Date: 2026-03-28
Prepared by: Philip Lacey
Role: Founder / System Steward
1. Background
As part of the ISO 27001:2022 ISMS implementation cycle (Cycle 1) and ongoing GDPR compliance work, the public-facing Privacy Notice (`/privacy.php`) and Terms and Conditions of Use (`/tsncs.php`) were reviewed in full against:
– GDPR Articles 5, 6, 13, 14, 17, 28, 44–49
– EU Consumer Rights Directive 2011/83/EU
– Irish Consumer Protection Act 2007
– Irish Arbitration Act 2010
– Irish Copyright and Related Rights Act 2000
– Companies Act 2014 (CLG obligations)
Both documents were found to contain material deficiencies. Remediation was completed on 28 March 2026.
---
2. Privacy Notice — Changes Made
2.1 Issues Identified
| # | Issue | Risk |
|---|---|---|
| 1 | No lawful basis stated for any processing activity | GDPR Art. 13(1)(c) — mandatory disclosure |
| 2 | No retention periods stated | GDPR Art. 13(2)(a) — mandatory disclosure |
| 3 | Data subject rights not listed | GDPR Art. 13(2)(b) — mandatory disclosure |
| 4 | No right to lodge complaint with DPC stated | GDPR Art. 13(2)(d) — mandatory disclosure |
| 5 | Section 9 (“International Transfers”) written as an EU company addressing US users — reversed | Legally misleading; company is Irish, users are EU/EEA |
| 6 | False claims about use of “pixel tags” and “web beacons” | No such tracking in use; constitutes inaccurate disclosure |
| 7 | Outdated template language (“we,” “our affiliates”) inconsistent with CLG structure | Misleading as to corporate structure |
| 8 | No processor (sub-processor) disclosure | GDPR Art. 13(1)(e) — mandatory where applicable |
| 9 | Cookie section did not confirm strictly-necessary-only use | Created ambiguity about consent obligations |
| 10 | No third-country transfer mechanism stated for Facebook/Google OAuth | GDPR Art. 13(1)(f) — mandatory |
2.2 Changes Applied
The Privacy Notice was fully rewritten to GDPR Article 13 standard. The new notice contains:
1. **Controller identity** — full legal name, CRO number, registered address, and contact email
2. **Processing activities table** — 9 activities with purpose, lawful basis (Article 6), data categories, and third-party recipients for each
3. **Cookies** — confirmed as strictly necessary session cookies only; no consent banner required
4. **Third-party OAuth** — Facebook and Google disclosed as processors; EU Standard Contractual Clauses confirmed as transfer mechanism
5. **Processor table** — Web Hosting Ireland (hosting), Google (OAuth), Facebook/Meta (OAuth) disclosed as Article 28 processors
6. **Third-country transfers** — transfers outside the EEA only via SCCs; Twitter/UptimeRobot confirmed as involving no personal data
7. **Retention periods** — table of retention periods per data category
8. **Children** — policy on under-13 enrolment via partner organisations confirmed
9. **Security measures** — HTTPS/TLS, hashed passwords, access controls, audit logging disclosed
10. **Data subject rights** — full table covering Arts. 15–22 (Access, Rectification, Erasure, Restriction, Portability, Objection) with how to exercise each
11. **DPC complaint right** — Data Protection Commission contact details included as required by Art. 13(2)(d)
12. **"Last updated: 28 March 2026"** added
**CSS:** Changed `list-style-type: none` to `list-style-type: disc`; added `.privacyWrap` class (60% width, auto margins); added table styling for the data tables.
---
3. Terms and Conditions of Use — Changes Made
3.1 Issues Identified
| # | Issue | Risk |
|---|---|---|
| 1 | Duplicate Table of Contents | User confusion; document quality |
| 2 | Section 5 cited `17 U.S.C. § 512` (US DMCA) | Legally inapplicable; Irish/EU copyright law governs |
| 3 | Section 2 stated users “consent to our use of data” | Misrepresents GDPR lawful basis (contract/legitimate interests, not consent) |
| 4 | Indemnification clause (Section 12) referred to “shareholders” | WhereWeLearn is a CLG — has members, not shareholders |
| 5 | Fitness/health disclaimer included | Wholly irrelevant to an LMS; creates false impression of service scope |
| 6 | Section 7 (Opportunities) contained “federal, state and local laws” boilerplate | US law reference; inapplicable and misleading |
| 7 | Section 7 (Opportunities) not applicable to platform | Boilerplate for a different platform type; removed |
| 8 | Section 9 (Mobile Features) included wireless billing language | Not applicable to this service; misleading |
| 9 | Section 17/18 numbering reversed (anchor `#17` linked to “18. Contact”, anchor `#18` to “17. YouTube”) | Broken in-page navigation |
| 10 | Arbitration clause contained no EU consumer rights carve-out | Mandatory arbitration for EU consumers is unenforceable and misleading |
| 11 | LinkedIn and Tumblr listed as connected Social Media Sites | Neither service is supported; inaccurate |
| 12 | Spelling errors: `PRECEEDING`, `compontents`, `treatement` | Document quality |
| 13 | American English throughout (`license`, `authorize`, `labor`) | Inconsistent with Irish company |
3.2 Changes Applied
The Terms and Conditions were rewritten from 18 sections to 16 sections:
| Old Section | New Section | Change |
|---|---|---|
| 1. Changes | 1. Changes | Retained; minor language tidy |
| 2. Privacy Policy | 2. Privacy Policy | Retained; removed consent misstatement |
| 3. Account Registration | 3. Account Registration | Retained; changed to British English |
| 4. Intellectual Property | 4. Intellectual Property; Licence | Retained; `license`→`licence`, `authorize`→`authorise` |
| 5. Legal Complaints | 5. Legal Complaints | Retained; replaced `17 U.S.C. § 512` with Irish/EU law language |
| 6. User Submissions | 6. User Submissions | Retained; British English |
| 7. Opportunities | *(removed)* | Removed — not applicable to this platform |
| 8. Third-Party Content | 7. Third-Party Content | Retained; removed LinkedIn and Tumblr |
| 9. Mobile Features | *(removed)* | Removed — wireless billing language not applicable |
| 10. Acceptable Use | 8. Acceptable Use | Retained; British English; updated cross-reference |
| 11. Access to Services | 9. Access to Services | Retained |
| 12. Indemnification | 10. Indemnification | Retained; `shareholders`→`board members` |
| 13. Disclaimers | 11. Disclaimers; Limitation of Liability | Retained; removed fitness disclaimer; fixed `PRECEEDING`→`PRECEDING`, `compontents`→`components`, `treatement`→`treatment` |
| 14. Governing Law | 12. Governing Law | Retained |
| 15. Disputes; Arbitration | 13. Disputes; Arbitration | Retained; added EU/EEA consumer carve-out; ODR platform link |
| 16. Miscellaneous | 14. Miscellaneous | Retained; updated surviving sections cross-reference |
| 17/18 YouTube *(reversed)* | 15. YouTube API Services | Corrected numbering |
| 18/17 Contact *(reversed)* | 16. Contact Us | Corrected numbering |
**"Last updated: 28 March 2026"** added.
**CSS:** Changed `list-style-type: none` to `list-style-type: disc`; added `.tsncsWrap` class (60% width, auto margins).
---
4. Files Changed
| File | Change type |
|---|---|
| `privacy.php` | Full rewrite of HTML body |
| `tsncs.php` | Full rewrite of HTML body |
---
5. Related Documents
| Document | Location |
|---|---|
| GDPR Record of Processing Activities | `docs/gdpr-ropa.md` |
| GDPR Lawful Basis Register | `docs/gdpr-lawful-basis.md` |
| GDPR Breach Notification Procedure | `docs/gdpr-breach-notification-procedure.md` |
| GDPR Data Subject Rights Procedure | `docs/gdpr-data-subject-rights-procedure.md` |
| ISO 27001 ISMS Management Review | `docs/isms-management-review.md` |
| ISO 27001 Plan | `docs/iso27001-plan.md` |
*This document forms part of the WhereWeLearn ISMS documentation set and should be retained as evidence of management review activity under ISO/IEC 27001:2022 Clause 9.3.*