Data Processing Agreement
- “Applicable Law” means all applicable laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the Personal Information Protection and Electronic Documents Act, 2000 (“PIPEDA”); the UK Data Protection Act 2018 the GDPR as it forms part of United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018, and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”); the Swiss Federal Act on Data Protection; the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) as applied, supplemented, modified and/or replaced from time to time by the laws of the United Kingdom, Switzerland and/or the relevant member state of the European Union and European Economic Area (as the case may be); EU Directive 2002/58/EC on Privacy and Electronic Communications (“e-Privacy Directive”); the California Consumer Privacy Act of 2018 and any regulations promulgated thereunder, as amended from time to time (“the CCPA”); and any other directly applicable laws or regulation relating to privacy and data rights of natural persons having effect or enacted in the United States, Switzerland, United Kingdom, the European Economic Area, and/or the European Union or a relevant state or member state thereof (as the case may be), or anywhere else in the world, in each of the foregoing instances, as applicable to the Processing of Personal Data by Processor. “Company Personal Data” means any Personal Data processed by EC-Council on behalf of Company pursuant to or in connection with the Principal Agreement;
- “Contracted Processor” means a Sub-processor;
- “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the applicable data protection or privacy laws of any other country;
- “Data Transfer” means:
- (a) a transfer of Company’s Personal Data from the Company to Processor; or
- (b) an onward transfer of Company’s Personal Data from a Processor to a Subcontracted Processor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
- “EEA” means the European Economic Area;
- “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
- “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
- “GDPR” means EU General Data Protection Regulation 2016/679;
- “Instruction” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
- “Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Company’s Data; and (ii) is protected similarly as personal data, personal information or personally identifiable information under Applicable Laws
- “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Platform” shall have the meaning set forth in the specific Terms of Service for any EC-Council Service and where not defined therein shall mean EC-Council’s platform through which EC-Council provides the Service availed by the Company.
- “Service(s) ” means the services provided by EC-Council to the Company under the Principal Agreement.
- “Sub-Processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Principal Agreement.
- The terms, “Commission”, “Data Controller”, “Data Subject”, “Data Processor” “Member State”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Data Processing
- Scope and Roles. This DPA applies only when Company Personal Data is processed by EC-Council, under the Principal Agreement. Company and EC-Council agree that Company is the controller of Company Personal Data and EC-Council is the processor of such data, except when Company acts as a processor of Personal Data, in which case EC-Council is a Sub-processor.
- Legitimacy of Processing. The Company is responsible for ensuring a valid legal basis for processing the Company Personal Data.
- Compliance with Law. Each party agrees it will comply with its obligations under the Applicable Laws relating to any Company Personal Data it processes under or in relation to this Agreement. Without prejudice to the foregoing, EC-Council will not process Company Personal Data in a manner that will, or is likely to, result in the Data Controller breaching its obligations under the Data Protection Law. EC-Council will promptly inform the Company if any of the Company’s Instruction(s) infringes Applicable Law.
3. Company’s Responsibilities:
- Company Personal Data. In particular but without prejudice to the generality of the foregoing, Company acknowledges and agrees that Company shall be solely responsible for: (i) the accuracy, quality, and legality of Company Personal Data and the means by such data is acquired; (ii) complying with all necessary transparency and lawfulness requirements under Applicable Laws for the collection and use of the Company Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring Company has the right to transfer, or provide access to, the Company Personal Data to EC-Council for Processing in accordance with the terms of the Principal Agreement (including this DPA); (iv) ensuring that Company’s Instructions to EC-Council regarding the Processing of Company Personal Data comply with applicable laws, including Data Protection Laws; (v) making an independent determination as to whether the technical and organizational measures for Services meet Company’s requirements, including any of its security obligations under applicable data protection requirements. Company acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of Company Personal Data as well as the risks to individuals) the security practices and policies implemented and maintained by EC-Council provide a level of security appropriate to the risk with respect to such data. The Company is responsible for implementing and maintaining privacy protections and security measures for components that Company provides or controls. The Company shall inform EC-Council without undue delay if Company is not able to comply with their responsibilities under this DPA or Applicable Laws
- Company’s Instructions. The parties agree that the Principal Agreement and this DPA, together with Company’s use of the Service in accordance with the Principal Agreement, constitute the Company’s complete Instructions to EC-Council in relation to the Processing of Company Personal Data. The Company may provide additional Instructions as long as additional Instructions, during the term of the Principal Agreement, are consistent with the Principal Agreement, this DPA, and lawful use of the Service under applicable laws. In any instance where the GDPR applies and Company is a Processor, Company warrants to EC-Council that Company’s instructions, including appointment of EC-Council as a processor or Sub-processor, have been authorized by the relevant Controller.
- Security. The Company is responsible for independently determining whether the data security provided for in the Service adequately meets Company’s obligations under Applicable Laws. Company is also responsible for the Company’s secure use of the Service, including protecting the security of Company Personal Data in transit to and from the Service (including to securely backup or encrypt any such Company Personal Data).
4. EC-Council’s Obligations
- Compliance with Instructions. EC-Council will only Process Company Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of the Company’s lawful Instructions, except where and to the extent otherwise required by Applicable Law.
- Conflict of Laws. If EC-Council becomes aware of any situation where it cannot Process Company Personal Data in accordance with the Company’s Instructions due to a legal requirement under any applicable law, EC-Council will (i) promptly notify the Company of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Company issues new Instructions with which EC-Council is able to comply. If this provision is invoked, EC-Council shall not be liable to the Company under the Principal Agreement for any failure to perform the applicable Services until such time as the Company issues new lawful Instructions with regard to the Processing.
- Limits on Updates. When Company renews an existing membership to a Service or subscribes to a new Service, the then-current DPA Terms will apply and will not change during Company’s membership for that Service.
- New Features, Supplements, or Related Software. Notwithstanding the foregoing limits on updates, when EC-Council introduces features, offerings, supplements or related Services that are new (i.e., that were not previously included with the Service offering), EC-Council may provide terms or make updates to this DPA that apply to Company’s use of those new features, offerings, supplements or related Service. If those terms include any material adverse changes to the DPA Terms, EC-Council may provide the Company a choice to use the new features, offerings, supplements, or related Service, without loss of existing functionality of a generally available Service. If the Company does not use the new features, offerings, supplements, or related Service, the corresponding new terms will not apply.
- Government Regulation and Requirements. Notwithstanding the foregoing limits on updates, EC-Council may modify or terminate a Service in any country or jurisdiction where there is any current or future government requirement or obligation that (i) subjects EC-Council to any regulation or requirement not generally applicable to businesses operating there, (ii) presents a hardship for EC-Council to continue offering the Service without modification, and/or iii) causes EC-Council to believe the DPA or the Service may conflict with any such requirement or obligation. EC-Council may amend the terms of this DPA where required to comply with Data Protection Requirements and to reflect any changes in the applicable Data Protection Requirements, so long as any such revisions continue to ensure the protection of Personal Data processed by EC-Council in the course of providing the Service to the Company.
5. Details of Data Processing
- Subject matter. The subject matter of the data processing under this DPA is Company’s Personal Data. The processing activities that EC-Council shall carry out are strictly limited to those necessary to fulfil the scope of the Principal Agreement signed by the parties or for the provisioning of Services provided by EC-Council.
- Duration. As between the parties, the duration of the data processing under this DPA shall be for the duration of the Services.
- Purpose. The purpose of the data processing under this DPA is the provision of the Services.
- Categories of data subjects. The data subjects could include Company’s customers, employees, suppliers, partners, end users or any individual whose Personal Data is provided to EC-Council by Company for processing.
6. Processor Personnel
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EC-Council shall, in relation to the Company Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. EC-Council periodically monitors the internal processes and the technical and organizational measures to ensure that processing activities pertaining to it are carried out in accordance with the requirements of Applicable Law and the protection of Data Subjects’ rights.
- In assessing the appropriate level of security, EC-Council will take into account the risks that are presented by processing, from a Personal Data Breach.
The Company agrees that EC-Council may engage Sub-Processors to Process Company Personal Data on Company’s behalf. Company may write to EC-Council at [email protected] to know about EC-Council’s Sub Processor(s). Where EC-Council engages Sub-Processors, adequate data protection terms are imposed on the Sub-Processors which provides the same level of protection for Personal Data as those in this DPA , to the extent applicable to the nature of the services provided by such Sub-Processors. EC-Council will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that causes EC-Council to breach any of its obligations under this DPA.
9. Data Subject Rights
- Taking into account the nature of the Processing, EC-Council shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of EC-Council’s obligations, as reasonably understood by EC-Council, to respond to requests to exercise Data Subject rights under the Applicable Laws.
- EC-Council shall:
- promptly notify the Company of receipt of a request from a Data Subject under any Applicable Law in respect of Company Personal Data; and
- ensure that EC-Council does not respond to that request except on the instructions of Company or as required by Applicable Laws, in which case EC-Council shall to the extent permitted by Applicable Laws and shall inform Company of the legal requirement before responding to the request.
10. Personal Data Breach
- EC-Council shall notify Company without undue delay of a Personal Data Breach affecting Company Personal Data and shall provide sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of such Personal Data Breach under the Applicable Laws.
- EC-Council shall co-operate with the Company and shall take reasonable commercial steps to assist in the investigation, mitigation, and remediation of such Personal Data Breach.
11. Data Protection Impact Assessment and Prior Consultation
12. Deletion or return of Company’s Personal Data
- Subject to this section, EC-Council shall promptly and in any event within thirty (30) business days of the receipt of request from the Company delete and procure the deletion of all copies of Company Personal Data. However, EC-Council may not be able to provide certain services upon deletion of such data, including records of certification.
- EC-Council shall upon request provide written confirmation to Company that it has complied with this section within thirty (30) business days from the date of deletion.
13. Audit rights
- Subject to Section 13.2, EC-Council may make available to the Company, on Company’s expense and request, information necessary to demonstrate compliance with this Agreement, solely in relation to the Processing of the Company Personal Data by EC-Council.
- Information and audit rights of the Company only arise under Section 13.1 to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Applicable Law. The Company shall request such information only upon providing prior written notice of thirty (30) days. Provided further still that EC-Council shall be obliged to provide only such information as shall be mutually agreed between the parties.
14. Data Transfer
15. General Terms
- Confidentiality. Each Party must keep this agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- (a) disclosure is required by law;
- (b) the relevant information is already in the public domain.
- Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address. For EC-Council, all notices must be sent on [email protected].
- Amendment. No amendment, change or suspension of this Data Processing Agreement shall be valid unless agreed upon in writing between Company and the Processor and unless this Data Processing Agreement is expressly referred to.
- Independent Parties. Company and Service Provider are independent parties and the processing activities with respect to Processor under this Data Processing Agreement are solely the responsibility of Processor for their services.
- Governing law. Ireland