DATA PROCESSING AGREEMENT. (1) You or your organization or entity as The Data Controller ( The Client or The Data Controller ); and

Similar documents
UNIVERSITY OF ULSTER THIRD PARTY PROCESSING AGREEMENT

SUPPLIER DATA PROCESSING AGREEMENT

FUJITSU Cloud Service K5: Data Protection Addendum

Trócaire General Terms and Conditions for Procurement

DocuSign Envelope ID: D3C1EE91-4BC9-4BA9-B2CF-C0DE318DB461

Data Processing Agreement

DATA PROCESSING ADDENDUM. 1.1 The User and When I Work, Inc. ("WIW") have entered into the Terms of Service, for the provision of the Service.

Telekom Austria Group Standard Data Processing Agreement

Data Processing Agreement. <<Health Service Provider>> The National Message Broker Service known as Healthlink

SOFTWARE LICENCE. In this agreement the following expressions shall have the following meanings:

EU GDPR - DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CDNETWORKS CUSTOMERS

Appendix 1 Data Processing Agreement

VIETNAM LAWS ONLINE DATABASE License Agreement Multi-user (Special)

Data Processing Agreement

OTrack Data Processing Terms

March 2016 INVESTOR TERMS OF SERVICE

Annex 1: Standard Contractual Clauses (processors)

Model Data Processing Agreement (GDPR)

MDP LABS SERVICES AGREEMENT

The Scottish Further and Higher Education Funding Council. Standard Terms and Conditions of Contract for professional services.

Data Processing Addendum

License Agreement. 1.4 Named User License A Named User License is a license for one (1) Named User to access the Software.

IDL Solutions Licence Agreement

RETS DATA ACCESS AGREEMENT

EUKLEIA SOFTWARE-AS-A-SERVICE AGREEMENT LEARNING MANAGEMENT SYSTEM. Standard Terms and Conditions Schedule

Conditions of Contract for Purchase of Goods and Services

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE. Directorate C: Fundamental rights and Union citizenship Unit C.3: Data protection

In this agreement, the following words and phrases shall have the following meanings unless the context otherwise requires:

Purchasing Terms and Conditions

DATA PROCESSING ADDENDUM

NON-DISCLOSURE AGREEMENT

Website Development Agreement

AGREEMENT FOR ACCESS, WHICH MAY RESULT IN PERSONAL DATA PROCESSING

EU STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

General Terms for Use Of The BBC Logo By Licensee Of Independent Producers

LFMI MEDIA SERVICES LIMITED T/A RUE POINT MEDIA

GENERAL TERMS AND CONDITIONS FOR THE SUPPLY OF GOODS AND SERVICES

AnyComms Plus. End User Licence Agreement. Agreement for the provision of data exchange software licence for end users

Presidion IBM SPSS Academic Licence Agreement

Attachment 1. Commission Decision C(2010)593 Standard Contractual Clauses (processors)

Terms of Business

BASECONE DATA PROCESSING AGREEMENT (BASECONE AS PROCESSOR)

1. THE SYSTEM AND INFORMATION ACCESS

Licence shall mean the terms and conditions for use of the Software as set out in this Agreement.

SOFTWARE SUBLICENSE AGREEMENT

Last revised: 6 April 2018 By using the Agile Manager Website, you are agreeing to these Terms of Use.

AGREEMENT FOR KIB KENANGA AGENCY NETWORK SERVICE

End User License Agreement (EULA) Savision Inc. 2017

OZO LIVE EVALUATION SOFTWARE LICENSE AGREEMENT

Serco Limited Purchase Order Terms and Conditions (the "PO Terms")

Terms and Conditions. 1. Element 7 Digital's obligations 1.1 Performance of Services

Terms and Conditions for the use of

LICENSE AGREEMENT THIS AGREEMENT is dated the of, 2014.

TERMS OF SERVICE FOR SUPPORT NETWORK COMMUNITY HEART AND STROKE REGISTRY SITE Last Updated: December 2016

Ameri- can Thoracic Society, 1. Key definitions Authorized Users Outsource Provider Effective Date Fee Licensed Material Licensee

Terms of Use. Ownership and copyright

DACS Website Licence Terms and Conditions November 2014

DocuSign Envelope ID: 93578C7C-0B BEE9-0536AB6EDE32

CLOUDVELOX, INC. Terms of Service

INTERFACE TERMS & CONDITIONS

PERSONAL DATA PROCESSING AGREEMENT

USTOCKTRAIN TRADING SIMULATOR TERMS AND CONDITIONS

Princes International Events Pty Ltd Terms & Conditions

OZO LIVE SOFTWARE LICENSE AGREEMENT. (Single or Multi-Node License Agreement) Version 2.0

EMPOWER SOFTWARE HOSTED SERVICES AGREEMENT

BaxEnergy GmbH ( BaxEnergy ) Software License and Services Agreement

TERMS & CONDITIONS OF SERVICE

DACS DIGITAL PLATFORM LICENCE TERMS AND CONDITIONS 2016

TM2/TM3 Online Terms and Conditions

SSLI \6.0 v1.0

Exhibit MC - Standard Contractual Clauses (processors)

Terms and Conditions Belfius via SWIFT

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

1 V9 February 2018 SAAS AGREEMENT

END-USER LICENSE AGREEMENT

Application Terms of Use

Customer Data Annual Privacy Agreement

askmid User Agreement

Your signature below will constitute acceptance of the provisions of this Agreement and of the attached General Terms and Conditions of Sale.

OPICO LIMITED STANDARD TERMS AND CONDITIONS OF SALE

Terms of Service. 1. Acceptance of Terms of Use, Conditions, Notices and Disclaimers:

IRB RELIANCE EXCHANGE PORTAL AGREEMENT

Connecticut Multiple Listing Service, Inc.

Municipal Code Online Inc. Software as a Service Agreement

Data Protection Transfer Agreement. Reference Number: CORP_142-a01 Policy

Evident Laboratory Management End User License and Services Agreement

NITRO READER END USER LICENSE AGREEMENT

GENERAL TERMS AND CONDITIONS 1. Term: This Contract will apply from the Commencement Date and will continue until further notice unless this Contract

END-USER SOFTWARE LICENSE AGREEMENT FOR TEKLA SOFTWARE

EasyVote grants you the following rights provided that you comply with all terms and conditions of this Agreement:

END USER LICENSE AGREEMENT FOR FOUNDRY PRODUCTS VIA ATHERA

ASSETMARK TRUST COMPANY TOTALCASH MANAGER TM ACCESS AUTHORIZATION AGREEMENT

USER AGREEMENT FOR AMERICAN HEART ASSOCIATION HEALTHY FOR GOOD

C-LABS SA STANDARD TERMS OF USE FOR SGS DIGICOMPLY SERVICES ( TERMS ) Version:

AGREEMENT WHEREAS Product ). WHEREAS WHEREAS WHEREAS NOW, THEREFORE, Appointment & License End-users Reseller Obligations Sales Exhibit 1

EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE. Commission Decision C(2010)593 Standard Contractual Clauses (processors)

TERMS AND CONDITIONS OF USE OF THE ELECTRONIC EXCHANGE SYSTEM. external experts in the context of EU funding programmes.

Manchester University Press Online Journals: Institutional, Single Site Licence Agreement

JW PLASTIC SURGERY. Terms of Service

NON-TRANSFERABLE AND NON-EXCLUSIVE LICENSE AGREEMENT

Transcription:

DATA PROCESSING AGREEMENT BETWEEN: (1) You or your organization or entity as The Data Controller ( The Client or The Data Controller ); and (2) Moodle Pty Ltd being a company registered within Australia under ABN registered number 55116 513 636 having its registered office at 2/18 Richardson Street, West Perth, 6005 Australia ( The Data Processor"). BACKGROUND A. This agreement is to ensure the protection and security of data passed from The Client to The Data Processor for processing or accessed by The Data Processor on the authority of The Client for processing or otherwise received by The Data Processor for processing on behalf of The Client. B. The Data Processor provides to the Data Controller the Services described in Schedule 1. C. The provision of the Services by the Data Processor involves it in processing Personal Data on behalf of the Data Controller. D. The GDPR and the Data Protection Acts place certain obligations upon a Data Controller to ensure that any data processor it engages provides sufficient guarantees to ensure that the processing of the data carried out on its behalf is secure. E. This agreement exists to ensure that there are sufficient security guarantees in place and that the processing complies with obligations equivalent to those of the GDPR and Data Protection Acts. F. The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing. IT IS AGREED 1. DEFINITIONS AND INTERPRETATION 1.1 In this agreement: The Data Protection Acts or "The Acts" means the Data Protection Acts 1988 and 2003 and The Data Protection Act 2018 (when enacted) and EU Directive 95/46/EC; 1

"Data" means any information of whatever nature that, by whatever means, is provided to The Data Processor by The Client, is accessed by The Data Processor on the authority of The Client, or is otherwise received by The Data Processor on behalf of the Client, for the purposes of the Processing specified in clause 3.1(a), and shall include, without limitation, any Personal Data; "Data Subject", "Personal Data" and "Processing" shall have the same meanings as are assigned to those terms in the Acts; GDPR means the General Data Protection Regulation, being Regulation (EU) 2016/679; Schedule means the schedule annexed to and forming part of this Agreement; "Services" means processing of the Data by The Data Processor in connection with and for the purposes of the provision of the services to be provided by The Data Processor to The Client under the Services Agreement; Services Agreement means the agreement for the provision of services between The Client and The Data Processor identified in the Schedule 1. Security Measures means the security measures set out in the Schedule 2. 1.2 In this agreement any reference, express or implied, to any enactment (which includes any legislation in any jurisdiction) includes references to: (a) (b) (c) that enactment as re-enacted, amended, extended or applied by or under any other enactment (before, on or after the date of this agreement); any enactment which that enactment re-enacts (with or without modification); and any subordinate legislation made (before, on or after the date of this agreement) under that enactment, as re-enacted, amended, extended or applied as described in clause 1.2(a), or under any enactment referred to in clause 1.2(b). 1.3 In this agreement: (a) references to a person include an individual, a body corporate and an unincorporated association of persons; 2

(b) references to a party to this agreement include references to the successors or assignees (immediate or otherwise) of that party. 2. APPLICATION OF THIS AGREEMENT 2.1 The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards. The terms of this Agreement supersede any other arrangement, understanding or agreement including any Services Agreement made between the parties at any time relating to protection of Personal Data. 3 CHARGE 3.1 The Client will pay to the Data Processor a fee for the provision of the services as set out in the Schedule 1 hereto or in any associated master agreement. Without prejudice to those agreements, The Data Processor accepts the obligations in this Agreement in consideration of the payment of 1.00 from the Data Controller which the Data Processor hereby acknowledges. 4. DATA PROCESSING 4.1 The Client acknowledges that it is the Data Controller in respect of any personal data that The Data Processor processes in the course of providing Services to The Client on its own behalf, and that Moodle Pty Limited is the Data Processor. 4.2 The Data Processor acknowledges that it is the Data Processor in respect of any personal data that the Client allows access to or provides to it for the purposes of providing Services to The Client and that, in such a context, the Client is the Data Controller. 4.3 The Data Processor takes sole responsibility for its compliance, as data processor, with the requirements of the GDPR and the Data Protection Acts and of the contract herein. 4.4 If the Data Processor processes personal data other than as instructed by The Client, The Data processor shall be considered to be a controller in respect of that processing and shall be subject to the rules and legal obligations on data controllers as laid down in the Acts. 4.5 In consideration of the undertakings provided by The Client in clause 5 of this agreement, The Data Processor agrees to Process the Data to which this agreement applies by reason of clause 2 in accordance 3

with the terms and conditions set out in this agreement, and in particular The Data Processor agrees that it shall: a. process the Data at all times in accordance with the GDPR and the Data Protection Acts and solely for the purposes (connected with provision by The Data Processor of the Services), to the extent and in such manner as is necessary for those purposes and in the manner specified from time to time by The Client in writing and for no other purpose or in any manner except with the express prior written consent of The Client; b. in a manner consistent with the GDPR and the Data Protection Acts and with any guidance issued by the relevant Data protection authority, implement appropriate technical and organizational measures to safeguard the Personal Data from unauthorized or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and to the nature of the Data to be protected. The details of those security measures for the time being are set out in Schedule 2 hereto; c. in particular, ensure that appropriate security measures shall be taken against unauthorized access to, or unauthorized alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. The details of those security measures for the time being are set out in Schedule 2 hereto; d. comply, in processing of the data, with The Client s information security policies and procedures as defined or as may be communicated from time to time or specified in the context of a particular project or instance of processing; e. ensure that each of its employees, agents and subcontractors are made aware of its obligations under this agreement with regard to the security and protection of the Data and shall require that they enter into and enforce binding obligations with The Data Processor in order to maintain the levels of security and protection provided for in this agreement, including the agreement Appended at Schedule 2; f. not divulge the Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of The Client except to those of its employees, who are engaged in the Processing of the Data and are subject to written 4

terms substantially the same as the terms contained in this processor agreement or except as may be required by any law or regulation; g. not divulge the Data, whether directly or indirectly to any person, firm or company or otherwise except with the express prior written consent of The Client, and to agents or subcontractors who are subject to written terms substantially the same as the terms contained in this processor agreement, or except as may be required by any law or regulation; h. provide The Client on demand with the text of any such written terms to which its employees, subcontractor or agents are subject with regard to their processing of Data; i. upon the request of The Client, promptly provide a written description of the technical and organizational measures employed by it and/or any of its permitted sub-contractors, detailed to such a level that The Client can determine whether or not, in connection with personal data, the Supplier and its permitted subcontractors are complying with their obligations under this Agreement. If, as a result of an independent audit by The Client, its Agents, or the Office of the Data Protection Commissioner, the measures employed by the Data Processor and/or its permitted subcontractors are not sufficient to ensure compliance with their obligations under this Agreement, the Data Processor shall take all steps (or procure that its permitted subcontractors take all steps) which are reasonably required to ensure that such compliance is achieved; j. afford to The Client (and procure that its permitted subcontractors afford to The Client) access on at least 14 working days notice, and at reasonable intervals, to any premises where the relevant personal data are being processed to enable The Client to ensure that the Data Processor is complying with its obligations under this Agreement and/or that the Data Processor s permitted subcontractors are complying with the equivalent contractual obligations imposed on them; k. notify the Data Controller (within 2 working days) if it receives: i. a request from a data subject to have access to that person s Personal Data ii. or a complaint or request relating to the Data Controller obligations under the Act; b. provide the Data Controller with full cooperation and assistance in relation to any complaint or request made, including by: 5

i. providing the Data Controller with full details of the complaint or request ii. complying with a data access request within the relevant timescale set out in the Act and in accordance with the Data Controller s instructions; providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller) iii. providing the Data Controller with any information requested by the Data Controller; b. notify the Data Controller immediately if it becomes aware of: i. any unauthorized or unlawful processing, loss of, damage to or destruction of any of the Personal Data ii. or any advance in technology and methods of working which mean that the Data Controller should revise the security measures set out in Schedule 2; b. in the event of the exercise by Data Subjects of any of their rights under the Acts in relation to the Data directly to the Data Processor, inform The Client as soon as possible, and The Data Processor further agrees to assist The Client with all data subject information requests which may be received from any Data Subject in relation to any Data; c. in the event that The Data Processor receives a request for any information contained in the Data pursuant to the acts, not to respond to the person making such request but to notify The Client within 2 working days, and The Data Processor further agrees to assist The Client with all such requests for information which may be received from any person within such reasonable timescales as may be prescribed by The Client; d. for the purposes of this Agreement, procure a right in favour of The Client to enforce the obligations imposed on The Data Processor s permitted subcontractors directly against such sub-contractors and shall also procure that the terms of any sub-contract shall be governed by the Laws of Ireland and be subject to the jurisdiction of the Irish courts; e. not Process or transfer the Data outside of the European Economic Area except for limited specified purpose and with the express consent of The Client; f. to notify all incidents of loss of control of personal data in manual or electronic form to the Client, as soon as it becomes aware 6

of the incident, such that the The Client can notify the Data Protection Commissioner within 24 hours; g. in the event of any such breach, to take prompt action to remedy the cause of the breach and to share the costs of such remedy with the Data Controller equally; h. in the event of any such breach, to share the costs of investigation into said breach with the Data Controller equally; i. in the event of any such breach, to promptly, and at its own expense provide The Client on request with all information required to fulfil its obligations, as Data Controller, under all applicable laws, regulations and codes of practice; j. to otherwise comply with all applicable laws and regulations and with the Personal Data Security Breach Code of Practice insofar as they apply to it; k. The Data Processor shall maintain the Personal Data processed by the Data Processor on behalf of the Data Controller in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller. The above obligations in this Clause 4.5 (w) shall continue for a period of five (5) years after the cessation of the provision of Services by the Data Processor to the Data Controller. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the Data Protection Commissioner or a court. Both parties shall however, where possible, discuss together the appropriate response to any request from the Data Protection Commissioner or court for disclosure of information; l. The Data Processor shall take appropriate measures to ensure that the people processing the data on its behalf are subject to a duty of confidence; m. The Data Processor shall not subcontract to any third party any of its rights or obligations under this Agreement without the prior written consent of the Data Controller. Where the Data Processor, with the written consent of the Data Controller, does subcontract, it shall do so only by way of a written sub-processing agreement with the subcontractor which imposes the same obligations on the subcontractor as are imposed on the Data Processor under this Agreement and which permits both the Data Processor and the Data 7

Controller to enforce those obligations. For the avoidance of doubt, where the subcontractor does not meet its obligations under any subprocessing agreement, the Data Processor shall remain fully liable to the Data Controller for meeting its obligations under this Agreement; n. The Data Processor shall delete or return all personal data to The Client, as requested, on the termination of this contract; o. The Data Processor shall submit to audits and inspections by or on behalf of The Client, provide the Client with whatever information it needs to ensure that they are both meeting their obligations under Article 28 of the GDPR, and will tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state; p. All copyright, database right and other intellectual property rights in any Personal Data processed which is subject to this Agreement (including but not limited to any updates, amendments or adaptations to the Personal Data by either the Data Controller or the Data Processor) shall belong to the Data Controller. The Data Processor is licensed to use such Personal Data under such rights only for the term of, for the purposes of the Services, and in accordance with this Agreement; q. This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 4.5 (w). 5. OBLIGATIONS OF THE CLIENT 5.1 In consideration of the obligations undertaken by The Data Processor in clause 3, The Client agrees that it shall ensure that it complies at all times with any applicable enactment, and in particular with its obligations as Data Controller under the GDPR and Data Protection Acts. 5.2 In particular, The Client shall ensure that any disclosure of Personal Data made by it to The Data Processor is made with the data subject's consent, which consent shall have been obtained freely, fairly and after the data subject has been fully informed as to all processing to be applied or is otherwise lawful. 5.3 The Client shall comply with its responsibilities under with all applicable laws, regulations and codes of practice. 6. INDEMNITY 6.1 Without prejudice to the right of The Client to pursue any other remedies which are available to it under this contract or any 8

applicable legal provision, in the event of loss or damage to Data while it is in The Data Processor s possession or control, or as a result of any act or default of the Data Processor, the Data Processor shall immediately notify The Client of same and take immediate steps to remedy the said loss or damage in the terms of Clause 4.5 (s). Other than as set out in Clause 4 of this agreement, The Client acknowledges that it shall indemnify the Data Processor for any loss or damage suffered by the Data Processor, its servants or agents in the performance of this Agreement, howsoever they arise. 7. DISCLAIMER OF LIABILITY 7.1 The Data Processor hereby disclaims any liability for any loss or damage suffered by The Client in consequence of any failure by The Client, its servants or agents, to comply with the laws, regulations and codes of practice of any jurisdiction. 8. TERMINATION 8.1 This agreement shall terminate automatically upon termination or expiry of The Data Processor obligations in relation to the Services, and on termination of this agreement The Data Processor shall forthwith deliver to The Client or destroy, at The Client s sole option, all Data in its possession or under its control which has been provided by Direct. Either party may terminate this contract on 30 days written notice to the other party, or without notice in the event of a breach of any of the terms of this agreement. 9. GOVERNING LAW 9.1 This agreement will be governed by the laws of the Republic of Ireland, and the parties submit to the exclusive jurisdiction of the Irish courts for all purposes connected with this agreement, including the enforcement of any award or judgment made under or in connection with it. 10. WAIVER 10.1 Failure by either party to exercise or enforce any rights available to that party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of that party's rights under this agreement. 11. INVALIDITY 11.1 If any term or provision of this agreement shall be held to be illegal or unenforceable in whole or in part under any enactment or rule of law such term or provision or part shall to that extent be deemed not to form part of this agreement but the enforceability of the remainder of 9

this agreement shall not be affected provided however that if any term or provision or part of this agreement is severed as illegal or unenforceable, the parties shall seek to agree to modify this agreement to the extent necessary to render it lawful and enforceable and as nearly as possible to reflect the intentions of the parties embodied in this agreement including without limitation the illegal or unenforceable term or provision or part. 12. ENTIRE AGREEMENT 12.1 This agreement and the documents attached to or referred to in this agreement shall constitute the entire understanding between the parties and shall supersede all prior agreements, negotiations and discussions between the parties. In particular the parties warrant and represent to each other that in entering into this agreement they have not relied upon any statement of fact or opinion made by the other, its officers, servants or agents which has not been included expressly in this agreement. Further, each party hereby irrevocably and unconditionally waives any right it may have: (a) (b) to rescind this agreement by virtue of any misrepresentation; to claim damages for any misrepresentation whether or not contained in this agreement; save in each case where such misrepresentation or warranty was made fraudulently. 13. NOTICES 13.1 Notices shall be in writing and shall be sent to the other party marked for the attention of the person at the address set out below. Notices may be sent by mail, email or facsimile transmission. Correctlyaddressed notices sent by mail shall be deemed to have been delivered 72 hours after posting and correctly directed email or facsimile transmissions shall be deemed to have been delivered instantaneously on transmission providing that they are confirmed as set out as above. If for The Client: email address provided to the Data Processor If for The Data Processor: privacy@moodle.com; 10

SCHEDULE 1 THE SERVICES AGREEMENT Description of all Personal Data Accepted by way of Data Transfer from the Data Controller: 1) Data Controller s end users personal data processed to setup their profile The Data Controller instructs Moodle Pty Ltd to process any and all personal data relating to themselves or to their end users which is uploaded into the Moodle hosted learning platform. The Controller warrants that they have received any necessary consents from end users or third parties, if applicable. The personal data required includes, but is not limited to, the following fields: - First name - Surname - Email address - Country - Time zone - City/Town - End user Picture/Avatar - Webpage - ICQ number - Skype ID - AIM ID - Yahoo ID, MSN ID - ID number - Institution - Department - Phone number - Mobile phone - Address - Photographs uploaded by end users - any additional personal data uploaded by end users 11

2) All the activities and functions processed on the Moodle website (as Data Controller) The Moodle hosted learning platform is intended to allow data controllers to specify the nature of data processed, according to their own usage needs. Depending on the choices and setting selected by the Data Controller, these activities may include, but may not be limited to, the upload and storage of documents containing personal data, participation in forum discussions, which will require personal data to be collected and stored on the participants, the collection and processing on usage data, participation in examinations or assessment procedures and video webinars (including personal data of the participants and observers of the webinar). Moodle Pty Ltd uses a number of third party organisations to provide certain functionality which allow for the features of the Moodle hosted learning platform and user experiences. It is important that the Data Controller has notified their end users of these third party processors, in order to ensure that they have obtained full and informed consent to the data processing involved in the Moodle hosted learning platform. Moodle Pty Ltd uses: - Amazon Web Services as a hosting provider. Amazon acts as a subprocessor for Moodle in respect of all data uploaded to the Moodle service. - Blindside Networks Inc, a Canadian company which enables the BigBlueButton webconferencing service on all Moodle websites. This includes Voice, Video, audio and chat messages. All the data involved is processed on the Blindside Networks Inc servers and is stored for a maximum of 7 days before being erased. - Google Analytics is used to measure pageviews on all Moodle websites and solely for statistical purposes. This data can include a user s IP address, geographical location and browser information. Its purpose: The purpose for this data processing is to provision a functional Moodle website, this allows the Moodle website end users to login and use an hosted learning management system. The purpose of the Google Analytics data processing is to provide aggregated analysis of how the service is used and performs. 12

The processing the Data Controller requires to be performed upon it: The Data controller requires The Data Processor to process the data provided within the applicable Moodle website in the normal operation of a Moodle website and to include any of the features specified in the relevant Terms of Service agreed by the Data Controller for the provision of the service. The Moodle hosted learning platform is intended to allow data controllers to specify the nature of data processed, according to their own usage needs. Depending on the choices and setting selected by the Data Controller, these activities may include, but may not be limited to, the upload and storage of documents containing personal data, participation in forum discussions, which will require personal data to be collected and stored on the participants, the collection and processing on usage data, participation in examinations or assessment procedures and video webinars (including personal data of the participants and observers of the webinar). Consideration Agreement As per Clause 3 of this Data Processing Agreement, in consideration of the provision of the services the Data Processor acknowledges that consideration in the sum of 1.00 shall be paid on request. 13

SCHEDULE 2 The following are the Security Measures referred to in Sub-Clause 1.1.: 1. The Data Processor will ensure that in respect of all Personal Data it receives from or processes on behalf of the Data Controller it maintains security measures to a standard appropriate to: 1.1 the harm that might result from unlawful or unauthorized processing or accidental loss, damage or destruction of the Personal Data; and 1.2 the nature of the Personal Data. 2. In particular the Data Processor shall: 2.1 ensure that it 2.1.1 defines security needs based on a risk assessment; 2.1.2 allocates responsibility for implementing the policy to a specific individual or members of a team; 2.1.3 that the required information is disseminated to all relevant staff; and 2.1.4 provides a mechanism for feedback and review. 2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice; 2.3 prevent unauthorized access to the Personal Data; 2.4 ensure the storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled; 2.5 have secure methods in place for the transfer of Personal Data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption); 14

2.6 put password protection on computer systems on which Personal Data is stored and ensure that only authorized personnel are given details of the password; 2.7 take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data; 2.8 ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement; 2.9 ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller; 2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including: 2.10.1 the ability to identify which individuals have worked with specific Personal Data; 2.10.2 having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Acts; and 2.10.3 notifying the Data Controller as soon as any such security breach occurs. 2.11 have a secure procedure for backing up and storing backups separately from originals; 2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print outs and redundant equipment. 15

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback