Last updated: July 4th, 2022
This Data Processing Agreement is based on The Danish Data Protection Agency’s standard template for Data Processing Agreements. The Danish Data Protection Agency is the independent authority that supervises compliance with the rules on protection of personal data in Denmark.
Please find the Danish Data Protection Agency’s standard template here.
Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
This Data Processing Agreement is based on this standard processor agreement, that has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organizations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.
The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.
For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)
the data processor
and
the data controller
each a ‘party’; together ‘the parties’
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.
On termination of the provision of personal data processing services, the data processor shall be under obligation to delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so unless Union or Member State law requires storage of the personal data.
The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller. The data controller and data processor agree on the procedures for audit and inspections as stated in appendices C.7 and C.8, with the inspection report obtained by the data processor from external auditors to verify the adequacy of its security measures.
This audit:
(i) Will be performed at least annually.
(ii) Will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001.
(iii) Will be performed by independent third party security professionals at the data processor’s selection and expense.
At the data controller’s written request and without charge and without prejudice to any further information or audit rights the data controller may exercise pursuant to this DPA, the data processor will provide the data controller with a confidential summary of the Report (“Summary Report”) so the data controller can reasonably verify the data processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute the data processor’s Confidential Information and shall be treated with confidentiality by the data controller.
On behalf of the data processor
Name: Flemming Blåbjerg
Position: Head of Compliance
Telephone: +45 7027 9191
E-mail: [email protected]
A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller is:
The data controller and the data processor have entered into the SaaS Agreement pursuant to which the data controller is granted a license to access and use the service for the duration of the subscription term. In providing the service, the data processor will engage, on behalf of the data controller, in the processing of personal data submitted to and stored within the service by the data controller or third parties with whom the data controller transacts using the service.
A.2. The data processor’s processing of personal data on behalf of the data controller shall mainly pertain to (the nature of the processing):
The data processor will host and process personal data in the course of providing its cloud-based Learning Management System (LMS) platform services to the data controller.
A.3. The processing includes the following types of personal data about data subjects:
The data processor processes personal data defined as:
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier of that person, or as the term may be defined under the GDPR from time to time.
The data processor does not process sensitive personal data, following the definition of "sensitive personal data" as personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade or union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offenses and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).
The data processor does not process data specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, including identifiers such as genetic data and all data pertaining to a data subject’s health status.
The data processor processes the following data on employees and authorised users (data subjects) from the data controller that is relevant for the processing of training:
* Training records consist of information about which training a learner has historically enrolled into, started and/or completed. This includes data on pass/fail information of assessments as well as assessment scores, if used.
A.4. Processing includes the following categories of data subject:
The data processor processes personal data about the following categories of data subjects on behalf of the data controller:
A.5. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:
When a subscription expires, data is no longer processed but will be subject to the procedures for storage, retention, and deletion as stated in Appendix C.4. The LMS365 SaaS terms and conditions can be downloaded here: https://lms365.com/lms365-saas-terms/
B.1. Approved sub-processors
On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors:
The data processor provides installation and other support services to the data controller using its affiliates as sub-suppliers, including for 24/7 support and local services (“Purpose”). For this Purpose, and if the data controller admits access to encrypted data, the affiliates may become sub-processors and have access to personal data in form of account name, user display name, email address, department, job title, office, country, city, manager ID/email, training records, competencies.
The data controller shall, on the commencement of the Clauses, authorise the use of the abovementioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation – to engage a sub-processor for a different processing than the one which has been agreed upon or have another sub-processor perform the described processing.
C.1. The subject of/instruction for the processing
The data processor’s processing of personal data on behalf of the data controller shall be carried out by the data processor performing the following instruction. The instruction for the processing, being what the data processor is instructed to do with the data types being processed related to fulfilling and achieving the purpose of the processing activities on behalf of the data controller and the data subjects, is:
Deliver and manage training (add, use, record, store, edit, structure, organise, analyse, export and delete personal data) on behalf of the data controller and its employees and authorised data subjects to provide the LMS365 platform, its components and features. The data processor processes:
* Training records consist of information about which training a learner has historically enrolled into, started and/or completed. This includes data about pass/fail information of assessments as well as assessment scores, if used.
C.2. Security of processing
The level of security shall take into account the nature, scope, context and purposes of the processing activity, as well as the risk for the rights and freedoms of natural persons.
Since processing activities involve processing of personal data a “high” level of security has been established. The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security.
The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller. This sets out the minimum security requirements that the data processor and its sub-processors will adhere to in relation to the processing of personal data.
The data processor is developing its products according to “best practices” and use of secure development procedures:
Secure Development Lifecycle (SDLC) – Trust Center (elearningforce.com)
Data processor shall ensure, by itself and on behalf of all its sub-processors, that it always complies with the following minimum security requirements:
Availability
Data processor leverages the Microsoft Azure cloud platform and implements applicable and recommended security features available on Microsoft Azure.
As such data processor has security features in place including, but not limited to, firewall, DDOS protection, antimalware protection, anomaly detection on server behaviour and antivirus.
Further, data processor has access restrictions implemented throughout the platform in terms of authenticating both users and applications access to services which interact with data.
Data processor monitors every service and has alarm systems in place if anything out of the ordinary occurs. Also, data processor continuously evaluates the measures in place based on the implemented Information Security Policy.
Integrity
Every application in data processor's services has logging services implemented which record all operations on the data.
Logging services have both audit logs and application logs which log historical events.
Further, access to manipulating data is restricted to specific user roles and hence governed by managed access in the form of both implemented systems and organisational structures, preventing unintended and/or malicious or accidental access to data.
Being a multitenant environment and SaaS, data processor's data architecture ensures the integrity and isolation of the data controller’s data by separating data logically based on universally unique identifiers (UUIDs) so customer data is separated logically and secured from other customers. Customers, therefore, share the cloud platform and application, but each tenant’s data is isolated and remains invisible to other tenants.
Confidentiality
Data processor leverages different technologies in terms of securing data, depending on the nature of the data. All databases are encrypted. Data stored in databases is further encrypted using industry-standard encryption algorithms.
Extremely sensitive data such as secrets and credentials are secured by an encryption service using Microsoft Azure Key Vault.
Data processor has confidentiality agreements with all employees. All data processor employees are required to use two-factor authentication and strong passwords that are unique from other services.
Furthermore, data processor maintains automatic access and security logs in multiple locations.
Personal data access is governed by our documented security policies and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and requires public key authentication.
Individual employee access follows a principle of least access. Access rights are reviewed quarterly.
Data security and encryption:
Data at rest:
Database encryption
Azure SQL Transparent Data Encryption (TDE)* helps protect the Azure SQL server and database(s) against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups and transaction log files at rest. Each database page is decrypted when read into memory and then encrypted before being written to disk. Hence, data is never written to disk without first being encrypted.
*LMS365 uses TDE with a customer-managed key (BYOK) stored and managed securely within an Azure Key Vault within the Azure data region selected by the data controller while installing LMS365.
For further information, please visit: https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql
Storage data (large file storage)
Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. All Azure Storage resources are encrypted, including blobs, disks, files, queues and tables. All object metadata is also encrypted.
For further information, please visit: Azure Storage encryption for data at rest | Microsoft Docs.
Data in transit
Transmission of data between the application and Azure is secured using an encrypted TLS 1.2+ connection with AES encryption. SSL/TLS certificates are signed by a publicly known Certificate Authority using SHA-256 with a 2048-bit key.
Cookies containing session information and other sensitive data from the LMS365 platform are all configured with HttpOnly and Secure flags enabled. This protects the cookie contents from being accessed by scripting as well as from being transmitted over unencrypted connections.
Furthermore, the LMS365 application domain is included in the HTTP Strict Transport Security (HSTS) preload list of all major browsers, meaning that these browsers will never connect to the LMS365 application without an encrypted connection.
Portability
LMS365 supports export of data in Excel, ZIP & JSON formats using built-in Export actions or the LMS365 Cloud API.
Resilience of systems
LMS365 is built entirely using Azure’s platform as a service component, all operated securely in the Microsoft Azure cloud fully managed by data processor. Maintenance and updates are included in your subscription to LMS365.
Currently, LMS365 is available in seven regional Azure data centres, and in the US Government Azure cloud.
Each customer can select which Azure data centre they would like to use for data location upon the first installation. The options are:
Data Center Locations & Physical Security – Trust Center (elearningforce.com)
Azure facilities, premises and physical security
Data processor doesn't have any in-house data centres, physical networks and/or servers connected to the LMS365 platform. Microsoft manages the physical and environmental security of our Azure-based data centres. The Azure physical security is described here and in our Platforms and Standards:
Advanced Platform Security & Threat Protection – Trust Center (elearningforce.com)
Our internal security program covers physical security at our offices.
Data breach detection and notification
How data processor detects and responds to a breach of personal data, and notifies the data controller under the GDPR
All our services and personnel follow internal incident management procedures to ensure that we take proper precautions to avoid data breaches in the first place. However, in addition, LMS365 and Microsoft’s Azure cloud services have specific security controls in place across our platforms to detect data breaches in the rare event that they occur.
In the event of a breach, i.e. a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, data processor will, without undue delay, but no later than in 24 hours after becoming aware of the breach, notify the data controller in writing and, additionally, in any other reasonable and prompt manner (e.g. by phone or email).
In the event of a security breach, our team will promptly notify the data controller of unauthorised access to its data. Service availability incidents are published to our status page at status.lms365.com with additional information.
Should the data controller’s security team need additional logs for their investigation of an incident determined to affect its organisation, our security team will coordinate and provide access as needed.
The breach notification will contain at least the following:
Where, and as far as, it is not possible to provide the information listed at the same time, the information may be provided in phases without undue further delay.
Data processor takes all the necessary steps to protect the data after having become aware of the breach. After having notified the data controller in accordance with the above, data processor will, in consultation with the data controller, take appropriate measures to secure the data and limit any possible detrimental effect to the data subjects.
Data processor will cooperate with the data controller, and with any third parties designated by the data controller, to respond to the breach. The objective of the breach response will be to restore the confidentiality, integrity and availability of the LMS365 platform services, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to data subjects or the data controller.
Data backup, retention and media sanitation
LMS365 stores all data securely with full redundancy on Microsoft Azure. Each customer has their own dedicated Azure SQL Database with data and backups encrypted with Transparent Data Encryption (TDE) - see Appendix C – C.2. – Data Security and Encryption.
All database backups are managed automatically by Microsoft Azure and are backed up as follows:
Full backups: Weekly
Differential: Every few hours
Transaction log: Every 5 - 10 minutes
Retention: 35 days
Note that database backups will be geo-replicated to the paired region.
For further information please visit Automatic, geo-redundant backups - Azure SQL Database & Azure SQL Managed Instance | Microsoft Docs.
Physical security of locations at which personal data is processed
Data processor’s Information Security Policy contains specific controls, rules and guidelines regarding the locations at which personal data is processed, such as a password policy, rules of the password manager and enforcement of two-factor authentication.
Servers used by data processor belong to Microsoft, where main access to the data centre facilities are typically restricted to a single point of entry that is manned by security personnel. The main interior or reception areas have electronic card access control devices on the perimeter door(s), which restrict access to the interior facilities. Rooms within the Microsoft data centres that contain critical systems (servers, generators, electrical panels, network equipment etc.) are restricted through various security mechanisms, such as electronic card access control, keyed lock on each individual door, man traps and/or biometric devices.
Requirements for the use of home/remote working
Data processor’s employees are instructed in appropriate technical and organisational measures in order to uphold Confidentiality, Integrity and Availability (CIA) principles at the data processor office, and when remote working.
Requirements for logging
Data processor uses Azure policies to ensure that all Azure resources are collecting the correct security and audit logs according to the Microsoft Azure ISO 27001:2013 Regulatory Compliance standards.
For log management and review, data processor has implemented Azure Sentinel. Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) system that analyses all security and audit logging data in real time using cloud based compute power and artificial intelligence for automated investigation and response (AIR). These capabilities enable our security operations centre to operate more efficiently and effectively 24/7.
C.3. Assistance to the data controller
The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:
Assistance to the data controller is provided by implementing a suitable set of standards and controls, including policies, processes, communication channels, procedures, organisational structures, software and hardware systems, that enable the data processor to provide the right level of assistance to the controller. These controls and standards are established, implemented, monitored, reviewed and improved where necessary to ensure that the specific security and compliance objectives, as well as the purposes of the data protection law GDPR, are met.
The data processor has defined and implemented a policy for information security and privacy and will, for personal data, maintain the following technical and organisational measures to assist the data controller:
Organisation of Information Security, risk assessment and treatment
Appointed responsible for Information Security and assistance to the data controller
The data processor, , has appointed a responsible for delegating, coordinating and monitoring the security rules and procedures.
Information security policy
An information security policy governing how data processing, protection and privacy of personal data is ensured in compliance with relevant legislation, regulations and as required in the data processor Information Security Policy, and to ensure assistance of the data controller with compliance for exercising the data subjects’ rights, assistance of the data controller in relation to audits and inspections, and assistance of the data controller in relation to ensuring compliance with the obligations pursuant to Articles 32 – 36, are implemented.
Security roles and responsibilities
Data processor personnel with access to personal data are subject to confidentiality obligations.
Risk management
Data processor performs a risk assessment on processing activities before processing the personal data or launching new modules, components and features as part of the data processor LMS platform.
Data processor retains its security documents pursuant to its retention requirements after they are no longer in effect.
Data processor’s Information Security Policy may be sent via request.
Asset management
Asset inventory
All critical assets required for running the business are identified, have an owner and are documented in a register that is kept up-to-date by the pointed-out employer.
Asset handling
Data processor classifies personal data to help identify it and to allow for access to it to be appropriately restricted.
Data processor personnel must obtain authorisation prior to storing personal data on portable devices or remotely accessing personal data.
Human resources security
Security training, education and awareness
Data processor informs its personnel about relevant security procedures and their respective roles. Data processor also informs its personnel of possible consequences of breaching the security rules and procedures. Data processor will only use anonymous data in training.
Physical and environmental security
Access to processing physical processing activities
Data processor’s personnel and authorised and approved third party users protect assets from unauthorised access, disclosure, modification, destruction or interference.
Physical access to components
Data processor’s personnel has no physical access to physical components nor data centres for processing activities since the data processor’s LMS platform is hosted on a cloud platform.
Component disposal
Data processor controls that vendors use industry standard processes to delete personal data when it is no longer needed.
Communications and operations management
Operational policy
Data processor maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to personal data.
Data recovery procedures
Backups are made continuously of all critical data and software, and everything is stored in the cloud by approved cloud vendors (sub-processors).
Malicious software
Data processor has anti-malware controls to help avoid malicious software gaining unauthorised access to personal data, including malicious software originating from public networks.
Encryption
All personal data is to be encrypted and protected against physical or digital theft of the raw data. This implies all data is encrypted from the outside. Further some data is to be encrypted and/or inaccessible by unauthorised access such as data processor’s personnel who are not required to see the data in its raw format.
Application and event logging
All applications and/or services are required to log their internal behaviour with respect to understanding failures and daily operation. Any application and/or service that deals with sensitive information is required to keep an audit log which allows for complete auditing of the service. The log format is required to be viewable in a way which does not compromise data security in terms of sensitive information.
Data deletion
Data is continuously deleted after the respective retention period has ended or upon request by the data controller.
Access control
Access policy
Data processor maintains a record of security privileges of individuals that have access to personal data.
Access authorisation
Least privilege
Integrity and confidentiality
Authentication
Information security incident management
Incident response process
Service monitoring
Data processor personnel verify logs at least every six months to propose remediation efforts if necessary, in accordance with our Information Security Policy.
Incident management
Data processor takes all necessary steps to protect the personal data after having become aware of an incident. After having notified the data controller in accordance with above, data processor will, in consultation with the data controller, take appropriate measures to secure the personal data and limit any possible detrimental effect to the data subjects. Data processor will cooperate with the data controller, and with any third parties designated by the controller, to respond to the incident. The objective of the incident response will be to restore the confidentiality, integrity and availability of the data processor’s LMS platform and personal data affected, to establish root causes and remediation steps, to preserve evidence and to mitigate any damage caused to data subjects or the data controller.
Business continuity management
Data processor maintains emergency and contingency plans for the facilities and the devices in which data processor accesses and processes personal data. Data processor’s contingency plan is tested at least once a year.
Data processor’s redundant storage and its procedures for recovering personal data are designed to attempt to reconstruct personal data in its original or last-replicated state from before the time it was lost or destroyed.
C.4. Storage period/erasure procedures
What happens to your data if you leave the service?
It is data processor’s responsibility to permanently destroy the data controller’s data upon the data controller’s request, with special emphasis on destroying all data in the scope in all locations and ensure all copies have been discarded.
Data processor shall at its own discretion determine data destruction schedules but shall wherever possible perform such destruction in accordance with the data controller’s requested timetable. Data processor shall have the obligation to wipe persistent media used for storing the data controller’s data or secure deletion of the data controller’s data with related techniques before it is released into re-use.
Data deletion and retention period
When the LMS365 subscription ends, the data controller’s data will be deleted after 90 days from the LMS365 Azure Subscription. The data will still be available on the backup to a maximum of 35 days after which time the data will be completely unobtainable. This Data Processing Agreement will continue to apply during the continued storage of data controller’s data.
Data deletion on physical storage devices on Azure
Due to LMS365 being built on Microsoft Azure as a SaaS solution, data processor does not have physical access to wipe and destroy media used for storing the data controller’s data on Azure. The media used for storing the data on Azure follows Microsoft Media Sanitation guidelines below.
If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft returns it to the manufacturer for replacement or repair. The data on the drive is completely overwritten to ensure the data cannot be recovered by any means.
When such devices are decommissioned, they are purged or destroyed according to NIST 800-88 Guidelines for Media Sanitation.
Microsoft is governed by strict standards and removes cloud customer data from systems under our control, overwriting storage resources before reuse, and purging or destroying decommissioned hardware.
Course catalogues (SharePoint site collections), courses (subsites of the site collections) and content within these (objects stored - e.g., word documents, PDFs etc.):
These sites and their content belong entirely to the client's Microsoft 365 tenant and, therefore, data processor does not delete these sites or their content.
Upon termination of the provision of personal data processing services, the data processor shall either delete or return the personal data in accordance with Clause 11.1., unless the data controller – after the signature of the contract – has modified the data controller’s original choice. Such modification shall be documented and kept in writing, including electronically, in connection with the Clauses.
C.5. Processing location
Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller’s prior written authorisation:
Please see table in Appendix C.2., locations of data processing.
C.6. Instruction on the transfer of personal data to third countries
By entering into this data processing agreement, the data controller agrees that the data processor transfers personal data to and stores personal data in third countries to the extent necessary using the sub-data processors listed in Appendix B.1.
The data processor uses the EU Commission's Standard Contractual Clauses as a basis for the transfer of personal data to third countries and, upon an assessment of risk, appropriate supplementary measures.
If the data controller does not in the Clauses or subsequently provide documented instructions pertaining to the transfer of personal data to a third country, the data processor shall not be entitled within the framework of the Clauses to perform such transfer.
C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor
The data processor shall once a year obtain an ISO 27001 certification report from an independent third party concerning the data processor's compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The parties have agreed that the following types of inspection report may be used in compliance with the Clauses:
ISO 27001 certification report:
The inspection report shall, without undue delay, be submitted to the data controller for information. The data controller may contest the scope and/or methodology of the report and may in such cases request a new audit/inspection under a revised scope and/or different methodology.
Based on the results of such an audit/inspection, the data controller may request further measures to be taken to ensure compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.
The data controller or the data controller’s representative shall in addition have access to inspect, including physically inspect, the places, where the processing of personal data is carried out by the data processor, including physical facilities as well as systems used for and related to the processing. Such an inspection shall be performed, when the data controller deems it required.
C.8. Procedures for audits, including inspections, of the processing of personal data being performed by sub-processors
The Parties acknowledge that the data processor uses external auditors to verify the adequacy of its security measures.
This audit:
(i) Will be performed at least annually.
(ii) Will be performed according to ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001.
(iii) Will be performed by independent third party security professionals at the data processor’s selection and expense.
At the data controller’s written request and without charge, the data processor will provide the data controller with a confidential summary of the report (“Summary Report”) so the data controller can reasonably verify the data processor’s compliance with the security and audit obligations under this DPA. The Summary Report will constitute the data processor’s confidential information under the confidentiality provisions of the data processor's SaaS-agreement.
D.1. Compliance with Clause 6.6.
The parties agree that the data processor shall only comply with the obligation in Clause 6.6 to include the data controller as a beneficiary third party in its agreements with sub-data processors to the extent that this can reasonably be implemented vis-à-vis the relevant sub-data processors.
D.2. Assistance to the data controller and extra documentation
The data processor's assistance to the data controller in accordance with Clause 8 and regarding "extra documentation" in Clause C.7 and C.8 is remunerated. The remuneration is calculated on the basis of the data processor's hourly rates and expenses incurred for external assistance, including from sub-data processors or advisors.
D.3. EU Standard Contractual Clauses for transfer of personal data to third countries
Before the data controller applies LMS365 for transferring (including by access rights) personal data protected under the Regulation (EU) 2016/679 (“GDPR”) into a third country not recognized by the European Commission under an adequacy decision, the data controller represents, covenants, and warrants that the data controller and its counterpart have adopted the EU Standard Contractual Clauses (“SCC”) for transfer of personal data, either as a data importer or a data exporter, respectively, in order to provide privacy rights under the GDPR for such personal data as uploaded, posted, delivered, provided or otherwise transmitted or stored into the LMS365.
The data processor represents, covenants, and warrants that the data processor, as a data exporter, and its US Affiliate, ELEARNINGFORCE Corporation, as a data importer, in respect to the GDPR, have accepted and submitted to the Clauses and the SCC covering delegations to ELEARNINGFORCE Corporation for participating in providing services offered to the data controller and, incidental to these services, access and process personal data on customized learning portals on LMS365.
*References to “Member States” made throughout the Clauses shall be understood as references to “EEA Member States”.
*Information Security Policy can be sent on request