CLOUD ASSESS DATA PROCESSING AGREEMENT FOR UK CLIENTS
CLOUD ASSESS DATA PROCESSING AGREEMENT FOR UK CLIENTS
This Data Processing Agreement (DPA) is incorporated by reference into the Cloud Assess Terms & Conditions of Service (T&Cs), and forms part of the Agreement between Cloud Assess and the entity identified in the Application Form as a Client of Cloud Assess (Client), where Client is located in the UK. All capitalized terms not defined in this DPA shall have the meaning set forth in the T&Cs.
This DPA sets out the additional terms, requirements and conditions on which Cloud Assess will process Client’s personal data when providing the Products and Services under the Agreement.
1.1 The terms “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” have the meanings given in Applicable Data Protection Law;
1.2 “Applicable Data Protection Law” means, to the extent applicable to each party:
(a) the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”);
(b) the Data Protection Act 2018 (the “DPA 2018”);
(c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 (“PECR”); and
(d) any other laws in force in the UK from time to time applicable (in whole or in part) to the processing of personal data,
each as amended or superseded from time to time.
2. Relationship of the parties
The Client (the controller) appoints Cloud Assess as a processor to process the personal data described in Annex A (the “Data”). Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.
3. Prohibited data
The Client shall not disclose (and shall not require any data subject to disclose) any special categories of Data to Cloud Assess for processing.
4. Purpose limitation
Cloud Assess shall process the Data as a processor as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Client (the “Permitted Purpose”), except where otherwise required by any UK law applicable to Cloud Assess. In no event shall Cloud Assess process the Data for its own purposes or those of any third party. Cloud Assess shall immediately inform Client if it becomes aware that Client’s processing instructions infringe Applicable Data Protection Law.
5. International transfers
5.1 In this clause 5:
(a) “SCCs” means contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council; and
(b) “UK Addendum” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018.
5.2 Cloud Assess will process the Data in Australia and may transfer the Data to its third party sub-processors located in Australia and other countries outside the UK (Third Countries) in accordance with this DPA. Cloud Assess will only transfer Data from the UK to a Third Country where:
(a) the UK Secretary of State has declared that the Third Country affords adequate protection for personal data; or
(b) where no such declaration in (a) has been made, the transfer is made subject to the UK Addendum which shall apply as set out in clause 5.3 below. 5.3
5.3 Where clause 5.2(b) above applies, the UK Addendum shall apply to such transfers as follows:
(a) the UK Addendum shall be appended to the SCCs and those SCCs shall be considered the “Addendum EU SCCs” for the purposes of the UK Addendum;
(b) The SCCs will apply as follows:
(i) Module Two will apply to the extent that Client is a controller of the Data, and Module Three will apply to the extent that Client is a processor of the Data on behalf of a third party controller;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub processor changes shall be as set out in Clause 9.1 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(c) The details of Tables 1 to 3 of the UK Addendum shall be completed with the relevant information from this DPA. In particular:
(i) the start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA; and
(ii) for the purposes of Table 3 of the UK Addendum, the “Appendix Information” will be completed using the information set forth in Annex A of this DPA;
(d) for the purposes of Table 4 of the UK Addendum, neither party may end the UK Addendum as set out in section 14 of the UK Addendum; and
(e) for the purposes of section 13 of the UK Addendum, section 15 of the UK Addendum will apply, and no other alternative amendments will be made.
6. Additional safeguards
6.1 If Cloud Assess becomes aware that any law enforcement, regulatory, judicial or governmental authority outside the UK (an “Authority”) wishes to obtain access to or a copy of some or all Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Data to such Authority, Cloud Assess shall:
(a) immediately notify Client of such Authority’s data access request;
(b) inform the Authority that it is a Processor of Data and that Client has not authorised them to disclose that Data to the Authority;
(c) inform the Authority that any and all requests or demands for access to Data should be notified to or served upon Client in writing; and
(d) not provide the Authority with access to Data unless and until authorised by Client.
6.2 In the event Cloud Assess is under a legal prohibition or a mandatory legal compulsion that prevents them from complying with clause 6.1 in full, Cloud Assess shall use reasonable and lawful efforts to challenge such prohibition or compulsion. Client acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request.
6.3 If Cloud Assess makes a disclosure of Data to an Authority (whether with Client’s authorisation or due to a mandatory legal compulsion) Cloud Assess shall only disclose such Data to the extent Cloud Assess is legally required to do so and in accordance with applicable lawful process. 6.4 Clauses 6.1 to 6.3 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Cloud Assess has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Cloud Assess shall notify Client as soon as possible following such Authority’s access and provide Client with full details of the same, unless and to the extent Cloud Assess is legally prohibited from doing so.
6.5 Cloud Assess shall not knowingly disclose Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
6.6 Cloud Assess shall have in place and maintain in accordance with good industry practice measures to protect Data from interception (including in transit from Client to Cloud Assess and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept data and encryption of Data whilst in transit to deny attackers the ability to read data.
7. Confidentiality of processing
Cloud Assess shall ensure that any person that it authorises to process the Data (including Cloud Assess’ staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Cloud Assess shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
Cloud Assess shall implement and maintain appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).
9. Sub processing
9.1 Cloud Assess shall not subcontract any processing of the Data to a third party sub processor without the prior written consent of Client. Notwithstanding this, Client consents to Cloud Assess engaging third party sub processors to process the Data provided that:
(a) Cloud Assess provides at least 10 days’ prior notice of the addition or removal of any service providers or sub processor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the following URL: www.cloudassess.co/uk/privacy.
(b) Cloud Assess imposes data protection terms on any sub processor it appoints that protect the Data to the same standard provided for by this Clause; and
(c) Cloud Assess remains fully liable for any breach of this Clause that is caused by an act, error or omission of its sub processor.
9.2 A list of approved service providers and sub processors as at the date of this DPA is set out at www.cloudassess.co/uk/privacy, and Cloud Assess shall maintain and make available updated copies of this list to Client when it adds or removes sub processors in accordance with this Clause.
9.3 If Client refuses to consent to Cloud Assess’ appointment of a third party sub processor on reasonable grounds relating to the protection of the Data, then either Cloud Assess will not appoint the sub processor or Client may elect to suspend or terminate the Agreement without penalty.
10. Cooperation and data subjects’ rights
10.1 Cloud Assess shall provide reasonable and timely assistance to Client (at Client’s expense) to enable Client to respond to:
(a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and
(b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.
10.2 In the event that any such request, correspondence, enquiry or complaint is made directly to Cloud Assess, Cloud Assess shall promptly inform Client providing full details of the same.
11. Data Protection Impact Assessment
Upon Client’s request, Cloud Assess shall provide Client with such reasonable and timely assistance as Client may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Client to consult with its relevant data protection authority.
12. Security Incidents
Upon becoming aware of a Security Incident, Cloud Assess shall inform Client without undue delay and shall provide all such timely information and cooperation as Client may reasonably require in order for Client to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.
13. Deletion or return of Data
Upon termination or expiry of the Agreement, Cloud Assess shall (at Client’s election) destroy or return to Client all Data (including all copies of the Data) in its possession or control in accordance with clause 12 of the T&Cs (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Cloud Assess is required by any applicable law to retain some or all of the Data, in which event Cloud Assess shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
Upon Client’s request, Cloud Assess shall make available to Client all information necessary to demonstrate compliance with this DPA. Further, Cloud Assess shall permit Client (or its appointed third party auditors) to audit Cloud Assess’ compliance with this DPA, and shall make available to Client all information, systems and staff necessary for Client (or its third party auditors) to conduct such audit. Client must give Cloud Assess reasonable prior notice of its intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Cloud Assess’ operations. Client will not exercise its audit rights more than once in any twelve (12) calendar month period.
Data Processing Description
|This Annex A forms part of the DPA and describes the processing that Cloud Assess will perform on behalf of the Client.|
|Categories of data subjects whose personal data is transferred:||The Client’s Users, meaning any individual that the Client has authorised to access the Cloud Assess System or a learner with an active enrolment. These include Users classified or nominated as administrators, assessors, learners, third parties and/or power users.|
|Categories of personal data transferred:||Names, e-mail addresses, learning and assessment activity responses and progress data. Images, photos or videos may be uploaded by a user.|
|Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:||None.|
|The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):||Continuous.|
|Nature of the processing:||Cloud Assess will process the personal data as required to provide the Client with the Cloud Assess System and the Products and Services as set out in the Agreement.|
|Purpose(s) of the data transfer and further processing.||To enable the Client to obtain the full benefit of the Cloud Assess System and the Products and Services, as set out in the Agreement.|
|The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:||During the term of the Agreement.|
|For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:||All images, photos and videos are processed, encrypted and stored on our data centre. The processor does not retain this data.|