Last Updated May 15, 2018
The Parties hereby agree to the following terms and conditions, which will be in effect upon the earlier of:
(i) The Effective Date of the Agreement between the Parties,
(ii) The date of first transfer or disclosure of Personal Data by Customer or Customer's Users to SMART (“Effective Date”).
Any capitalized terms not defined herein shall have the meaning ascribed to such terms in the Agreement.
1.1. Customer's Users are any natural persons using or accessing the Services on behalf of, or under authorization of, the Customer, including but not limited to: employees, clients, end-users, contractors, students, and teachers.
1.2. Data refers to Personal Data and Non-Personal Data.
1.3. Data Controller shall have the same meaning as defined in the GDPR, and in this context, is the Customer.
1.4. Data Processor shall have the same meaning as defined in the GDPR, and in this context, is SMART.
1.5. GDPR refers to the Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.6. Non-Personal Data is any data or information of any kind relating to a Customer or Customer’s Users that is not Personal Data.
1.7. Personal Data, Processing and Special Categories of Personal Data shall have the same meaning as defined in the GDPR’s terms.
1.8. Services refers to the provision of products and services provided by SMART to a Customer under an Agreement.
1.9. Sub-Processors refers to any Processor SMART has engaged in connection with the Processing of Personal Data on behalf of Customer.
This DPA applies to Customer Data processed by SMART. In this context, SMART acts as Data Processor to the Customer who is the Data Controller with respect to the Customer and Customers’ User Data.
3. DATA PROCESSING
3.1. The Parties agree and represent that Personal Data is required to be Processed in a manner which is lawful, fair and transparent, and that Personal Data must be:
3.2. In rendering Services to a Customer, the Customer may from time to time disclose Personal Data to SMART, concerning the Customer or the Customer's Users.
3.3. The Customer shall only upload, transfer, Process, or disclose Personal Data pursuant to the terms and conditions specified herein and as permitted under applicable law. In the event the Customer considers any upload, Processing, transfer, or disclosure of Personal Data to be inconsistent with the provisions herein, the Customer shall notify SMART.
3.4. SMART will Process Personal Data for the following purposes:
3.5. The Customer shall not upload, Process, transfer, disclose, or otherwise make available to SMART any Personal Data included in Special Categories of Personal Data.
3.6. Subject to legal and tax requirements, SMART and its Sub-Processors will delete Personal Data which is Processed on behalf of the Customer upon request or within a commercially reasonable timeframe after the termination or expiration of the Agreement or Services.
3.7. SMART retains Personal Data for the duration necessary to:
3.8. The Customer hereby instructs SMART to Process, on behalf of the Customer and the Customer’s Users, Personal Data transferred or disclosed to SMART by the Customer or the Customer’s Users in connection with the Services.
3.10. The Customer may instruct SMART to cease Processing its Personal Data at any time. No refunds for Services will be given if the Services can no longer be provided as a result of ceasing to Process the Data.
3.11. The provisions set forth in this DPA, the Terms, the Agreement, and as otherwise agreed to between the Parties, shall constitute the Customer's documented instructions to SMART under the meaning of Article 28 of the GDPR.
4.1. Provided Sub-Processors comply with the GDPR, the Customer hereby grants SMART express authorization to engage Sub-Processors for the provision of Services. A list of sub-processors that are currently engaged by SMART to carry out specific processing activities is provided in Exhibit 1.
4.2. Where SMART authorizes any Sub-Processor as described in Section 4.1:
5. INTERNATIONAL TRANSFERS OF DATA
5.1. The Customer acknowledges that SMART is an international corporation, and that Personal Data will be stored in the Customer’s home jurisdiction as well as transferred to Canada and the United States. The European Commission has recognized Canada (limited to commercial organizations), and the United States of America (limited to the Privacy Shield organizations) as providing adequate protection.
5.2. In the event SMART transfers Personal Data across international borders, SMART will use appropriate safeguards to ensure a level of security appropriate to the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transferred.
5.3. The Customer shall have sole responsibility to obtain and document all necessary consents from the Customer’s Users to the transfer of their Personal Data.
6. DATA SUBJECTS' RIGHTS
6.1. Upon the Customer's request to SMART, by calling +1 (888) 427-6278, SMART will provide the Customer with its Personal Data. This will enable Customer to verify and correct (if required) the Customer’s Personal Data on file with SMART, not less than thirty (30) days of receipt of such request. In the event any Personal Data is incorrect or outdated, the Customer may update and correct such data by providing SMART with the appropriate information.
6.2. To the extent applicable to the Customer and the Services, the Customer may request the portability of its Personal Data.
6.3. Customer shall have sole liability to comply with obligations in connection with the rights and freedoms of Customer’s Users pursuant to applicable laws.
6.4. The Parties agree that SMART shall not be required to respond and process requests and instructions provided by the Customer’s Users. In the event SMART receives a direct request from the Customer’s Users, SMART’s sole responsibility shall be to communicate such requests or instructions to the Customer, who may then formally make a request to SMART.
6.5. SMART shall make reasonable commercial efforts to assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligations to respond to requests for exercising Customer’s Users’ rights pursuant to applicable laws.
7. NON-PERSONAL DATA
7.1. SMART only collects Personal Data regarding its Customers and Customer's Users which the Customer has provided SMART by engaging with SMART for the provision of Services.
7.2. In respect of Non-Personal Data, anonymized or pseudonymized Data, the Customer agrees that SMART has unlimited rights to such information and that SMART may use such information without limitation.
7.3. Non-Personal Data is collected and processed mainly for marketing analysis and to constantly improve and maintain the Services, which includes but is not limited to, ensuring the technical functioning of SMART Services, to help prevent fraudulent use of the Services and for developing new services and products.
8.1. If SMART becomes aware of a Personal Data breach, it shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the affected Customer and the supervisory authority in accordance with Article 55 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. SMART shall also take reasonable steps to mitigate the effects and to minimize any damage resulting from a Personal Data breach.
8.2. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:
8.3. SMART may disclose Data to law enforcement, regulatory or other government agencies, or third parties, if SMART reasonably believes that such a disclosure is necessary to comply with a judicial proceeding, court order, or a legal process, provided, however, that SMART shall notify the Customer in writing regarding any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
9. REPRESENTATIONS AND UNDERTAKINGS OF THE PARTIES
9.1. In connection with the transfer, Processing or disclosure of Personal Data by the Customer and the Customer's Users, and any Processing of such Personal Data by SMART, the Parties hereby agree and represent, that, as between the Parties:
9.2. The Customer acknowledges that SMART may not have any direct interaction with the Customer's Users, and therefore, is unable to inform the Customer's Users of relevant information in connection with the Processing of their Personal Data or obtain the Customer's Users' consent to such Processing. As such, the Customer agrees that it is responsible to inform the Customer's Users, clearly and explicitly, of the Processing of their Personal Data, including processing by SMART, pursuant to, and in accordance with, the Customer's engagement with SMART. The Customer further represents that the Customer has all required authorizations to disclose Personal Data to SMART pursuant to this DPA and the Agreement.
9.3. The Parties shall each implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
9.4. SMART will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to:
SMART has designated one or more employees to coordinate and be accountable for SMART’s information security. SMART conducts periodic reviews of the security of its network and adequacy of its information security program as measured against industry security standards and its policies and procedures. SMART continually evaluates the security of its network and Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by reviews.
9.5. SMART represents and warrants that SMART employees, contractors, agents, or Sub-Processors authorized by SMART to Process Personal Data on behalf of Customer, are bound by adequate contractual obligations.
9.6. SMART shall only Process Personal Data on behalf of Customer and pursuant to the instructions as set forth herein, pursuant to the Agreement, or otherwise agreed to between the Parties.
9.7. The Parties shall Process Personal Data only as lawful and compliant with applicable law, including the GDPR.
9.8. The Customer's use of the Services shall comply with all applicable laws.
10.1. The term of this DPA shall start on the Effective Date and continue until termination or expiration of the applicable Agreement.
11. GENERAL TERMS
11.1. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail regarding the Parties' data protection and privacy protection obligations.
11.2. SMART agrees to deposit a copy of this DPA with the supervisory authority if it so requests or, if such deposit is required under the applicable data protection law.
11.3. The Parties agree that the supervisory authority has the right to conduct an audit of the Parties.
11.4. If any provision of this DPA shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited to the minimum extent necessary so that this DPA shall otherwise remain in effect.
11.5. This DPA shall be governed by and construed in accordance with the same laws as the Agreement. Any claim under this DPA may be solely brought to the competent courts as specified in the Agreement.
11.6. SMART may amend this DPA from time to time and make the amended DPA available to Customer.