Data Processing Addendum
Last Updated January 5, 2019
1.1 This Personal Data Processing Addendum (“DPA”) is an integral part of the Service Agreement (“Service Agreement”) entered into between Learning Agents Inc., a Canadian corporation (“Service Provider”), the provider of the CanCred Factory service, which is a service issuing and managing digital credentials (“Service”), and its customer (“Customer”) concerning the Service.
1.2 The purpose of this DPA is to agree on the privacy and data protection of the Personal Data of the Customer and/or its employees, agents, subcontractors and customers Processed by the Service Provider as part of the Service on behalf of the Customer pursuant to or in connection with the Service Agreement (“Customer Personal Data”). The Service Provider is committed to complying with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”), and this DPA incorporates into the Service Agreement the relevant provisions of the GDPR.
1.3 If the terms of this DPA and the Service Agreement concerning the Processing of the Customer Personal Data are in conflict, the parties will apply the terms of this DPA.
2.1 In accordance with the GDPR, the terms below are defined as follows:
(a) “Controller” means the Customer, who determines the purposes and means/methods of the Processing of the Customer Personal Data.
(b) “Processor” means the Service Provider, who processes the Customer Personal Data on behalf of the Customer based on and for the purposes of fulfilling its obligations under the Service Agreement, this DPA and the documented instructions of the Customer.
(c) “Processing” means any operation or set of operations which is performed on the Customer Personal Data or sets of Customer Personal Data, whether or not by automated means, such as data collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The words “process” and “processed” will have the same meaning as “processing”.
(d) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) Processed by the Service Provider on behalf of the Customer. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(e) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed by the Customer and/or the Service Provider and/or its Subprocessors.
3. Rights and Obligations of the Service Provider
3.1 Controller-Processor Designation. The Customer determines the purpose and means/methods of the Customer Personal Data Processing activities performed by the Service Provider to deliver the Services under the Service Agreement and is considered the Controller. The Service Provider Processes the Customer Personal Data on behalf of the Customer, on the grounds of the Service Agreement, this DPA and the written instructions of the Customer, and is considered the Processor. The Customer Personal Data that the Service Provider Processes may relate to the Customer’s employees, agents, subcontractors or customers.
3.2 Compliance with Laws. (a) The Service Provider undertakes to abide by the current and in force applicable data protection laws and data protection authority orders concerning its Personal Data Processing activities, including GDPR and if necessary, to amend the terms of this DPA to conform to them. (b) The Service Provider is obligated, taking into account the nature of the Processing of the Customer Personal Data and the extent of the Processing, to assist the Customer in ensuring that the Customer complies with its legal obligations. The Customer’s legal obligations may include obligations regarding data security, notifying of Personal Data Breaches, data protection impact assessments and prior consultations with data protection authorities. The Service Provider is obligated to assist the Customer only to the extent that applicable laws obligate any personal data processor.
3.3 Grounds for Processing. The Service Provider is only entitled to Process the Customer Personal Data on the grounds of the Service Agreement, this DPA and according to the written instructions of the Customer and only to the extent and in the manner it is necessary in order to provide the Services.
3.4 Conflict. The Service Provider will immediately notify the Customer if, in the Service Provider’s opinion, an instruction from the Customer may infringe or conflict with any applicable data protection laws of the EU or the relevant country in the EU. If such conflict is detected by the Service Provider, the Service Provider may immediately decline and stop providing the Services to the Customer.
3.5 Records of Processing. The Service Provider will maintain the Service description and other records of the Processing operations of the Service prescribed by the GDPR for personal data processors.
3.6 Deletion/return of data. After the expiry or termination of the Service Agreement, the Service Provider will return or delete, according to the instructions of the Customer and/or the Service Agreement, all Customer Personal Data and delete all duplicates, unless applicable laws require the retention of the Customer Personal Data.
3.7 Subcontractors. (a) The Service Provider may use subcontractors (“Subprocessors”) for Processing the Customer Personal Data. (b) The Service Provider is responsible for its Subprocessors’ actions as for its own. (c) The Service Provider will enter into written service agreements with the Subprocessors concerning the Processing of any Customer Personal Data, under which the Subprocessors will be obligated (i) to comply with the applicable data protection laws, including GDPR, and (ii) to provide the same data protection obligations as set out by this DPA. (d) The Customer authorizes the Service Provider to appoint Subprocessors in accordance with this section (and to permit each Subprocessor appointed in accordance with this section to appoint further Subprocessors in accordance with this section). (e) The Service Provider may continue to use those Subprocessors already engaged by the Service Provider as at the effective date of this DPA if they meet the requirements of this section’s subsection (b). (f) The Service Provider will inform the Customer beforehand of the identity of Subprocessors the Service Provider intends to use in Processing the Customer Personal Data pursuant to the Service Agreement. (g) The Customer is entitled to oppose the use of a new Subprocessor on reasonable grounds by notifying the Service Provider in writing of its objective reasons to oppose within thirty (30) business days after receipt of the Service Provider’s notice. In the event the Customer objects to a new Subprocessor, the Service Provider will use reasonable efforts to make available to the Customer a change in the Services to avoid Processing of Customer Personal Data by the objected-to new Subprocessor. If the Parties are unable to reach an agreement concerning the use of a new Subprocessor, the Customer is entitled to terminate the Service Agreement with thirty (30) days’ notice, in so far as the change of Subprocessor affects the Processing of Customer Personal Data pursuant to the Service Agreement.
3.8 Data Subject Requests. The Service Provider will immediately forward to the Customer all Data Subject requests to exercise the Data Subject’s right (a) of access, (b) to rectification, (c) to erasure, (d) to restriction of Processing, (e) to data portability, (f) to object to the Processing or (g) not to be subject to automated decision-making (“Data Subject Requests”). It is the Customer’s duty to ensure a response to such Data Subject Requests. To the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, the Service Provider shall provide reasonable assistance and cooperation to the Customer in responding to such request by implementing appropriate and feasible technical and organizational measures to respond to Data Subject Requests, taking into account the nature of the Processing.
3.9 Security Cooperation and Assistance. Taking into account the nature, scope, context and purposes of the Processing, the Service Provider will provide reasonable cooperation and assistance to fulfil the Customer’s obligation under the GDPR to implement appropriate technical and organisational measures, insofar as this obligation relates to the Services.
3.10 Data Protection Impact Assessment and Prior Consultation. Upon the Customer’s request, the Service Provider will provide the Customer with reasonable cooperation and assistance to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Customer’s use of the Services, to the extent the Customer does not otherwise have access to the relevant information. Upon the Customer’s request, the Service Provider will provide reasonable cooperation and assistance to the Customer in the prior consultation with the relevant data protection authority.
3.11 Communication with Data Protection Authorities. The Service Provider will direct all inquiries of data protection authorities directly to the Customer, and the Service Provider will not be authorized to represent the Customer, or act on behalf of the Customer, with the data protection authorities supervising the Customer.
3.12 Anonymous Data. In accordance with the Service Agreement, the Service Provider is entitled to collect anonymous and statistical data on the use of the Services that does not identify the Customer or other Data Subjects, and the Service Provider only uses it for analysing and developing the Services.
4. Rights and Obligations of the Customer
4.1 Legal Bases of Processing. As Controller, the Customer is responsible for ensuring that its Processing activities are lawful and that it relies on appropriate and lawful legal bases in order to Process Customer Personal Data pursuant to the Service Agreement.
4.2 Records of Processing, Data Subject and Data Protection Authority Notifications. The Customer will be responsible for creating and keeping records of Processing as required of personal data controllers, as well as informing the Data Subjects and providing notifications to the relevant data protection authorities.
4.3 Compliance with Laws. The Customer undertakes to abide by the current and in force applicable data protection legislation and data protection authority orders concerning its Customer Personal Data Processing activities, including GDPR.
5. Processing outside of EU/EEA
5.1 Prior Written Approval. The Service Provider and its Subprocessors will not Process Customer Personal Data outside the EU/European Economic Area (“EEA”) without the prior written approval of the Customer.
5.2 Appropriate Safeguards. The Service Provider will maintain appropriate safeguards for the duration of this DPA with respect to the transfer of Customer Personal Data outside of the EU/EEA. The Service Provider agrees to reasonably execute necessary additional terms with the Customer, as instructed by the Customer from time to time, to provide appropriate safeguards, including as appropriate the standard data protection contractual clauses adopted and approved by the European Commission concerning the transfer of Personal Data outside of the EU/EEA.
6.1 Customer’s Audit Rights. Upon the Customer’s request and to the extent reasonably required, the Service Provider will make available to the Customer relevant information necessary to demonstrate compliance with GDPR. The Customer or an auditor authorized by the Customer (however, not a competitor of the Service Provider) is entitled to audit whether the Service Provider’s Processing activities are in compliance with the Service Agreement, this DPA and the written instructions of the Customer. The Parties will agree on the time of the audit and other details ahead of time, no less than 30 days before the inspection. The audit will be carried out in a way that avoids causing any damage or disruption to the Service Provider’s or its Subprocessors’ premises, equipment and business.
6.2 Access. Access to the Service Provider’s premises for the purposes of such an audit is subject to: (a) the production of reasonable evidence of identity and authority by the auditors; (b) normal business hours; (c) the audit personnel having committed themselves to confidentiality by executing written confidentiality obligations; and (d) access only to information that is strictly relevant to the Services.
6.3 Expenses. The Customer will be responsible for its own and the Service Provider’s expenses caused by the audit. If notable defects are discovered during the audit, the Service Provider will be liable for the costs incurred from the audit.
7. Data Security
7.1 Technical and Organisational Measures. The Service Provider will implement appropriate technical and organisational measures to protect the Customer Personal Data, in particular against unauthorized, unlawful or accidental destruction, loss, damage, alteration or disclosure of, or access to, Customer Personal Data, taking into account the nature, scope, context and purposes of Processing, as well as all the risks of Processing affecting the Customer and other Data Subjects. In the implementation of appropriate technical and organisational measures, the Service Provider will take into account the state of the art of the technical options and their costs to ensure a level of security appropriate to the specific risks of the Processing at hand and the sensitivity of the Personal Data Processed.
7.2 Customer’s Obligations. The Customer will notify the Service Provider of all circumstances concerning the Customer Personal Data, such as risk assessments and the handling of special categories of sensitive Personal Data, that affect the technical and organisational measures to be implemented by the Service Provider pursuant to this DPA.
7.3 Limited Access and Confidentiality. Customer Personal Data will be made available only to the Service Provider’s personnel or Subprocessors that require access to such Customer Personal Data for the performance of the Services. The Service Provider will ensure that its personnel and Subprocessors have committed themselves to confidentiality of the Customer Personal Data by executing the appropriate written non-disclosure agreements.
8. Personal Data Breaches
8.1 Notification. In the event that the Service Provider discovers, receives notice of, or suspects a Personal Data Breach by the Service Provider and/or its Subprocessors, the Service Provider will notify the Customer without undue delay after becoming aware of the Personal Data Breach.
8.2 Information Provision. The Service Provider will make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as the Service Provider deems necessary and reasonable in order to remediate the cause of such Personal Data Breach, to the extent the remediation is within the Service Provider’s reasonable control. If requested by the Customer, the Service Provider will, without undue delay, give the Customer all relevant information concerning the Personal Data Breach. In so far as the information in question is available to the Service Provider, the Service Provider will describe the following to the Customer:
(a) the description of the Personal Data Breach,
(b) the number of Data Subjects affected, as well as the types and number of Personal Data records affected,
(c) a description of the likely consequences caused by the Personal Data Breach, and
(d) a description of the remedial or mitigation measures that the Service Provider has implemented or will implement in order to prevent Personal Data Breaches in the future.
8.3 Documentation. The Service Provider will document and report to the Customer (i) the results of any Personal Data Breach investigation, (ii) the effects of the Personal Data Breach and (iii) the implemented remedial measures.
8.4 Notification of a Personal Data Breach. The Customer is liable for the necessary notifications to Data Subjects and the relevant data protection authorities. Upon the Customer’s request, the Service Provider will provide the Customer with reasonable cooperation and assistance to fulfil the Customer’s obligation under the GDPR to notify a Personal Data Breach to the relevant data protection authority and to communicate on a Personal Data Breach to the Data Subject, insofar as this obligation relates to the Services.
9. Other provisions
9.1 Damages. If any tangible or intangible damage is caused to a Data Subject due to any Personal Data Breach, the Service Provider will be liable for the damage only in so far as it has not complied with the obligations directed to personal data processors in the GDPR or this DPA, unless the Service Provider proves that it is not in any way responsible for the event giving rise to the damage.
9.2 Proportionate Liability. Where both the Customer and the Service Provider are responsible for any damage caused by Processing to a Data Subject, each party shall be held liable for the entire damage in order to ensure effective compensation of the Data Subject. The party who paid full compensation for the damage suffered shall be entitled to claim back from the other party involved in the same Processing that part of the compensation corresponding to the other party’s share of responsibility for the damage, as confirmed in the final decision of a data protection authority or a court of law.
9.3 Change Notification. The Service Provider will notify the Customer in writing of all changes that may affect its ability to abide by this DPA and the written instructions of the Customer.
9.4 Amendments. The Parties must agree on all amendments to this DPA in writing.
9.5 Effect. This DPA will enter into force upon the Customer’s acceptance of the Service Agreement. The DPA will remain in force for as long as (i) the Service Agreement is in force or (ii) the parties have obligations regarding the Processing of Customer Personal Data towards one another.
9.6 Survival. Those obligations that due to their nature are meant to survive the expiry or termination of this DPA will remain in force after the expiry or termination of this DPA.