1. What GDPR compliance means for
Open Badge Factory and Open Badge
Passport users
Eric Rousselle
2. About the EU General Data Protection
Regulation
• We’ve always been committed to protecting personal data in all our
services
• The EU General Data Protection Regulation (GDPR) is beneficial for
all parties as it sets clear rules for personal data protection
• GDPR brings transparency and therefore supports trust
• We’ve made the necessary modifications to make OBF and OBP GDPR
compliant before May 25, 2018, the date from which GDPR applies
• OBF and OBP will be updated on May 22 and 23
3. GDPR terminology
• Personal data is any information relating to an identified or
identifiable living individual
• Data subject means the individual to whom the personal data
relates
• Data controller means the person or, usually, organisation which
determines the purposes for which and the manner in which
any personal data are, or are to be, processed
• Data processor means any person (usually an organisation)
which processes personal data on behalf of the data controller
4. What rights does GDPR give to individuals?
• a right of access to a copy of their personal data
• a right to object to processing
• a right to have personal data rectified, blocked (processing
restricted), erased or anonymised
• See the complete list:
https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/
5. Data protection principles
• Personal data shall be processed lawfully, fairly and transparently
• Personal data shall be processed in accordance with the rights
of data subjects
• Personal data shall not be transferred to a country or
territory outside the European Economic Area unless that
country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to the
processing of personal data, or appropriate safeguards (such as
standard contractual clauses) are in place
• See: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
6. GDPR and Open Badge Factory
• The data controller is the customer organisation using OBF to
create and issue badges
• The data processor is the service provider (Discendum)
• The OBF customer’s admin(s) and registered users (creators and
issuers) are data subjects
• Badge recipients are also data subjects, because their
personal data is processed in order to issue badges (email
address, name, surname, and any data submitted in badge
application forms)
7. How can data subjects access their personal data?
• Registered OBF users can list their personal data in OBF and erase
their account and all their personal data if they wish to do so
• When receiving a badge, a badge recipient gets a link to check
(using their email address) what personal data about them is stored and
processed in OBF
• A badge recipient can request that their personal data (name, surname,
email address, and possibly data submitted in badge request /
application forms) be anonymised or erased
• Data subjects’ requests have to be handled by the data controller
(customer) without undue delay and in any event within one month of
receipt (GDPR Article 12(3); the period may be extended by two further
months for complex or numerous requests, provided the data subject is
informed within the first month)
• The data processor cannot and will not anonymise or erase personal data
on behalf of the data controller (customer); the customer must act on
the request itself
8. OBF documents
• DPA (Data Processing Agreement)
• This document is an annex to, and part of, the agreement between the
Service Provider and its Customer. The purpose of this annex is to
agree on the privacy and data protection of the Customer’s personal
data in the services of the Service Provider.
• Terms and Conditions
• Privacy notice (annex to the Terms and Conditions)
• Tells users what data is processed, on what legal basis and for what
purpose.
• These documents will be displayed to users when they log in to OBF (May
22). No agreement needs to be signed: continued use of OBF is considered
acceptance of the documents.
10. GDPR and Open Badge Passport
• From a GDPR point of view, OBP is a straightforward case
• The service provider is both the data controller and the data processor
• OBP users are data subjects
• Users create their own accounts in OBP (accounts aren’t
created on their behalf)
• Users bring their own personal data to OBP
• Users have access to their personal data
• Users can delete all their personal data and their account
• The service provider doesn’t delete data on behalf of the user
11. OBP documents
• Terms and Conditions
• Privacy notice (annex to the Terms and Conditions)
12. Good to know
• Both OBF and OBP are hosted in an EU country (Finland)
• The cloud service provider hosting both OBF and OBP is GDPR compliant
• Complying with GDPR is mandatory for all organisations established in
the EU, and also for organisations outside the EU that offer services to
people in the EU
• OBF and OBP data is protected (firewalls, etc.) and backed up daily. Stored
passwords and network connections are encrypted
• OBF’s and OBP’s data processor (service provider) doesn’t transfer any data to
other services (except for backup purposes)
• When a customer issues badges from a Learning Management System using an OBF
plugin, some data is transferred between the two systems
• Badges are usually hosted on OBF’s server, but in some cases a customer can set up
their own Badge Record Storage to host their badges on their own server
13. OBF and OBP are “low risk services”
• The personal data stored and processed in both systems does not fall
into the special categories of personal data (“sensitive data”, GDPR
Article 9)
• The amount of personal data processed is small
• Open Badges is an earner-centric concept: the recipient always decides
how to use and display their badges
• Badge earners have the right not to display or share their badges, but it
is good to keep in mind that the Open Badges concept has been built to
recognise and communicate achievements, skills, competencies,
attitudes, etc., and therefore openness and sharing are at the core of the
concept!