EDUNAHKO | Data processing addendum
This document contains the DPA of EDUNAHKO. This DPA is applicable to any Agreement for the provision of Services by EDUNAHKO entered into by EDUNAHKO and the Customer that opens an Account on one of the Websites of EDUNAHKO. For this DPA, EDUNAHKO will be referred to as the Processor and the Customer will be referred to as the Controller. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the same meaning as given in the terms and conditions for educational institutions. Where capitalized terms are used that correspond to definitions in the General Data Protection Regulation EU 2016/679 (‘GDPR’), these terms shall have the same meaning as in the GDPR.
Controller has instructed Processor to provide the Services in accordance with the Agreement whereby Processor processes personal data on behalf of Controller. The Processing of Personal Data is subject to GDPR and the Dutch GDPR Implementation Act (‘UAVG’). Therefore, the Parties, also in view of the requirement in Article 28(3) of the GDPR, wish to set out their rights and obligations in writing by means of this DPA.
The Parties have agreed as follows:
Article 1. Scope
1.1 This DPA shall apply if one or more Processing of Personal Data takes place in the provision of Services in the Agreement.
1.2 The natural persons who effectively will make use of the Services of Processor under the Agreement and, where applicable, their representatives, are hereinafter referred to as ‘Data Subjects’.
1.3 If more and other Personal Data are processed on behalf of the Controller, under its documented instructions and for purposes authorized by Controller, this DPA shall also apply to those processes to the extent possible.
Article 2. Subject matter
2.1 This DPA shall apply to the Services provided by Processor under the Agreement and shall take effect from the same date.
2.2 This DPA supersedes all previous agreements regarding the Processing of Personal Data between the Parties.
2.3 Processor shall only process Personal Data for the benefit of and in accordance with written (‘Written’) instructions of Processor and its affiliated entities for the purposes of providing the Services.
2.4 Processor is not permitted to process Personal Data for other purposes, except with the prior Written consent of Controller or when required by law.
Article 3. Obligations of Processor
3.1 With regard to the Processing of Personal Data on behalf of Controller, Processor shall comply with all laws and regulations, including, but not limited to, the laws and regulations on the protection of Personal Data, such as the GDPR.
3.2 Upon Controller’s first request, Processor shall inform Controller about the measures it has taken regarding its obligations under this DPA.
3.3 The obligations of Processor arising from the DPA also apply to those who process personal data under the authority of Processor, including but not limited to employees, in the broadest sense of the word.
3.4 Processor shall promptly notify the Controller if, in its opinion, any instructions are in conflict with the GDPR or are otherwise unreasonable.
3.5 If necessary, Processor shall assist Controller in fulfilling its obligations under Articles 32 to 36 of the GDPR.
3.6 The Processor is entitled to charge the Controller for all reasonably incurred costs in the context of fulfilling the obligations in Articles 3.1 and 3.5.
Article 4. Transfer of Personal Data
4.1 Processor processes Personal Data in countries within the European Economic Area (‘EEA’). Processor shall not transfer Personal Data to countries outside the EEA without prior Written consent of Controller.
4.2 Processor shall inform Controller about the country or countries where the personal data is being processed.
Article 5. Engagement of Subprocessors
5.1 Controller hereby grants Processor general authorization to engage third parties (‘Subprocessors’).
5.2 Upon request of Controller, Processor shall inform Controller of the Subprocessors engaged.
5.3 On the basis of duly justified arguments, Controller has the right to object to new or to be changed Subprocessors. In such case, the Parties shall consult each other to find a workable solution.
5.4 Processor ensures that Subprocessors will be obliged to agree in writing to the same duties as are agreed between Controller and Processor.
Article 6. Security
6.1 Processor shall take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of personal data).
6.2 Processor does not guarantee that the security will be effective under all circumstances. If an expressly described security measure is missing in the DPA, Processor will strive to ensure that the security meets a level that, considering the state of the art, the sensitivity of the personal data, and the costs associated with implementing the security, is not unreasonable.
6.3 Processor will provide Controller, upon request, insight into its security policy, insofar as it is relevant for the Services.
Article 7. Duty to report
7.1 Controller is at all times responsible for reporting a Personal Data Breach (‘Data Breach’) to the supervisory authority and/or Data Subjects.
7.2 Processor shall, without undue delay, notify Controller of the Data Breach upon becoming aware of it.
7.3 The duty to report shall, as far as known, at least include:
- the nature of the Data Breach;
- the categories of Data Subjects and Personal Data;
- the number of Data Subjects and Personal Data;
- the name and contact details of a contact point where further information can be obtained;
- the likely consequences of the Data Breach;
- the measures proposed or taken by Processor to address the Data Breach and limit any adverse effects thereof.
Article 8. Handling of requests from Data Subjects
8.1 In the event that a Data Subject directs a request to exercise his/her legal rights (Articles 15-23 GDPR) to Processor, Processor will forward the request to Controller, and Controller will further handle the request. Processor may inform the Data Subject of the Data Breach.
8.2 Processor shall, if requested by Controller, provide assistance in handling requests from Data Subjects through appropriate technical and organizational measures to the extent possible and reasonable.
Article 9. Audit
9.1 Controller has the right to have audits conducted by an independent third party bound by confidentiality to verify compliance with the DPA. The audit by Controller will always be limited to the systems used by Processor for the Processing.
9.2 This audit may take place once every twenty-four (24) months as well as in the case of a concrete suspicion of misuse of Personal Data. This suspicion must be sufficiently substantiated by Controller.
9.3 Controller shall announce the audit at least four (4) weeks in advance and ensure that the audit minimally disrupts Processor’s operations.
9.4 Processor shall cooperate with the audit and shall, as soon as possible, make available all information reasonably relevant to the audit, including supporting data such as system logs, and employees.
9.5 Recommendations resulting from the audit will, as far as possible, be implemented by Processor in consultation with Controller.
9.6 The costs of the audit shall be borne by Controller. Processor is entitled to invoice Controller for all costs associated with this audit.
Article 10. Miscellaneous
10.1 This DPA is entered into for the duration as specified in the Agreement.
10.2 Upon termination of the Agreement, Processor will, at the choice of Controller, either return all Personal Data in its possession in original or copy form to Controller, and/or delete and/or destroy these original Personal Data and any copies thereof. Processor is entitled to charge all reasonable costs for this.
10.3 Controller may verify at its own expense what is stipulated in the preceding clause in accordance with Article 10 of the DPA (‘Audit’).