EU Data Processing Addendum
Updated 17 March 2023
Influence Ecology, LLC DBA Influential U. (“Influential U”) and the Licensee agreeing to these terms (“Licensee”) have entered into a written agreement involving the processing of certain personal data (as amended from time to time, the “Agreement”). Influential U and Licensee are hereinafter collectively referred to as “the Parties” or each individually as a “Party.”
This Data Protection Addendum, including its attachments (the “Addendum”) will be effective and replace any previously applicable data processing and security terms as of the Addendum Effective Date (as defined below). This Addendum forms part of the Agreement and consists of (a) the main body of the Addendum; (b) Attachment 1 (Subject Matter and Details of the Data Processing); and (c) Attachment 2 (Security Measures).
1. Definitions
The following terms have the meanings set out below for this Agreement:
1.1. “Addendum Effective Date” means, as applicable, (a) 01 January 2023, if the Parties agreed to this Addendum prior to or on such date; or (b) the date on which the parties agreed to this Addendum, if such date is after 01 January 2023.
1.2. “European Data Protection Legislation” means the GDPR and other data protection laws of the EU, its Member States, and the United Kingdom, applicable to the processing of Customer Personal Data under the Agreement.
1.3. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.4. “Information Security Incident” means a breach of a Party’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data in a Party’s possession, custody or control. “Information Security Incidents” will not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.5. “Standard Contractual Clauses” mean the standard data protection clauses for the transfer of personal data to processors and controllers established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
1.6. “Security Measures” means technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data as further described in Attachment 2.
1.7. “Services” means the services and/or products to be provided by Influential U to Licensee or by Licensee to Influential U, as applicable, under the Agreement.
1.8. “Transfer Solution” means the Standard Contractual Clauses (SET II for the transfer of personal data from the Community to third countries (controller to controller transfers)) or another solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR.
1.9. The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this Addendum have the meanings given in the GDPR, and the terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
2. Applicability. This Addendum will apply only to the extent that the Data Protection Legislation applies to the processing of personal data.
3. Roles of the Parties. For the purpose of the Agreement, the Parties acknowledge and agree that each Party acts as a controller for the processing of personal data for its own purposes (as defined in Attachment 1) in the context of the Services. The Parties acknowledge and agree that each Party operates as an independent controller and that the Parties do not operate as joint controllers.
4. Obligations of the Parties.
4.1. Each Party represents and warrants that in connection with the processing performed in connection with the Services, it will:
4.1.1. Comply with European Data Protection Legislation.
4.1.2. Establish one or more valid legal grounds under European Data Protection Legislation for its processing, to include disclosures of personal data to the other Party.
4.1.3. Transfer personal data out of the EEA or Switzerland only pursuant to a Transfer Solution if the European Data Protection Legislation applies to such transfer.
4.1.4. Provide such notice to data subjects regarding its processing of personal data as may be required by European Data Protection Legislation.
4.1.5. Cooperate with the other Party to fulfil the other Party’s obligations under European Data Protection Legislation.
4.2. Without prejudice to section 4.1.2, in each case where consent is the legal ground for the processing of personal data involving a transfer of such personal data to Influential U, Licensee shall be solely responsible for obtaining the specific, informed, unambiguous, and freely given consent of each Data Subject for the processing of their personal data by Influential U. Influential U’s Privacy Notice, currently available at https://influentialu.global/privacy/ and which may be updated from time to time, provides information about Influential U’s processing that may assist Licensee in obtaining consent from data subjects for Influential U’s processing of personal data for its own purposes.
5. Processing Restrictions. If Licensee receives personal data from Influential U, it agrees to process such personal data only for limited and specified purposes consistent with the consent provided by the data subject to Influential U (or such other legal grounds as may be established for the processing under European Data Protection Legislation). Licensee will promptly notify Influential U if it determines that it can no longer meet this obligation; in such event, Licensee will cease the processing of personal data received from Influential U or, in consultation with Influential U and with Influential U’s written consent, take other reasonable and appropriate steps to remediate.
6. Data Disclosures. Each Party represents and warrants that it will require any third parties to which it transfers personal data originating from the other Party to protect the data with at least the same level of protection as provided in this Addendum. In the event of a transfer to a processor, the Party must enter into a written agreement that meets the requirements of Article 28 of the GDPR. Each Party will promptly notify the other Party if it determines that it can no longer meet the foregoing obligations; in such event, the notifying Party will cease the processing of personal data received from the non-notifying Party or, in consultation with the non-notifying Party and with the non-notifying Party’s written agreement, take other reasonable and appropriate steps to remediate.
7. Data Security
7.1. Security Measures and Controls.
7.1.1. Each Party agrees to implement and maintain Security Measures.
7.1.2. Each Party agrees to grant access to personal data only to employees, contractors and subprocessors who need such access for the scope of their performance, and who are subject to appropriate confidentiality arrangements.
7.2. Information Security Incidents.
7.2.1. Information Security Incident Notification. If a Party becomes aware of an Information Security Incident that relates to Personal Data it processes in the context of the Service for which it is a Controller and for which the other Party is also a controller, the Party will: (a) notify the other Party of the Information Security Incident without undue delay after becoming aware of the Information Security Incident; and (b) take reasonable steps to identify the cause of such Information Security Incident, minimize harm and prevent a recurrence.
7.2.2. Details of Information Security Incident. Notifications made pursuant to this Section (Information Security Incidents) will describe, to the extent possible, details of the Information Security Incident, including steps taken to mitigate the potential risks and steps the Party recommends that the other Party take to address the Information Security Incident.
7.2.3. Notification. Unless otherwise agreed in writing by the Parties, the Party experiencing an Information Security Incident is solely responsible for complying with incident notification laws applicable to the Party and fulfilling any third-party notification obligations related to any Information Security Incident. The non-notifying Party will provide reasonable assistance to the notifying Party in complying with the notifying Party’s notification obligations.
8. Liability. In the event that one Party is held responsible for any damage caused in connection with the other Party’s processing of personal data and pays compensation for such damage, the non-paying Party agrees that the Paying Party may seek from it payment corresponding to the non-Paying Party’s quantum of responsibility for the damage.
9. Notices. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by either Party may be given (a) in accordance with the notice clause of the Agreement; (b) to the Party’s primary points of contact; and/or (c) to any email address provided by the Party for the purpose of providing it with Service-related communications or alerts. Each Party is solely responsible for ensuring that the email address(es) it provides are valid.
Effect of These Terms.
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.
Attachment 1 – Subject Matter and Details of the Data Processing
Subject Matter | Training on Courses; Certification Exams; Confirmation of Course/Exam Registration, Certification |
Duration of the Processing | For as long as necessary to fulfill the purpose(s) for which the information was collected, depending on the purpose(s) for which the information was collected, the nature of the information, any contractual relationship that may govern the retention of the data, and our legal or regulatory obligations |
Nature and Purpose of the Processing | Processing personal data for the purposes of providing the Services in accordance with the Addendum, as further described below: Licensee’s Processing of Personal Data Received from Influential U: Influential U may share certification data, exam results and whether students have taken an exam with Licensee, only if Licensee has received positive confirmation from its students to share such information. Influential U’s Processing of Personal Data Received from Licensee: Maintain records regarding individuals’ participation in our courses, exams, and certifications, such as information about the courses and exams an individual has taken, and the certifications an individual has obtained. Communicate about the products and services we offer, and respond to requests, inquiries, comments, and suggestions. Operate, evaluate and improve our business, our websites, and other products and services we offer (including to research and develop new products and services). Comply with legal or regulatory requirements, judicial process, and our company policies. Aggregation and de-identification. For Influential U’s legitimate business purposes, or for purposes authorized by the data subject, or as otherwise permitted by applicable law. |
Categories of Data | Data relating to individuals provided by one Party to the other Party in connection with the Services, by (or at the direction of) the Party, which may include: Personal and business contact information (such as name, job title and employer name, email address, mailing address, and phone number). Information about individuals’ participation in courses, exams, and certifications, such as information about the courses and exams an individual has taken, and certifications an individual has obtained. |
Data Subjects | Data subjects include: Registrants and attendees of a course offered by Influential U or a Licensee. Individuals who have registered for, taken, or passed an IU certification exam. |
Attachment 2 – Security Measures
Taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, and the risks to data subjects’ rights and freedoms, as of the Addendum Effective Date each Party will implement and maintain appropriate Security Measures to protect the security, confidentiality and integrity of personal data appropriate to the risk including, as appropriate, the measures described in Article 32(1) of the GDPR.