Why is GDPR a critical topic for an LMS?
An LMS handles a lot of personal data: identity, results, progress, sometimes geolocation. Mishandling this data exposes the company to legal, financial and reputational risks. Choosing a GDPR-compliant LMS isn't an option, it's a basic prerequisite.
What types of personal data are processed by an LMS?
An LMS centralises a wide range of personal data, more or less sensitive depending on the configuration:
- Identity data: name, first name, email, phone, role, site or department
- Pedagogical data: results, progress, time spent, paths followed, completed modules
- Behavioural data: connection frequency, time slots, type of device used
- Geolocation data for some mobile uses (frontline teams, multi-site networks)
- Documents and free content generated by learners (comments, files uploaded into a module)
This data is qualified as personal under the GDPR. It must be processed with the same rigour as the company's other HR data.
What are the concrete risks of non-compliance?
The risks of non-compliance with the GDPR are financial, legal and reputational:
- Financial penalties of up to 20 million euros or 4% of global turnover, whichever is higher
- Civil claims from learners whose rights were not respected
- Reputational damage in case of a publicly disclosed data leak
- Internal blockers: refusal by the DPO or IT department to deploy the platform, loss of trust from employee representative bodies
These risks aren't theoretical. The CNIL has already fined several companies for misconfigured HR or training tools.
The 8 GDPR criteria to check before choosing an LMS
Beyond a generic "GDPR compliant" claim, here are the 8 criteria to systematically check during your selection.
1. Hosting location
Where is the data physically hosted? Hosting in Europe under European law remains the most protective answer. Hosting in the United States, or with a US provider even when it operates European data centres, can fall under the CLOUD Act, which lets US authorities request access to data.
Ask the vendor for the exact location of its data centres and the legal status of the hosting provider. Sovereign cloud hosting (OVH, Scaleway, Outscale) gives the highest level of legal protection.
2. DPA (Data Processing Agreement)
The DPA is the contractual document that formalises the vendor's obligations as a processor, in accordance with Article 28 of the GDPR. Without a DPA, your company has no enforceable legal framework with the platform.
A serious vendor offers a standardised DPA, ideally already aligned with the European Data Protection Board's recommendations. Make sure it clearly mentions categories of data, retention durations, security measures and the mechanism for handling personal data breaches.
3. Sub-processors and transfers
An LMS rarely operates alone. It often relies on third-party services: hosting, analytics tools, email providers, AI providers. Each of these sub-processors handles personal data.
Ask the vendor for the complete updated list of sub-processors and the location of their hosting. Check that transfers out of the EU rely on standard contractual clauses or valid adequacy decisions. The vendor must commit to informing you in case of a sub-processor change.
4. Right to be forgotten and portability
GDPR rights aren't a theoretical concept. The platform must technically allow them to be exercised:
- Right to be forgotten: effective deletion of the data of a learner who leaves the company
- Right to portability: export of their training history in a readable format
- Right of access: ability to provide a learner with the full set of data held on them
Check that these features exist as self-service, without going through a vendor support ticket each time.
5. Encryption and data security
Data must be encrypted at rest and in transit (TLS 1.2 minimum). Beyond that, the vendor should document:
- Access management policy (multi-factor authentication, granular rights)
- Connection logging and audit traces
- Documented breach procedure, with a commitment on notification time (72 hours under GDPR)
- Recent security certifications (ISO 27001, SOC 2) when available
6. AI usage of data
An LMS with AI features exposes learner data to processing that goes beyond classic storage. Three points must be clarified contractually:
- Are learner data used to train the vendor's AI models?
- Are they transferred to third-party AI providers (OpenAI, Anthropic, etc.)? Under which contractual framework?
- Is there a documented opt-out for sensitive uses?
A serious vendor publishes a specific AI charter answering these questions transparently. The absence of such a document is a red flag.
7. Retention duration
The GDPR requires keeping personal data only for the time strictly necessary for the purpose of the processing. For an LMS, that means:
- Active data during the contractual relationship (employment of the learner)
- Archived data for a limited period (often 5 years) to meet possible legal obligations
- Automatic deletion beyond that
The platform must allow this retention duration to be configured and apply the deletion automatically, without manual intervention.
8. Frontline specifics: mobile data and offline mode
Frontline LMSs bring an additional dimension: data is stored locally on learners' smartphones to enable offline mode. That changes the threat model:
- What is stored locally? Personal identifiers, content, results?
- How is this local data protected in case of phone loss or theft? Encrypted, accessible only via biometrics?
- How does synchronisation handle end-to-end encryption between the device and the server?
- Is remote wipe possible if a smartphone is lost?
These questions are rarely asked during a generic selection, but they're essential as soon as you deploy training on personal smartphones in the field.
What "GDPR compliant" means (and doesn't mean) for an LMS vendor
Compliance is neither a label nor a certification
There is no official GDPR certification from the CNIL or any other body to date. The "GDPR compliant" claim is therefore a self-declaration from the vendor, whose value depends entirely on the documents they're able to provide.
A vendor that displays "GDPR compliant" without offering a DPA, without listing its sub-processors and without documenting its security measures has no real enforceable compliance. The compliance level is measured by the documents, not by the marketing.
Vendor compliance doesn't exempt the company from its obligations
Even with a perfectly compliant LMS, your company remains the data controller. That means it remains responsible for:
- Configuring the platform consistently with its own retention obligations
- Informing learners of data processing (information notice, internal regulations)
- Managing rights requests, even those routed via the vendor
- Performing a Data Protection Impact Assessment (DPIA) if the processing is at risk
- Maintaining a record of processing activities mentioning the LMS
The vendor's compliance is a prerequisite, not a guarantee of overall compliance.
FAQ
Which LMS are GDPR compliant?
Several European LMS claim mature GDPR compliance, notably Beedeez, Didask, 360Learning and Rise Up, with EU hosting and a standardised DPA. Compliance, however, also depends on the company's settings: retention duration, access management and internal data processing policy.
Can a US-hosted LMS be GDPR compliant?
It's possible, but legally riskier. US hosting falls under the CLOUD Act, which lets US authorities access data. GDPR compliance then requires standard contractual clauses, a transfer impact assessment and a solid transfer framework. To avoid that risk, European hosting remains the simplest and most protective solution.
How to check the GDPR compliance of an LMS before buying?
Ask the vendor for the DPA, the list of sub-processors, the exact hosting location, the encryption and breach-management policy, and the technical mechanism for exercising data subjects' rights. A "GDPR compliant" mention on a brochure has no value without these documented elements.
Is training data personal data?
Yes. The learner's identity, results, progress history, time spent on each module and sometimes geolocation are personal data within the meaning of the GDPR. They're subject to the same obligations as the company's other HR data.
Does an AI-powered LMS create additional risks?
Yes, because learner data can be exposed to third-party AI models (OpenAI, Anthropic, etc.) when content or recommendations are generated. You need to check that the vendor frames these transfers contractually, offers an opt-out and that data isn't used to train the providers' models.
How long does an LMS retain data?
The retention duration must be configurable and aligned with the company's legal obligations. Generally, training data is kept during the contractual relationship, then for a limited archive period (often 5 years) to meet potential legal or regulatory obligations.
Request a demo to discover how Beedeez ensures sovereign hosting, a standardised DPA and end-to-end protection of your frontline teams' data.