APPENDIX 1

Last Updated May 15, 2018

SMART’s GDPR Data Processing Addendum (DPA) is hereby incorporated by reference into SMART’s Privacy Policy found online at https://home.smarttech.com/legal/privacy-policy. Specific to the GDPR, it shall govern the transfer, collection, destruction, and processing of Personal Data between SMART Technologies ULC (SMART), and:

  • Any customer (Customer) installing or using SMART hardware, software, or services (Services)
  • A party subject to SMART’s End User License Agreement (EULA)
  • A party subject to an agreement other than the EULA for the provision of SMART products or services (collectively referred to as “Agreement”) to Customer and Customer's Users, (each SMART and Customer shall be referred to as a “Party” and collectively as “Parties”).

The Parties hereby agree to the following terms and conditions, which will be in effect upon the earlier of:

(i) The Effective Date of the Agreement between the Parties,

OR

(ii) The date of first transfer or disclosure of Personal Data by Customer or Customer's Users to SMART (“Effective Date”).

Any capitalized terms not defined herein shall have the meaning ascribed to such terms in the Agreement.

1. DEFINITIONS

1.1. Customer's Users are any natural persons using or accessing the Services on behalf of, or under authorization of, the Customer, including but not limited to: employees, clients, end-users, contractors, students, and teachers.

1.2. Data refers to Personal Data and Non-Personal Data.

1.3. Data Controller shall have the same meaning as defined in the GDPR, and in this context, is the Customer.

1.4. Data Processor shall have the same meaning as defined in the GDPR, and in this context, is SMART.

1.5. GDPR refers to the Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.6. Non-Personal Data is any data or information of any kind relating to a Customer or Customer’s Users that is not Personal Data.

1.7. Personal Data, Processing and Special Categories of Personal Data shall have the same meaning as defined in the GDPR’s terms.

1.8. Services refers to the provision of products and services provided by SMART to a Customer under an Agreement.

1.9. Sub-Processors refers to any Processor SMART has engaged in connection with the Processing of Personal Data on behalf of Customer.

2. SCOPE

This DPA applies to Customer Data processed by SMART. In this context, SMART acts as Data Processor to the Customer who is the Data Controller with respect to the Customer and Customers’ User Data.

3. DATA PROCESSING

3.1. The Parties agree and represent that Personal Data is required to be Processed in a manner which is lawful, fair and transparent, and that Personal Data must be:

  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which the Personal Data is Processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification for no longer than is necessary for the purposes for which the Personal Data is Processed

3.2. In rendering Services to a Customer, the Customer may from time to time disclose Personal Data to SMART, concerning the Customer or the Customer's Users.

3.3. The Customer shall only upload, transfer, Process, or disclose Personal Data pursuant to the terms and conditions specified herein and as permitted under applicable law. In the event the Customer considers any upload, Processing, transfer, or disclosure of Personal Data to be inconsistent with the provisions herein, the Customer shall notify SMART.

3.4. SMART will Process Personal Data for the following purposes:

  • The provision of Services to the Customer and the Customer's Users, including support, updates, and maintenance services
  • To contact the Customer or Customer's Users in connection with the Services
  • To authenticate Customer or Customer's Users
  • To send the Customer or the Customer's Users promotional materials that are requested (opted-in)
    NOTE: A person may opt-out at any time.
  • To protect the security or integrity of Services and to take precautions against legal liability, and to anonymously analyze Services to improve them
  • For the fulfilment of the Agreement and exercising SMART rights and obligations thereunder, provided such Processing is permitted under applicable laws

3.5. The Customer shall not upload, Process, transfer, disclose, or otherwise make available to SMART any Personal Data included in Special Categories of Personal Data.

3.6. Subject to legal and tax requirements, SMART and its Sub-Processors will delete Personal Data which is Processed on behalf of the Customer upon request or within a commercially reasonable timeframe after the termination or expiration of the Agreement or Services.

3.7. SMART retains Personal Data for the duration necessary to:

  1. Fulfill the purposes of Processing described herein, and
  2. Defend or assert legal or tax claims and liability, or as otherwise permitted under applicable law.

3.8. The Customer hereby instructs SMART to Process, on behalf of the Customer and the Customer’s Users, Personal Data transferred or disclosed to SMART by the Customer or the Customer’s Users in connection with the Services.

3.9. SMART uses cookies or similar technologies to gather Data. The Customer hereby explicitly authorizes SMART to use cookies and similar technologies in connection with the provision of the Services.

3.10. The Customer may instruct SMART to cease Processing its Personal Data at any time. No refunds for Services will be given if the Services can no longer be provided as a result of ceasing to Process the Data.

3.11. The provisions set forth in this DPA, the Terms, the Agreement, and as otherwise agreed to between the Parties, shall constitute the Customer's documented instructions to SMART under the meaning of Article 28 of the GDPR.

4. SUBPROCESSING

4.1. Provided Sub-Processors comply with the GDPR, the Customer hereby grants SMART express authorization to engage Sub-Processors for the provision of Services. The Sub-Processors currently engaged by SMART to carry out specific processing activities are listed in Exhibit 1.

4.2. Where SMART authorizes any Sub-Processor as described in Section 4.1:

  • SMART will restrict the Sub-Processor’s access to Customer Data only to what is necessary to maintain the Service offerings or to provide the Services to the Customer and any of the Customer’s Users. SMART will prohibit the Sub-Processor from accessing Customer Data for any other purpose.
  • SMART will enter into a written agreement with the Sub-Processor and, to the extent that the Sub-Processor is performing the same data processing services that are being provided by SMART under this DPA, SMART will require the Sub-Processor to comply with the GDPR.
  • SMART will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause SMART to breach any of SMART’s obligations under this DPA.

5. INTERNATIONAL TRANSFERS OF DATA

5.1. The Customer acknowledges that SMART is an international corporation, and that Personal Data will be stored in the Customer’s home jurisdiction as well as transferred to Canada and the United States. The European Commission has recognized Canada (limited to commercial organizations), and the United States of America (limited to the Privacy Shield organizations) as providing adequate protection.

5.2. In the event SMART transfers Personal Data across international borders, SMART will use appropriate safeguards to ensure a level of security appropriate to the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transferred.

5.3. The Customer shall have sole responsibility to obtain and document all necessary consents from the Customer’s Users to the transfer of their Personal Data.

6. DATA SUBJECTS' RIGHTS

6.1. Upon the Customer's request to SMART, by calling +1 (888) 427-6278, SMART will provide the Customer with its Personal Data. This will enable Customer to verify and correct (if required) the Customer’s Personal Data on file with SMART, not less than thirty (30) days of receipt of such request. In the event any Personal Data is incorrect or outdated, the Customer may update and correct such data by providing SMART with the appropriate information.

6.2. To the extent applicable to the Customer and the Services, the Customer may request the portability of its Personal Data.

6.3. Customer shall have sole liability to comply with obligations in connection with the rights and freedoms of Customer’s Users pursuant to applicable laws.

6.4. The Parties agree that SMART shall not be required to respond and process requests and instructions provided by the Customer’s Users. In the event SMART receives a direct request from the Customer’s Users, SMART’s sole responsibility shall be to communicate such requests or instructions to the Customer, who may then formally make a request to SMART.

6.5. SMART shall make reasonable commercial efforts to assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Customer's obligations to respond to requests for exercising Customer’s Users’ rights pursuant to applicable laws.

7. NON-PERSONAL DATA

7.1. SMART only collects Personal Data regarding its Customers and Customer's Users which the Customer has provided SMART by engaging with SMART for the provision of Services.

7.2. In respect of Non-Personal Data, anonymized or pseudonymized Data, the Customer agrees that SMART has unlimited rights to such information and that SMART may use such information without limitation.

7.3. Non-Personal Data is collected and processed mainly for marketing analysis and to constantly improve and maintain the Services, which includes but is not limited to, ensuring the technical functioning of SMART Services, to help prevent fraudulent use of the Services and for developing new services and products.

8. NOTIFICATIONS

8.1. If SMART becomes aware of a Personal Data breach, it shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the affected Customer and the supervisory authority in accordance with Article 55 of the GDPR, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. SMART shall also take reasonable steps to mitigate the effects and to minimize any damage resulting from a Personal Data breach.

8.2. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:

  • The contact details of the Data Protection Officer or other contact person
  • A description of the nature of the breach
  • The likely consequences of the breach
  • The measures the organization has taken or proposes to take to address the breach
  • Advice on steps data subjects can take to protect themselves
  • The measures SMART has taken or proposes to take to address the breach.

8.3. SMART may disclose Data to law enforcement, regulatory or other government agencies, or third parties, if SMART reasonably believes that such a disclosure is necessary to comply with a judicial proceeding, court order, or a legal process, provided, however, that SMART shall notify the Customer in writing regarding any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

9. REPRESENTATIONS AND UNDERTAKINGS OF THE PARTIES

9.1. In connection with the transfer, Processing or disclosure of Personal Data by the Customer and the Customer's Users, and any Processing of such Personal Data by SMART, the Parties hereby agree and represent, that, as between the Parties:

  • The Customer shall be regarded as the Controller of all such Personal Data, and shall solely and fully assume all responsibilities, obligations, and liabilities imposed on the Customer as a Controller of Personal Data under the GDPR.
  • SMART shall be regarded as the Processor of such Personal Data, and shall solely and fully assume all responsibilities, obligations, and liabilities imposed on SMART as a Processor of Personal Data under the GDPR.

9.2. The Customer acknowledges that SMART may not have any direct interaction with the Customer's Users, and therefore, is unable to inform the Customer's Users of relevant information in connection with the Processing of their Personal Data or obtain the Customer's Users' consent to such Processing. As such, the Customer agrees that it is responsible to inform the Customer's Users, clearly and explicitly, of the Processing of their Personal Data, including processing by SMART, pursuant to, and in accordance with, the Customer's engagement with SMART. The Customer further represents that the Customer has all required authorizations to disclose Personal Data to SMART pursuant to this DPA and the Agreement.

9.3. The Parties shall each implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

9.4. SMART will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to:

  1. Satisfy the GDPR requirements
  2. Identify reasonably foreseeable and internal risks to security and unauthorized access to SMART’s network
  3. Minimize security risks, including through risk assessment and regular testing.

SMART has designated one or more employees to coordinate and be accountable for SMART’s information security. SMART conducts periodic reviews of the security of its network and adequacy of its information security program as measured against industry security standards and its policies and procedures. SMART continually evaluates the security of its network and Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by reviews.

9.5. SMART represents and warrants that SMART employees, contractors, agents, or Sub-Processors authorized by SMART to Process Personal Data on behalf of Customer, are bound by adequate contractual obligations.

9.6. SMART shall only Process Personal Data on behalf of Customer and pursuant to the instructions as set forth herein, pursuant to the Agreement, or otherwise agreed to between the Parties.

9.7. The Parties shall Process Personal Data only as lawful and compliant with applicable law, including the GDPR.

9.8. The Customer's use of the Services shall comply with all applicable laws.

10. TERM

10.1. The term of this DPA shall start on the Effective Date and continue until termination or expiration of the applicable Agreement.

11. GENERAL TERMS

11.1. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail regarding the Parties' data protection and privacy protection obligations.

11.2. SMART agrees to deposit a copy of this DPA with the supervisory authority if it so requests, or if such deposit is required under the applicable data protection law.

11.3. The Parties agree that the supervisory authority has the right to conduct an audit of the Parties.

11.4. If any provision of this DPA shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited to the minimum extent necessary so that this DPA shall otherwise remain in effect.

11.5. This DPA shall be governed by and construed in accordance with the same laws as the Agreement. Any claim under this DPA may be solely brought to the competent courts as specified in the Agreement.

11.6. SMART may amend this DPA from time to time and make the amended DPA available to Customer.