Great Learning ↗

Overview

Great Learning is a massive upskilling platform that partners with top universities. Because they offer professional certifications, they don’t just have your email—they have your resume, salary details, work history, and even webcam recordings from proctored exams.

If you’re a student or a business partner, you should care because your entire professional identity is sitting in their database. If their policy doesn’t follow the new rules, your data is at risk.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent & Notice 🔴

Great Learning uses the old-school “by using this site, you agree” approach. In the new law, this is a major problem.

What the policy says: “By using the Services, you agree to the terms of this Privacy Policy… Great Learning has the individual’s implied consent to collect or receive any supplementary information.”

What the law requires: The Data Principal (that’s you, the person whose data is being collected) must give consent that is free, specific, informed, and unconditional.

The problem: There is no such thing as “implied consent” under the DPDP Act for most commercial activities. You can’t just assume someone agrees because they clicked a link. Consent must be an affirmative action (like checking a box that isn’t pre-checked).

Section 7 — Certain Legitimate Uses ⚠️

Great Learning tries to use “legitimate interests” as a bucket to process data without asking you every time.

What the policy says: They process data for “legitimate interests, i.e. registering and administering accounts… and to facilitate the efficient running and operation of our business.”

What the law requires: Section 7 of the DPDP Act allows processing without consent for “Certain Legitimate Uses.” This is mostly for voluntary data sharing for a specific purpose, medical emergencies, or government functions.

The problem: “Efficient running of business” is a very broad term. Under the DPDP Act, using data for business efficiency or marketing usually requires clear consent, not a “legitimate use” excuse.

Section 8 — Obligations of Data Fiduciary ✅

The Data Fiduciary (the company that decides why and how your data is processed—in this case, Great Learning) has a duty to keep your data safe.

What the policy says: They describe using “Data Collection Tools” and state that service providers are “required to protect the information we provide them.”

What the law requires: You must have reasonable security safeguards to prevent data breaches.

The strength: Great Learning is very clear about who they share data with—mentors, universities, and payment processors. They acknowledge their responsibility to choose safe partners, though they do try to limit their liability if a third party messes up.

Section 9 — Data Retention 🔴

This is the biggest red flag in their current policy.

What the policy says: “It is not possible for us to determine a specific period for which we may retain your data.”

What the law requires: Data must be deleted as soon as the purpose for collecting it is over. If you finish your course and close your account, they shouldn’t keep your data forever “just in case.”

The problem: Saying “we don’t know how long we’ll keep it” is a direct violation of Section 9. The DPDP Act requires companies to have a clear deletion policy. You can’t keep a student’s salary slip and PAN card details indefinitely.

Section 11 — Rights of Data Principal ⚠️

What the policy says: They mention your right to “access, correct, or restrict” use of your data.

What the law requires: You have the right to access, correction, erasure, and notably, the right to nominate someone to manage your data if you pass away or become incapacitated.

The problem: Great Learning misses the “Right to Nominate” entirely. They also don’t provide a clear, easy way to exercise the “Right to be Forgotten” (erasure), which is a cornerstone of the DPDP Act.

Section 12 — Right of Grievance Redressal ⚠️

What the policy says: They mention a Data Protection Officer (DPO) you can contact.

What the law requires: You must have a clear, effective mechanism to solve complaints. If the company doesn’t fix your issue, you have the right to go to the Data Protection Board of India.

The problem: Their policy doesn’t mention the Data Protection Board at all. If a student is unhappy with how their data is handled, the policy makes it seem like the DPO is the final stop. It isn’t.

Section 16 — Cross-Border Data Transfer ✅

What the policy says: They mention sharing data with “international affiliates.”

What the law requires: Data can be sent abroad unless the Indian government specifically “blacklists” certain countries.

The problem: While not a “fail,” Great Learning needs to be careful. As an EdTech firm with global university partners, they must ensure that your data doesn’t end up in a jurisdiction that India has restricted.

Risk Assessment

Recommendations

1. Stop relying on “Implied Consent”: Great Learning needs to add clear “I Agree” checkboxes for different things—one for the course, one for marketing, and one for sharing data with universities.
2. Set a “Use-By” Date: They must define how long they keep data. For example: “KYC data deleted 6 months after course completion.”
3. Add the “Right to Nominate”: Update the policy to let students name a person who can manage their academic records if something happens to them.
4. Link to the Data Protection Board: Tell users they can escalate complaints to the government board if the DPO doesn’t respond.
5. Ditch the GDPR language: Phrases like “General Data Protection Regulations 2018” (which is European) should be replaced with references to the Digital Personal Data Protection Act 2023.

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:

🔍 Run Your Free DPDP Audit →

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.