Data Protection Addendum for Educational Institutions

Last Updated Date: May 11, 2024

Introduction

This Data Protection Addendum (“Addendum”) applies to the processing of personal data by System Technology Online Spain SL, operating as EduLegit (“EduLegit”, “we”, “us”, “our”), on behalf of educational institutions (“Institution”, “you”) in connection with the services provided through the EduLegit platform. This Addendum forms part of the contract between EduLegit and the Institution (collectively referred to as the “Parties”) that governs the provision of the EduLegit services (“Services”).

Purpose:

This addendum reflects the parties’ agreement to process personal data in compliance with the requirements of applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR).

Scope:

This Addendum applies to all activities in which EduLegit processes personal data on behalf of the Institution as a data processor while providing Services. The personal data processed under this Addendum is subject to the provisions set out in the main service agreement between EduLegit, the Institution, and this Addendum.

Data Processing Terms:

In providing the Services, EduLegit will process personal data on behalf of the Institution according to the terms specified in this Addendum and the main service agreement. EduLegit agrees to comply with any reasonable instructions of the processing of personal data provided by the Institution that are consistent with the terms of this Addendum.

This introduction sets the framework for the responsibilities and obligations of EduLegit as a data processor and the Institution as a data controller under the applicable data protection laws. This Addendum ensures that both parties understand and commit to adhering to these laws to protect the rights and freedoms of data subjects whose personal data is processed as part of the Services.

Data Processing Terms

Definitions:

  • “Personal Data” refers to any information relating to an identified or identifiable natural person processed by EduLegit on behalf of the Institution as part of the Services.
  • “Processing” encompasses any operation performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Processing Obligations:

  1. Compliance with Instructions: EduLegit will process personal data only on documented instructions from the Institution, including with regard to transfers of personal data to a third country or an international organization unless required to do so by European Union or member state law to which EduLegit is subject; in such a case, EduLegit shall inform the Institution of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  2. Confidentiality: EduLegit ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Security of Processing: EduLegit will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  4. Sub-processing: EduLegit will not engage another processor without the institution’s prior specific or general written authorization. In the case of general written authorization, EduLegit will inform the Institution of any intended changes concerning the addition or replacement of other processors, thereby allowing the Institution to object to such changes.
  5. Data Subject Rights: Taking into account the nature of the processing, EduLegit will assist the Institution by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Institution’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
  6. Data Breach Notification: EduLegit will notify the Institution without undue delay after becoming aware of a personal data breach. Furthermore, EduLegit will assist the Institution in ensuring compliance with the obligations pursuant to Articles 33 and 34 of the GDPR concerning the notification of personal data breaches.
  7. Data Deletion and Return: Upon termination of the services related to processing, EduLegit will, at the institution’s choice, delete or return all the personal data to the Institution and delete existing copies unless European Union or member state law requires storage of the personal data.

Data Transfers

International Data Transfers:

  • Transfer Mechanisms: EduLegit may transfer personal data processed under this Addendum to countries outside the European Economic Area (EEA). Such transfers comply with the requirements of applicable data protection laws. EduLegit will implement suitable safeguards to protect personal data, which may include using standard contractual clauses approved by the European Commission, adherence to binding corporate rules, or other legally recognized mechanisms.
  • Documentation and Compliance: Upon request, EduLegit will provide the Institution with all necessary documentation to demonstrate compliance with obligations under this section. This may include data protection impact assessments, if applicable.

Sub-processors and Third Parties:

  • Use of Subprocessors: EduLegit shall ensure that any subprocessor it engages to process personal data on behalf of the Institution provides the same data protection obligations as set out in this Addendum. EduLegit will be liable for the acts and omissions of its subprocessors to the same extent It would be liable if performing the services of each subprocessor directly.
  • Approval and List of Subprocessors: The Institution agrees to a general authorization for EduLegit to engage subprocessors. EduLegit shall maintain an up-to-date list of the names and locations of all subprocessors. This list will be available to the Institution upon request, and the Institution will be notified of any intended changes concerning the addition or replacement of subprocessors to allow the Institution to object to such changes.

Audits and Inspections:

  • Audit Rights of the Institution: The Institution has the right to conduct audits and inspections to verify compliance with the data protection obligations set out in this Addendum and the applicable data protection laws. EduLegit will cooperate fully with such audits and provide all necessary assistance.
  • Third-Party Audits: EduLegit may satisfy this requirement by providing an up-to-date audit report conducted by an independent external auditor demonstrating that EduLegit’s technical and organizational measures are sufficient to protect the rights of data subjects.

Data Protection Impact Assessment and Consultation:

  • EduLegit will assist the Institution, upon request, in fulfilling its obligation to carry out a data protection impact assessment related to the Institution’s use of EduLegit’s services. This assistance may include providing necessary information and data about the processing activities conducted by EduLegit on behalf of the Institution.
  • EduLegit will also assist the Institution in consulting with supervisory authorities, where required.

Termination and Liability

Termination of Data Processing Services:

  • Termination Conditions: This Addendum remains in effect as long as EduLegit processes personal data on behalf of the Institution or until the termination of the Services agreement under which this Addendum is a part. Upon termination of the Services, all personal data processed on behalf of the Institution must be returned or deleted according to the terms specified in this Addendum.
  • Post-Termination Obligations: After the termination of the Services, EduLegit will, at the Institution’s choice, delete all remaining copies of the personal data unless European Union or member state law requires storage of the personal data. EduLegit will certify to the Institution that it has done so unless legally impeded from doing so.

Liability:

  • Scope of Liability: EduLegit shall be liable only for the damage caused by processing where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the controller’s lawful instructions. In such cases, EduLegit’s liability will be limited to the extent of its direct involvement in the cause of the damage.
  • Indemnification by Institution: The Institution agrees to indemnify and hold harmless EduLegit and its employees, officers, directors, and agents from any claims, damages, liabilities, costs, harms, inconveniences, business disruptions, or expenditures of any kind that may arise out of or in connection with EduLegit’s lawful processing of personal data in accordance with this Addendum, provided that such indemnity shall not apply where the claims result from EduLegit’s negligent or willful misconduct.

Dispute Resolution:

  • Mutual Effort to Resolve: The parties agree to work together in good faith to resolve any data protection disputes arising from this Addendum. If the dispute cannot be resolved through negotiation within a reasonable time frame, the parties may pursue other available legal remedies.
  • Jurisdiction and Venue: Disputes arising under this Addendum shall be resolved in the courts in Alicante, Spain unless otherwise agreed upon by the parties. Both parties agree to submit to such courts’ personal jurisdiction and venue.

Changes to the Addendum

Amendment Procedure:

  • Right to Amend: EduLegit reserves the right to amend this Data Protection Addendum at any time to reflect changes in the law or updates to our data processing procedures.
  • Notification of Changes: Any amendments will be communicated to the Institution in writing and will become effective no sooner than 30 days after they are communicated unless the changes are required immediately due to legal or regulatory changes.
  • Acceptance of Changes: Continued use of the Services after any such changes shall constitute the Institution’s consent. If the Institution does not agree with the changes, it may terminate the agreement with EduLegit by providing written notice within the notice period specified for amendment acceptance.

Record-Keeping:

  • Documentation of Changes: EduLegit will maintain records of all changes to this Addendum and provide such records to the Institution upon request. These records will include details of the changes, the dates they were made, and any notices given to the Institution.

This section ensures that both parties know how changes to this Addendum are handled and how these changes are communicated and implemented. It provides a clear method for updating the terms in response to evolving legal requirements or operational changes, ensuring that both EduLegit and the Institution remain compliant with data protection laws and regulations.

Closing Statements

Integration with Other Agreements:

  • This Data Protection Addendum is incorporated into and governed by the terms of the Service Agreement between EduLegit and the Institution. If there is any conflict between this Addendum and the Service Agreement, the terms of this Addendum will take precedence in relation to the processing of personal data.

Legal Effectiveness:

  • This Addendum takes effect on the date the Institution begins using EduLegit’s Services or on the effective date of the Service Agreement, whichever is earlier. The obligations set forth in this Addendum are legally binding on both parties as of this date.

Severability:

  • Suppose any provision of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable. In that case, the invalidity or unenforceability of that provision will not affect the other provisions of this Addendum, which will remain in full force and effect.

Concluding Remarks:

  • EduLegit is committed to ensuring the security and protection of the personal data processed on behalf of the Institution. We appreciate the trust that educational institutions place in us and are dedicated to maintaining the highest privacy and compliance standards.