Data Processing Agreement
Data Processing Agreement
This Data Processing Agreement (DPA) constitutes a legal agreement between you or your organisation (“Client”) and lan Smythe trading as Ibis Consultants, owner and operator of Learner Profiler, with respect to the terms governing the Processing of Personal Data antler the Ibis Consultants contract (the “Agreement”). This DPA is an amendment to the Agreement and is effective from midnight at the start of 1 October 2020 (the “Variation Dale”)
This Data Processing Agreement contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/670) (“GDPR”) for contracts between controllers a. processors.
Any terms not explicitly defined in this DPA have the meaning set forth in the Agreement, unless otherwise stated.
1. Definitions
Data Protection Law: Means GDPR unless and until GDPR is no longer directly applicable in the EU, together with any national implementing laws, regulations and secondary legislation as amended or updated from time-to-time in the UK and (iii) any successor legislation to the GDPR. The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Process” and “Processing” have the meanings set out in the Data Protection Law.
GDPR: Means the General Data Protection Regulation (EU) 2016/679a.
Personal Data: Means any information relating to an identified or identifiable natural person that is processed by the Learner Profiler as a result of, or in connection with, the provision of the services under the Learner Profiler Terms and Conditions; an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing, processes and process: Either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisa0on, structuring, storage, adaptation or alteration, retrieval consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
Anonymised Personal Data: Means any information relating to an identified or identifiable natural person that is processed by the Learner Profiler as a result of, or in connection with, the provision of the services user the Learner Profiler Terms and Conditions but does not contain information that may he used to identify the individual such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
End User: an individual who is the subject of Personal Data.
2. Details of Processing
2.1 Roles of the Parties.
Each Party shall comply with applicable requirements of the Data Protection Law. This paragraph is in addition to and does not replace a Party’s obligations under the Data Protection Law.
The Parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is the Data Controller, Ibis Consultants is the Data Processor and that Ibis Consultants will engage sub-processors pursuant to the requirements set forth in section in below. Ibis Consultants analyse response content and system usage, and further Process the Personal Data of Authorised Users in order deliver services requested by clients and to improve our products and services and respond to evaluation comments and support queries.
2.2 The purpose of processing by Ibis Consultants
The duration of the Processing and the types of Personal Data and categories of Data Subject are set out below:
Purpose of Processing
Personal Data will be Processed for purposes of providing the Services set out and otherwise agreed upon in the Agreement. Typically, this will be the provision of summary details pertaining to skills and abilities related to the services offered by the Client.
Categories of Data Subjects.
Authorised Users of the Client (employees, customers, partners or any other authorised user as defined by the Customer).
Types of Personal Data
All information collected on behalf of the Client is ultimately determined by the Client at its discretion. Common information includes name, job title, application usage information, or any other electronic data received during the usage of the services.
Duration of Processing
Personal Data will be processed for the duration stipulated within the Agreement. Where agreed we will retain relevant Anonymized Personal Data beyond the termination of the Agreement ad infinitum, in order to maintain our commitment to service improvements.
3.Client Obligations
3.1 Client Personal Data
The Client’s instructions to Ibis Consultants for processing any Personal Data shall comply with the Data Protection Law. The Customer will ensure that any Personal Data provided by Client or Client’s Authorised Users to Ibis Consultants will not violate the Data Protection Law. If the Customer finds out it is carrying out activities contrary to the Data Protection Law, it will immediately notify us.
4.Ibis Consultants Obligations
4.1 Instructions
Where the Customer is sole Data Controller, Ibis Consultants is instructed to Process Personal Data only for the purposes of providing the data Processing services set out within the scope of the Agreement. Ibis Consultants will only process Personal Data on the written instructions of the Customer. If Ibis Consultants is required by any applicable laws to process Personal Data it shall, to the extent legally permitted notify the Customer before doing so.
If Ibis Consultants considers an instruction from the Customer to be in violation of the Data Protection Law, Ibis Consultants shall immediately inform the Customer about this.
4.2 Confidentiality
Ibis Consultants shall keep Personal Data confidential and will ensure that persons authorised to process the Personal Data have completed relevant training, committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security
Ibis Consultants will maintain appropriate organisational and technical security measures to prevent the Personal Data being accidentally lost, destroyed or damaged, processed unlawfully or on an unauthorised basis, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected.
Ibis Consultants will be responsible for the sufficiency of the security, prim, and confidentiality safeguards of all Ibis Consultants personnel with respect to Customer Personal Data.
4.4 Data Breach
Ibis Consultants will without undue delay of a Personal Data breach (which has the meaning given to it in the Data Protection Law) notify the Customer about any suspicion or finding of breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Processor under the Agreement.
4.5 Data Subject Requests
Ibis Consultants will provide reasonable assistance, including by appropriate technical and organizational measures account taking into account the nature of the Processing to enable Customer to respect to any request from a Data Subject. If such request is made directly to Ibis Consultants, We will promptly inform Customer and will advise the Data Subject to submit their request to the Customer.
4.6 Sub-processors
Ibis Consultants shall be entitled to engage sub-processors to fulfil its obligations in the Agreement only with the Customer’s written consent. For these purposes, the Customer consents to the engagement as sub-processors of Ibis Consultants’ affiliated companies and the third parties listed in Appendix A. For the avoidance of doubt, the above authorisation constitutes the Customer’s prior written consent to the sub-processing by Ibis Consultants for purposes of the Data Protection Law.
Where We engage sub-processors, the sub-processing shall be carried out in accordance with the Data Protection Law and with at least the same level of protection for the Processing of Personal Data as the Ibis Consultants under this DPA
5. Transfer
Ibis Consultants shall not transfer Personal Data outside of the agreed economic area without the prior written consent of the Customer and shall ensure that the transfer is made in accordance with the Data Protection Law and that the organisations to which the Personal Data is transferred ensure an adequate level of protection.
6. Destruction of Personal Data
At the written direction of the Customer, where the Customer is sole Data Controller, Ibis Consultants shall delete or return Personal Data to the Customer on termination of the Agreement unless Ibis Consultants is required by law to store the Personal Data.
7. Audits
Ibis Consultants shall maintain complete and accurate records and information to demonstrate its compliance with this DPA. Upon written consent and within a reasonable time period, in order to ensure Ibis Consultants complies with this DPA the Customer has the right from time-to-time to but not more than once in any year to:
- Request information from Ibis Consultants,
- Appoint an independent third-party consultant to conduct an onsite inspection.
In the event of the above Ibis Consultants shall provide the Customer with all information necessary for such audit, provided such information is within the Ibis Consultants control and is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
Furthermore, the Customer agrees that any audit will not disrupt normal business operations and any individual – whether employed by the Customer or an independent third-party consultant – is of the required professional qualifications and bound by a duty of confidentiality.
General Provisions
This DPA is an amendment to and forms part of the Agreement. In case of any conflict this DPA shall take precedence over the regulations of the Agreement. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be impact.
Appendix A - List of Sub-processors
- Microsoft Azure Web
- Services Paypal
- PayFast
Appendix B - Type of data processed
The types of data collected by Ibis Consultants (Data Processor) are entirely at the discretion of the Client (Data Controller) and may be contained in appropriate contracts. That data may include (but not limited to):
- Name
- Geographic information
- Disability Information
- Job related information
- Literacy and numeracy skills
- Work-related skills and abilities
- Ethnicity
- Health and Wellbeing
- Gender
If your organisation requires a signed copy of this agreement, please contact your Account Manager or email us at ian “AT” learnerprofiler.com