[{"data":1,"prerenderedAt":302},["ShallowReactive",2],{"docs-compliance-en":3,"docs-nav-en":285},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"order":10,"body":11,"_type":279,"_id":280,"_source":281,"_file":282,"_stem":283,"_extension":284},"\u002Fdocs\u002Fcompliance","docs",false,"en","Compliance & privacy","Data minimisation and auditability as guiding principles.",4,{"type":12,"children":13,"toc":270},"root",[14,22,28,35,71,77,111,117,129,174,193,199,218,237,243,248,252],{"type":15,"tag":16,"props":17,"children":19},"element","h1",{"id":18},"compliance-privacy",[20],{"type":21,"value":8},"text",{"type":15,"tag":23,"props":24,"children":25},"p",{},[26],{"type":21,"value":27},"At ValidLearn, data minimisation and traceability are not bolted on afterwards —\nthey are anchored in the data model. Here is what that means for you.",{"type":15,"tag":29,"props":30,"children":32},"h2",{"id":31},"three-questions-that-can-always-be-answered",[33],{"type":21,"value":34},"Three questions that can always be answered",{"type":15,"tag":36,"props":37,"children":38},"ol",{},[39,51,61],{"type":15,"tag":40,"props":41,"children":42},"li",{},[43,49],{"type":15,"tag":44,"props":45,"children":46},"strong",{},[47],{"type":21,"value":48},"What data do we collect?",{"type":21,"value":50}," Only the fields needed for training and proof —\ndocumented in the data model.",{"type":15,"tag":40,"props":52,"children":53},{},[54,59],{"type":15,"tag":44,"props":55,"children":56},{},[57],{"type":21,"value":58},"Where does data flow?",{"type":21,"value":60}," Nowhere except the platform's own database and — for\nreminder emails — its own SMTP server.",{"type":15,"tag":40,"props":62,"children":63},{},[64,69],{"type":15,"tag":44,"props":65,"children":66},{},[67],{"type":21,"value":68},"What does each dependency do?",{"type":21,"value":70}," Every component in use is documented; nothing\n\"phones home\".",{"type":15,"tag":29,"props":72,"children":74},{"id":73},"gdpr-in-practice",[75],{"type":21,"value":76},"GDPR in practice",{"type":15,"tag":78,"props":79,"children":80},"ul",{},[81,91,101],{"type":15,"tag":40,"props":82,"children":83},{},[84,89],{"type":15,"tag":44,"props":85,"children":86},{},[87],{"type":21,"value":88},"Data minimisation",{"type":21,"value":90}," by default — only what is needed for proof.",{"type":15,"tag":40,"props":92,"children":93},{},[94,99],{"type":15,"tag":44,"props":95,"children":96},{},[97],{"type":21,"value":98},"Access & deletion",{"type":21,"value":100}," via a defined process; retention obligations on\ncertificate records are kept cleanly separate from deletion.",{"type":15,"tag":40,"props":102,"children":103},{},[104,109],{"type":15,"tag":44,"props":105,"children":106},{},[107],{"type":21,"value":108},"Complete audit log",{"type":21,"value":110}," of relevant actions — who did what and when, append-only.",{"type":15,"tag":29,"props":112,"children":114},{"id":113},"proof-retention-may-take-precedence-over-the-right-to-erasure",[115],{"type":21,"value":116},"Proof retention (may take precedence over the right to erasure)",{"type":15,"tag":23,"props":118,"children":119},{},[120,122,127],{"type":21,"value":121},"For training compliance, the organisation may keep a ",{"type":15,"tag":44,"props":123,"children":124},{},[125],{"type":21,"value":126},"minimal record",{"type":21,"value":128},".\nPrecisely four fields:",{"type":15,"tag":78,"props":130,"children":131},{},[132,151,163],{"type":15,"tag":40,"props":133,"children":134},{},[135,137,142,144,149],{"type":21,"value":136},"the trained person's ",{"type":15,"tag":44,"props":138,"children":139},{},[140],{"type":21,"value":141},"first name",{"type":21,"value":143}," and ",{"type":15,"tag":44,"props":145,"children":146},{},[147],{"type":21,"value":148},"last name",{"type":21,"value":150},",",{"type":15,"tag":40,"props":152,"children":153},{},[154,156,161],{"type":21,"value":155},"the ",{"type":15,"tag":44,"props":157,"children":158},{},[159],{"type":21,"value":160},"\"passed on\"",{"type":21,"value":162}," date, and",{"type":15,"tag":40,"props":164,"children":165},{},[166,167,172],{"type":21,"value":155},{"type":15,"tag":44,"props":168,"children":169},{},[170],{"type":21,"value":171},"pass \u002F fail",{"type":21,"value":173}," result.",{"type":15,"tag":23,"props":175,"children":176},{},[177,179,184,186,191],{"type":21,"value":178},"Depending on the applicable retention obligation, this record may take precedence\nover the general GDPR right to erasure (Art. 17(3)(b) GDPR): it then stays\npermissible ",{"type":15,"tag":44,"props":180,"children":181},{},[182],{"type":21,"value":183},"even after the person leaves",{"type":21,"value":185}," the organisation — and may have to be\nretained, typically for ",{"type":15,"tag":44,"props":187,"children":188},{},[189],{"type":21,"value":190},"several years",{"type":21,"value":192},". An erasure request does not override an\nexisting statutory retention duty.",{"type":15,"tag":29,"props":194,"children":196},{"id":195},"what-the-organisation-sees-and-what-it-does-not",[197],{"type":21,"value":198},"What the organisation sees — and what it does not",{"type":15,"tag":23,"props":200,"children":201},{},[202,204,209,211,216],{"type":21,"value":203},"Only ",{"type":15,"tag":44,"props":205,"children":206},{},[207],{"type":21,"value":208},"pass\u002Ffail records",{"type":21,"value":210}," (the four fields above) reach the organisation. ",{"type":15,"tag":44,"props":212,"children":213},{},[214],{"type":21,"value":215},"No raw\nscores",{"type":21,"value":217},", no answer trails, no detailed results leave the learner's personal area.",{"type":15,"tag":23,"props":219,"children":220},{},[221,223,228,230,235],{"type":21,"value":222},"Richer data — e.g. the score achieved, attempts or answers — exists at most\n",{"type":15,"tag":44,"props":224,"children":225},{},[226],{"type":21,"value":227},"privately to the user",{"type":21,"value":229}," (visible only to the person themselves) and is ",{"type":15,"tag":44,"props":231,"children":232},{},[233],{"type":21,"value":234},"erasable",{"type":21,"value":236},"\nthere at any time. This way the proof remains intact without the organisation\nlearning more about the person than it needs for compliance.",{"type":15,"tag":29,"props":238,"children":240},{"id":239},"no-tracking",[241],{"type":21,"value":242},"No tracking",{"type":15,"tag":23,"props":244,"children":245},{},[246],{"type":21,"value":247},"Neither the learning platform nor this website uses analytics or tracking SDKs.\nThe website uses a single technical cookie for the language choice — nothing else.",{"type":15,"tag":249,"props":250,"children":251},"hr",{},[],{"type":15,"tag":23,"props":253,"children":254},{},[255],{"type":15,"tag":256,"props":257,"children":258},"em",{},[259,261,268],{"type":21,"value":260},"This page will be expanded around go-live. Detailed auditor documentation is\navailable to prospects on ",{"type":15,"tag":262,"props":263,"children":265},"a",{"href":264},"\u002Fcontact",[266],{"type":21,"value":267},"request",{"type":21,"value":269},".",{"title":271,"searchDepth":272,"depth":272,"links":273},"",2,[274,275,276,277,278],{"id":31,"depth":272,"text":34},{"id":73,"depth":272,"text":76},{"id":113,"depth":272,"text":116},{"id":195,"depth":272,"text":198},{"id":239,"depth":272,"text":242},"markdown","content:en:docs:compliance.md","content","en\u002Fdocs\u002Fcompliance.md","en\u002Fdocs\u002Fcompliance","md",[286,290,293,297,298],{"_path":287,"title":288,"order":289},"\u002Fdocs\u002Fgetting-started","Getting started",1,{"_path":291,"title":292,"order":272},"\u002Fdocs\u002Frecertification","Re-certification cycle",{"_path":294,"title":295,"order":296},"\u002Fdocs\u002Fphishing-inspector","The Phishing Inspector",3,{"_path":4,"title":8,"order":10},{"_path":299,"title":300,"order":301},"\u002Fdocs\u002Ffaq","FAQ",5,1780470257642]