EU General Data Protection Regulation
GDPR-compliant LMS infrastructure
Learning management systems process personal data on behalf of your organization — tracking learner progress, storing completion records, and managing certifications. When that data includes personal information, your LMS infrastructure is a GDPR data processor. We ensure yours is compliant.
What is the GDPR?
Learning management systems sit at the centre of your organization's training data. Every course enrollment, quiz result, and certificate issued contains personal data. GDPR applies to every system that processes personal data — not just the HR systems where employee records reside. That includes your LMS.
- In force since: 25 May 2018
- Scope: Any org processing EU personal data
- Max fine: €20M or 4% of global turnover
- Breach reporting: 72 hours
Key GDPR obligations for LMS platforms
Learning management systems are data processors — they store and process personal data about your learners. These six articles govern what obligations that creates.
Art. 5 — Principles of processing
LMS platforms must process learner data only for the purposes for which it was collected. Completion records and quiz responses should be retained for defined periods and then purged. We support configurable data retention policies.
Art. 6 — Lawful basis
Processing learner data requires a valid lawful basis — typically employment contract, legitimate interest, or consent. Your LMS is a processing activity and should appear in your Record of Processing Activities (Art. 30).
Art. 17 — Right to erasure
If a learner or employee requests deletion, you must remove personal data from LMS records, completion logs, and certificates. We support data deletion requests and configurable retention windows.
Art. 28 — Data Processor
We act as your data processor for any personal data stored in your managed LMS. Our DPA covers Moodle and Open edX — and the infrastructure sub-processors involved.
Art. 32 — Security of processing
LMS platforms need the same security standards as any data processor. Our deployments use encrypted storage, isolated tenant environments, and access controls — protecting learner data.
Art. 33 — Breach notification
If a breach affects personal data on our managed LMS infrastructure, we notify you within 72 hours so you can meet your reporting obligation to your supervisory authority.
Art. 30 — LMS as a documented processing activity
Under GDPR Art. 30, data controllers must maintain a Record of Processing Activities (RoPA). Your LMS is one of those activities — it processes personal data about employees, students, and external learners.
- Document your LMS in your RoPA: what learner data you collect, for what purpose, under which lawful basis, and how long you retain it
- Data minimization: configure your LMS to collect only the fields necessary for your training objectives — avoid storing unnecessary personal attributes
- Retention policies: configure completion record and activity log retention limits so the system purges personal data after your defined retention period
What we provide for GDPR compliance
- Data Processing Agreement (DPA) on request
- EU data residency — Nuremberg (primary) + Falkenstein (DR)
- Audit logs retained and exportable
- Data export on request (Art. 20 portability)
- Data deletion on request (Art. 17 erasure)
- 72-hour breach notification to you (Art. 33)
- Encrypted backups stored within the EU
- Sub-processor list available on request
Your GDPR-compliant LMS stack
Two managed learning platforms — running on EU infrastructure with DPA coverage for all personal data stored in your LMS.
LMS storing personal learner data?
Request our DPA for your managed LMS infrastructure and discuss how to document your learning platform in your Record of Processing Activities.