Data sharing addendum

This data sharing addendum ("Addendum") forms part of the Agreement between you and GetSmarter.

1. Definitions

The terms “controller,” “data subject” and “supervisory authority” shall have the same meanings given to them by Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”), or other applicable Data Protection Laws wherein such terms are defined.

Business,” “Business Purpose,” “Consumer,” and “Sell” shall be interpreted in accordance with the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100-1798.199 (the “CCPA”), or other applicable Data Protection Laws wherein such terms are defined.

Data Protection Laws“ means any applicable laws relating to the data protection or privacy of individuals in a particular jurisdiction, including, but not limited to, the UK GDPR as defined in the Data Protection Act 2018, the GDPR, Data Protection Act 2018, CCPA, and the Protection of Personal Information Act No. 4 of 2013 (“POPIA”).

Europe” means the European Economic Area, Switzerland and the United Kingdom.

Personal Information” means any information pertaining to an identified or identifiable individual or as such similar terms are otherwise defined in Data Protection Laws applicable to such information (e.g., Personal Data, Personally Identifiable Information, etc.).

Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise processed, or as such similar terms are otherwise defined in Data Protection Laws applicable to such Personal Information (e.g., Personal Data Breach, Data Incident, etc.)

Process / Processing” means the collection, use, exchange, or processing of Personal Information or as such similar terms are otherwise defined in Data Protection Laws applicable to such Personal Information;

Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses set out in the Annex to the Commission Implementing Decision on standard contractual clauses dated 4 June 2021 for the transfer of Personal Information to third countries pursuant to the GDPR, as appended hereto and executed by the Parties, where applicable, at Appendix 1.

This Addendum refers to you and GetSmarter each as a “Party” and collectively as the “Parties.” Any other capitalised terms in this Addendum shall have the meaning given to them in the Agreement.

2. Obligations of the Parties

In the course of GetSmarter providing services to you under the Agreement, the Parties will share the Personal Information described in the attached schedule (the “Schedule”) with each other, where applicable, for the purposes described in the Schedule.

For the purposes of the GDPR, the Parties acknowledge that they each act as a separate controller in respect of the Personal Information shared with each other under this Addendum, and for the purposes of the CCPA, the Parties acknowledge that they each act as a Business in respect of the Personal Information shared with each other under this Addendum.

2.1 Each Party shall:

  1. comply in all material respects with the Data Protection Laws, and shall not take any action or make any omission which might reasonably be expected to put the other Party in breach of the Data Protection Laws;
  2. Process the Personal Information shared by the other Party only for the purposes described in the Schedule, keep such Personal Information confidential, and not share it with any party outside of the purposes described in the Schedule;
  3. take all steps required by the Data Protection Laws to provide notice to individuals about their own processing of Personal Information for the purposes described in the Schedule, and assist the other Party with such notices, if and where necessary;
  4. respond in full to any requests they receive from data subjects to exercise their rights in relation to their Personal Information under applicable Data Protection Laws;
  5. notify the other Party, as soon as reasonably practical and without undue delay, in the event that:
    1. it receives a complaint from any data subject and/or supervisory authority concerning the processing activities governed by this Addendum; or
    2. any Personal Information shared or received by that Party under this Addendum is affected by a Personal Information Breach; and
  6. provide reasonable assistance on request to the other in relation to any matter relating to the processing of Personal Information for the purposes described in the Schedule, including but not limited to assistance in relation to the matters described in clauses 2.3(b) and (d) above.

3. Transfers Outside of the European Union / European Economic Area

3.1 The Standard Contractual Clauses shall apply to the extent that either Party transfers Personal Information that originated in Europe, or relates to data subjects based in Europe. For the purposes of the Standard Contractual Clauses:

  1. The Schedule to this Addendum shall be deemed to replace Annex I.B. of the Standard Contractual Clauses; and
  2. You shall provide GetSmarter the name and email address of your contact point for data protection enquiries and the location of your EU representative or establishment, without undue delay.

4. Miscellaneous

4.1 Should any provision or condition of this Addendum be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this Addendum shall remain valid.

4.2 Any amendments to this Addendum shall be in writing duly signed by authorised representatives of the parties.

4.3 The governing law and jurisdiction of this Addendum shall be governed by the terms of the Agreement.

SCHEDULE

DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred
The Personal Data transferred by both GetSmarter and the Customer concern the following categories of data subjects:
Employees and/or other Students funded by the Customer.
Categories of Personal Data transferred
The Personal Data transferred by both GetSmarter and the Customer concern the following categories of data:
  1. Basic personal details (e.g., full names)
  2. Contact details (e.g., telephone number, email address); and
  3. Performance data in relation to the Courses, including last login details, time spent online, grades, and status (pass or fail).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfers from the Customer will take place with each enrolment of new Students. Transfers from GetSmarter will take place upon conclusion of the Course and/or at set intervals during a Course presentation.
Purpose(s) of the data transfer and further processing
The Personal Data is shared between the Parties for the purposes of the registration and enrolment of the data subjects on the Courses, as well as the delivery of the Courses, providing performance data in relation to data subjects; and to fulfil their respective obligations in terms of the Agreement.
Nature of the processing
The nature of the processing is the carrying out of multiple operations on Personal Data shared between the parties, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, combination, rectification, erasure and destruction of Personal Data.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
Each Party shall retain Personal Data for as long as it has a relationship with a particular data subject. Each Party also shall retain Personal Data for a longer period of time in order to:
  • Maintain business records for analysis and/or audit purposes;
  • Comply with record retention requirements under the law;
  • Defend or bring any existing or potential legal claims;
  • Address any complaints regarding the services; and
  • Enforce our commercial agreements.

Contact points for data protection enquiries:

GetSmarter
Name: Katherine Race Brin, Chief Privacy Officer
Email: kbrin@2u.com
Date of last amendment: 27 October 2021