PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Subject matter and duration of the processing of User and Authorized User personal data: The subject matter and duration of the processing of the User Data are set out in the Agreement and this Addendum.
The nature and purpose of the processing of User personal data: Provider will process personal data as necessary to perform the services or provide the Products pursuant to the Agreement, as further instructed by User (as expressly set forth in this Addendum) in its use of the Products or Services.
The types of User personal data to be processed: User may submit personal data to Provider to enable Provider to perform the Services and provide the Products, the extent of which is determined and controlled by User in its sole discretion, and which may include (depending on the nature of the Services or Products): • First and last name and title; • Employer and position; • Course title: • Contact information (email or username), cell / mobile phone number); • Device identification data (Device ID); • Electronic identification data (IP address; MAC address); • Technical data (operating system information; software logs; crash reports); • Username and password to access the Products.
DATA PROCESSING (GDPR, EU STANDARD CONTRACTUAL CLAUSES AND CCPA)
This Addendum amends and forms part of the Agreement between the Parties that references this Addendum. In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
In the course of providing the Services or Products to User pursuant to the Agreement, Provider may process personal data on behalf of User. This Addendum sets out the additional terms, requirements and conditions on which Provider will process personal data as far as such processing relates to the performance of the Services or provision of the Products.
1. Processing of Personal Data.
1.1. Roles of the Parties. The Parties acknowledge that for the purposes of the Data Protection Legislation and solely in respect of personal data submitted by or on behalf of User (“User Personal Data”) to Provider for processing in the course of providing the Services or Products, User is the controller and Provider is the processor. As used in this Attachment, “Data Protection Legislation” means all applicable privacy and data protection laws including (i) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws, regulations and secondary legislation including the UK Data Protection Act 2018, (ii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and (iii) any replacement legislation implemented by the United Kingdom (“UK”) pursuant to the withdrawal of the UK from the European Union, in each case as amended, replaced or updated from time to time. Where used in this Addendum, the terms “controller”, “processor”, “data subject”, “personal data”, and “processing” (including “process”) shall have the meanings given to them or to similar terms in the applicable Data Protection Legislation.
1.2. Details of Processing. Both Parties will comply with all applicable requirements of the Data Protection Legislation. User appoints Provider as a processor to process such personal data on behalf of User, and in accordance with User’s documented instructions. The scope of such instructions is initially defined by the Agreement. Provider shall inform User if it cannot comply with User’s documented instructions for whatever reason. In any such case, the parties shall work together to find an alternative. If Provider notifies User that neither the instruction nor an alternative is feasible, User may terminate the affected Services in accordance with the terms of the Agreement. Any previously accrued rights and obligations will survive such termination. User acknowledges that certain specific instructions may result in additional fees payable by User to Provider, such fees to be agreed by User and Provider.
1.3. User Responsibilities. User will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to Provider. User shall not cause Provider to violate any applicable laws in its processing of the personal data in accordance with User’s instructions.
1.4. California Consumer Privacy Act (“CCPA”). Provider is a “Service Provider” as defined in CCPA Section 1798.140(v). User discloses personal data to Provider solely for: (i) a valid business purpose; and (ii) Provider to perform the Services or provide the Products. Provider is prohibited from: (i) selling User’s personal data; (ii) collecting, retaining, using, or disclosing User’s personal data for any purpose other than providing the Services and Products to User; and (iii) collecting, retaining, using, or disclosing User’s personal data outside of the direct business relationship between Provider and User. Provider certifies that it understands the prohibitions outlined in this Section 1.4
and will comply with them. User understands and agrees that Provider may use sub-processors to provide the Services and process personal data on User’s behalf in accordance with Section 7 below. The parties agree that any monetary consideration provided by User to Provider is provided for the provision of the Services and not for the provision of personal data.
1.5 Federal Education Rights and Privacy Act (“FERPA”).
Included in the link is language relevant to Provider’s Products which normally only require a student’s name and e-mail address (either through the educational institution or their personal or work e-mail):
Directory Information Exception: Another exception to consent that permits the disclosure of PII from education records is the directory information exception. Information designated by the school or district as directory information may be disclosed without consent and used without restriction in conformity with the policy, unless the parent/guardian or eligible student opts out. Examples of directory information about students include name, address, telephone number, email address, date and place of birth, grade level, sports participation, and honors or awards received. Before a school or district can disclose directory information, it must first provide public notice to parents and eligible students of the types of information designated as directory information, the intended uses for the information, and the right of parents or eligible students to “opt out” of having their information shared.
2.1. Security Measures. Provider shall maintain appropriate technical and organizational measures to protect against a Security Incident as defined below, appropriate to the harm that might result from a Security Incident and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
2.2. Breach Notification. Provider shall, to the extent permitted by law, notify User without undue delay upon discovery of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Personal Data processed by Provider (each a “Security Incident”).
Provider shall ensure that all personnel who process, or have access to, personal data have committed themselves to keep the personal data confidential in accordance with Provider’s confidentiality obligations under the Agreement.
4. Cooperation with User.
Taking into account the nature of the processing and the information available to Provider, Provider shall reasonably assist User, at User’s expense, in responding to any request from a data subject exercising its rights (such as rights to rectification, erasure, blocking, accessing their personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making) and in responding to any inquiries from, or communicating with, a data protection regulator or data subject (including with regard to a Security Incident), and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
5. Return and Deletion of Personal Data.
At the written direction of User, Provider shall delete or return personal data and copies thereof to User following termination of the Agreement unless required by applicable law (including any Data Protection Legislation) to store the personal data.
6.1. Audit Requirements. The parties acknowledge that User must be able to assess Provider’s compliance with its obligations under Data Protection Legislation, to the extent that Provider is acting as a processor on behalf of User. User agrees to exercise any right it may have to conduct an inspection or audit (including under the Standard Contractual Clauses, as applicable) by written notice to Provider to carry out the audits described in Section 6.2.
6.2. Audit Procedures. Upon not less than thirty (30) days’ advance written notice to Provider and no more frequently than once annually, with Provider’s reasonable costs of complying with any such request to be met by User, Provider shall (i) make available all information necessary to demonstrate to User its compliance with Article 28 of the GDPR, including without limitation, executive summaries of its information security and privacy policies, and (ii) cooperate with and respond promptly to User’s reasonable privacy and/or security questionnaire(s). Notwithstanding the above, if User’s request for audit occurs during Provider’s quarter or year end, or such other time during which Provider cannot reasonably accommodate such request, the parties shall mutually agree on an extension to the thirty (30) days’ advance written notification. User shall execute a confidentiality agreement in form and substance reasonably satisfactory to Provider prior to such audit. For the avoidance of doubt, nothing contained herein will allow User to review data pertaining to Provider’s other Users or partners. User shall bear its own costs and expenses with respect to the audits described in this Section 6.2. The parties shall use all reasonable endeavors when exercising rights under this Section 6 to minimize disruption to Provider’s business activities.
7.1. Use of Sub-Processors. User provides general written authorization for: (a) Provider to engage sub-processors (b) Provider to engage Provider’s Affiliates as sub-processors, and (c) Provider’s Affiliates to engage third-party sub-processors (including other Affiliates as sub-processors). For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). Provider and its Affiliates may engage such sub-processors to process personal data for the purposes set forth in the Addendum, provided that:
7.1.1.Provider has entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum; and
7.1.2. Provider remains liable for the acts and omissions of its sub-processors to the same extent Provider would be liable if performing the Services of each sub-processor directly under the terms of this Addendum.
7.2. Changes to Sub-Processors. If Provider or its Affiliates appoint a new (or removes an existing) sub-processor, it shall notify User.
Copyright © 2020 Competitive Collaboration - All Rights Reserved.