Compliance Considerations Flashcards

1
Q

What does the GDPR say about employee data (include article)?

A

Article 88

Member states may, by law or collective agreements, provide more specific rules around the processing of employee personal data.

The rules must include measures to safeguard the data subject’s:

  • human dignity
  • legitimate interests
  • fundamental rights

with particular regard for:

  • transparency of processing
  • transfer of personal data within a group of undertakings or a group of enterprises engaged in joint economic activity
  • monitoring systems

2
Q

What are examples of legal bases for processing employee personal data?

A

Fulfillment of an employment contract: collecting and using bank account information to process salaries

Legal obligation: sharing salary information with tax authorities (this must be an obligation under EU or member state law)

Legitimate interests of the employer: migrating employee information from one data management system to another.

Consent: may be difficult to prove because of the unequal distribution of power between the employer and the employee. The processing of employee data may be unlawful or unfair under local law, even if the employee has consented. Yet, under some local labor laws, employers are obligated to obtain consent from employees to process their personal data.

3
Q

What is unique about legitimate interest being used as a basis for processing employee data?

A

The legitimate interest cannot be adverse to employees’ rights and freedoms and it cannot be used as grounds for processing special categories of data.

Public authorities may not rely on this ground.

4
Q

What must happen when employers process sensitive personal data of employees?

A

Employers must comply with one of the exceptions specified in Article 9 of the GDPR:

  • explicit consent (a last resort, because employees might feel pressured to provide consent)
  • legal claims

Article 9(2) recognizes that employers might need to process sensitive personal data to comply with obligations and rights, such as social security

5
Q

If employers are required to retain employee data after the end of the employment lifecycle, what should happen?

A

Generally, the records should be archived and internal access should be limited

6
Q

What does compliance with works councils look like?

A

Might include notifying, consulting with, and seeking approval from works councils.

7
Q

What is a works council?

A

Internal trade union

When internal employees gather together and create a works council.

Most common in Germany

8
Q

What are the issues with BYOD?

A

BYOD= Bring Your Own Device

Compliance issues because the employer remains the controller for any personal data processed on the employee’s device for work-related purposes using the work email settings

Opens the door to data protection issues, such as data breaches, which result in large fines.

The employer also has to manage the security of the organization while balancing the protection of individuals’ personal data.

9
Q

How can employers effectively manage BYOD?

A

Have a BYOD policy that explains to employees how they can use BYOD and their responsibilities.

Employers should also:

  • know where the data processed via the device is stored
  • know the measures required to keep the data secure
  • ensure the methods of transferring data from the device to the company’s server are secure
  • know how to manage data stored on the device once the employee leaves the company or the device is lost or stolen
  • provide notice to employees explaining the consequences of BYOD and the information the organization will be able to access (with a lawful basis for processing personal data)

10
Q

What should a BYOD policy include?

A

The policy should:

  • align with the law
  • protect personal data
  • protect organizational data
  • enable employee productivity
  • mitigate network risks

11
Q

What are different types of legal employee monitoring?

A

Background checks (e.g. from verifying education to checking for past criminal activity). May not be used to create blacklists.

Data Loss Prevention (DLP): tools used to protect IT infrastructure and confidential business info from internal and external threats, but they inevitably process employee personal data since they operate on networks and systems used by employees.

12
Q

What are the requirements to lawfully monitor employees and what are examples of questions employers can ask themselves?

A

The employer must make sure that the monitoring is:

  • necessary: can you demonstrate that the monitoring is really necessary? (A DPIA might be required under certain circumstances.)
  • proportional: is the monitoring proportionate to the issue that the employer is dealing with? (Linked to the GDPR’s principle of data minimization.) Collective bargaining agreements are useful markers for employers considering proportionality.
  • transparent: have employees been clearly informed of the monitoring that will be carried out? The employer cannot argue that a lack of workplace privacy is acceptable because employees have been warned. Employers should introduce an acceptable use policy.
  • legitimate: do you have lawful grounds for collecting and processing personal data? Is the processing fair? This will often mean relying on the legitimate interest balancing test.

13
Q

What is the Sarbanes-Oxley Act (SOX) and when was it passed?

A

2002 in the US

Requires companies to have a system in place to receive anonymous complaints about potential wrongdoing, including fraud, misappropriation of assets and/or material misstatements in financial reporting.

Mostly about accounting or auditing fraud-type activities

14
Q

Where is the tension between the EU and US on whistleblowing schemes?

A

The US focuses on protecting the identity of the whistleblower while the EU focuses on protecting the personal data of the employee accused of wrongdoing

In the US, anonymous reporting is encouraged. In the EU, anonymous reporting is strongly discouraged (out of concern about malicious reports being made). So in the EU, they promise confidentiality, but they usually ask the whistleblower to identify themselves as part of the whistleblowing report. Of course, the EU would not ignore a serious report submitted anonymously, but anonymous reports are not encouraged.

*In some countries, DPAs will consider a whistleblowing scheme illegal if it mentions the ability to make anonymous reports.

15
Q

What should be considered for whistleblowing schemes?

A

Transparency: a whistleblowing policy that explains to people their ability to report violations and how their information will be treated in the context of a whistleblowing report.

Security and confidentiality

Retention: If the report cannot be proven, then the report should be deleted after a short period of time (3-6 months).

Different rules on who can be reported (data subjects) depending on the country (some countries believe that the only people who should be allowed to be the subjects of whistleblowing reports are those capable of causing serious organizational harm)

Data transfers

16
Q

What are the types of reports permissible under EU whistleblowing law?

A

Auditing and fraud (as under SOX in the US)

Health and safety violations

Discriminatory activities

*Divergence across member states. Some member states have a wide variety of activities permissible for reporting, and others will limit it strictly to Sarbanes-Oxley accounting and auditing fraud-type activities.

17
Q

What is unique about whistleblowing reports in the EU and the privacy rights of the subject of the report?

A

Individuals have privacy rights (to access, correction, and deletion), and those apply to whistleblowing reports.

If an individual has been the subject of a whistleblowing report, you have to tell them they’ve been subject of a report (but you can wait until you’ve secured evidence for the investigation first).

They can access the report and seek correction of anything in it that they think is inaccurate (but you still have to protect other individuals’ rights, so you can black out names/the identity of the whistleblower for a period of time).

18
Q

What is surveillance?

A

Observation of an individual or group.

May be covert or carried out openly, conducted in real time or by access to stored material.

19
Q

What does the GDPR say about surveillance (include article)?

A

Article 23

Allows EU or Member State law to restrict the rights of the data subject. Such a restriction must:

1) Respect the essence of the fundamental rights and freedoms
2) Be a necessary and proportionate measure in a democratic society

20
Q

Who may conduct surveillance and when is it permissible?

A

Public and state agencies for national security or law enforcement

Private entities for their own purposes

21
Q

When public and state agencies conduct surveillance, what must they consider?

A

They must conduct surveillance in a manner that respects individual rights enshrined in the Charter of Fundamental Rights, specifically the right to a private and family life (Article 7) and protection of personal data (Article 8)

22
Q

What is Recital 66 of the Law Enforcement Data Protection Directive (LEDP Directive)?

A

It recognizes that although the processing of personal data must be lawful, fair, and transparent, this should not prevent law enforcement authorities from carrying out activities (e.g., covert investigations and video surveillance) to prevent, investigate, detect, and prosecute criminal offenses.

23
Q

How can private entities conduct surveillance?

A

It must be based on legitimate purposes

In addition to the GDPR, it must comply with national laws concerning confidentiality, privacy, data protection and other civil rights; e.g., employment law

24
Q

How are personal data from electronic communications categorized?

A

Content data: the content of the communication

Metadata: “data about data” or information generated as a consequence of a communication’s transmission

25
Q

Examples of metadata

A

Cc/Bcc

Message delivery time

Message creation time

Priority of message

To/from

Reply message time

26
Q

What is content data protected by?

A

The right to freedom of expression

27
Q

What is metadata protected by?

A

The GDPR because it can be used to identify an individual, so it falls within the GDPR’s definition of personal data

28
Q

What is the ePrivacy Directive’s official title? What else is it known as?

A

Directive 2002/58

Cookie Directive

Privacy and Electronic Communications Directive

29
Q

What does the ePrivacy Directive do?

A

It sets out rules governing the processing of location, content, and traffic data over a public electronic communications network or publicly available communications system. In other words, data passing over public telephone or internet carriers, or services that use a public communications network.

30
Q

What is required for the collection of an individual’s precise location-based data?

A

Opt-in consent (with exception of carriers who need the data to provide the service)

31
Q

What does Article 5(1) of the ePrivacy Directive say?

A

The confidentiality of the content of communications must be ensured; it cannot be intercepted or disclosed to third parties unless there is consent from all users.

32
Q

What does Article 15(1) of ePrivacy Directive say?

A

Member states can introduce some exemptions if necessary for very limited purposes, such as national security and law enforcement.

Access to traffic data is limited. However, telecommunications carriers can process for the purpose of conveying communication and for some limited marketing activities with the user’s consent. Otherwise, it’s very restricted.

33
Q

When do ePrivacy rules not apply?

A

When data is passing over a private network, such as a corporate intranet. However, monitoring considerations are still relevant: necessity, proportionality, legitimacy, and transparency.

34
Q

Lawful interception under the ePrivacy Directive

A

A provision within the ePrivacy Directive allows for the interception of a communication when an organization has a lawful business purpose for accessing data going through its public networks. Member states may pass individual laws defining “business purpose.”

35
Q

When collecting data through Closed Circuit Television (CCTV), what must be considered?

A

GDPR Compliance Considerations

Lawfulness of Processing

Data Protection Impact Assessment (DPIA)

Prior Checking

Proportionality

Information Provision

Information Rights

Measures to protect the personal data and rights of individuals

36
Q

CCTV and lawfulness of processing

A

Prior to carrying out surveillance, the controller should determine the lawfulness of processing (e.g., legitimate interest; the establishment, exercise, or defense of legal claims; the public interest for a public area; or the exercise of public authority, such as for monitoring traffic).

*Consent is likely not possible

A controller may need to rely on a provision in member state law to conduct video surveillance in certain circumstances

Biometric data is a special category of data within the GDPR, so processing can only be carried out if one of the permitted conditions, as specified in Article 9, applies.

37
Q

DPIA and CCTV

A

Required if video surveillance is considered to be high risk, if it involves the systematic monitoring of a publicly accessible area on a large scale, or if video surveillance has been included by the relevant supervisory authority on a list of data processing operations that require a DPIA.

Decision to use CCTV should be made only if other, less-intrusive solutions that do not require image acquisition have been considered and found to be clearly inapplicable or inadequate for the intended lawful purpose. The DPIA should document these investigations and inadequacies.

38
Q

Prior checking and CCTV

A

In many countries, using CCTV triggers the requirement to notify the local regulator, and in some circumstances, seek authorization.

39
Q

CCTV and Proportionality

A

The selected system and technology used for surveillance should be proportional to the purpose.

For example, remote control, zooming, facial recognition, and sound recording may not be necessary.

Key aspects of the CCTV and processing of its footage must be proportionate to the purpose.

These aspects include operational and monitoring arrangements (such as visual angle so that the monitoring of irrelevant spaces is minimized), retention of footage, the need to disclose footage to third parties (such as the police), whether the footage will be combined with other information (in particular, to identify individuals), and the surveillance of areas where people have high expectations of privacy.

40
Q

CCTV and Information Provision

A

For overt video surveillance, controllers must comply with the transparency requirement of the GDPR to the extent that is possible in cases where the controller may not have a direct relationship with the affected data subjects, such as where the cameras cover a large, public space.

Since the information that can be made available on site is unlikely to contain all the details prescribed by Articles 13 and 14 of the GDPR, the controller should be prepared to provide the full information necessary when a data subject makes contact.

41
Q

CCTV and Individual Rights

A

Data subjects have rights related to the processing of their personal data under the GDPR, so an individual may request a copy of a CCTV recording they appear on. This may pose a challenge for protecting others’ privacy, specifically the other people on the recording. Given that CCTV footage is usually retained only for a short period of time, the right of access is normally of narrower scope compared to other contexts.

42
Q

CCTV and measures to protect the personal data and rights of individuals

A

Measures may include staff training, a CCTV policy, and regular reviews to ensure compliance.

43
Q

What are location-based services (LBS)?

A

Services that utilize information about location to deliver a wide array of applications and services. The location may be derived from GPS, cell-based mobile network data, or chip card-generated data.

44
Q

Location data and GDPR

A

It is an identifier under GDPR’s definition of personal data

If it can be used alone or in combination with other information to identify someone, then it should be considered personal data

45
Q

What is biometric data (include article)?

A

Article 4(14)

Biometric Data: Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.

Examples include: DNA, fingerprints, retina and eye patterns, voice, and gait.

46
Q

What must happen for biometric data to be considered a special category?

A

To be included as a special category of data, the purpose of processing must be for uniquely identifying a natural person.

47
Q

What is biometric data used for?

A

Used in private and public sectors for:

  • identification (who are you?)
  • authentication (are you who you claim to be?)

48
Q

What is direct marketing?

A

A communication, by whatever means of advertising or marketing material, directed toward specific individuals.

49
Q

What is NOT considered direct marketing?

A

Messages that do not process personal data or are purely service-related

50
Q

Why is direct marketing complex?

A

It triggers data protection requirements and consumer protection regulatory requirements that vary from country to country, so controllers must meet all national rules applicable to the direct marketing communications they send.

Direct marketing is also no longer limited to postal mail and email; it can now be sent via third-party platform messages, push messages, and in-app messaging.

51
Q

GDPR vs. ePrivacy Directive application to direct marketing

A

GDPR: Applies to all direct marketing communications, regardless of channel and to online advertising targeted at individuals based on their internet browsing history.

ePrivacy Directive: Applies to “digital” marketing communications, i.e., direct marketing communicated over electronic communication networks, such as phone, fax, email, MMS, and SMS. Also specifies rules that impact the use of online behavioral advertising.

52
Q

GDPR v. ePrivacy Directive and Individual Rights

A

GDPR: Individuals have absolute right to object to any form of direct marketing at any time. Already applies to processing based on consent since consent can be withdrawn at any time, but it extends to processing based on legitimate interest as well in the case of direct marketing.

ePrivacy Directive: implemented into national laws, so up to the member states

53
Q

GDPR Controller Requirements for Direct Marketing

A

Inform individuals, explicitly and clearly, of their right to opt out when they first communicate.

Allow individuals to opt out across all marketing channels.

Honor opt-out requests in a timely fashion and at no cost to the individual.

Remove any personal data and profiling after an individual has opted out (unless retention is strictly required).

Controllers should suppress, rather than delete, contact details, because they do not want to risk reacquiring that individual’s details later and restarting marketing to them.

Controllers must meet all other compliance requirements as well: have a lawful basis, provide fair processing information explaining that personal data will be used for marketing purposes, implement appropriate technical and organizational measures, and not export data outside the EEA without adequate protection.

Some member states require controllers to check their contact lists against applicable national opt-out registers before marketing.

54
Q

ePrivacy Directive and controller requirements

A

Most forms of digital marketing, except person-to-person telephone marketing, require prior opt-in consent

55
Q

Postal Marketing Requirements

A

Not subject to ePrivacy, but must satisfy general requirements under GDPR:

In the absence of mandated consent, controllers may rely on legitimate interests based on a careful balancing test that examines:

  • whether the individual is an existing customer
  • the nature of the products and services
  • whether the data controller has previously told the individual that it will not send any direct marketing communications

56
Q

Telemarketing Requirements

A

Is subject to the ePrivacy Directive because it is a form of digital marketing. Must also satisfy compliance with GDPR.

Under ePrivacy though, consent is not required for person-to-person telemarketing. It is, however, required for marketing through automated calling systems. Article 13(3) of the ePrivacy Directive allows member states to decide whether person-to-person telemarketing should be conducted on an opt-in or opt-out basis.

At a minimum, individuals must have a means to opt out without an associated fee. Additional rules and best practices around telemarketing vary from country to country, including the treatment and permissibility of B2B direct telephone marketing. Some countries do not distinguish between B2B and B2C direct marketing, and as of 2009, the ePrivacy Directive applies to both B2C and B2B communications.

57
Q

Electronic Mail Requirements

A

Is subject to the ePrivacy Directive as a form of digital marketing. Controllers must ensure they satisfy the general compliance requirements of the GDPR as well. Electronic mail includes SMS/MMS communications, and prior consent is required for these types of marketing.

Allows a limited exemption from strict opt-in requirement for direct marketing by electronic mail to individuals whose details the data controller obtained “in the context of the sale of a product or service.”

For this exemption to be used:

  • the controller must market its own similar products and services
  • individuals must have the ability to opt out at the time their contact details are collected
  • individuals must be reminded of their ability to opt out in each subsequent marketing communication

Stipulates specific info that must be provided to recipients of direct marketing via electronic mail, including:

  • a valid address to which they can send an opt-out request that is appropriate to the medium of the marketing communication
  • clear identity of the sender
  • clear indication that the message is a commercial communication
  • clearly identified promotional offers with easily accessible, unambiguous conditions to qualify
  • clearly identified promotional competitions or games with easily accessible, clear, unambiguous conditions for participation

58
Q

What is online behavioral advertising (OBA)?

A

Website advertising targeted at individuals based on observation of their behavior over time. Can happen through website itself, but often done through third-party advertising networks that have relationships with partnering websites that allow them to place cookies on individuals’ computers with unique identifiers.

As websites track individuals’ activities, profiles are assigned to unique identifiers, enabling ad networks to deliver advertising based on individuals’ interests.

59
Q

Is information collected for OBA considered personal data under GDPR?

A

Yes, it’s an “online identifier.”

60
Q

Define potential compliance responsibilities for parties involved in OBA under GDPR

A

Ad network: may be a controller

Website publisher: may be a joint controller

Advertisers: may qualify as independent controllers

61
Q

ePrivacy Directive and OBA

A

Applies regardless of whether the information is personal data

62
Q

Article 5(3) of ePrivacy Directive

A

The use of cookies to store or access information is allowed only with individual consent.

63
Q

What is cloud computing?

A

Provision of information technology services over the internet

May provide infrastructure, platform, or application services, or these services in combination.

64
Q

List commonalities among cloud computing services

A

Infrastructure is shared among customers and accessible in numerous countries

Data is transferred according to capacity

The supplier determines the location, security measures, and service standards applicable to processing

65
Q

When is a cloud service provider a controller?

A

When it determines substantial and essential elements of the means of processing (e.g., data retention periods)

When it processes data for its own purposes

When it determines aspects of processing outside controller’s instructions

66
Q

Can a cloud service provider be a processor?

A

Yes, if it determines technical and organizational means of processing (e.g., hardware)

67
Q

What is a web cookie and what does it enable?

A

A text file stored on a computer by a website for later use

It enables:

  • authentication of web visitors
  • personalization of web content
  • delivery of targeted advertising

68
Q

What is the distinction between first- and third-party cookies?

A

First-party cookies: Placed by the operator of the website visited; the website is the controller of the personal data gathered by its own first-party cookies

Third-party cookies: Sent by an entity other than the website operator. When the third party determines the means and purpose of processing the personal data gathered from its third-party cookies, it’s a controller.

69
Q

List some best practices for using cookies

A

Storing only encrypted personal data

Providing notice

Using persistent cookies only if justified by the need

Setting reasonable expiration dates for cookies

70
Q

What type of cookies are exempt from ePrivacy Directive consent requirement?

A

Strictly necessary cookies

71
Q

What is a search engine?

A

A service that finds information on the internet

Search engines process large amounts of data, including user IP addresses, cookies, user log files, and third-party web pages.

72
Q

Are search engines controllers or processors?

A

Because they determine the purpose and means of processing, they are controllers.

73
Q

Google v. AEPD

A

2014

The CJEU ruled on the case, which required that Google remove from its search results links to a 1998 newspaper article about the plaintiff’s foreclosed house

Established that search engines are also controllers of the personal data contained in third-party web pages

Because of the decision, search engines outside the EU are also likely subject to the GDPR in respect of their processing of personal data contained in third-party webpages if they have an EU establishment whose activities are economically linked to the search engine’s core activities

74
Q

Web traffic data as analytics and GDPR

A

When web traffic data is processed by search engines and provided as analytics (e.g., Google Analytics) to search engine marketers that fall within the scope of the GDPR, the organizations conducting the search engine marketing are also controllers.

However, search engine marketers can take certain steps ensuring that aspects of the web traffic analysis process are anonymized, including:

  • making sure that the data, including IP addresses, is not stored in analytics even after the user accepted placement of cookies
  • anonymizing IP addresses before storage or processing takes place

75
Q

Social networking services (SNS) and controllers

A

Create opportunities for various parties and individuals to collect and use personal data, so there might be multiple controllers:

1) social network services: controllers because they provide platforms for publishing and exchanging personal information, as well as determining the use of personal information for advertising
2) authors of apps designed for SNS platforms: might be considered controllers as well
3) users who act on behalf of an organization or knowingly extend access to personal data beyond selected contacts: may be controllers as well

76
Q

How can SNS providers be open and transparent?

A

They can provide notice:

  • including marketing purposes and the right to opt-out
  • if personal data will be shared with specific third parties
  • an explanation of any profiling that will be conducted
  • information about the processing of sensitive personal data
  • warnings about risks to privacy
  • consent of the third party

77
Q

Processing sensitive personal data via SNS under GDPR

A

Explicit consent is required to publish personal data on the Internet, unless it is published by the data subject

An SNS requesting personal data (e.g. for an individual’s profile) must ensure the individual knows that provision of the data is voluntary

78
Q

Processing third-party data via SNS under GDPR

A

If third-party individuals’ personal data is published (e.g. photo tags), the SNS must have a legal basis for processing that personal data

According to the former Article 29 Working Party, third-party data of individuals who are not members of the SNS may not be aggregated to form profiles of those individuals

79
Q

Processing children’s personal data via SNS under GDPR

A

Requires parental consent (if children are under 16, but member states may also lower the age limit to 13)

Additionally, processing on the grounds of legitimate interest may not be possible. A controller should have regard for the best interests of the child.

80
Q

What is artificial intelligence?

A

Simulation of human intelligence created by machines and computers. AI has the ability to learn, reason, and evaluate.

81
Q

What is the EU Initiative on AI?

A

Initiative focused on:

  • boosting technology and industry capacity and AI uptake across public and private sectors
  • preparing for socio-economic changes as AI modernizes education, training, labor markets, and social systems
  • ensuring ethical and legal frameworks