-
Login
Privacy Notice - Learning Experience Platform (LXP)
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to the Learning Experience Platform
(LXP) "Tool" with respect to the privacy of all individuals whose personal data is processed and stored in the
Tool. This Privacy Notice should be read together with the ey.com Privacy Statement, and in case of any conflict
with the ey.com Privacy Statement, the terms of this Privacy Notice will prevail. Please read this Privacy Notice
carefully.
2. Who manages the Tool?
"EY" refers to one or more of the member firms of Ernst & Young Global Limited ("EYG"), each of which is a
separate legal entity and can determine the purposes and means for data processing in its own right (i.e. act as a
data controller or in a similar capacity). The entity that is acting as data controller (or similar capacity) by providing
this Tool on which your personal data will be processed and stored is EYGM Limited.
The personal data in the Tool is shared by EYGM Limited with one or more member firms of EYG (see "Who can
access your personal data" section 6 below).
The Tool is hosted on servers externally in an EY Managed MS Azure Data Centre: US Virginia or Ireland.
3. Why do we need your personal data?
The Tool is used to develop and deploy training content to client users.
Your personal data processed in the Tool is used as follows: personal data is processed and used to track
completion of learning content, create individual behavioral competency-based reports, and to create
benchmark reports and thought leadership. Information used for such benchmark reports is de-identified and
aggregated so that your personal information is not shared.
EY relies on the following basis to legitimize the processing of your personal data in the Tool:
Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data
controller or by a third party, except where such interests are overridden by the interests or fundamental rights
and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) is:
Conducting client engagements.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of
personal data concerning you based on the above legitimate interest(s).
4. What type of personal data is processed in the Tool?
The Tool processes these personal data categories:
*First name and last name
*UUID (unique user ID)
*Work email address
*Company name
*Work function
*Work rank
*Work role
*Assessment results
*Completion status of learning content (not started, in-progress, completed)
5. Sensitive personal data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs,
trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or
sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool's intention is not to
process such information.
6. Who can access your personal data?
Your personal data is accessed in the Tool by the following persons/teams:
LXP Builder: EY employees will have access to the data in the system. The client only has access to the static
files generated from the system.
LXP Portal: EY employees and any client-identified system administrators will have access to the data within the
system. In some cases that super admin will be an EY employee or client employee depending on who is hosting
the content.
Anonymized UUID may be shared with a third-party learning content provider to track learning completion
status.
Your personal data is accessed for the following purposes and levels of access.
LXP Builder:
*User - user role has assigned access to specific client/project data. Admins assign this access on an as needed
basis. (user needs access in order to develop the courses) - (read/write)
*Admin - admin role can add/remove/edit clients and projects as well as add/remove/edit users and
assign them to projects. (admins are responsible for assigning users to projects when they are part of
the client engagement) - (read/write/delete)
LXP Portal:
*User - user role can login and access learning objects assigned to them. (users need access to take the
training and manage their content) - (read, write limited account-based data)
*Admin - admins can run reports as well as manage user roles and access. (admins need access to
perform their duties assigned by the client) - (read/write access-based privilege assigned by super
admins)
*Super - super admins have all admin access as well as ability to add/remove/edit content objects.
(these users have full access to act as system administrators, they ultimately are required to manage
content and users).
Users could be located anywhere based on the client need and type of deployment.
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions
outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations).
An overview of EY network entities providing services to external clients is accessible here (See Section 1 (About
EY) - !View a list of EY member firms and affiliates"). EY will process your personal data in the Tool in accordance
with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY
network are governed by EY's Binding Corporate Rules"
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and
affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service
providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis,
back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is
our policy to only use third-party service providers that are bound to maintain appropriate levels of data
protection, security and confidentiality, and that comply with any applicable legal requirements for transferring
personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no
longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy
Notice will not apply.
For data collected in the European Economic Area (EEA) or which relates to individuals in the EEA, EY requires
an appropriate transfer mechanism as necessary to comply with applicable law. The transfer of personal data
from the Tool to Microsoft is governed by an agreement between EY and the service provider that includes
standard data protection clauses adopted by the European Commission.
7. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section !
Why do we need your personal data#. Retention periods vary in different jurisdictions and are set in accordance
with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for
archiving and historical purposes, we need to retain information for significant periods of time. $
The policies and/or procedures for the retention of personal data in the Tool are: Data retention is in
accordance with EY Records Retention Global Policy and the applicable Global, Area, Region or Country
Retention Schedule. Note: All client confidential data used to develop the courses is used for engagement
purposes only. Once the engagement is over the data is delivered to the client and is then under their
management. All source material is retained for a shorter period in order to support any immediate needs of
the client only. (Source Material i.e. Client Confidential Information used for an engagement and then
destroyed in line with Contractual Retention Agreement.) The application has audit logs of all admin activity.
Admins can run reports on user completion activity.
All data retention of processed data in the portal will be based on the client retention policies.
After the end of the data retention period, your personal data will be deleted.
8. Security
EY protects the confidentiality and security of information it obtains in the course of its business. Access to such
information is limited, and policies and procedures are in place that are designed to safeguard the information
from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and
information security is available in our Protecting your data brochure.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6
above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY's personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool or
(where applicable) to withdraw your consent, contact your usual EY representative or email your request to
global.data.protection@ey.com.
10. Object, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can object to the processing of your personal
data or request rectification, erasure, restriction of processing or a readily portable copy of your personal data
by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com.
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY%s Global Privacy
Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at
global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your
complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country's
data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the
EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data
Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are
available here.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email
global.data.protection@ey.com