Data Processing Addendum ("DPA")
Effective: 11 June 2020
For Customers located in countries subject to the EU’s General Data Protection Regulation (GDPR) or whose data is otherwise subject to the GDPR, this Data Processing Addendum (“DPA”) supplements the CareMonkey Terms of Service, as those Terms are updated from time to time, or supplements any other agreement between Customer and the Company governing Customer’s use of the Services. This DPA is an agreement between the Organization subscribing to the CareMonkey service (the “Customer”, “you” or “your”) and CareMonkey (the “Company”). Capitalised terms that are not defined in this DPA or in the Terms of Service have the meanings given to them in the GDPR.
As background, in their relationship:
(A) The Customer acts as a Data Controller.
(B) The Company acts as a Data Processor.
(C) The Customer’s students, members, employees and similar individuals associated with the Customer are Data Subjects.
(D) The Customer wishes to use Company’s Services, which entail the processing of personal data by the Data Processor.
(E) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (as implemented by the Data Protection Act 2018, if the Customer is in the UK).
(F) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
- Definitions and Interpretation
1.1 Capitalised terms and expressions used in this Agreement shall have the following meanings:
1.1.1 “Agreement” means this Data Processing Addendum and all Schedules;
1.1.2 “Customer Personal Data” means any Personal Data Processed by the Company or one of its Subprocessors on behalf of Customer pursuant to, or in connection with, the Terms of Service;
1.1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.4 “EEA” means the European Economic Area;
1.1.5 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.7 “Processor” means both the Company and each of its Subprocessors;
1.1.8 “Restricted Transfer” means:
1.1.8.1 a transfer of Customer Personal Data from the Customer or one of its Data Subjects to the Company or directly to one of its Subprocessors; or
1.1.8.2 an onward transfer of Customer Personal Data from one Processor to another Processor, or between two establishments of a Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the adoption of an applicable Standard Contractual Clause. For the avoidance of doubt, transfers to a Processor in a country that has received an adequacy decision from the European Commission or to a Processor that is a part of the Privacy Shield Framework are not Restricted Transfers.
1.1.9 “Services” means the solution described in the section of the Terms of Service entitled “Our Services”.
1.1.10 “Standard Contractual Clauses” means the Standard Contractual Clauses for data transfers between EU and non-EU countries [or between EEA and non-EEA countries] as published from time to time by the European Commission.
1.1.11 “Subprocessor” means any person appointed by or on behalf of the Company to process Personal Data on behalf of the Customer in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Processing of Customer Personal Data
2.1 The Company shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data.
2.2 The Company shall not Process Customer Personal Data other than on the Customer’s documented instructions, unless Processing is required under Applicable Laws in which case the Company shall (to the extent permitted by Applicable Laws) inform the Customer of that legal requirement before the relevant Processing of that Customer Personal Data. The nature and purpose of the Processing is the collection, storage and manipulation of the Customer Personal Data in connection with providing the Services to the Customer.
2.3 The Customer instructs the Company (and authorises the Company to instruct each Subprocessor) to process the Customer Personal Data, and to transfer Customer Personal Data to any country or territory solely to the extent compliant with Section 11, all as reasonably necessary for the provision of the Services and consistent with the Terms of Service.
2.4 The Customer warrants that it is (and at all relevant times it will remain) duly authorised to give the instruction set out in Section 2.3.
2.5 The following are certain details regarding the Processing of the Customer Personal Data, as required by Article 28(3) of the GDPR:
2.5.1 Subject Matter of the Processing: The Company’s provision of the Services to the Customer.
2.5.2 Duration of the Processing: The period during which the Customer maintains a valid subscription for the Services, including all renewals, and thereafter for so long as the Company or any Subprocessor has any Customer Personal Data in its or their possession or control.
2.5.3 Nature and Purpose of the Processing: The collection, storage and manipulation of the Customer Personal Data in connection with, and for the purpose of, providing the Services to the Customer.
2.5.4 Categories of Data Subjects: Authorised Users of the Customer together with their family members or other members of their household, commonly consisting of students of the Customer and their parents or guardians; members of Customer’s organization and their parents or guardians; and / or Customer’s employees.
2.5.5 Types of Customer Personal Data to be Processed: Contact information, health information, and other information regarding the Data Subjects, all as ultimately determined by the Customer. Common information includes email addresses, telephone numbers, health and dietary information, educational information, preferred language, job title, and any other electronic data received during the usage of the Service.
2.5.6 Obligations and Rights of the Customer. The obligations and rights of the Customer are set out in the Terms of Service.
- Processor Personnel
3.1 The Company shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of providing the Services and complying with Applicable Laws in the context of that individual’s duties to the Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall, in relation to the Customer Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, the Company shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
- Subprocessors
5.1 To support the delivery of the Services, the Company engages third party Subprocessors to provide certain infrastructure services. These currently consist of Amazon Web Services for hosting services, Twilio for SMS messaging, Google for language translation services, and Zoho for customer support live chat services. The Company has entered into written data processing agreements with each such Subprocessor providing at least the same level of protection as this Agreement, and (where the Customer Personal Data will be transferred outside the EEA) each such Subprocessor has certified that it complies with the Privacy Shield Framework. The Company shall remain fully responsible for the performance and compliance of its Subprocessors.
5.2 The Company undertakes to inform the Customer of any intended addition or replacement of any Subprocessor by providing prior written notice to the Customer’s business contact. If the Customer documents objective and valid reasons not to accept a proposed new Subprocessor, the Customer may object to the use of that Subprocessor. If the Company chooses not to propose an alternative new Subprocessor or if the parties cannot agree upon a mutually acceptable new Subprocessor, the Customer will be entitled to terminate its subscription to the Services upon 30 days’ notice and to receive a refund of a pro-rated portion of any prepaid subscription fees. If the Company engages any such new Subprocessor, the Company will enter into a written data processing agreement with such Subprocessor providing at least the same level of protection as this Agreement.
5.3 The Customer authorizes the Company to appoint and utilize the Subprocessors disclosed in Section 5.1 or hereafter appointed in accordance with Section 5.2.
- Data Subject Rights
6.1 Taking into account the nature of the Processing, the Company shall provide reasonable assistance to the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests by Data Subjects seeking to exercise their rights under the Data Protection Laws.
6.2 The Company shall:
6.2.1 promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Processor responds to the request.
6.3 The Customer shall have sole ultimate responsibility for responding to any Data Subjects’ requests. The Customer shall reimburse the Company for its reasonable costs (if material) arising from assistance in responding to any such Data Subject requests.
- Personal Data Breach
7.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation.
8.1 The Company shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Processors.
- Deletion or return of Customer Personal Data
9.1 Subject to this section 9, the Company shall promptly and in any event within 30 days following the date of cessation of the Services involving the Processing of Customer Personal Data, delete and procure the deletion of all copies of those Customer Personal Data.
- Audit rights
10.1 Subject to this section 10, the Company shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Processors.
10.2 Information and audit rights of the Customer only arise under section 10.1 to the extent that the Terms of Service do not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
- Restricted Transfers
11.1 A Processor may not conduct or authorise a Restricted Transfer of Customer Personal Data to a country outside the EU and/or the EEA without the prior written consent of the Customer. If Customer Personal Data to be Processed under this Agreement will be the subject of a Restricted Transfer from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, enter into a mutually acceptable agreement incorporating one or more of the Standard Contractual Clauses for the transfer of personal data.
- General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that:
(a) disclosure is required by law; or
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the subscription registration, purchase order, or similar document under which the Services were procured by the Customer, or to such other address as a Party notifies to the other from time to time.
- Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of the Member State in which the Customer is established.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be handled according to the section of the Terms of Service entitled “Disputes”.
Student Privacy Pledge
CareMonkey has taken the Student Privacy Pledge, which was introduced to safeguard student privacy regarding the collection, maintenance, and use of student personal information. The commitments are intended to concisely detail existing federal law and regulatory guidance regarding the collection and handling of student data.