Cannabis eLearning Compliance: Europe’s GDPR Requirements

The European Union’s General Data Protection Regulation (GDPR) will affect all cannabis businesses and organizations that handle personal information from European citizens. It harmonizes legislation on the national level, sets rules regarding data uses as well as users’ rights, and sets penalties and fines for improper data privacy management on the part of organizations.

GDPR refers to the European Union (EU) regulation for data protection for all individuals within the EU countries. The regulation (Regulation (EU) 2016/679)2 becomes enforceable on 25 May 2018 and replaces the data protection directive (officially Directive 95/46/EC)3 from 1995.


What Cannabis Businesses Does It Affect?

Any cannabis organization that stores or processes personal information on an identifiable person from an EU member state (regardless if the processing or storage of information occurs in the EU or not). It also applies if the individual or organization themselves is located in an EU member state.

What kind of information comprises personal data?

It is all information that can be associated with a natural person. Each user account and all the activity associated with that user account is classified as personal information. This extends to the information stored in backups, as well as associated information such as web server log files.

What are the penalties for non-compliance with the regulations?



Moodle is GDPR Compliant for the Cannabis Industry

While Moodle HQ prepares to make the core of the open-source Learning Management System (LMS) compliant with the soon-to-be-enforced General Data Protection Regulation (GDPR) by the European Commission.

Even if an LMS does not use or store personal user information, it is still held to the compliance rules laid out by the law, which gives users the right to request information and forces software developers to respond about things such as:

  • Personal data held by the LMS, with each instance of use.
  • The ability to download all their data and to request the deletion of anything stored by the service within a reasonable time frame.
  • The option to consent to the use of personal information, but also to revoke the consent at any time.

In short, even if an LMS does not make any significant use of personal data, it must still be able to respond to user requests. If the user revokes initial consent, the service must be able to report on the user’s consent history. LMSs failing to comply with GDPR could face varying consequences and they have stiff fines on data controllers and processors for non-compliance.


Fines are administered by individual member state supervisory authorities (83.1). The following ten (10) criteria are to be used to determine the amount of the fine on a non-compliant firm:

  1. Nature of Infringement: number of people affected, the damage they suffered, duration of the infringement, and purpose of processing.
  2. Intention: whether the infringement is intentional or negligent.
  3. Mitigation: actions taken to mitigate damage to data subjects.
  4. Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance.
  5. History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data.
  6. Protection Directive: and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines.
  7. Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
  8. Data Type: what types of data the infringement impacts; see special categories of personal data.
  9. Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party.
  10. Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct.
  11. Other: other aggravating or mitigating factors may include the financial impact on the firm from the infringement.


Fine Amount

If a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision.

However, the above may not offer much relief considering the number of fines possible:

Lower Level

Up to €10 million, or 2% of the worldwide annual revenue of the prior fiscal year, whichever is higher, shall be issued for infringements of:

  • Controllers and processors under Articles 8, 11, 25-39, 42, 43
  • Certification body under Articles 42, 43
  • Monitoring body under Article 41(4)

Upper Level

Up to €20 million, or 4% of the worldwide annual revenue of the prior fiscal year, whichever is higher, shall be issued for infringements of:

  • The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
  • The data subjects’ rights under Articles 12-22
  • The transfer of personal data to a recipient in a third country or an international organization under Articles 44-49
  • Any obligations under Member State law adopted under Chapter IX
  • Any non-compliance with an order by a supervisory authority (83.6)

Let us know what you think.