/legal/privacy/ 

Additional Resources 

For more details on GDPR, visit the UK Information Commissioner’s Office (ICO) website: ICO GDPR Overview

Legal Disclaimer 

THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY AND DOES NOT CONSTITUTE LEGAL ADVICE. FOR SPECIFIC GUIDANCE, CONSULT A PROFESSIONAL ADVISOR FAMILIAR WITH YOUR COMPLIANCE REQUIREMENTS.