The General Data Protection Regulation Addendum (“GDPR Addendum”) is incorporated by reference into the services agreement (commonly named an end user subscription agreement, end user services agreement or master subscription and services agreement) and all related orders for Subscription Services (defined below) between customer (defined below) and Teaching Strategies named therein (“Agreement”). This GDPR Addendum is entered into as of the later of the dates beneath the parties’ signatures below.
This GDPR Addendum is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is processed by Teaching Strategies under the Agreement. The purpose of the GDPR Addendum is to ensure such processing is conducted in accordance with applicable laws, including EU Data Protection Legislation, and with due respect for the rights and freedoms of individuals whose Personal Data are processed.
HOW TO EXECUTE THIS GDPR ADDENDUM
When Teaching Strategies receives the completed and signed GDPR Addendum as specified below, this GDPR Addendum will become a legally binding addendum to the Agreement. To make the GDPR Addendum a part of the Agreement, Customer must do the following:
A. Complete the information in the signature block of this GDPR Addendum and have an authorized representative sign.
HOW THIS GDPR ADDENDUM APPLIES
A. If the Customer entity signing this GDPR Addendum is a party to the Agreement, the Teaching Strategies entity that is a party to the Agreement is a party to this GDPR Addendum.
B. If the Customer entity signing this GDPR Addendum has executed orders under the Agreement but is not a party to the Agreement, this GDPR Addendum will be incorporated in such order(s) and the Teaching Strategies entity that is a party to such order(s) will be a party to this GDPR Addendum.
C. This GDPR Addendum will not be valid and legally binding if the signing Customer entity is not a party to the Agreement or order(s) or is an indirect customer through an authorized reseller about its contract with that seller.
DATA PROCESSING TERMS
In providing the Services to Customer pursuant to the Agreement, Teaching Strategies may process Personal Data on behalf of Customer. Teaching Strategies will comply with the provisions in this GDPR Addendum with respect to its processing of any Personal Data.
Capitalized terms used but not defined in this GDPR Addendum have the same meanings as set out in the Agreement.
DATA PROCESSING TERMS DEFINITIONS
“Affiliate(s)” means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity which alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Customer Data” means what is defined in the Agreement as “Customer Data” or “Your Data.”
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein, as well as, for the purposes of this GDPR Addendum, the United Kingdom.
“EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementations thereof; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), as amended, replaced or superseded.
“Personal Data” means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Teaching Strategies” means the Teaching Strategies entity which is a party to this GDPR Addendum, as specified in the section “HOW THIS GDPR ADDENDUM APPLIES” above, being Teaching Strategies, LLC, a limited liability company incorporated in Delaware.
“Sub-processor” means any Processor engaged by Teaching Strategies.
“Subscription Services” means the early childhood assessment and child care operations services provided by Teaching Strategies, LLC.
APPLICABILITY OF GDPR ADDENDUM
Applicability. This GDPR Addendum shall apply only to the extent Customer is established within the EEA or Switzerland and/or to the extent Teaching Strategies processes Personal Data of Data Subjects located in the EEA or Switzerland on behalf of Customer or a Customer Affiliate.
ROLES AND RESPONSIBILITIES
Parties’ Roles. Customer, as Controller, appoints Teaching Strategies as a Processor to process the Personal Data on Customer’s behalf. In some circumstances Customer may be a Processor, in which case Customer appoints Teaching Strategies as Customer’s sub-processor, which shall not change the obligations of either Customer or Teaching Strategies under this GDPR Addendum, as Teaching Strategies will remain a Processor with respect to the Customer in such event.
Purpose Limitation. Teaching Strategies shall process Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this GDPR Addendum set out Customer’s complete instructions to Teaching Strategies in relation to the processing of Personal Data and any processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties.
Training. Teaching Strategies shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
Compliance. Customer, as Controller, shall be responsible for ensuring that, in connection with Customer Data and the Subscription Services:
(i) It has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation; and
(ii) It has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Teaching Strategies for processing in accordance with the terms of the Agreement and this GDPR Addendum.
Security. Teaching Strategies shall implement appropriate technical and organizational measures designed to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use (each a “Security Incident”) and in accordance with Teaching Strategies’ security standards set forth in the Agreement.
Confidentiality of Processing. Teaching Strategies shall ensure that any person that it authorizes to process the Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
Security Incidents. Upon becoming aware of a Security Incident, Teaching Strategies shall notify Customer without undue delay and pursuant to the terms of the Agreement, but within no more than seventy-two (72) hours, and shall provide such timely information as Customer may reasonably require to enable Customer to fulfil any data breach reporting obligations under EU Data Protection Legislation. Teaching Strategies will take steps to immediately identify and remediate the cause of such Security Incident.
Sub-processors. Customer agrees that Teaching Strategies may engage Teaching Strategies Affiliates and third party sub-processors (collectively, “Sub-processors”) to process the Personal Data on Teaching Strategies’ behalf. The Sub-processors currently engaged by Teaching Strategies and authorized by Customer are listed at Teaching Strategies’ Sub-processor web page (the “Sub-processor List”). The Sub-processor List shall include a mechanism for Customer to subscribe to notifications of any new Sub-processors or changes to the Sub-processor List. Teaching Strategies shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this GDPR Addendum and shall remain liable for any breach of this GDPR Addendum caused by a Sub-processor.
Changes to Sub-processors. Teaching Strategies may, by giving no less than thirty (30) days’ notice to Customer, add or make changes to the Sub-processors. Customer may object to the appointment of an additional Sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case Teaching Strategies shall have the right to cure the objection through one of the following options (to be selected at Teaching Strategies’ sole discretion): (a) Teaching Strategies will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Subscription Services without such Sub-processor; or (b) Teaching Strategies will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-processor with regard to Personal Data; or (c) Teaching Strategies may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the Subscription Services that would involve the use of such Sub-processor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Subscription considering the reduced scope of the Subscription Services. Objections to a Sub-processor shall be submitted to Teaching Strategies by following the directions set forth in the Sub-processor List. If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after Teaching Strategies’ receipt of Customer’s objection, either party may terminate the agreement and Customer will be entitled to a pro-rata refund for prepaid fees for Subscription Services not performed as of the date of termination.
Emergency Replacement. Teaching Strategies may replace a Sub-processor if the reason for the change is beyond Teaching Strategies’ reasonable control. In such instance, Teaching Strategies shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-processor pursuant to “Changes to Sub-processors” above.
Data Subject’s Rights. Teaching Strategies shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practical, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under EU Data Protection Legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication, or request is made directly to Teaching Strategies, Teaching Strategies shall promptly inform Customer by providing the full details of the request. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data.
Data Protection Impact Assessments and Prior Consultation. Teaching Strategies shall, to the extent required by EU Data Protection Legislation, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Legislation.
SECURITY REPORTS AND AUDITS
Any provision of security attestation reports (such as SOC 2, Type II or equivalent report) or audits shall take place in accordance with Customer’s rights under the Agreement. If the Agreement does not include a provision regarding security attestation reports, Teaching Strategies shall provide a copy of its most current security attestation report upon Customer’s written request no more than once annually. If the Agreement does not include audit rights, Teaching Strategies and Customer will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit; and Teaching Strategies reserves the right to charge a fee (based on Teaching Strategies’ reasonable costs) for any such audit. Teaching Strategies will provide further details of any applicable fee and the basis of its calculation to Customer in advance of such audit.
DELETION OR RETURN OF CUSTOMER DATA
Deletion or Return of Data. Teaching Strategies will process and store Personal Data only for the period necessary to achieve the purpose of the storage, or as permitted by law. In the event Teaching Strategies is required by law to retain some or all of the Personal Data, the protections of the Agreement and this GDPR Addendum shall extend to such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention for so long as Teaching Strategies maintains the Personal Data.
Except as amended by this GDPR Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this GDPR Addendum, the terms of this GDPR Addendum will control. Any claims brought under this GDPR Addendum shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.