Data Processing Provisions
In this Annexure, unless the context requires otherwise:
Specific interpretive provision(s)
In this Annexure
“Data Controller” (and “controller”), “Data Processor” (and “processor”), “Data Subject”, “international recipient”, “Personal Data” and “processing” all have the meanings given to those terms in Data Laws (and related terms such as “process” have corresponding meanings);
references to any Applicable Laws (including to the Data Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including particularly the GDPR) and the equivalent terms defined in such Applicable Laws, once in force and applicable;
a reference to a law includes all subordinate legislation made under that law; and,
the terms of this Annexure shall survive termination (for any reason) or expiry of this Agreement (or of any of the Services).
Data processing provisions
1. Data Processor and Data Controller
The parties agree that, for the Protected Data, the Customer shall be the Data Controller and the Supplier shall be the Data Processor.
The Supplier shall comply with all Data Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement.
The Customer shall comply with all Data Laws in respect of the performance of its obligations under this Agreement.
2. Instructions and details of processing
Insofar as the Supplier processes Protected Data on behalf of the Customer, the Supplier:
unless required to do otherwise by Applicable Law, shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 2 and the Schedule (Schedule – Data Processing Details), and as updated from time to time by the written agreement of the parties (Processing Instructions); and,
if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest).
The processing to be carried out by the Supplier under this Agreement shall comprise the processing set out in the Schedule (Schedule – Data Processing Details), and such other processing as agreed by parties the parties in writing from time to time.
3. Technical and organisational measures
The Supplier shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Supplier:
such that the processing will meet the requirements of Data Laws and ensure the protection of the rights of Data Subjects;
so as to ensure a level of security in respect of Protected Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed; and,
without prejudice to clause 5(a), insofar as is possible, to assist the Customer in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data.
Without prejudice to clause 3(a)(ii), the Supplier shall, in respect of the Protected Data processed by it under this Agreement comply with the requirements regarding security of processing set out in Data Laws and in this Agreement.
4. Using staff and other processors
The Supplier shall not engage another Data Processor (Data Sub-Processor) except those set out in the Schedule (Schedule – Approved Data Sub-Processors) or additional Data Sub-Processors for carrying out any processing activities in respect of the Protected Data without the Customer’s express consent and, if such consent is given, only provided that such other Data Sub-Processor:
agrees to be bound by the same terms as under this Annexure, including in particular this clause and clause 6; and,
remains liable for the acts of its subcontractors as if they were its own.
In addition to clause 4(a), the Customer gives consent to use a Data Sub-Processor by providing account credentials to the Supplier for that Data Sub-Processor and the Customer is liable for the acts of its nominated Data Sub-Processors.
The Supplier shall ensure that all Supplier Personnel processing Protected Data are subject to a binding written contractual obligation with the Supplier to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
Without prejudice to any other provision of this Annexure, the Supplier shall ensure that the Supplier Personnel processing Protected Data are reliable and have received adequate training on compliance and the Data Laws applicable to the processing.
5. Assistance with the Customers applicable to the processing reason
The Supplier shall:
promptly record and then refer all Data Subject Requests it receives to the Customer within three (3) business days of receipt of the request;
where not available directly to the Customer via the Services, provide such information and cooperation and take such action as the Customer reasonably requests in relation to a Data Subject Request, within the timescales reasonably required by the Customer; and
not respond to any Data Subject Request without the Customer’s prior written approval.
The Supplier shall provide such information, co-operation and other assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to the Customer in ensuring compliance with the Customer’s obligations under Data Laws, including with respect to:
security of processing;
data protection impact assessments (as such term is defined in Data Laws);
prior consultation with a Supervisory Authority regarding high risk processing; and,
any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to the Customer’s prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.
6. International data transfers
The Supplier shall not transfer any Protected Data to any international organisation (an International Recipient) without the Customer’s prior written consent.
7. Records, information and audit
The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer, containing such information as the Customer may reasonably require, including:
the name and contact details of the Data Processor(s) and of each Data Controller on behalf of which the Data Processor is acting, and of the Supplier’s representative and data protection officer (if any);
the categories of processing carried out on behalf of each Data Controller;
where applicable, details of transfers of Protected Data to an International Recipient; and,
a general description of the technical and organisational security measures referred to in clause 3(a).
The Supplier shall make available to the Customer on request in a timely manner (and in any event within 3 Business Days) copies of the records under clause 7(a) , and such other information as the Customer reasonably requires to demonstrate the Supplier’s compliance with its obligations under Data Laws and these terms and conditions.
The Supplier shall at no cost to the Customer:
allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer for the purpose of demonstrating compliance by the Supplier with its obligations under Data Laws and under this Annexure; and
provide (and procure) reasonable access for the Customer or such other auditor (where practicable, during normal business hours) to
the records, as described in 7(a); and,
to the Supplier Personnel,
provided that the Customer gives the Supplier reasonable prior notice of such audit and/or inspection.
The Supplier shall promptly resolve, at its own cost and expense, all data protection and security issues discovered by the Customer and reported to the Supplier that reveal a breach or potential breach by the Supplier of its obligations under this Annexure.
If the Supplier is in breach of its obligations under this Annexure, the Customer may suspend the transfer of Protected Data to the Supplier until the breach is remedied.
The Customer shall be entitled to share any notification, details, records or information provided by or on behalf of the Supplier under this Annexure with the Customer Group, its professional advisors and/or the Supervisory Authority.
8. Notification of breach
In respect of any Personal Data Breach, the Supplier shall:
notify the Customer of the Personal Data Breach without undue delay (but in no event later than 24 hours after becoming aware of the Personal Data Breach); and
provide the Customer without undue delay (wherever possible, no later than 24 hours after becoming aware of the Personal Data Breach) with such details as the Customer reasonably requires regarding:
the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Protected Data records concerned;
any investigations into such Personal Data Breach;
the likely consequences of the Personal Data Breach; and,
any measures taken, or that the Supplier recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that, (without prejudice to the above obligations) if the Supplier cannot provide all these details within such timeframes, it shall (before the end of this timeframe) provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.
The Supplier shall promptly (and in any event within three (3) Business Days) inform the Customer if it receives a Complaint and provide the Customer with full details of such Complaint, but not respond to any Complaint without the Customer’s prior written approval.
9. Deletion of Protected Data and copies
The Supplier must promptly carry out requests from the Customer to delete all Protected Data for the purpose of ensuring the Customer’s compliance with the principles relating to processing of personal data, in particular those regarding data minimisation, accuracy and storage limitation.
The Supplier shall without delay, at the Customer’s written request, securely delete all the Protected Data to the Customer in such form as the Customer reasonably requests after the earlier of the end of the provision of the relevant Services related to processing or once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under these terms and conditions, and securely delete existing copies.
10. Liability and indemnities
The Supplier shall indemnify and keep indemnified, up to the cap specified in the Contract, the Customer in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, the Customer or any member of the Customer Group arising from or in connection with:
any breach by the Supplier of any of its obligations under clauses 1 to 9 (inclusive); or,
the Supplier (or any person acting on its behalf) acting outside or contrary to the lawful Processing Instructions of the Customer in respect of the processing of Protected Data.
This clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Laws to the contrary, except: (i) to the extent not permitted by Applicable Law (including Data Laws); and,
to the extent not permitted by Applicable Law (including Data Laws); and
that it does not affect the liability of either party to any Data Subject
Schedule – Data Processing Details
Subject-matter of processing
Corporate officers and employees and authorised users will have personal data collected
Duration of the processing
For the term the Services is provided.
Nature and purpose of the processing
Personal data relating to educational activities collected by the Customer using the Services deliverables. The data to be collected is determined by the Customer and typically includes, name, email, telephone number, and other personal identification information. In addition, an IP Address is collected. The purpose of processing this information is to assist in the educational activities of the Customer.
Type of Personal Data:
In addition to IP Address and email address, the Type of Personal Data to be collected is determined by the Customer.
Categories of Data Subjects:
The category of Data Subjects is determined by the Customer.
a) Technical and organisational security measures
All Personal Data is to be stored in a cloud database that is not shared with any other customer of the Supplier.
Many features in the Service deliverables can be used by the Customer to Process Personal Data. These include reporting, export, interfaces to external Customer systems, email, consent management, anonymisation and more. The Customer can utilise these features to manage their own Processing Instructions.
Approved Data Sub-Processors:
The Supplier has contracted the following organisations as Data Processors to supply services used in processing and storing Personal Data for the Customer: See Subprocessors
Last revised on 13th June, 2019