Data processing agreement
This Data Processing Agreement is concluded between EasyLMS B.V. (“Processor”) and its clients (the client is the “Controller”) for which it processes personal data as a processor;
Hereinafter each a “Party” and collectively the “Parties”;
Whereas:
A. This Data Processing Agreement forms an integral part of the Easy LMS Terms and Conditions (“Terms and Conditions”) as well as the agreement between Processor and the Controller, with respect to the online learning management system offered by Processor to the Controller (the “Service(s)”);
B. In order for Controller and its participants to make use of the Services, Processor must process the personal data (“Personal Data”) of the Controller’s employees and/or other participants (jointly: “Data Subjects”) who use the content created by the Controller in the Services;
C. The categories of Personal Data as well as the other details with respect to the processing of the Personal Data are described in Schedule 1 to this Data Processing Agreement;
D. The General Data Protection Regulation (REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), (“GDPR”) is applicable to the processing of the Personal Data;
E. On the basis of the GDPR, the Parties are required to conclude this Data Processing Agreement.
1. Definitions
1.1. In addition to the defined capitalized terms above, the following capitalized terms shall have the following meanings:
1.2. “DPA”: a competent Data Protection Authority.
1.3. “EEA”: the European Economic Area.
1.4. “Personal Data Breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data.
1.5. “Processing”: those processing actions carried out with the Personal Data as defined in the GDPR, including without limitation storing it, viewing it, portioning it off, deleting it, altering it, forwarding it.
1.6. “Schedule”: a schedule to this Data Processing Agreement.
1.7. “Services Agreement”: the agreement on the basis of which the Services are provided, which may consist of the Terms and Conditions and/or another type of agreement.
1.8. “Sub-processor”: a third party to which Processor subcontracts the Processing of the Personal Data, whether in whole or in part.
2. General obligations
2.1. With regard to the Personal Data, Processor takes appropriate technical and organizational measures to ensure compliance with the GDPR and the protection of the rights of the Data Subjects.
2.2. Controller declares that it complies with the GDPR with regard to the Personal Data that are Processed by the Processor. It is the Controller’s responsibility to comply with the applicable personal data legislation with regard to the Personal Data created in or uploaded to the Service. This includes without limitation having a legal ground for the Processing (e.g. valid consent if so required) of the Personal Data, informing the Data Subjects about the Processing of their Personal Data and making sure the Data Subjects have the legal age for submission of their Personal Data, if applicable.
3. Processing solely on Controller’s instructions
3.1. The purpose of the Processing by the Processor is to enable the Processor to provide the Services.
3.2. Processor will only Process the Personal Data on Controller’s written instructions, which are the Processing activities set out in Schedule 1, or those reasonable instructions otherwise given by the Controller in writing (which may include by email). Processor shall only Process the Personal Data outside the Controller’s instructions if required to do so to comply with an applicable legal obligation. In this case, article 3.3 below applies.
3.3. In the event the Processor becomes legally obliged under European law to disclose any of the Personal Data, Processor shall provide the Controller with prompt notice and notify the relevant legal requirement, unless the legal requirement prohibits Processor from such notification on important grounds of public interest. If Processor is not prohibited from notifying Controller, Processor will refrain from disclosing any Personal Data until Controller has taken steps to obtain a protective order or other appropriate remedy. If such protective order is not obtained, the Processor shall furnish only such Personal Data which it is advised is required by timely written notice of Controller, or, in absence of such timely notice, Processor will furnish such Personal Data it deems is required pursuant to the legal requirement.
3.4. Processor shall notify the Controller if, in its opinion, an instruction given by the Controller infringes the GDPR, in which case Processor will not have to comply with the instruction.
4. Assisting the Controller
4.1. Processor shall provide the assistance reasonably requested by the Controller to:
(i) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to the Data Subjects’ requests for exercising their rights, insofar as Processor can factually do so in light of the Services. In case Processor receives a request from a Data Subject, it will forward such request to the Controller and the Controller will further handle the request;
(ii) taking into account the nature of the Processing and the information available to Processor, assist the Controller in complying with the Controller’s obligations relating to security, notifying Personal Data Breaches (see article 5.4), investigations by DPA’s, data protection impact assessments and prior consultation if so required.
5. Security Measures and Personal Data Breaches
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved with the Processing.
5.2. Controller warrants and guarantees that it will not ask Data Subjects to submit Personal Data to the Service that are regarded as a special category or sensitive personal data under applicable laws. This concerns for example: data related to health, religious beliefs, political opinions, race, ethnic background, sexual preference or behavior, trade union membership, criminal records, biometric data for identification purposes, genetic data. The Services’ security measures are not suitable for these types of Personal Data.
5.3. Processor has implemented appropriate technical and organizational measures to ensure the Personal Data can only be accessed by those persons within its organization that are required to gain access thereto for the purpose of providing the Services, e.g. by limiting the amount of persons with access rights.
5.4. On its website, Processor makes available information about its security measures. In addition, at the Controller’s request, Processor will submit an overview of the security measures in place at the time of the request. Controller may submit such request once each calendar year, unless there is a well-founded reason to submit the request more frequently, for example in case of a Personal Data Breach.
5.5. Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach. Such notice shall:
(i) contain the available information with regard to the Personal Data Breach, including without limitation a description of the Personal Data Breach, the cause thereof; the categories, nature and (estimated) amount of affected Personal Data and Data Subjects and the Personal Data Breach’s scope;
(ii) explain the effect of the Personal Data Breach on Controller and the relevant Data Subjects;
(iii) explain the corrective action taken or to be taken by Processor, the Controller and/or the Data Subjects and the time scale for completion of such action.
5.6. Processor will provide the co-operation reasonably requested by the Controller, and submit the information within its control, in relation to notifying the Personal Data Breach to the DPA, and, as applicable, to the Data Subjects.
5.7. Processor cannot be required to notify a Personal Data Breach to any DPA, nor to the Data Subjects, unless Processor explicitly agrees to do so in writing in case of a specific Personal Data Breach.
5.8. To make use of the Services, Controller must use log-in details to access its account. The Controller must keep these log-in details secure and confidential, as it gives access to the Personal Data. It is also the Controller’s responsibility to make sure the Data Subjects who use the Services keep their own log-in information secure and confidential as it gives access to their own Personal Data.
6. Confidentiality
6.1. Processor shall take into account confidentiality with regard to the Personal Data.
6.2. In respect of the foregoing, Processor:
(i) shall not disclose the Personal Data to any third party, unless this is explicitly permitted in this Data Processing Agreement;
(ii) has implemented appropriate technical and organizational measures to ensure that any person who has access to the Personal Data shall be informed of and bound by confidentiality.
7. Sub-contractors
7.1. Processor uses Sub-processors that Process the Personal Data. At the Controller’s request, Processor will submit the Sub-processors’ names and locations. If Processor intends to hire another or additional Sub-processor to Process the Personal Data, it shall notify Controller thereof in advance, including the start date of the Sub-processor’s Processing activities. Controller may object to the change or addition within seven (7) working days after the notification. If the Processing of the Personal Data is not adversely affected by such change or addition, Controller will not reasonably object so that Processor can continue offering the Services. In case Controller does timely object and Processor cannot amend the Services to accommodate Controller’s objection with fourteen (14) days of such objection, Controller and/or Processor may terminate the Services and the Services Agreement and Processor shall reimburse those fees the Controller has paid in advance, if any, for the remaining subscription period during which the Service is discontinued. Per the start date of the new Sub-processor’s Processing activities, Schedule 2 will be updated (or deemed updated) with the notified information about the new Sub-processor; if this is a Sub-processor Processing Personal Data outside the EEA, article 8 also applies.
7.2. Processor ensures that Sub-processors:
(i) declare to have implemented appropriate technical and organizational measures to ensure compliance with the GDPR and the protection of the rights of the Data Subjects;
(ii) are bound in writing to comply with the same obligations as set out in this Data Processing Agreement, that are relevant in relation to the Sub-processor’s Processing activities.
7.3. For the avoidance of doubt: if Controller uses functionality through the Services where a connection is made with services that are offered to the Controller by third parties, such third parties are not the Processor’s Sub-processors; the Controller has a direct legal relationship with such third parties. By way of example, these third parties may be social media platforms, email providers and Controller’s service providers where the Controller has its own account that receive data using integrations in the platform.
8. Data export (transfers outside the EEA)
8.1. Processor transfers Personal Data to the country or countries (if any) listed in Schedule 2.
8.2. Processor ensures that the countries or parties to which the Personal Data are transferred, offer an adequate level of protection. In absence of this, if the Controller’s cooperation is required, Controller agrees to provide the cooperation requested by the Processor to arrange for one of the transfer mechanisms set out in the GDPR for transfer to such a country without an adequate level of protection, in which case Processor and/or Sub-processor, if necessary, implements supplementary measures to safeguard the Personal Data.
9. Reporting, audit rights
9.1. Processor will allow the Controller, under the terms and conditions set out in this article, access to its administration in order for the Controller to audit Processor’s compliance with the terms and conditions of this Data Processing Agreement. Processor does not allow the Controller access to personal data of data subjects other than the Data Subjects.
9.2. Controller may appoint a third party to perform the audit. Controller will in that case ensure the third party is bound to keep confidential the Processor’s information to which the third party has access in relation to the audit and not disclose this to any third party.
9.3. Controller shall not make use of its audit rights under this clause more than once per calendar year. Controller will notify Processor at least two weeks in advance of the audit to allow Processor to prepare for it.
9.4. If the audit evidences that Processor does not comply with its obligations pursuant to this Data Processing Agreement, Processor will take those measures reasonably requested by the Controller to comply with those obligations.
10. Term and termination
10.1. This Data Processing Agreement shall have the same term as the Services Agreement. This Data Processing Agreement shall therefore terminate when the Services Agreement terminates.
10.2. If the Services Agreement does not provide for termination thereof – and thus subsequently of this Data Processing Agreement – the following termination grounds apply: each Party is entitled to terminate this Data Processing Agreement for the future, without obligation to pay damages, in case:
(i) The other Party applies for bankruptcy protection, or this is requested by a third party;
(ii) The other Party applies for or is granted suspension of payment;
(iii) The other Party applies for insolvency or similar proceedings under the applicable law, or a receiver is appointed for it;
(iv) The other Party ceases to carry on its business.
10.3. The Parties may at any time jointly decide to terminate this Data Processing Agreement by written agreement.
11. Exit assistance
11.1. Processor will Process the Personal Data during the Controller’s use of the Services.
11.2. Controller must ensure that it has extracted and deleted the Personal Data from its account before ending the Services Agreement. If Processor blocks the Controller’s account due to non-compliance with the Services Agreement, Processor will, upon Controller’s request, which is to be made within a ten (10) day period after the account was blocked, and upon payment of any fees still due under the Services Agreement, hand over to Controller the Personal Data or, at Processor’s discretion, allow Controller access to its account during a three (3) day period solely to extract and delete the Personal Data. If, after these periods, Controller has not deleted the Personal Data, Processor reserves the right to do so unilaterally, and will delete the Personal Data after two (2) years, unless Processor is required by applicable laws to retain certain Personal Data. In the latter case, Processor will delete the Personal Data after the legal retention term has expired.
12. Miscellaneous
12.1. The provisions in the Services Agreement apply to the Processing of the Personal Data and shall prevail with regard to the clauses that do not concern data protection, such as liability. If the Services Agreement contains data protection provisions, this Data Processing Agreement prevails over such provisions.
12.2. In case Processor’s activities in relation to this Data Processing Agreement exceed Processor’s normal activities for the Services, Processor is entitled to a reasonable compensation based on Processor’s regular fee at that time. Processor will provide a specification of the invoiced compensation.
12.3. This Data Processing Agreement can be amended or modified by Processor pursuant to the provisions in the Services Agreement.
12.4. If any provision of this Data Processing Agreement is held invalid or unenforceable by a court of competent jurisdiction, such decision shall in no way affect the validity or enforceability of any other provision hereof, and this Data Processing Agreement shall be interpreted as if such term or provision were not included in it.
12.5. The considerations under “whereas”, as well as the Schedules form an integral part of this Data Processing Agreement.
13. Applicable law, dispute resolution
13.1. This Data Processing Agreement is governed exclusively by the laws of the Netherlands, excluding its conflict laws.
13.2. The dispute resolution clause in the Services Agreement applies for any disputes arising between the Parties.
SCHEDULE 1 – Information regarding the Processing
1. Description of the Services and Processing activities:
Type of Service: online learning management system.
Processing activities: storage, access, amendment and deletion upon the Controller’s request.
2. Categories of Personal Data:
The Controller can choose the types of Personal Data that are requested from the Data Subjects, such as:
- name
- phone number
- job title
- gender
- date of birth
- street name
- postal code
- city or town
- country
- employee ID
- Data Subject’s answers to free text questions
- Data Subject’s answers to dropdown questions
The Data Subjects may themselves also create Personal Data as a result of accessing and using the content created by the Controller in the Easy LMS system, such as:
- test results
- exam results
- comments added to the system
- certification documents
The Controller must not ask Data Subjects to submit special categories of Personal Data, or upload any such Personal Data, which concerns: data related to health, religious beliefs, political opinions, race, ethnical background, sexual preference or behaviour, trade union membership, criminal records, biometric data for identification purposes, genetic data.
SCHEDULE 2 – Sub-processors
The Personal Data are transferred to the following sub-processors:
|
Sub-processors |
|
|
|
|
Sub-processor |
Country |
Country outside the EEA without an adequate level of protection?: |
Transfer mechanism / appropriate safeguards: |
|
Amazon Web Services (AWS) (hosting and email services) |
Germany |
No, EEA country |
Not applicable |
|
Intercom (support chat) |
Ireland |
No, EEA country |
Not applicable |
This Schedule is deemed to have been updated after notification of the changes per article 7.1.