Eduten Ltd Data Processing Terms
Version: Feb 14, 2018
These terms become applicable between Eduten and a customer with whom Eduten has concluded an agreement if Eduten is considered as data processor and customer a data controller in the meaning as given in EU General Data Protection Regulation. These terms may become applicable between Eduten and its reseller, if Eduten acts in the role of a sub-processor to a reseller who is a processor to its own end-customer. In that case “controller” refers to the reseller and “processor” to Eduten as a sub-processor of the reseller.
The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”). Such terms include without limitation controller, processor, personal data, data subject, processing and personal data breach.
With these terms, the parties agree that customer, the controller, appoints Eduten as its processor to process customer’s personal data during the term of an agreement under the terms agreed herein.
Processor shall process the personal data only to further its obligations set forth in an agreement and in accordance with the written instructions provided by controller.
Controller shall be the sole controller for the personal data and shall be responsible for complying with the obligations the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities with privacy policies, complying with other controller’s documentation obligations and ensuring that the data is kept accurate. If and to the extent the legal basis for processing personal data is individual’s consent, the controller is liable for obtaining the consent and managing it as provided in the Regulation. Controller is liable for the data entered into processor’s services and its lawfulness, as it has sole control over such data.
Processor is not entitled to process personal data for any other purpose or for anyone else. If processor transfers data outside the EU/EEA processor must comply with the obligations that the Regulation specifies for international transfers. Processor must immediately notify controller, if it considers that the written instructions provided by controller for processing personal data are in violation of the Regulation or national data protection laws. In addition to the terms of this annex, the parties agree to comply with the Regulation as applicable to each party.
Additional details regarding processing may be described in the agreement or in a separate document.
Processor is entitled to use sub-processors for processing personal data. Additional information about sub-processors can be provided at request. If the processor plans to make changes to its sub-processors, it will notify the controller by giving at least 7 days written notice. Processor’s obligation to notify concerns the intended addition, removal or change of a sub-processor. After receiving notification, controller has the right to object to the intended change in the use of a sub-processor. If the controller objects to the intended change and the data processor cannot reasonably use another sub-processor or another method in processing the personal data, then the processor is not liable for damages or harm caused by such objection. In this situation the processor is entitled to terminate the agreement by giving at least 1-month’s written notice to the controller.
When using sub-processors for processing personal data, processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex. Processor is fully liable that its sub-processors comply with the requirements of this Annex.
All personal data processed by processor on behalf of controller is considered controller’s confidential information and processor shall not disclose the personal data to anyone or use it for any other than agreed purpose. Processor ensures that only such people shall have access to the personal data that is necessary for furthering processor’s obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person to process the personal data who is not under such a duty of confidentiality. The duties of confidentiality shall survive the termination or expiration of the Agreement.
Processor shall implement appropriate technical and organisational measures to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for natural persons’ rights and freedoms.
Such measures can include, as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Personal data breaches
Processor must notify controller without undue delay about personal data breaches it becomes aware of, so that controller can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits. When notifying controller, processor must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the controller. Processor must also take all such other necessary measures to mitigate or remedy the effects of the personal data breach and to prevent further breaches.
Data protection impact assessment
If processor becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons it must notify controller about this and assist the controller, if necessary, in conducting a data protection impact assessment.
Data subject’s rights
Taking into consideration the nature of the data processing, processor must reasonably and without undue delay assist controller, including by applicable technical and organisational measures, to fulfill any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability. If such requests are made directly to processor, it must notify controller about the request without undue delay.
Processor shall permit controller to audit processor’s compliance with these terms, and shall provide access and make available to controller all systems, premises, resources, information and staff as necessary for controller to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to processor’s business operation as reasonably possible. Controller must also provide reasonable advance notification of planned audits. Both parties are responsible for their own costs and expenses relating to an audit.
If the processor must assist the controller in fulfilling the controller’s obligations related to data breaches, data subjects’ rights and data protection impact audits, the processor is entitled to invoice the reasonable actual time used for the assistance tasks in accordance with the hourly rates agreed between the parties. Invoicing the time used for the assistance tasks requires that the controller has accepted that the processor can use time to perform assistance tasks.
Processor is not liable to the controller for any indirect, consequential or special damages or for claims made by third parties. The liability of processor to controller in respect of any claim for loss, damage, cost or expense that is attributable to a specific order, shall in no event exceed in the aggregate a sum equal to 30 % of the amount paid by controller for the services (excluding VAT) relating to the order.
Regarding services or software that is invoiced (or priced) on a monthly basis, processor’s liability to controller in respect of any claim for loss, damage, cost or expense shall not exceed in aggregate the sum paid by the customer (excl. VAT) for the services or software within the 2-month period prior to making the first claim for damages.
Term and effects of termination
These terms enter into force on the same date as the agreement between the parties and shall thereafter remain in force until the agreement is terminated or expires under its terms.
Within a reasonable time after the termination or expiration of the agreement, processor shall delete or return all personal data to controller and delete also all copies of the personal data, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.
If the controller has not notified the processor about deletion or return of data within 12 months from the termination or expiration of the agreement, the processor shall delete all personal data in its possession, including any copies, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.
DESCRIPTION OF THE PROCESSING
Nature of processing:
Provision of Eduten’s services and related support to its customers and resellers. Eduten collects, processes and stores personal data relating to its customers, users and resellers in accordance with the agreement, applicable laws and these terms. Personal data relating to the customer may include for instance the following categories of personal data: name, email address and other data.
The personal data mainly concerns such data subjects that are teachers or students within the end-customer organization.
Approved subprocessors at the date of this document:
Google Cloud Platform and its subprocessors, as listed in: https://cloud.google.com/terms/subprocessors
Amazon, Inc. and its subprocessors
Eduten Ltd. and its subprocessors