Data Processing Agreement

Introduction

This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the terms governing the processing of Personal Data under Permission Click’s Terms of Service (the “TOS”) and/or any services agreement executed between Permission Click Inc. and the Customer identified in such agreement (together with the TOS, the “Services Agreement”).

This DPA applies to the extent you are using the Services in the context of your data processing activities that are subject to the EU General Data Protection Regulation (“GDPR”). This DPA is made in light of the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”) and applicable Data Protection Legislation (as that term is defined below). Definitions used in this agreement shall have the same meaning as set out in the GDPR. This agreement is based on the requirements set out in article 28 of the GDPR.

The purpose of this Agreement is to ensure that Permission Click Inc. (“Vendor”) provides the services under the Services Agreement (the “Services”) to Customer in a manner that complies with the Data Protection Legislation.

General

In respect of the parties’ rights and obligations under this Agreement regarding the Personal Data, the parties hereby acknowledge and agree that Customer is the “Data Controller” and Vendor is the “Data Processor” and accordingly Vendor agrees that it shall process all Personal Data in accordance with its obligations pursuant to this Agreement.

The Data Processor guarantees that it has appropriate technical and organizational measures in place to meet the requirements of the GDPR and ensure protection of the rights of the data subject.

Engagement of Sub-Processors

The Data Processor shall not engage another processor without prior specific or general written authorization of the Data Controller. In case of general written authorization, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

Where the Data Processor engages another processor (sub-processor) for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this processor agreement or other legal act between the Data Controller and the processor as referred to in article 28, paragraph 3, of the GDPR, shall be imposed on that other processor (sub-processor) by way of contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor (sub-processor) fails to fulfil its data protection obligations, the initial Data Processor shall remain fully liable to the Data Controller for the performance of that other processor’s (sub-processor’s) obligations.

The Data Processor uses the sub-processors as identified on Data Processor’s website here, which list may be updated by Data Processor from time to time. By using the Services, Data Controller hereby provides authorization to engage such sub-processors.

Subject-Matter and Duration of the Processing

Permission Click provides a place for educators, school administrators, not-for-profits and other organizations to manage electronic or digital documents, forms, data, information, and content (“eRecords”) and collect electronic signatures from teachers, staff, parents, and third parties and collect payments from parents for events.

Nature and Purpose of the Processing

The performance of the Services will involve the processing of Personal Data as follows:

  1. The categories of Personal Data to be processed are as determined by the Data Controller in its creation of forms and templates, including, but not limited to, teacher, student or parent contact information (title, first name, last name, address, email address, etc.); payment and billing information related to payment of Customer’s accounts; organizational and administrative data (District/organization, role, contact information, permissions, etc.);
  2. The duration of the processing will be until the earliest of (i) expiry/termination of the Services Agreement or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Services Agreement (to the extent applicable);
  3. The nature of the processing will be as required to fulfill the service, including collection, reporting, analysis, storage, duplication, deletion, disclosure to Customer’s designated users;
  4. The processing is as necessary for the provision of the Services under the Services Agreement;
  5. The categories of data subjects include Customer’s representatives and end users (teachers, administrators, parents, and students).

Compliance with Controller’s Instructions

The Data Processor shall process the Personal Data only on documented instructions from the Data Controller, including any transfer of data to third countries or international organizations.

If, in the performance of this Agreement, Data Processor transfers any Personal Data received from or on behalf of Data Controller to any third party (which shall include without limitation any affiliates of Data Processor) where such third party is located outside the European Economic Area, Data Processor shall ensure that such transfer is made in accordance with one or more of the following requirements under the GDPR:

  1. the requirement for Data Processor to execute or procure that the third party execute Standard Contractual Clauses for transfers from Data Controllers to Data Processors approved by the Commission pursuant to Decision 2010/87/EU, as amended by Commission Implementing Decision (EU) 2016/2297;
  2. the requirement for the third party to be certified under the Privacy Shield framework; or
  3. the existence of any other specifically approved safeguard for data transfers (as recognized under the GDPR) and/or a European Commission finding of adequacy.

Confidentiality

The Data Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality by way of a written agreement or are under an appropriate statutory obligation of confidentiality.

Security of Processing

The Data Processor shall implement appropriate technical and organizational measures in accordance with article 32 of the GDPR to ensure a level of security appropriate to the risk, including as appropriate:

  1. the pseudonymization and encryption of data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Requests by Data Subjects

As further set out in Chapter III of the GDPR, data subjects have certain rights (e.g. information and access to Personal Data, rectification and erasure, restriction of processing, data portability, the right to object and rights relating to automated individual decision-making). The Data Controller is obliged to facilitate the exercise of these data subject rights under articles 15 to 22 of the GDPR. The Data Processor shall assist the Data Controller by appropriate technical and organizational measures for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.

Security of Processing, Personal Data Breach, Impact Assessment and Prior Consultation

As further set out in articles 32 to 36 of the GDPR, Data Controller has certain obligations (e.g. notification of data breach to the supervisory authority, communication of data breach to the data subject, making a data protection impact assessment and prior consultation with the supervisory authority in certain cases).

The Data Processor shall notify the Data Controller of any actual or suspected data breaches and in all other aspects assist the Data Controller in ensuring compliance with articles 32 to 36 of the GDPR. In particular, the Data Processor shall promptly provide the Data Controller with full cooperation and assistance in respect of the data breach and all information in Data Processor’s possession concerning the data breach, including the following:

  1. the probable cause and consequences of the breach;
  2. the categories of Personal Data involved;
  3. a summary of the probable consequences for the relevant data subjects;
  4. a summary of the unauthorized recipients of the Personal Data; and
  5. the measures taken by Data Processor to mitigate any damage.

Return and Deletion of Personal Data

The Data Processor shall, at the choice of Data Controller, delete or return all the personal data to the Data Controller at the end of the provision of services relating to processing, and delete any existing copies unless Union or Member State law requires storage of the personal data.

Audit, Compliance and Duty to Inform

The Data Processor shall maintain written records of all categories of processing activities carried out on behalf of the Data Controller.

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

If Data Controller believes that an on-site audit is necessary, Data Processor agrees to give Data Controller access to Data Processor’s premises (subject to any reasonable confidentiality and security measures at a mutually acceptable time), and to any stored Personal Data and data processing programs it has on-site. Data Controller is entitled to have the audit carried out by a third party.

No additional compensation

The Data Processor’s compensation is included in the service charges set out in the Services Agreement referred to above, and the Data Processor shall thus not be entitled to any additional compensation for carrying out its obligations under this Addendum.

Governing law and dispute resolution

Definitions

“Data Controller” has the meaning set out in the Data Protection Legislation;

“Data Processor” has the meaning set out in the Data Protection Legislation;

“Data Protection Legislation” means all privacy laws applicable to any Personal Data processed under or in connection with this Agreement, including, without limitation, the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (the “GDPR”)), the Privacy and Electronic Communications Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time;

“Personal Data” has the meaning set out in the Data Protection Legislation and relates only to personal data of which Customer is the Data Controller and in relation to which the Vendor is providing the Services under the Services Agreement;

“process” and other derivations such as “processed” and “processing” means any use of or processing applied to any Personal Data and includes “processing” as defined in the Data Protection Legislation;