Effective as of May 25, 2018
This GDPR Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), is dated amends and supplements any existing and currently valid service agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Customer”) and SembraMedia, a California nonprofit public benefit corporation (together with subsidiary(ies) and affiliated entities, collectively “Processor”) and sets forth other terms that apply to the extent any information you provide to Processor pursuant to the Agreement includes Personal Data (as defined below).
Terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR. In addition, the following definitions are used in the Addendum:
“EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR.
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
“Personal Data” means any information relating to an identified or identifiable natural person located in the European Economic Area, Switzerland and United Kingdom. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Standard Contractual Clauses” means the model clauses for the transfer of personal data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 and at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, which clauses are incorporated herein by this reference.
This DPA is effective on the later of (a) the start of enforcement of the GDPR or (b) the date Processor begins to process Personal Data on behalf of Customer.
DATA PROCESSING DESCRIPTION
Exhibit A to this DPA describes the data exporter, data importer, data subjects, data categories, special data categories (if appropriate), the processing operations and the technical and organizational measures implemented by Processor to protect the Personal Data. For the purposes of the Standard Contractual Clauses, (a) Customer is the data exporter, and Customer’s execution of this DPA shall be treated as Customer’s execution of the Standard Contractual Clauses and appendices in this DPA; and (b) Processor is the data importer, and Processor’s execution of this DPA shall be treated as Processor’s execution of the Standard Contractual Clauses and appendices in this DPA.
GDPR CONTRACTUAL TERMS
Pursuant to Articles 28, 32 and 33 of the GDPR:
LIMITATION OF LIABILITY
Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.
To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with the applicable EU Data Protection Laws, or to the extent required otherwise by any changes in the applicable data protection laws, Customer and Processor agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with any EU Data Protection Laws applicable to the Processor and Customer.
This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the processing of Personal Data. This DPA does not confer any third-party beneficiary rights, is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person. This DPA only applies to the extent Processor processes Personal Data on behalf of Customer. Except as required under the GDPR, this DPA and any action related thereto shall be governed by and construed in accordance with the laws of the State of California without giving effect to any conflicts of laws principles. Except for disputes subject to arbitration as described in the Agreement, which provisions are incorporated herein by this reference, the parties consent to the personal jurisdiction of, and venue in, the courts of Los Angeles, California. This DPA together with the Agreement is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter.
GDPR Data Processing Addendum
Exhibit A: Appendices to Standard Contractual Clauses
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter is Customer, a user of services provided by Processor, the entity that has executed an Agreement and assented to the Standard Contractual Clauses as a data exporter.
SembraMedia, a global provider of a platform that facilitates an online school and processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Platform, Agreement and the DPA.
Data exporter may submit Personal Data to SembraMedia, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, and customers of the data exporter.
CATEGORIES OF DATA
Data exporter may submit Personal Data to SembraMedia, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) Title; (c) Position; (d) University; (e) Contact information and payment information (including company name, URLS of company and individual websites, email, phone, physical business address); (f) Connection data; (g) Localization data; and (h) Other data in an electronic form used by Customer in the context of the services.
SPECIAL CATEGORIES OF DATA (IF APPROPRIATE)
The objective of the processing of personal data by data importer is the performance of the contractual services related to the Agreement with the data exporter. The processes may include collection, storage, retrieval, curriculum, training, use, erasure or destruction, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the services in accordance with the data exporter’s instructions, including related internal purposes (such as quality control, troubleshooting, product development, etc.).
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses.