DATA PROCESSING AGREEMENT
Xxxxxxxxx, xxx 00 October 2019
Mod På Matematik
The following pages contain the details of the agreement that, under the General Data Protection Regulation (GDPR), must be in place between Area9 Lyceum and each individual housing organisation.
The agreement must be entered into because each housing organisation is the data controller for the personal data that Area9 Lyceum processes in connection with the Mod På Matematik project. The agreement thereby serves as an instruction on how Area9 Lyceum is obliged to process the personal data properly and securely.
Area9 Lyceum will then sign the agreement and return the final, binding version to the housing organisation.
Kind regards,
Xxx Xxxxx Xxxxxx, Area9 Lyceum
The following Data Processing Agreement is entered into between Licensee ("Controller") and Area9 Lyceum ApS, Company Xxx.xx. DK 39089976, Galionsvej 37, XX-0000 Xxxxxxxxxx X, Xxxxxxx, ("Processor") concerning Processing of Personal Data.
2 DEFINITIONS AND INTERPRETATION
2.1 The DPA forms part of and uses the same definitions as set out in the Commercial Agreement between the Parties. In addition, the following words and expressions have the meanings stated below unless the context requires otherwise.
DPA; this data processing agreement including any schedules, appendices and amendments hereto in the Contract Period.
Contract Period; the period from the day the DPA enters into force until the expiry of the DPA or termination for any other reason.
Controller; Licensee, who as controller decides the purposes and means of the Processing of Personal Data.
Data Protection Law; the legislation, as amended, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a controller in the EU or EEA country where the Controller is established, including but not limited to the GDPR. If the Controller is not established in an EU or EEA Country, Data Protection Law shall include the laws where the Processor is established, including but not limited to the GDPR.
Data Subject; an identified or identifiable natural person (an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) as further described in Appendix A.
EEA; the European Economic Area.
Effective Date; the date of the parties entering into this DPA or the effective date of the Commercial Agreement.
EU; the European Union.
GDPR; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Commercial Agreement; Any commercial agreement between the parties, e.g. license agreements concerning the Area9 Adaptive Platform accepted by Licensee, Statements of Work, etc.
Personal Data; any information, in whatever form, relating to a Data Subject which is Processed under the DPA.
Personal Data Breach; a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Process/Processing; any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processing Operations; the processing operations described in Appendix A.
Processor; the Area9 entity as defined above, who as processor Processes Personal Data on behalf of the Controller.
Purpose of the DPA; the purpose of the Processing as described in clause 2 of the DPA.
Sub-processor; as defined in clause 7.
2.2 Any words following the terms "including", "include", "in particular" or "for example" or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
2.3 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
3 PURPOSE AND BACKGROUND
3.1 The Processor Processes Personal Data on behalf of the Controller, as a part of carrying out the Processing Operations.
3.2 The Purpose of the DPA is to:
(i) describe the terms and conditions for the Processor's Processing of Personal Data on behalf of the Controller as set out in Data Protection Law;
(ii) ensure the security and the protection of the Personal Data that the Processor Processes on behalf of the Controller;
(iii) ensure that all Processing of Personal Data is carried out in accordance with Data Protection Law; and
(iv) ensure that the rights of the Data Subject are respected and appropriately secured at any time.
3.3 The DPA applies to any Processing of Personal Data performed by the Processor in connection with the performance of the Services to the Controller under the Commercial Agreement.
3.4 The types of Personal Data which the Processor Processes and the categories of data subjects to whom the Personal Data relate under the DPA are set out in Appendix A.
4 INSTRUCTION
4.1 The Processor may only Process the Personal Data on documented instruction from the Controller, including with regard to transfers of personal data to a third country or an international organisation unless required to do so by mandatory EU or member state law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 The Processor is instructed to perform the Processing Operations in accordance with the DPA.
5 OBLIGATIONS OF THE PROCESSOR
5.1 Processor shall:
a) immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law or other applicable EU or member state law;
b) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subjects' rights as these are stated in the Data Protection Law, including without limitation the Data Subjects' rights laid down in the GDPR Chapter III;
c) assist the Controller in ensuring compliance with the Controller's obligations under GDPR articles 32-36 taking into account the nature of the Processing and the information available to the Processor;
d) at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the term of the DPA, and delete existing copies unless EU or member state law requires storage of the Personal Data, as further set out in clause 11; and
e) make available to the Controller all information necessary to demonstrate compliance with the DPA and Data Protection Law and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller as further set out in clause 8.
5.2 If the Processor receives any complaint, notice or communication which relates directly or indirectly to the Processing of Personal Data or to either party's compliance with Data Protection Law, it shall without delay notify the Controller.
5.3 The Processor may charge the Controller for all services provided and costs incurred by the Processor in relation to the Processor's fulfilment of its obligations under clauses 4.1b), 4.1c), 4.1d), 4.1e), 8 and 11, in accordance with the Processor's applicable time and material rates.
6 OBLIGATIONS OF THE CONTROLLER
6.1 The Controller will be solely responsible and liable for its compliance with applicable law as Controller.
6.2 The Controller warrants that the Controller has all necessary rights to Process all Personal Data and to let the Processor process the Personal Data on behalf of the Controller as set out in the Commercial Agreement, including the DPA, including but not limited to having acquired relevant consents.
6.3 The Controller warrants that Processing of the Personal Data in accordance with the Controller's instructions will not violate Data Protection Law.
6.4 The Controller will promptly notify the Processor if it becomes aware that Processor's Processing of the Controller's Personal Data may be contrary to Data Protection Law.
7 SECURITY MEASURES
7.1 The Processor is obligated to take all measures required pursuant to article 32 of the GDPR.
8 SUBPROCESSORS
8.1 The Controller gives its general written authorisation for the Processor to engage other processors to perform Processing of the Personal Data ("Sub-processor"). The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors with at least 1 month's written notice, thereby giving the Controller the opportunity to object to such changes. If the Controller objects to the changes, the Processor may terminate the Commercial Agreement, including the DPA, upon 3 months' written notice.
8.2 If the Processor makes use of Sub-processors in accordance with clause 7.1, the Processor must enter into a written agreement with each Sub-processor which imposes the same obligations on the Sub-processor as are imposed on the Processor under this DPA.
8.3 Where a Sub-processor fails to fulfil its data protection obligations under the data processing agreement referred to in clause 7.2, the Processor shall remain fully liable to the Controller for the Sub-processor's performance of its obligations.
8.4 The Controller has given its authorisation for the Processor to engage the Sub-processors listed in Appendix A to perform Processing of the Personal Data.
8.5 The Controller has instructed the Processor to use Amazon Web Services EMEA SARL, including its Sub-processors, as a Sub-processor on the terms set out on xxxxx://xxx.xxxxxx.xxx/xxxxxxxxx/ and xxxxx://x0.xxxxxxxxx.xxx/xxxxx/xxx- which are hereby incorporated into the DPA by reference.
8.6 The Controller agrees that the agreement available on xxxxx://x0.xxxxxxxxx.xxx/xxxxx/xxx-gdpr/AWS_GDPR_DPA.pdf fulfils all Processor obligations under clause 7.2 in relation to the Processor's use of Amazon Web Services EMEA SARL, and its Sub-processors, as a Sub-processor when entered into between the Processor and Amazon Web Services EMEA SARL.
8.7 Under the Commercial Agreement, the Parties have agreed that the Personal Data may be processed by Amazon Web Services EMEA SARL in data region centres specifically agreed in Appendix A to the DPA.
8.8 The Processor may update the web links provided in this clause 7 if the referenced documents are moved to other web addresses.
9 AUDITS
9.1 Upon request, the Controller is entitled to receive copies of auditor reports and security certificates covering Processor's Processing of the Personal Data (if any).
9.2 Upon request, the Controller (or an inspection body appointed by the Controller, composed of independent members in possession of the required professional qualifications and bound by a duty of confidentiality) will be entitled to perform audits and inspections of the Processor's facilities and security practices directly related to the Processing of Personal Data under the DPA in order to monitor compliance with this DPA. Any audit request is to be given with reasonable written notice of not less than thirty (30) days, unless otherwise required by law or a relevant data protection agency. For the avoidance of doubt, audits and inspections do not include access to information about the general cost structure of the Processor or to information concerning other customers of the Processor. At the request of the Controller, any persons participating in any audits or inspections under this clause 8.2 must sign a non-disclosure agreement. Irrespective of whether a non-disclosure agreement has been signed or not, any information gathered or received from the Processor must be kept confidential and may in all circumstances only be shared with the Controller. The Controller may not disclose the information to any third party or use the information for any other purpose than to evaluate whether the Processor complies with the DPA.
10 PERSONAL DATA BREACH
10.1 The Processor shall inform the Controller without undue delay after becoming aware of any Personal Data Breach.
11 CONFIDENTIALITY
11.1 The Processor will ensure that the persons authorised to Process Personal Data have committed themselves to the same duty of confidentiality as the Processor under the DPA.
12 DELETION ETC.
12.1 On request from the Controller and no later than by the termination of the Commercial Agreement, the Processor shall either, at the Controller's discretion, return or delete Personal Data comprised by this DPA, including any copies – both physical and electronic – that may exist including any Personal Data transferred to Sub-processors in accordance with clause 7.
12.2 Deletion of Personal Data is to be an irrevocable removal resulting in no possibility of re-creation from all storage media where the Personal Data has been stored.
13 TERM AND TERMINATION
13.1 The DPA will take effect upon the Effective Date and shall continue in force for as long as (i) the Processor delivers services to the Controller under the Commercial Agreement or (ii) the Processor Processes Personal Data on behalf of the Controller, whichever is later.
14 OTHER PROVISIONS
14.1 As the DPA is a part of the Commercial Agreement, to the extent possible under Data Protection Law all terms of the Commercial Agreement apply to the DPA, including without limitation clauses 4, 6, 7 and 11.
14.2 Both Parties shall be entitled to require the DPA renegotiated if changes to the law or inexpediency of the provisions contained herein should give rise to such renegotiation.
Processor: Area9 Lyceum ApS
____________________
[NAME]

Controller:
____________________
[NAME]
Appendix A to the DPA
In connection with the Processor's Processing of Personal Data on behalf of the Controller, the Controller gives the Processor the instruction to Process Personal Data for the purposes set out below:
1. General description and purpose of the Processing Operations (instruction)
The Processor is making a generic learning platform available to the Data Controller and the end users that are designated by the Data Controller on the Data Controller's or a Sub-processor's servers.
The Processor shall process the Personal Data of the Controller for the purpose of providing the Services as set out in the Commercial Agreement, including:
● to have an ability to provide access to the Area9 adaptive learning platforms for the Data Subjects.
● to have an ability to personalize an educational curriculum during use for the Data Subjects.
● to provide data and analytics regarding competence and completion regarding Data Subjects and group performance for Data Controller's consumption.
● to allow employees or consultants on behalf of the Data Controller to author content.
2. Categories of Data Subjects
The Categories of Data Subjects are:
(i) Employees of the Data Controller working with the Platform, producing content, learning and/or accessing information about learning.
(ii) Customers of the Data Controller who have purchased access to the Platform via the Data Controller.
(iii) Customers of the Data Controller who have purchased access to the Platform via the Data Processor.
3. Types of Personal Data
The types of Personal Data are:
● Company ID (if provided)
● First and last name
● Organizational meta-data (as provided by the Data Controller), including:
○ Department
○ Manager
○ Employees
● Recorded actions within the system during regular use, including:
○ Content accessed
○ Answers given
○ Time spent
○ Self-evaluation scores
○ Completion score
○ Comments and feedback
○ Content created
4. Duration of the Processing:
The Processor will retain Personal Data regarding each end user for as long as the Controller considers the individual account active and for up to 6 months following that. Upon notification to the Processor of an account becoming inactive, the Processor will schedule removal no earlier than 4 months and no later than 6 months after the notification date. No further notification or confirmation to the Controller will be given.
In the event of termination of the Commercial Agreement, the Processor will remove the data from the servers within 30 days. A copy of the data can be provided to the Controller on request. Such request must be received within 7 days of the termination date of the Commercial Agreement.
5. The Controller has currently given its consent to the Processor's use of the following Sub-processors:
Company name and address | Description of processing
--- | ---
Amazon Web Services EMEA SARL, 0 xxx Xxxxxxx, X-0000 Xxxxxxxxxx | Data center provider and cloud provider of virtual computer power and software services
Amazon Web Services EMEA SARL, regions to utilize for end-user data | [X] Germany – AWS Region Frankfurt (EU); [ ] Ireland – AWS Region Ireland (EU); [ ] Asia Pacific – AWS Region Singapore (Non-EU); [ ] US East – AWS Region Ohio (Non-EU)
Area9 Technologies ApS, Company xxx.xx: 34489343, Xxxxxxxxxx 00, XX 0000 Xxxxxxxxxx X, Xxxxxxx | IT support and server hosting
Area9 Labs ApS, Company xxx.xx: 25167406, Xxxxxxxxxx 00, XX 0000 Xxxxxxxxxx X, Xxxxxxx | IT support and server hosting
Area9 Innovation ApS, Company xxx.xx: 36921897, Xxxxxxxxxx 00, XX 0000 Xxxxxxxxxx X, Xxxxxxx | IT support and server hosting
Area9 Lyceum ApS, Company xxx.xx: 39079976, Xxxxxxxxxx 00, XX 0000 Xxxxxxxxxx X, Xxxxxxx | IT support and server hosting