Updated: June 2020
Data Processor Terms
These Data Processor Terms form part of the License Agreement between Elucidat and the Subscriber. During the course of providing the Software and/or Professional Services, Elucidat may Process Subscriber Personal Information that is subject to Data Protection Laws. The Subscriber appoints Elucidat to Process such Subscriber Personal Information in accordance with these Data Processor Terms.
1.1 In these Data Processor Terms, the following words shall have the following meaning:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Data Protection Laws” means, as applicable, the laws and regulations relating to Processing of Personal Data, including the EU General Data Protection Regulation 2016/679 (“GDPR”), as may be amended or superseded from time to time. The term “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” shall have the meaning as defined in the GDPR;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Subscriber Personal Information;
“Subprocessor” means any Processor engaged by Elucidat and/or its Affiliates engaged in the Processing of Subscriber Personal Information;
“Subscriber Personal Information” means any Personal Data which is submitted to, and stored within, the Software by the Subscriber or Authorized Personnel in connection with the Subscriber’s use of the Software.
1.2 Unless otherwise defined herein, all capitalised terms in these Data Processor Terms shall have the meaning given to them in the License Agreement.
2. Processing of Subscriber Personal Information
2.2 Subscriber confirms it has the right to transfer, or provide access to, the Subscriber Personal Information to Elucidat (including its personnel and subprocessors) for Processing in accordance with the terms of the Licence Agreement and these Data Processor Terms. The Subscriber shall comply with all Data Protection Laws in connection with the Subscriber Personal Information.
2.3 The Subscriber hereby instructs Elucidat in accordance with these Data Processor Terms to Process Subscriber Personal Information as reasonably necessary for the provision of the Software and Professional Services and in compliance with the License Agreement.
3. Compulsory Processor terms pursuant to Article 28(3) GDPR
3.1 Details of the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Subscriber Personal Information and categories of Data Subjects are set out in Appendix 1 hereto.
3.2 In respect of any Processing of Subscriber Personal Information pursuant to the License Agreement, Elucidat shall:
3.2.1 Process Subscriber Personal Information only on documented instructions (including the terms of the License Agreement and electronic instructions) from the Subscriber, unless required to do so by applicable law to which Elucidat is subject; in such a case, Elucidat shall inform the Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Elucidat shall immediately inform the Subscriber if, in its opinion, an instruction infringes Data Protection Laws;
3.2.2 ensure that persons authorized to Process Subscriber Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.2.3 take all measures required pursuant to Article 32 GDPR (Security of Processing) in accordance with the Elucidat Security Policy, to ensure a reasonable level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
3.2.4 respect the conditions referred to in paragraph 4 for engaging another Processor;
3.2.5. taking into account the nature of the Processing, assist the Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III GDPR. To the extent legally permitted, the Subscriber shall be responsible for any costs arising from Elucidat’s provision of such assistance beyond the existing functionality of the Software. Elucidat shall not respond to such requests directly to any Data Subject except on the Subscriber’s documented instructions, or as required by applicable laws to which Elucidat is subject;
3.2.6 assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (Security of Processing; Notification of a Personal Data Breach to the supervisory authority; Communication of a Personal Data Breach to the Data Subject; Data protection impact assessment; and Prior consultation) taking into account the nature of Processing and the information available to Elucidat. This shall include notifying the Subscriber without undue delay and in any event within 48 hours after having become aware of any Personal Data Breach;
3.2.7 in accordance with clause 11 of the License Agreement, delete or return all the Subscriber Personal Information to the Subscriber after the end of the provision of services relating to Processing, and delete existing copies unless Data Protection Laws require storage of the Subscriber Personal Information;
3.2.8 make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in these Data Processor Terms and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber. The Subscriber may only exercise its right to audit once per calendar year and any costs shall be borne by the Subscriber. Elucidat and the Subscriber will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit and the Subscriber shall take all necessary steps to minimize the disruption to Elucidat’s business. Elucidat may elect to provide the Subscriber with documents and records demonstrating its compliance with the obligations of these Data Processor Terms and the Subscriber shall refrain from exercising its audit right if the records are sufficient to demonstrate compliance. Any information obtained pursuant to an audit shall be deemed to be confidential information of Elucidat.
4. Compulsory Subprocessor contract terms (Article 28(4))
4.1 Where Elucidat engages a Subprocessor for carrying out specific Processing activities on behalf of the Subscriber, such engagement shall contain the same, or equivalent, data protection obligations as are referred to in paragraph 3 by way of a binding contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of GDPR.
4.2 Where any Subprocessor engaged by Elucidat fails to fulfil its data protection obligations in respect of Subscriber Personal Information, Elucidat shall remain fully liable to the Subscriber for the performance of that Subprocessor's obligations.
4.3 In addition to the Elucidat Affiliates, the Subscriber consents to the current list of Subprocessors and to Elucidat engaging Subprocessors for the Processing of Subscriber Personal Information in accordance with the following provisions.
4.4 With respect to each Subprocessor, Elucidat shall:
4.4.1 before the Subprocessor first Processes Subscriber Personal Information, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Subscriber Personal Information required by the License Agreement and these Data Processor Terms;
4.4.2 ensure that the arrangement between Elucidat and the Subprocessor is governed by a contract that complies with these Data Processor Terms;
4.4.3 provide to the Subscriber for review (via Elucidat Support Pages or otherwise) details of all Subprocessors.
4.5 Approval process: Elucidat shall give the Subscriber prior notice of the appointment of any new Subprocessor to be appointed after the date of these Data Processor Terms, including full details of the Processing to be undertaken by the Subprocessor. This notice may be given electronically via the Elucidat Support Pages. If, within 5 days of receipt of that notice, the Subscriber notifies Elucidat in writing of any objections (on reasonable grounds relating to data protection) to the proposed appointment, Elucidat shall not disclose any Subscriber Personal Information to that proposed Subprocessor and/or (as applicable) the Subscriber shall not access any optional Software affected by this issue until reasonable steps have been taken to address the objections raised by the Subscriber. If no such objections are raised, the Subscriber shall be deemed to have consented to the appointment of the Subprocessor. If the objection has not been resolved to the mutual satisfaction of the parties within 30 days after receipt of the Subscriber’s objection, either party may terminate the License Agreement (in whole or in part solely to the extent necessary to terminate access to the Software and/or Professional Services affected by the addition of the new Subprocessor), which will be the Subscriber’s sole and exclusive remedy.
5. International transfers
5.1 The Subscriber acknowledges that Elucidat and its Subprocessors may maintain data Processing operations in countries that are outside of the European Economic Area (“EEA”). As such, both Elucidat and its Subprocessors may Process Subscriber Personal Information in non-EEA countries. This will apply even where Elucidat has agreed with the Subscriber to host Subscriber Personal Information in the EEA if such non-EEA Processing is necessary to provide support or other related services requested by the Subscriber.
5.2 Elucidat shall ensure that transfers of Subscriber Personal Information from the EEA to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR and that such transfers and safeguards are documented according to Article 30(2) of the GDPR (to the extent applicable).
5.3 To the extent required by relevant Data Protection Laws, all transfers of Subscriber Personal Information out of the EEA shall be governed by the standard contractual clauses in the form adopted by the European Commission under Decision 2010/87/EU (“Standard Contractual Clauses”), except for transfer to and from: (i) any country which as a valid adequacy decision from the European Commission: (ii) the transfer to an importing entity that is a certified member of the EU-US or Swiss-US Privacy Shield or the importing entity is subject to the onward transfer principles of the Privacy Shield; or (iii) any organization which ensures an adequate level of protection in accordance with the applicable Data Protection Laws. In the event that the transfer is covered by more than one transfer mechanism, the transfer of Subscriber Personal Information will be subject to a single transfer mechanism in accordance with the following order of precedence: (i) Privacy Shield, (ii) any other transfer mechanism set out in Article 46 of the GDPR; and (iii) the Standard Contractual Clauses. Subject to the foregoing, the Standard Contractual Clauses are hereby incorporated by reference as if they had been set out in full herein. For the purpose of the Standard Contractual Clauses: (i) the governing law in clause 9 and 11 shall be that of England and Wales; (ii) Appendix 1 to these Data Processor Terms shall form Appendix 1 of the Standard Contractual Clauses; (iii) the technical and organizational measures detailed in paragraph 3.2.3 of these Data Processor Terms shall form Appendix 2 the Standard Contractual Clauses; and (iv) the illustrative indemnity is deemed deleted.
6. Charges and costs mitigation
6.1 Elucidat shall be entitled to charge Subscriber for the reasonable and verified costs of its assistance and cooperation provided pursuant to these Data Processor Terms in response to specific requests made at Subscriber's own initiation, except to the extent that such measures have been necessitated by a breach of these Data Processor Terms by Elucidat or its Subprocessors or such charges are expressly prohibited by Data Protection Laws. Elucidat’s charges shall be on a time and materials basis according to the then applicable rate card and invoiced according to Elucidat’s standard payment terms.
6.2 In the event that Elucidat is able to demonstrate that itself and/or any Subprocessor adheres to an approved code of conduct or approved certification mechanism as referred to in Article 40 GDPR, Subscriber accepts that Elucidat may rely on the same to demonstrate its compliance with these Data Processor Terms, so as to mitigate or avoid incurring unnecessary administration and costs, unless otherwise required by Data Protection Laws or as may be mutually agreed by the parties.
For the avoidance of doubt, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to these Data Processor Terms, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability contained within the License Agreement, and any reference to the liability of a party means the aggregate liability of that party and all of its Affiliates under the License Agreement and these Data Processor Terms together.
Elucidat will not reduce the Subscriber’s rights under these Data Processor Terms without explicit written consent.
APPENDIX 1 TO ELUCIDAT DATA PROCESSOR TERMS: DETAILS OF PROCESSING OF SUBSCRIBER PERSONAL INFORMATION
This Appendix 1 includes details of the Processing of Subscriber Personal Information as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Subscriber Personal Information
The subject matter and duration of the Processing of the Subscriber Personal Information are set out in the License Agreement and these Data Processor Terms.
The nature and purpose of the Processing of Subscriber Personal Information
All reasonable purposes in relation to Elucidat’s performance of its obligations under the License Agreement. This may include the regular review of the performance, usage and functioning of the Software.
The types of Subscriber Personal Information to be Processed
All Subscriber Personal Information Processed in the normal use, management and development of Elucidat’s Site and Software including:
• Email addresses
• Contact details
• Profile information provided by Subscribers and learners
• Subscriber Personal Information included in Course Content
• Usage data
• Preferences/personalization details
• Evidence of opt-ins/contact permissions and other privacy consents/unsubscribe requests
The categories of Data Subject to whom the Subscriber Personal Information relates
All users of Elucidat’s Site and Software, mobile applications and other features, services and technology provided by Elucidat pursuant to the License Agreement.