Data Processing Agreement
WARNING
- Customers within EU Member States - Are you a Customer using the Ziber Education platform (ziber.eu) and located in an EU member state, and do we process personal data on your behalf? Then this Data Processing Agreement applies to you.
- Exceptions per EU Member State - If you are located in a specific EU member state, there may be exceptions that apply to you. You can read these exceptions here.
- Customers outside the EU - At this time, Ziber does not provide services outside the EU and therefore does not process personal data for Customers outside the EU. Read more at Customers outside the EU.
This Data Processing Agreement is made between:
Customer, the organization that has subscribed to Ziber Services for education & childcare, hereinafter referred to as "Educational Institution"
and
Supplier Ziber (Ziber B.V., Chamber of Commerce number 37088655, located and headquartered at Zijperweg 4 J, (1742 NE) Schagen, Netherlands), hereinafter referred to as "Processor"
hereinafter jointly referred to as "Parties", or individually: "Party"
Consider the following:
a. The Educational Institution and the Processor have entered into an agreement, on the date provided by Ziber as confirmation of the Customer Subscription or the date on which the Customer Subscription is renewed (whichever applies), under which the Processor will provide the Ziber parent communication platform to the Educational Institution. This agreement (hereinafter: Underlying Agreement), whether entered into in writing or otherwise, results in the Processor Processing Personal Data on behalf of the Educational Institution.
b. The Parties wish to establish their mutual rights and obligations for the Processing of Personal Data in this Data Processing Agreement, in accordance with Article 28(3) of the GDPR.
Terms written with a capital letter have the meaning given to them under “Definitions”.
ARTICLE 1. Subject and Assignment of the Data Processing Agreement
- This Data Processing Agreement applies to the Processing of Personal Data in the context of the execution of the Underlying Agreement.
- This Data Processing Agreement replaces any previous Data Processing Agreements concluded between the Parties in the context of the products/services mentioned under Consideration a., as specified in the Underlying Agreement.
- The Educational Institution, in its capacity as Data Controller, instructs the Processor in accordance with Article 28 of the GDPR to Process Personal Data on behalf of the Educational Institution. The Instructions from the Educational Institution are described in Appendix 1 of this Data Processing Agreement. These instructions and any additional instructions are provided in writing by and to the authorized contact persons of the Parties. These contact persons are listed in the aforementioned appendix.
- The Processor shall inform the Educational Institution as soon as possible if, in the Processor’s opinion, an Instruction violates the GDPR or other applicable legislation. In such a case, the Educational Institution is required to assess whether the Instruction indeed violates the GDPR or other applicable legislation, during which time the Processor will not be obliged to follow the Instruction.
- The provisions of this Data Processing Agreement apply to all Processing activities as described in Appendix 1 carried out in the execution of the Underlying Agreement. The Processor shall promptly inform the Educational Institution if the Processor has reason to believe that it can no longer comply with the Data Processing Agreement.
ARTICLE 2. Roles and Responsibilities
- The Educational Institution is the Data Controller concerning the Processing of Personal Data carried out on its behalf. The Educational Institution retains independent control over (and determination of) the purpose and means of the Processing of Personal Data.
- The Processor ensures that the Educational Institution is adequately informed, at the time of entering into this Data Processing Agreement, about the services provided by the Processor and the Processing activities to be performed. The information provided allows the Educational Institution to understand which Processing activities are inherently linked to a provided service and which Processing activities are associated with any optional services offered by the Processor.
- In addition to paragraph 2, and without prejudice to the provisions elsewhere in this Data Processing Agreement, the Processor informs the Educational Institution, upon entering into this Data Processing Agreement, in Appendix 1 about the services referred to in paragraph 2, including any optional services and the Processing activities performed in that context. The information in Appendix 1 must be written in clear language, enabling the Educational Institution to give informed consent for the use of these services and the related Processing activities.
- Where required by Article 30 of the GDPR (taking into account the exemption in Article 30(5)), the Processor maintains a record of all categories of Processing activities performed on behalf of the Educational Institution, in accordance with Article 30(2) of the GDPR.
- The Educational Institution and the Processor provide each other with all necessary information to ensure proper compliance with applicable laws and regulations concerning the Processing of Personal Data.
ARTICLE 3. Use of Personal Data
- The Processor undertakes not to use the Personal Data obtained from the Educational Institution for any purpose other than the purpose for which the data was provided and communicated. The Processor will only Process the Personal Data on behalf of the Educational Institution and in accordance with the Instructions of the Educational Institution. The Processor will not Process the Personal Data for its own purposes or for third-party purposes, unless a Union or Member State law applicable to the Processor requires such Processing, for example the transfer of data to a third party. In that case, the Processor will notify the Educational Institution of the legal requirement prior to the Processing, unless that legislation prohibits such notification for reasons of important public interest.
- In addition to paragraph 1, the Processing of Personal Data relating to Digital Educational Tools will never take place for advertising purposes or for making unsolicited offers by the Processor.
- The Educational Institution and the Processor specify in Appendix 1 the purposes for which Personal Data is Processed in the use of the product and/or service, the Processing activities performed for those purposes, and the categories of Personal Data and of Data Subjects that are Processed. The Educational Institution ensures that no more Personal Data than stipulated in Appendix 1 is provided to the Processor.
- If the Processor, in violation of the GDPR, determines the purpose and means of the Processing of Personal Data, the Processor will be considered the Data Controller for that Processing.
- In cases where the Processor (hereinafter referred to in this paragraph as the Distributor) focuses on the distribution of Digital Educational Tools as part of the execution of the Underlying Agreement, the following additional provisions apply:
- The Distributor, in the role of Processor, exchanges data with the suppliers of educational materials, who also assume the role of Processor concerning the Educational Institutions.
- The Educational Institution is responsible for establishing and documenting agreements with each supplier of educational materials in a Data Processing Agreement.
- The Educational Institution indemnifies the Distributor against any third-party claims arising from the failure to establish, or the untimely establishment of, Processing agreements with the supplier of educational materials, and the Educational Institution indemnifies the supplier of educational materials against any third-party claims arising from the failure to establish, or the untimely establishment of, Processing agreements with the Distributor.
- Responsibility for the Personal Data passes from the Distributor to the supplier of educational materials from the moment the supplier receives the data from the Distributor.
ARTICLE 4. Confidentiality
- The Processor guarantees that all Personal Data will be treated with strict confidentiality. The Processor ensures that anyone involved in the Processing of Personal Data, including its employees, representatives, and/or Sub-processors, is bound by a confidentiality obligation covering at least the Personal Data and the circumstances under which it is Processed.
- The confidentiality obligation mentioned in paragraph 1 does not apply in the following cases:
- if the Educational Institution has explicitly authorized the Processor to provide the Personal Data to a Third Party;
- if providing Personal Data to a Third Party is necessary due to the nature of the services provided by the Processor to the Educational Institution as outlined in the Underlying Agreement; or
- if the Processor is required to provide the Personal Data under a Union or Member State law.
- In cases where a Third Party invokes a legal obligation as referred to in paragraph 2, subsection 3, the Processor shall verify the legal basis and the identity of the party invoking it before disclosing the data. Additionally, the Processor shall inform the Educational Institution of the relevant information regarding the disclosure immediately prior to the provision, unless prohibited by law for reasons of significant public interest.
- The Processor ensures that only persons working under its authority and/or responsibility have access to Personal Data, and only to the extent necessary for the fulfillment of their duties.
ARTICLE 5. Security and Monitoring
- In compliance with Article 32 of the GDPR, both Parties shall take appropriate technical and organizational measures to secure Personal Data and protect it against unauthorized or unlawful Processing and against accidental loss, destruction, or damage.
- In addition to the measures mentioned in Article 32(1) of the GDPR, the following measures will be taken where appropriate:
- an appropriate security policy for the Processing of Personal Data (comparable to the applicable ISO standards and/or the applicable Information Security and Privacy Certification Scheme ROSA);
- measures to ensure that only authorized persons working under the authority and/or responsibility of the Processor have access to the Personal Data processed under this Data Processing Agreement;
- the establishment of procedures for granting access to Personal Data, including a registration and deregistration procedure for the assignment of access rights, and the logging of events related to user activities, exceptions, and information security incidents. The Educational Institution shall have the opportunity to periodically review these log files.
- In Appendix 2, the Parties record the agreements on the appropriate technical and organizational security measures referred to in paragraphs 1 and 2.
- Both Parties shall periodically evaluate and, where necessary, strengthen, supplement, or improve their own security measures, taking into account evolving requirements or (technological) developments.
- The Processor shall cooperate in good faith with the Educational Institution to ensure that it can effectively fulfill its legal obligation to monitor the Processor's compliance with the technical and organizational security measures and the obligations concerning Data Breaches, as described in Article 6.
- In addition to the preceding paragraphs, the Educational Institution has the right, at any time, to conduct an audit to verify compliance with Applicable laws and regulations regarding the Processing of Personal Data, the Processing of Personal Data in relation to the Underlying Agreement, and this Data Processing Agreement, including the technical and organizational security measures taken by the Processor:
- The Parties shall agree that the audit will be conducted by an independent, certified external expert, approved by both Parties, who will issue a third-party statement (TPM).
- The auditor will provide the audit report only to the Parties.
- The Parties shall agree on how to handle the audit findings.
- The Parties may agree that a valid (inter)nationally recognized certification or equivalent control or verification method can be used in lieu of an audit, with the Educational Institution being informed of the audit outcomes.
- The Parties agree that the costs of an audit as described in subsection a shall be borne by the Educational Institution unless the audit reveals significant deficiencies attributable to the Processor. In such a case, the Parties shall discuss the cost-sharing arrangement for the audit.
ARTICLE 6. Data Breaches
- Both Parties have an appropriate policy for handling Data Breaches.
- If the Educational Institution or the Processor identifies a Data Breach during the execution of the Underlying Agreement or this Data Processing Agreement, the identifying Party will inform the other Party without undue delay upon becoming aware of the Data Breach. In the event of a Data Breach, the Processor will provide all relevant information to the Educational Institution regarding the Data Breach, including any developments related to the breach and the measures the Processor is taking to mitigate the effects of the breach on its side and prevent recurrence.
- In addition to paragraph 2, the Processor will promptly inform the Educational Institution if there is a suspicion that the Data Breach is likely to result in a high risk to the rights and freedoms of natural persons, as referred to in Article 34(1) of the GDPR.
- In the event of a Data Breach, the Processor will enable the Educational Institution to take (or arrange) appropriate follow-up steps concerning the Data Breach. The Processor shall align with the existing processes established by the Educational Institution for this purpose, to the extent that these have been communicated to the Processor. The Parties will take all reasonably necessary measures as soon as possible to prevent or mitigate further violations or breaches related to the Processing of Personal Data, and in particular, further violations of the Applicable laws and regulations regarding the Processing of Personal Data.
- In the event of a Data Breach, the Educational Institution shall comply with any legal notification obligations.
- The Parties will, in good faith, negotiate the reasonable allocation of any costs associated with fulfilling the notification obligations.
- The Parties shall document all Data Breaches in an (incident) register, including the facts surrounding the Personal Data breach, its consequences, and the corrective actions taken.
- For security incidents unrelated to a Data Breach, the Processor will inform the Educational Institution in accordance with the agreements described in Appendix 2.
ARTICLE 7. Cooperation
- The Processor shall assist the Educational Institution in fulfilling its obligations as the Data Controller under the GDPR and other Applicable laws and regulations concerning the Processing of Personal Data, including but not limited to:
- fulfilling the Educational Institution’s duty, as reasonably possible, to respond to requests by Data Subjects under Chapter III of the GDPR within the legal deadlines, such as requests for access, rectification, erasure, or restriction of Processing of Personal Data;
- conducting controls and audits as referred to in Article 5 of this Data Processing Agreement;
- carrying out a Data Protection Impact Assessment (DPIA) and any resulting required prior consultation with the Data Protection Authority;
- complying with requests from a Supervisory Authority or another government body;
- investigating, assessing, and reporting Data Breaches as referred to in Article 6 of this Data Processing Agreement.
- Any complaint or request from a Data Subject or a request or inquiry from a Supervisory Authority regarding the Processing of Personal Data shall be forwarded by the Processor, to the extent legally permissible, to the Educational Institution, which is responsible for handling the request or complaint.
- The Parties shall not charge each other for reasonable assistance, except as provided in Article 5 paragraph 6, Article 6 paragraph 6, and Article 11 paragraph 3. If one Party intends to charge the other Party, the charging Party shall notify the other Party in advance.
ARTICLE 8. Transfer to third countries outside the European Economic Area
- The Processor is only authorized to transfer Personal Data to a third country outside the European Economic Area (EEA) or to an international organization if the Educational Institution has given specific written consent for such a transfer, unless a Union or Member State law applicable to the Processor requires the transfer. In such a case, the Processor shall inform the Educational Institution in writing before the transfer, unless the relevant law prohibits such notification for reasons of significant public interest.
- If, with the consent of the Educational Institution, Personal Data is transferred to third countries outside the EEA or to an international organization as referred to in Article 4(26) of the GDPR, the Parties shall ensure that this is done in compliance with legal requirements and any obligations that rest on the Educational Institution in this context. If applicable, Appendix 1 of this Data Processing Agreement includes a list of the third countries or international organizations that Process the Personal Data, and indicates how the GDPR conditions for transferring Personal Data to third countries or international organizations are met.
- If the transfer to a third country outside the EEA is based on a model contract (standard contractual clauses) approved by the European Commission, then additional safeguards must be put in place where necessary to ensure that the level of protection of Personal Data during and after the transfer is equivalent to the protection level within the EEA. These safeguards must be outlined in Appendix 1.
ARTICLE 9. Engagement of Sub-processors
- By signing this Data Processing Agreement, the Educational Institution grants the Processor permission to engage Sub-processors, whose identity and location details are included in Appendix 1.
- During the term of the Data Processing Agreement, the Processor will inform the Educational Institution of any intended addition of a new Sub-processor or change in the composition of the existing Sub-processors, allowing the Educational Institution the opportunity to object to such changes. The objection period is 6 weeks following written notification to the Educational Institution of the intended addition or change.
- The Processor is obligated to impose at least the same data protection obligations on each Sub-processor via a contract or other legal act as those imposed on the Processor in this Data Processing Agreement. Upon request, the Processor shall provide the Educational Institution with copies of these Sub-processor agreements or the relevant sections of the Sub-processor agreements, other contracts, or binding legal acts between the Processor and the Sub-processor engaged under paragraph 1 of this article.
ARTICLE 10. Retention periods and destruction of Personal Data
- The Educational Institution shall inform the Processor in Appendix 1 about the applicable (statutory) retention periods for the Processing of Personal Data by the Processor. The Processor shall not Process the Personal Data for longer than these retention periods.
- Upon termination of the Data Processing Agreement, the Processor shall, at the direction of the Educational Institution, return and/or destroy the Personal Data Processed on behalf of the Educational Institution within a timeframe mutually agreed upon by the Parties, unless the Personal Data must be retained longer due to a Union or Member State legal obligation or at the request of the Educational Institution.
- The Processor shall confirm in writing to the Educational Institution that the destruction of the Processed Personal Data, as referred to in paragraph 2, has occurred. The Educational Institution may, at its own expense, conduct an audit to verify that the destruction has taken place.
- The Processor ensures and guarantees that all Sub-processors involved in the Processing of Personal Data also return and/or destroy the Personal Data after the retention periods or the timeframe for return and/or destruction as referred to in paragraph 2 has expired.
ARTICLE 11. Liability
- The Parties may include arrangements regarding liability arising from this Data Processing Agreement in the Underlying Agreement or in another agreement or arrangement between the Parties.
- Notwithstanding the first paragraph, the Parties may not invoke a limitation of liability included in the Underlying Agreement or another agreement or arrangement between the Parties in the event of:
- a recourse action under Article 82 of the GDPR; or
- a compensation action under this Data Processing Agreement, if and insofar as the action involves the recourse of a fine paid to the Supervisory Authority that is wholly or partly attributable to the other Party.
- The provisions of this article are without prejudice to any legal remedies available to the Party held liable under applicable law. The provisions of paragraph 2, subparagraph 2, are without prejudice to the provisions of Article 12, paragraph 2.
- Each Party is required to notify the other Party without undue delay of any (potential) liability claim or (intention to impose) an administrative fine by the Supervisory Authority, both in connection with this Data Processing Agreement. Each Party is reasonably required to provide information and/or assistance to the other Party to defend against a (potential) liability claim or (intention to impose) a fine, as referred to in the previous sentence. The Party providing information and/or assistance is entitled to charge the other Party any reasonable costs incurred. The Parties will inform each other about these costs as much as possible in advance.
- The Party (hereinafter the "Approached Party") that has been notified by the Supervisory Authority of the intention to impose an administrative fine (hereinafter referred to as the "Enforcement Intent") in connection with this Data Processing Agreement shall:
- take into account the reasonable interests of the other Party when defending against the Enforcement Intent;
- reasonably allow the other Party to express its views regarding the Enforcement Intent to the Approached Party, and
- not accept a settlement offer from the Supervisory Authority, nor waive any legal remedy against the Enforcement Intent or a fine, without first consulting the other Party.
ARTICLE 12. Conflict and Amendment of the Data Processing Agreement
- In the event of a conflict between the provisions of this Data Processing Agreement and the provisions of the Underlying Agreement, the provisions of this Data Processing Agreement shall prevail.
- Notwithstanding the provisions of Article 9 paragraph 2, in the event of significant changes to the product and/or the (supplementary) services after the conclusion of this Data Processing Agreement that affect the Processing of Personal Data as described in Appendix 1 and Appendix 2, the Processor will inform the Educational Institution in clear language about the consequences of these changes before the Educational Institution accepts them. Significant changes include, in any case, the addition or modification of a feature that may lead to an increase in the Personal Data to be Processed and may affect the purposes determined by the Educational Institution for which the Personal Data are Processed. These changes will be included in Appendix 1 or Appendix 2.
- Changes to the articles of the Data Processing Agreement after its conclusion can only be agreed upon jointly and in writing between the Parties.
- If any provision of this Data Processing Agreement is null, voidable, or otherwise unenforceable, the remaining provisions of this Data Processing Agreement shall remain in full force. In that case, the Parties shall consult with each other to replace the null, voidable, or otherwise unenforceable provision with an enforceable alternative provision, taking into account the purpose and intent of the null, voided, or otherwise unenforceable provision as much as possible.
ARTICLE 13. Duration and Termination
- The duration of this Data Processing Agreement is equal to the duration of the Underlying Agreement between the Parties, including any extensions thereof.
- This Data Processing Agreement will automatically terminate upon the termination of the Underlying Agreement. Until the Personal Data have been returned and/or destroyed by the Processor in accordance with Article 10, the Processor shall continue to comply with the provisions of this Data Processing Agreement.
ARTICLE 14. Applicable Law and Dispute Resolution
All disputes arising between the Parties in connection with the Data Processing Agreement shall be submitted to the court designated in the Underlying Agreement. If no court is designated in the Underlying Agreement, the court of the place where the Educational Institution is located shall have jurisdiction.
ARTICLE 15. Translation
This Data Processing Agreement was originally written in the Dutch (NL) language. We may translate this Data Processing Agreement into other languages to ensure readability. In the event of a conflict between a translated version of this Data Processing Agreement and the Dutch version, the Dutch version shall prevail.
ARTICLE 16. Appendices
The following Appendices are part of this agreement:
- Appendix 1: Privacy Annex
- Appendix 2: Security Annex