Last updated: October 2022
These Data Processor Terms form part of the License Agreement between Elucidat and the Subscriber. During the course of providing the Software and/or Professional Services, Elucidat may Process Subscriber Personal Information that is subject to Data Protection Laws. The Subscriber appoints Elucidat to Process such Subscriber Personal Information in accordance with these Data Processor Terms.
1. Definitions
1.1 In these Data Processor Terms, the following words shall have the following meaning:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;
“Data Protection Laws” means, as applicable, the laws and regulations relating to Processing of Personal Data, including the (i) EU General Data Protection Regulation 2016/679 (“GDPR”); (ii) the GDPR as it forms part of the law of England and Wales by virtue of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iii) the Data Protection Act 2018 (and regulations made thereunder) or any successor legislation; as may be amended or superseded from time to time. The terms “Controller”, “Data Subject”, “Personal Data”, “Processing” and “Processor” shall have the meaning as defined in the GDPR;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Subscriber Personal Information;
“Standard Contractual Clauses” means as applicable (a) the standard contractual clauses available at https://eurlex.europa.eu/legalcontent/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR ("EU SCCs"); and (b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office under S119A(1) of the Data Protection Act 2018 available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf ("UK Addendum");
“Subprocessor” means any Processor engaged by Elucidat and/or its Affiliates engaged in the Processing of Subscriber Personal Information;
“Subscriber Personal Information” means any Personal Data which is submitted to, and stored within, the Software by the Subscriber or Authorized Personnel in connection with the Subscriber’s use of the Software.
1.2 Unless otherwise defined herein, all capitalised terms in these Data Processor Terms shall have the meaning given to them in the License Agreement.
2. Processing of Subscriber Personal Information
2.1 Unless expressly stated otherwise in the Elucidat Privacy Policy (https://support.elucidat.com/hc/en-us/articles/4822881454993), the parties acknowledge and agree that with regard to the Processing of the Subscriber Personal Information, the Subscriber is the Controller and Elucidat is the Processor.
2.2 Subscriber confirms it has the right to transfer, or provide access to, the Subscriber Personal Information to Elucidat (including its personnel and subprocessors) for Processing in accordance with the terms of the License Agreement and these Data Processor Terms. The Subscriber shall comply with all Data Protection Laws in connection with the Subscriber Personal Information.
2.3 The Subscriber hereby instructs Elucidat in accordance with these Data Processor Terms to Process Subscriber Personal Information as reasonably necessary for the provision of the Software and Professional Services and in compliance with the License Agreement.
3. Compulsory Processor terms pursuant to Article 28(3) GDPR/ UK GDPR
3.1 Details of the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Subscriber Personal Information and categories of Data Subjects are set out in Appendix 1 hereto.
3.2 In respect of any Processing of Subscriber Personal Information pursuant to the License Agreement, Elucidat shall:
3.2.1 Process Subscriber Personal Information only on documented instructions (including the terms of the License Agreement and electronic instructions) from the Subscriber, unless required to do so by applicable law to which Elucidat is subject; in such a case, Elucidat shall inform the Subscriber of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Elucidat shall immediately inform the Subscriber if, in its opinion, an instruction infringes Data Protection Laws;
3.2.2 ensure that persons authorized to Process Subscriber Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.2.3 take all measures required pursuant to Article 32 GDPR/ UK GDPR (Security of Processing) in accordance with the Elucidat Security Policy, to ensure a reasonable level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
3.2.4 At all times during the applicable Subscription period, the Subscriber, via its Elucidat Account, shall be able to access, extract, and delete the Subscriber Personal Information in accordance with the specification of the Software in order to respond to Data Subject requests to exercise one or more of their rights under applicable Data Protection Laws;
3.2.5 respect the conditions referred to in paragraph 4 for engaging another Processor;
3.2.6 taking into account the nature of the Processing, assist the Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Subscriber’s obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III GDPR/ UK GDPR. To the extent legally permitted, the Subscriber shall be responsible for any costs arising from Elucidat’s provision of such assistance beyond the existing functionality of the Software. Elucidat shall not respond to such requests directly to any Data Subject except on the Subscriber’s documented instructions, or as required by applicable laws to which Elucidat is subject;
3.2.7 assist the Subscriber in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR/ UK GDPR (Security of Processing; Notification of a Personal Data Breach to the supervisory authority; Communication of a Personal Data Breach to the Data Subject; Data protection impact assessment; and Prior consultation) taking into account the nature of Processing and the information available to Elucidat. This shall include notifying the Subscriber without undue delay and in any event within 48 hours after having become aware of any Personal Data Breach;
3.2.8 in accordance with clause 12 of the License Agreement, delete or return all the Subscriber Personal Information to the Subscriber after the end of the provision of services relating to Processing, and delete existing copies unless Data Protection Laws require storage of the Subscriber Personal Information;
3.2.9 make available to the Subscriber all information necessary to demonstrate compliance with the obligations laid down in these Data Processor Terms and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the Subscriber. The Subscriber may only exercise its right to audit once per calendar year and any costs shall be borne by the Subscriber. Elucidat and the Subscriber will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit and the Subscriber shall take all necessary steps to minimize the disruption to Elucidat’s business. Elucidat may elect to provide the Subscriber with documents and records demonstrating its compliance with the obligations of these Data Processor Terms and the Subscriber shall refrain from exercising its audit right if the records are sufficient to demonstrate compliance. Any information obtained pursuant to an audit shall be deemed to be confidential information of Elucidat.
4. Compulsory Subprocessor contract terms (Article 28(4))
4.1 Where Elucidat engages a Subprocessor for carrying out specific Processing activities on behalf of the Subscriber, such engagement shall contain the same, or equivalent, data protection obligations as are referred to in paragraph 3 by way of a binding contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of GDPR/ UK GDPR.
4.2 Where any Subprocessor engaged by Elucidat fails to fulfil its data protection obligations in respect of Subscriber Personal Information, Elucidat shall remain fully liable to the Subscriber for the performance of that Subprocessor's obligations.
4.3 In addition to the Elucidat Affiliates, the Subscriber consents to the current list of Subprocessors (https://support.elucidat.com/hc/en-us/articles/4822659822225-Third-Party-Subprocessors) and to Elucidat engaging Subprocessors for the Processing of Subscriber Personal Information in accordance with the following provisions.
4.4 With respect to each Subprocessor, Elucidat shall:
4.4.1 before the Subprocessor first Processes Subscriber Personal Information, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Subscriber Personal Information required by the License Agreement and these Data Processor Terms;
4.4.2 ensure that the arrangement between Elucidat and the Subprocessor is governed by a contract that complies with these Data Processor Terms;
4.4.3 provide to the Subscriber for review (via Elucidat Support Pages or otherwise) details of all Subprocessors.
4.5 Approval process: Elucidat shall give the Subscriber prior notice of the appointment of any new Subprocessor to be appointed after the date of these Data Processor Terms, including full details of the Processing to be undertaken by the Subprocessor. This notice may be given electronically via the Elucidat Support Pages. If, within 5 days of receipt of that notice, the Subscriber notifies Elucidat in writing of any objections (on reasonable grounds relating to data protection) to the proposed appointment, Elucidat shall not disclose any Subscriber Personal Information to that proposed Subprocessor and/or (as applicable) the Subscriber shall not access any optional Software affected by this issue until reasonable steps have been taken to address the objections raised by the Subscriber. If no such objections are raised, the Subscriber shall be deemed to have consented to the appointment of the Subprocessor. If the objection has not been resolved to the mutual satisfaction of the parties within 30 days after receipt of the Subscriber’s objection, either party may terminate the License Agreement (in whole or in part solely to the extent necessary to terminate access to the Software and/or Professional Services affected by the addition of the new Subprocessor), which will be the Subscriber’s sole and exclusive remedy.
5. International transfers
5.1 The Subscriber acknowledges that Elucidat and its Subprocessors may maintain data Processing operations in countries that are outside of the United Kingdom and the European Economic Area (“EEA”). As such, both Elucidat and its Subprocessors may Process Subscriber Personal Information in non-EEA or non-United Kingdom countries. This will apply even where Elucidat has agreed with the Subscriber to host Subscriber Personal Information in the EEA or the United Kingdom if such Processing is necessary to provide support or other related services requested by the Subscriber.
5.2 Elucidat shall ensure that transfers of Subscriber Personal Information from the EEA and/ or the United Kingdom to a third country or an international organization are subject to appropriate safeguards as described in Article 46 of the GDPR/ UK GDPR and that such transfers and safeguards are documented according to Article 30(2) of the GDPR/ UK GDPR (to the extent applicable).
5.3 To the extent required by relevant Data Protection Laws, all transfers of Subscriber Personal Information out of the United Kingdom and the EEA shall be governed by the Standard Contractual Clauses, except for transfer to and from any country which has a valid adequacy decision from the European Commission or the United Kingdom as the case may be. Subject to the foregoing, the Standard Contractual Clauses are hereby incorporated by reference as if they had been set out in full herein where indicated as applicable in accordance with Appendix 2. In the event any updates or replacements to the Standard Contractual Clauses include a transition period for implementation, Elucidat shall ensure the updated Standard Contractual Clauses shall be implemented prior to the expiration of such transition period (including in respect of transfers to any Subprocessors which rely on the Standard Contractual Clauses).
6. Charges and costs mitigation
6.1 Elucidat shall be entitled to charge Subscriber for the reasonable and verified costs of its assistance and cooperation provided pursuant to these Data Processor Terms in response to specific requests made at Subscriber's own initiation, except to the extent that such measures have been necessitated by a breach of these Data Processor Terms by Elucidat or its Subprocessors or such charges are expressly prohibited by Data Protection Laws. Elucidat’s charges shall be on a time and materials basis according to the then applicable rate card and invoiced according to Elucidat’s standard payment terms.
6.2 In the event that Elucidat is able to demonstrate that itself and/or any Subprocessor adheres to an approved code of conduct or approved certification mechanism as referred to in Article 40 GDPR/ UK GDPR, Subscriber accepts that Elucidat may rely on the same to demonstrate its compliance with these Data Processor Terms, so as to mitigate or avoid incurring unnecessary administration and costs, unless otherwise required by Data Protection Laws or as may be mutually agreed by the parties.
7. Liability
For the avoidance of doubt, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to these Data Processor Terms, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability contained within the License Agreement, and any reference to the liability of a party means the aggregate liability of that party and all of its Affiliates under the License Agreement and these Data Processor Terms together.
8. Contact Details
The Subscriber can contact Elucidat at support@elucidat.com for any further information as to how Elucidat processes Subscriber Personal Information. Elucidat has appointed an EU representative, details of which can be found within Elucidat's privacy notice at (https://support.elucidat.com/hc/en-us/articles/4822881454993-Privacy-Policy).
9. Changes
Elucidat will not reduce the Subscriber’s rights under these Data Processor Terms without explicit written consent.
APPENDIX 1 TO ELUCIDAT DATA PROCESSOR TERMS: DETAILS OF PROCESSING OF SUBSCRIBER PERSONAL INFORMATION
This Appendix 1 includes details of the Processing of Subscriber Personal Information as required by Article 28(3) GDPR/ UK GDPR.
Subject matter and duration of the Processing of Subscriber Personal Information
The subject matter and duration of the Processing of the Subscriber Personal Information are set out in the License Agreement and these Data Processor Terms.
The nature and purpose of the Processing of Subscriber Personal Information
All reasonable purposes in relation to Elucidat’s performance of its obligations under the License Agreement. This may include the regular review of the performance, usage and functioning of the Software.
The types of Subscriber Personal Information to be Processed
All Subscriber Personal Information Processed in the normal use, management and development of Elucidat’s Site and Software including:
- Names
- Addresses
- Email addresses
- Contact details
- Passwords
- Profile information provided by Subscribers and learners
- Subscriber Personal Information included in Course Content
- Usage data
- Preferences/personalization details
- Evidence of opt-ins/contact permissions and other privacy consents/unsubscribe requests
- special categories of Personal Data to the extent contained in the Course Content (any such special category Personal Data is subject to security measures detailed in the Elucidat Security Policy).
The categories of Data Subject to whom the Subscriber Personal Information relates
All users of Elucidat’s Site and Software, mobile applications and other features, services and technology provided by Elucidat pursuant to the License Agreement.
Frequency, duration and retention: The Subscriber Personal Information is transferred and processed by Elucidat on a continuous basis to provide the Software and related services. Elucidat will process the Subscriber Personal Information for the duration of the License Agreement and will retain the personal data in accordance with the following retention periods:
- active learner account data shall be retained for a period of two (2) years from the date such data is created or uploaded to the Software;
- closed learner account data shall be retained for a period of two (2) months following closure of the account;
- active author account data shall be retained for the full duration of the Subscription; and
- closed author account data shall be retained for a period of three (3) years following closure of the account (or upon expiry or termination of the relevant Subscription).
APPENDIX 2:
The parties agree that the Standard Contractual Clauses are incorporated into these Data Processor Terms by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply.
The following Module of the Standard Contractual Clauses shall apply where Personal Data is transferred to a third country (unless the transfer is permitted on the basis of an adequacy decision):
a) CONTROLLER → PROCESSOR (Module Two) ("Controller to Processor Model Clauses") if the Subscriber, acting as a Controller, makes a restricted transfer of Personal Data subject to the GDPR and/ or the UK GDPR (as applicable) to Elucidat, acting as a Processor;
b) PROCESSOR → PROCESSOR (Module Three) ("Processor to Processor Model Clauses") if Subscriber, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/ or the UK GDPR (as applicable) to Elucidat as a Processor; and/or
c) PROCESSOR → CONTROLLER (Module Four) ("Processor to Controller Model Clauses") if Elucidat, acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/ or the UK GDPR (as applicable) to the Subscriber, acting as a Controller.
UK Addendum
The Parties agree that the UK Addendum is incorporated into the DPA by reference, as if it had been set out in full, and is populated and shall be read against the EU SCCs as follows. Unless expressly stated below, any optional clauses contained within the UK Addendum shall not apply.
Start Date
The UK Addendum is effective from the date of the Agreement;
1. Table 1: Parties
Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses.
Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses.
2. Table 2: Selected SCCs, Modules and Clauses
As applicable, Module 2, Module 3 or Module 4 of the EU SCCs as incorporated by reference into Appendix 2 of these Data Processor Terms including any supplementary clauses set out within Appendix 2 of these Data Processor Terms.
3. Table 3: Appendix Information
As set out in Annex 1 and Annex 2 of the Standard Contractual Clauses.
4. Table 4: Ending this Addendum when the Approved Addendum Changes
In the event the Information Commissioner's Office issues a revised Approved Addendum, in accordance with Section 18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer's direct costs of performing its obligations under the Addendum; and/or (b) the data importer's risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.
Supplementary Clauses for Module Two and Module Three:
1. ERASURE AND DELETION
1.1 For the purposes of Clause 8.5, Section II of Module Two and Module Three of the Standard Contractual Clauses (Duration of processing and erasure or return of data), the data importer shall delete the personal data in accordance with clause 12 of the License Agreement.
2. DOCUMENTATION AND COMPLIANCE
2.1 The parties acknowledge that the Importer complies with its obligations under Clause 8.9, Section II of Module Two and Module Three of the Standard Contractual Clauses (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors. For the purposes of Clause 8.9(e), Section II of Module Three of the Standard Contractual Clauses the data exporter shall ensure the results are provided to the relevant controller(s) on a confidential basis and that the controller(s) have committed themselves to confidentiality in respect of the same.
3. NOTIFICATIONS
3.1 For the purposes of Clause 8, Section II of Module Three of the Standard Contractual Clauses the data exporter shall use all reasonable endeavors to ensure any instructions provided by the relevant controller(s) are directed via the data exporter. The data exporter shall be responsible for ensuring any notifications provided by the data importer are promptly notified to the relevant controller(s) in order to fulfil the data importer's notification obligations pursuant to Clause 8.
4. SUB-PROCESSORS
4.1 For the purposes of Clause 9, Section II of Module Two and Module Three of the Standard Contractual Clauses (Use of sub-processors), the parties agree that option 2, general written authorization shall apply and the data importer shall notify the data exporter of any changes in accordance with paragraph 4 of the Data Processor Terms. For the purposes of Clause 9, Section II of Module Three of the Standard Contractual Clauses the data importer shall notify the data exporter of any changes to a sub-processor and the data exporter shall be responsible for ensuring such notifications are provided to the relevant controller(s) and shall inform the data importer of any objections within the time frames specified. Copies of any sub-processor agreements requested from the data importer shall be provided to the data exporter for onward provision to the relevant controller as applicable.
5. DATA SUBJECT RIGHTS
5.1 For the purposes of Clause 10(a) to (c), Section II of Module Three of the Standard Contractual Clauses, the Parties acknowledge that given the nature of the processing by the data importer it would not be appropriate for the data importer to notify or assist the controller directly in respect of any requests received from a data subject.
6. LOCAL LAWS AND PRACTICES AFFECTING COMPLIANCE WITH THE CLAUSES
6.1 For the purposes of Clause 14(c), Module Two (Section III to the Standard Contractual Clauses (Local laws and practices affecting compliance with the Clauses)) the data exporter has been provided with a transfer impact assessment by the data importer which the data exporter accepts as sufficient to fulfil the data importer's obligations pursuant to Clause 14(c) and 14(a) to the extent the data exporter has been provided with such a transfer impact assessment by the data importer.
6.2 For the purposes of Clause 14(c), 15.1(b) and 15.2, Section IV of Module Two and Module Three of the Standard Contractual Clauses (Local laws and practices affecting compliance with the Clauses) the parties agree that "best efforts" and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
7. GOVERNING LAW AND JURISDICTION
7.1 For the purposes of Clauses 17 and 18, Section IV of Module Two and Module Three of the EU SCCs (Governing law and Choice of forum and jurisdiction), the parties agree that the laws and courts of the Republic of Ireland will apply. For the purpose of the UK Addendum, the Parties acknowledge and accept that the laws and courts of England and Wales will apply.
Supplementary Clauses for Module Four:
1. ERASURE AND DELETION
1.1 For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses the data exporter shall delete the personal data in accordance with clause 11 of the License Agreement.
2. GOVERNING LAW AND JURISDICTION
For the purposes of Clauses 17 and 18, Module Four of the EU SCCs and the UK Addendum, the parties agree that the laws and courts of England and Wales will apply.
ANNEX 1 to the Standard Contractual Clauses (Module Two and Module Three)
A. PARTIES
- The Exporter shall be the Subscriber and the Importer shall be Elucidat; the contact details as provided at the outset of the License Agreement shall apply.
B. Description of transfer
- Categories of data subject whose personal data is transferred;
- Categories of personal data transferred;
- Details of sensitive Personal Data transferred;
- Frequency of the transfer;
- Nature of the Processing;
- Purpose of the data transfer and further processing; and
- The period for which the personal data will be retained,
shall be as set out in Appendix 1 of the Data Processor Terms.
- The Competent Supervisory Authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.
Annex 1 to the Standard Contractual Clauses (Module Four)
A. Parties
- The Exporter shall be Elucidat, and the Importer shall be the Subscriber; the contact details as provided at the outset of the License Agreement shall apply.
B. Description of transfer
- Categories of data subject whose personal data is transferred;
- Categories of personal data transferred;
- Details of sensitive Personal Data transferred;
- Frequency of the transfer;
- Nature of the Processing;
- Purpose of the data transfer and further processing; and
- The period for which the personal data will be retained,
shall be as set out in Appendix 1 of the Data Processor Terms.
Annex 2 to the Standard Contractual Clauses (Module Two and Module Three)
- A description of the technical and organisational measures applying to this Schedule is set out in Elucidat's Security Policy, a copy of which can be found at https://support.elucidat.com/hc/en-us/articles/4822811178641-Security. The Exporter acknowledges that the security measures applied to the personal data as set out in this clause are in compliance with these Standard Contractual Clauses.