DPA and GDPR Compliance
Data Protection Addendum and GDPR Compliance
Last updated: September 1, 2020
Data Processing Agreement
Please note: If you require a signed copy of the agreement, please request one via email to email@example.com
When a User adds Beedle to their Microsoft Teams account the current Data Processing Agreement on Beedle’s website applies. If a new feature is introduced to Beedle the Data Processing Agreement may be updated and will apply to the User’s use of those new features.
- The User acts as a Data Controller (the “Controller”).
- The Controller wishes to add Beedle to his Microsoft Teams account, which implies processing of Personal Data by Beedle ehf., Höfðabakka 9, 110 Reykjavík, Iceland, acting as a Data Processor (the” Processor”).
- The Parties seek to implement a Data Processing Agreement that complies with the requirements of Art 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Both Parties will comply with GDPR and applicable Data Protection Laws and regulations.
IT IS AGREED AS FOLLOWS:
- Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this agreement shall have the following meaning:
“Agreement” means this Data Processing Agreement and Appendices A and B.
“EEA” means the European Economic Area.
“Data Protection Laws” means EU/EEA Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Sub-processor” means other processors used by Beedle to process Controllers personal data in connection with the Service, for example to storage the personal data.
“Data transfer” means a transfer of Controller Personal Data to the Processor or a transfer of Controllers Personal Data to a Sub-processor.
The terms, “Controller”, “Processor” Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Processing of Controllers Personal Data
The Processor shall process the Controller’s personal data only on documented instructions from the Controller, unless required to do so by national law to which the Processor is subject. The instructions shall be specified in Appendix A.
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or any Sub-processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary for the purposes of the Processor service, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) (a-d) of the GDPR. Depending on their relevance, the measures may include the following:
- the pseudonymisation and encryption of personal data.
- the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
- Use of Sub-processor
The Processor has the Controller’s general authorisation for the engagement of Sub-processors. The processor shall inform in writing the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 21 days in advance, thereby giving the Controller the opportunity to object to such changes. A list of sub-processors already authorised by the Controller can be found in Appendix B.
Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the agreement shall be imposed on that Sub-processor by way of an agreement.
- Assistance to the Controller
Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controllers obligations, to respond to requests to exercise Data Subject rights under GDPR and other Data Protection Laws.
- If the Processor receives a request from a Data Subject to exercise one or more of its rights under the GDPR, it will be forward to the Controller at once.
The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments (DPIA) and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controllers Personal Data by, and taking into account the nature of, the processing and information available to the Processor.
- Notification of Personal Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller Personal Data. Such notification shall meet the Controller’s obligation to notify the competent Supervisory Authority and the Data Subject if applicable, and include that information a Processor must provide to a Controller under Art 33 (3) of the GDPR to the extent such information is reasonably available to the Processor.
The Controller shall immediately notify the Processor if he becomes aware of a Personal Data Breach or has any suspicion of a breach in connection with the use of Beedle.
- Deletion or return of Personal Data
- Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and the Agreement, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
- Data Transfer
For Controllers covered by the GDPR the Processor may not transfer or authorize a transfer of Personal Data to countries outside the European Economic Area (EEA) without a prior written consent of the Controller. If Personal Data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
- The rights and obligations of the Controller
The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (Art. 24), the applicable national Data Protection Laws and this Agreement.
The Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
The Controller shall be responsible for ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
- Notices and updates
All notices and communications given by the Processor under this Agreement must either be in writing, published on the website or sent by email.
The Processor shall be notified by email sent to the address: firstname.lastname@example.org
- Governing Law
This agreement is governed by Icelandic laws.
- Commencement and duration
This agreement becomes effective when Controller adds Beedle in Microsoft Teams.
The Agreement shall apply for the duration of the Personal Data processing by Beedle ehf. on behalf of the Controller.
Nature of processing: The data processing performed by Beedle add-in to Microsoft Teams on behalf of the Controller relates to the service of Beedle ehf. Beedle is an add-in dedicated to extending the functionality of Microsoft Teams for teachers and educators. Beedle provides functionality inside of Teams for teachers to store digital lesson resources, organise their daily work and share content with other teachers and students.
Purpose of processing: Enable Beedle Users to create, store and share with fellow teachers and pupils for example lessons plans, class lists and notes regarding students’ behaviour, learning progress and more.
Type of personal data:
- Pupils: Name, E-mail address, Diary notes, Assessment and Attendance.
- Teachers/employees: Name and IP address (IP address is only recorded for security reasons).
Categories of Data Subjects:
Students, Teachers and other staff.
Appendix B: Sub-processor
Microsoft Azure Cloud Computing Service
Region: North Europe
Description of processing: Storage of Personal Data