Last updated: November 2018
Drafting note: These Data Processor Terms are designed specifically to comply with Article 28 GDPR, to contain the compulsory contractual terms that are required between data controllers and data processors.
The terms are also designed to fit our specific processes for all subscribers of the Elucidat software platform. For example, we have defined a process to notify and agree any new sub-processors. Key deadlines are also aligned within these terms, for example for passing on data subject requests and breach notifications.
Please note that, in the interests of consistency and compliance, we are unable to agree to any different data processor terms on a case by case basis.
If you have any questions, please contact us at firstname.lastname@example.org.
If you have any questions, comments or requests regarding these Terms, please email email@example.com or get in touch via our contact us page.
1.) Processing of Subscriber Personal Information
Where processing of Personal Information controlled by the Subscriber (“Subscriber Personal Information”) is to be carried out by Elucidat on behalf of the Subscriber pursuant to the License Agreement, appropriate technical and organizational measures shall be implemented by Elucidat in such a manner that processing will meet the requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”), as may be amended or superseded and other applicable data protection laws and regulations in the UK and EU (together, “Data Protection Laws”) and ensure the protection of the rights of the data subject.
2.) Restriction on subprocessing
Elucidat shall not engage a subprocessor to process Subscriber Personal Information (“Subprocessor”) without prior specific or general written authorization of the Subscriber, which may be given in electronic form. In the case of general written authorization, Elucidat shall inform the Subscriber of any intended changes concerning the addition or replacement of other processors, thereby giving the Subscriber the opportunity to object to such changes. Details of this process are set out below in paragraph 5.3.
3.) Compulsory processor terms pursuant to Article 28(3) GDPR
3.1) Details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in Appendix 1 hereto.
3.2) In respect of any processing of Subscriber Personal Information pursuant to the License Agreement, Elucidat shall:
3.2.1) process Subscriber Personal Information only on documented instructions (including electronic instructions) from the Subscriber, including regarding transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which Elucidat is subject; in such a case, Elucidat shall inform the Subscriber of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
3.2.2) ensure that persons authorized to process Subscriber Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.2.3) take all measures required pursuant to Article 32 GDPR (Security of processing), to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
3.2.4) respect the conditions referred to in paragraphs 2 and 4 for engaging another processor;
3.2.5) taking into account the nature of the processing, assist the Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR. This shall include promptly notifying the Subscriber if Elucidat receives a request to exercise any data subject rights under Data Protection Laws without delay and using best endeavours to do so within 2 working days of receiving such request and thereafter assisting Subscriber as reasonably necessary to comply with such request promptly. Elucidat shall not respond to such requests directly to any data subject except on the Subscriber’s documented instructions, or as required by applicable laws to which Elucidat is subject;
3.2.6) assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Security of processing; Notification of a personal data breach to the supervisory authority; Communication of a personal data breach to the data subject; Data protection impact assessment; and Prior consultation) taking into account the nature of processing and the information available to Elucidat. This shall include notifying the Subscriber without delay and using best endeavours to do so within 24 hours, after having become aware of any Personal Data Breach, of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Subscriber Personal Information transmitted, stored or otherwise processed hereunder;
3.2.7) at the choice of the Subscriber, delete or return all the Subscriber Personal Information to the Subscriber after the end of the provision of services relating to processing, and delete existing copies unless Data Protection Laws require storage of the personal data;
3.2.8) make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in these Terms and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber.
3.3) With regard to point 3.2.8 above, Elucidat shall immediately inform the Subscriber if, in its opinion, an instruction infringes Data Protection Laws.
4.) Compulsory subprocessor contract terms (Article 28(4))
4.1) Where Elucidat engages another processor for carrying out specific processing activities on behalf of the Subscriber (“Subprocessor”), such engagement shall contain the same, or equivalent, data protection obligations as are referred to in paragraph 3 by way of a binding contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of GDPR.
4.2) Where any Subprocessor engaged by Elucidat fails to fulfill its data protection obligations in respect of Subscriber Personal Information, Elucidat shall remain fully liable to the Subscriber for the performance of that Subprocessor's obligations.
5.) Documented instructions to process Subscriber Personal Information
5.1) Processing by Elucidat: The Subscriber hereby instructs Elucidat in accordance with these Terms to process Subscriber Personal Information as reasonably necessary for the provision of the Services and in compliance with the License Agreement.
5.2) Subcontractors: With respect to each Subprocessor, Elucidat shall:
5.2.1) before the Subprocessor first processes Subscriber Personal Information, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Subscriber Personal Information required by the License Agreement;
5.2.2) ensure that the arrangement between Elucidat and the Subprocessor is governed by a contract that complies with these Terms;
5.2.3) if that arrangement involves a transfer of Subscriber Personal Information to a third country, a territory or one or more specified sectors within a third country or international organization outside the EEA that does not benefit from a formal adequacy decision by the European Commission (pursuant to Article 45 GDPR), ensure that such transfer is subject to appropriate safeguards within the meaning of Article 46 GDPR, which may include the use of EU Model Contractual Clauses, Binding Corporate Rules or recognized legal frameworks or accreditations, such as the EU-US Privacy Shield;
5.2.4) provide to the Subscriber for review (via Elucidat Support Pages or otherwise) details of all Subcontractors.
5.3) Approval process: Elucidat shall give the Subscriber prior notice of the appointment of any new Subprocessor to be appointed after the date of these Terms, including full details of the processing to be undertaken by the Subprocessor. This notice may be given electronically via the Elucidat Support Pages, etc. If, within 5 days of receipt of that notice, Subscriber notifies Elucidat in writing of any objections (on reasonable grounds) to the proposed appointment, Elucidat shall not disclose any Subscriber Personal Information to that proposed Subprocessor and/or (as applicable) the Subscriber shall not access any optional Services affected by this issue until reasonable steps have been taken to address the objections raised by the Subscriber. If no such objections are raised, the Subscriber shall be deemed to have consented to the appointment of the Subprocessor.
6.) Charges and costs mitigation
6.1) Elucidat shall be entitled to charge Subscriber for the reasonable and verified costs of its assistance and cooperation provided pursuant to these Terms in response to specific requests made at Subscriber's own initiation, except to the extent that such measures have been necessitated by a breach of these Terms by Elucidat or its Subprocessors or as are strictly necessary to comply with Data Protection Laws. Elucidat’s charges shall be on a time and materials basis according to the then applicable rate card and invoiced according to Elucidat’s standard payment terms.
6.2) In the event that Elucidat is able to demonstrate that it and/or any Subprocessor adheres to an approved code of conduct or approved certification mechanism as referred to in Article 40 GDPR, Subscriber accepts that Elucidat may rely on the same to demonstrate its compliance with these Terms, so as to mitigate or avoid incurring unnecessary administration and costs, unless otherwise required by Data Protection Laws or as may be mutually agreed by the parties.
7.) Elucidat as data controller
These Data Processor Terms may change from time to time. We will not reduce your rights under these Data Processor Terms without your explicit consent. We will post any changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of Data Processor Terms changes).
APPENDIX 1 TO ELUCIDAT DATA PROCESSOR TERMS: DETAILS OF PROCESSING OF SUBSCRIBER PERSONAL INFORMATION
This Appendix 1 includes details of the processing of Subscriber Personal Information as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Subscriber Personal Information
The subject matter and duration of the processing of the Subscriber Personal Information are set out in the License Agreement and these Terms.
The nature and purpose of the processing of Subscriber Personal Information
All reasonable purposes in relation to Elucidat’s performance of its obligations under the License Agreement. This may include the regular review of the performance, usage and functioning of the Software and the use of aggregated statistics and analytics on an anonymized basis in compliance with the License Agreement.
The types of Subscriber Personal Information to be processed
All personal data processed in the normal use, management and development of Elucidat’s Site and Software including:
- Email addresses
- Contact details
- Profile information provided by Subscribers and learners
- Personal Information included in Course Content
- Usage data
- Preferences/personalization details
- Evidence of opt-ins/contact permissions and other privacy consents/unsubscribe requests
The categories of Data Subject to whom the Subscriber Personal Information relates
All users of Elucidat’s Site and Software, mobile applications and other features, services and technology provided by Elucidat pursuant to the License Agreement.
The obligations and rights of Subscriber
The obligations and rights of the Subscriber are set out in the License Agreement and these Terms.