Cisco NetAcad GDPR FAQ
1. What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets rules for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. GDPR came into effect across the EU on May 25, 2018.
2. What kind of information does the GDPR apply to?
GDPR applies to personal data, which is "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". For more information on this, please visit the Cisco Trust Center.
3. What are the basic concepts around GDPR?
- Personal Data: Any information relating to an identified or identifiable natural person (i.e., the data subject).
- Processing: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Controller: The entity that is responsible for making decisions regarding the processing of personal data and that has the direct relationship with the individual data subjects (e.g., when handling employee data, Cisco acts as the Data Controller).
- Data Processor: The natural or legal person processing personal data on behalf of the data controller. The GDPR has significantly changed the level of responsibility and accountability of the data processor. Under GDPR, data processors have direct liability and are directly subject to regulatory enforcement and civil actions. The GDPR also imposes statutory obligations with regard to documenting processing, reporting data breaches to the data controller, deleting personal data, etc. Notably, when providing products and services to our customers, Cisco acts primarily as a data processor with respect to customer content.
4. Are Cisco and the Cisco Networking Academy program GDPR ready?
We have done what is necessary to meet the legal and contractual requirements of GDPR as it stands today. We will closely follow how the interpretation of GDPR will evolve and make changes as deemed necessary.
5. What has Cisco done to be GDPR ready?
1. Implemented Data Protection Program
Cisco has developed an industry-leading, enterprise-wide Data Protection Program. This program is focused on data protection policies, risk landscape, impact assessment management, incident response processes, and data valuation analysis. Cisco’s roadmap for GDPR readiness is based on 6 main pillars which we believe every company striving to be “GDPR-ready” should follow. These include:
- Policies and Standards – Develop standards and processes to define the Personal Data lifecycle and help ensure data accuracy, accessibility, completeness, and consistency.
- Identification and Classification – An inventory and map of our data landscape, including per offering, identifying what data we have, where it is, where it flows, and who has access to it.
- Data Risk and Organizational Maturity – Focus on understanding the risks and conduct threat modeling for each of the unique data sets. Assess the risk and organizational strengths and weaknesses to understand maturity.
- Incident Response – An enterprise-wide, data incident response process that is integrated with our business continuity processes.
- Oversight and Enforcement – A centralized data protection governance overseeing, monitoring and enforcing the adherence to policy and standards, including data and security remediation, third party vendor oversight, monitoring and audit.
- Privacy and Security by Design – Integration of privacy and security requirements into our product design and development methodologies. In doing so, our offerings are created with privacy requirements embedded in the development cycle from concept to validation.
2. Adopted International Transfer of EU and Swiss Personal Data
GDPR requires companies to adopt certain legal mechanisms when transferring personal data from EU countries. To address this requirement and our customers’ requests on how Cisco will lawfully transfer personal data outside of the EU and Switzerland, Cisco has taken the following steps:
- Cisco is certified under the EU-US and Swiss-US Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the EU and Switzerland.
- Cisco has a publicly available Cloud Services EU Data Processing Addendum for cloud offerings that includes model contractual clauses to lawfully allow the transfer of personal data from the EU to the rest of the world.
3. Completed Third-party Reviews
Cisco has obtained several third-party certifications for our products and services. For example, Cisco WebEx is ISO 27001 and SSAE-16, SOC2 certified. Cisco also successfully completed the ISO 27001 certification across our entire services business worldwide. These certifications reinforce our commitment to protecting Cisco and our customers. With Cisco as a trusted partner, customers can be confident that safeguards are in place to protect their data.
For more information, review the following:
6. Who are EU Minors according to GDPR? What are requirements for Minors as per GDPR?
EU Minors for the purposes of GDPR are those children who are in Europe and are less than 16 years of age. EU Minors are required to provide Parental/Guardian consent to access any online resources.
7. How can Members or Users access or modify their personal data that is saved, used, and processed by Cisco Networking Academy?
The GDPR provides Users with the right to access their personal data. Cisco Networking Academy allows Members of the platform to access, view, or change all User-generated Information in their Cisco NetAcad.com Profile. Users may print all the information using standard browser functionality. The date of birth is used for validating a User in the event of any fraud and can only be changed by contacting Cisco NetAcad Support or opening a support ticket. There is no time restriction on accessing this data for active Cisco Networking Academy members.
8. How can Members or Users of Cisco Networking Academy Program request a list of Cisco Partners - Third Parties with whom their personal information is being shared?
Cisco Academies and Third parties are Cisco Partners. The Cisco Academies are authorized by Cisco to use Cisco content and learning offerings to teach IT and Networking classes. Third parties are contractually bound to provide managed services to Cisco Networking Academy Program like support, application development, integration, etc.
If Members or Users would like more information about the Third-Party Service providers that their personal data is shared with and the purposes for the same, they may send an email to firstname.lastname@example.org with a Subject that includes, “Request for information about NetAcad Third parties”.
9. How can Members or Users request their personal information to be removed from Cisco NetAcad Platform?
In the event that current members or alumni students want to delete their personal information from the Cisco NetAcad Platform, then they may do so by emailing email@example.com. Cisco will process their request in a timely manner.
Note: After a Member’s PII (Personal Identifying Information) has been removed from Cisco NetAcad Platform, you will no longer be able to find the account or reactivate it.
10. What changes have been made to business policies, systems and processes of the Cisco Networking Academy Program to support the Parental/Guardian consent requirement for EU Minors under the age of 16 years old?
The following changes have been made by the Cisco Networking Academy program and within the Cisco NetAcad Platform:
- No EU Minors can enroll in self-paced learning courses offered directly by Cisco unless a change in business policy takes place.
- EU Minors who are already enrolled in self-paced learning courses offered directly by Cisco will continue having access to these courses if they provide Parental/Guardian consent to Cisco.
- EU Minors who are enrolled in self-paced learning or Instructor-led courses offered by Cisco Academies will have to provide Parental/Guardian consent to that Cisco Academy per the guidelines of that Cisco Academy.
- If an EU Minor is enrolled in courses with Cisco and a Cisco Academy, they will have to provide Parental/Guardian consent to both Cisco and the Cisco Academy separately.
- If Parental/Guardian consent is not received by Cisco within a reasonable time as included in communications sent by Cisco, their access to the courses offered directly by Cisco will be impacted, their NetAcad account may be de-activated, and eventually their account may be deleted by Cisco.
11. In which languages is the Cisco Networking Academy Program GDPR FAQ available?
The Cisco Networking Academy Program GDPR FAQ will be available in Spanish and French in addition to standard American English.