This Data Processing Agreement (“DPA”) sets out the additional terms, requirements and conditions on which SkillsTrust will process Personal Data when providing the Services and contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) for contracts between controllers and processors.

AGREED TERMS

1. INTRODUCTION

2. 1 In providing the Services under the Agreement, SkillsTrust may be required to process Per-sonal Data on Client’s behalf. The parties record their intention that Client and its Affiliates (as applicable) shall be the Controller and SkillsTrust shall be a Processor.

3. 2 Client and its Affiliates shall, at all times, comply with their respective obligations as Control-ler and shall be responsible for Processing of all Personal Data processed under or in connec-tion with the Agreement by their respective contractors or agents and Authorised Users in accordance with their obligations under applicable Data Protection Laws.

4. 3 Client shall ensure that Authorised Users and all relevant third parties have, been informed of, and have given their consent, as required by Data Protection Laws to the specific Pro-cessing as contemplated by this DPA.

5. 4 Annex 1 to this DPA sets out certain information regarding SkillsTrust and its subprocessors Processing of the Personal Data as required by article 28(3) of the GDPR.

6. 5 Client hereby instructs SkillsTrust (and consents and authorises SkillsTrust to instruct each subprocessor) to process Client Personal Data as reasonably necessary for the provision of the services and consistent with this DPA.

7. 6 The terms "Controller", "Processor", "Data Subject", "Personal Data", “Personal Data Breach” and "Process/Processing" have the same meaning as described in GDPR and shall be construed accordingly.

8. DATA PROTECTION OBLIGATIONS

9. 1 To the extent that SkillsTrust Processes Client Personal Data pursuant to the Agreement, SkillsTrust warrants, represents and undertakes to Client that it shall:

10. 1.1 not process, disclose to or source from any third party, any Personal Data except to the extent, and in such a manner, as is reasonably necessary for the provision of the Services and then only where SkillsTrust is acting on and in accordance with the express written instructions of Client and/or its Affiliates, and at all times in ac-cordance with all Data Protection Laws;

11. 1.2 implement and maintain appropriate technical and organisational measures to pro-tect Client Personal Data including but not limited to against accidental unauthor-ised or unlawful loss, destruction, damage, alteration, access, disclosure or other Processing;

12. 1.3 not transfer or Process any Client Personal Data outside the European Economic Area, including any transfer via electronic media, without the express prior written consent of Client (and subject then in any event to the execution of an appropriate data transfer agreement);

13. 1.4 cooperate as reasonably requested by Client to enable Client to (i) comply with any exercise of rights by a Data Subject under the Data Protection Laws in respect of Personal Data processed by SkillsTrust under this DPA and shall implement and maintain appropriate technical and organisational measures to assist Client in re-sponding to such requests from Data Subjects and shall notify Client promptly upon receipt of any such request from a Data Subject; and (ii) comply with any assess-ment, enquiry, notice or investigation under the Data Protection Laws which in-cludes assisting Client where required in its obligations under Articles 35 and 36 of GDPR (including but not limited to the completion of a data protection impact as-sessment) to the extent this relates to the Services. Any such reasonable assistance shall be at the cost of Client;

14. 1.5 maintain proper up to date records of any Client Personal Data Processed by or on behalf of SkillsTrust pursuant to this DPA;

15. 1.6 ensure that all SkillsTrust Personnel engaged in the provision of the Services have entered into a confidentiality agreement with SkillsTrust and shall further ensure that such SkillsTrust Personnel are made aware of and observe SkillsTrust's obliga-tions under this DPA with regard to the security and protection of Personal Data;

16. 1.7 at Client's option within thirty (30) days in writing to SkillsTrust, either (i) return to Client, or, (ii) delete from its systems, or destroy and make permanently unusable, all Client Personal Data and any copies, records, analysis, memoranda or other notes to the extent containing or effecting any Personal Data and SkillsTrust shall provide a certificate of confirmation from a senior authorised representative of SkillsTrust that this paragraph 2.1.7 has been complied with in full in accordance with SkillsTrust extract, return and deletion procedures and no longer than thirty (30) days from receipt of the request;

17. 1.8 appoint and identify to Client a named individual within SkillsTrust to act as a point of contact for any enquiries from Client relating to Personal Data and cooperate in good faith with Client concerning all such enquires within a reasonable time period;

18. 1.9 only sub-contract any element of the data Processing provided that (i) Client has given its express prior written consent to the use of such a sub-contractor or (ii) has given its prior general consent to sub-contracting of the data Processing by Skill-sTrust from time to time. In the case of (ii), SkillsTrust will maintain a list of subcon-tractors used from time to time in relation to the data Processing and will make such list available to Client with any proposed additional or replacement sub-contractors prior to the introduction of any such addition or replacement. Client may acting reasonably object to the SkillsTrust or replacement of any particular sub-contractor proposed by SkillsTrust. If no written objections have been received within ten (10) days, the proposed subprocessor shall be deemed accepted. Skill-sTrust shall ensure that (i) the terms governing the engagement between Skill-sTrust and any subcontractors are not less protective with respect to Processing of Client Personal Data compared to the provisions of this DPA and any other relevant provisions of the Agreement to the extent those requirements are applicable to the nature of the services provided by the subprocessor; and (ii) SkillsTrust will remain responsible for the sub-contractor’s compliance with its obligations and for any acts or omissions of such subcontractor.

19. PERSONAL DATA BREACH
    Without prejudice to the other provisions of this DPA, SkillsTrust shall promptly upon becom-ing aware of any Personal Data Breach (and in any event within twenty four (24) hours of be-coming aware of the Personal Data Breach) notify Client of the Personal Data Breach by tel-ephone and by email, and where the Personal Data Breach directly affects Client Personal Data or the Services being offered to Client. SkillsTrust shall, at no additional cost to Client (save that Client shall reimburse SkillsTrust's reasonable costs where SkillsTrust has complied fully with its obligations under this DPA and such Personal Data Breach is not due to Skill-sTrust default or neglect), provide Client with all resources and assistance as required by Cli-ent for Client to notify the Office of the Data Protection Commissioner and/or Information Commissioners Office (or analogous body in any other relevant jurisdiction and/or any bod-ies which may succeed or replace them from time to time and any other relevant Regulatory Authorities) of the Personal Data Breach and for Client to provide such reports or infor-mation as may be requested by it in relation to such Personal Data Breach and/or for Client to notify the relevant Data Subjects of such Personal Data Breach, as applicable.

20. SUBPROCESSORS AND DATA TRANSFERS

21. 1 Client acknowledges and confirms it prior general consent to sub-contracting of the data Processing by SkillsTrust from time to time to its subprocessors, an up to date list of which is maintained by SkillsTrust and available on request, and which may be changed in accordance with Clause 2.1.9.

22. 2 SkillsTrust shall process Client Personal Data in the EU/European Economic Area (EEA) and Client Personal Data shall not be transferred outside of EU/EEA to a country that the Euro-pean Commission has not determined has adequate protection for Personal Data, without Client’s prior written consent. Where Client Personal Data for EEA data subjects is trans-ferred outside of the EU/EEA, the parties shall enter into appropriate data transfer agree-ments.

23. CHANGES IN DATA PROTECTION LAWS

24. 1 Should changes to applicable Data Protection Laws, including the interpretation thereof, en-tail increased costs for SkillsTrust or its Subprocessors, SkillsTrust may, subject to providing written notice to Client, increase the rates charged to Client to reflect the increased costs. The increase to Client should be fair and reasonable and should be proportional to what oth-er similar SkillsTrust clients are being asked to pay.

25. 2 SkillsTrust may propose variations to this Appendix which SkillsTrust reasonably considers to be necessary to address the requirements of any Data Protection Laws. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified as soon as is reasonably practicable. Client shall not unreasonably withhold or de-lay agreement to any consequential variations to this Appendix proposed by SkillsTrust to protect SkillsTrust and the Subprocessors against additional risks associated with the varia-tions proposed.

26. AUDIT
    Upon 30 days written request by Client, not more than once per year, Client may conduct an audit of SkillsTrust systems, processes, and procedures relevant to the protection of Personal Data at locations where Personal Data is Processed. SkillsTrust will work cooperatively with Client to agree on an audit plan in advance of any audit. If the scope of the audit is addressed in an ISO 27001/27701 or similar audit report performed by a qualified third party auditor within the prior 12 months, and SkillsTrust data protection or other relevant officer certifies in writing there are no known material changes in the controls audited, Client shall agree to accept those reports in lieu of requesting an audit of the controls covered by the report. SkillsTrust will reasonably cooperate with and assist Client where a Regulator requires an au-dit of the data processing facilities from which SkillsTrust process Personal Data in order to ascertain or monitor Client’s compliance with Data Protection Laws.

27. INDEMNITY
    SkillsTrust shall indemnify Client from and against any and all third party claims, suits, de-mands and actions and for resulting damages, awards of damages, losses, costs, and expens-es (including but not limited to any regulatory fines and reasonable legal and professional fees) incurred by Client that result or arise from any breach by SkillsTrust of the terms and conditions of this DPA and/or Data Protection Laws. SkillsTrust shall be liable on a compara-tive basis for the portion of those damages directly attributable to its breach of its obliga-tions and the indemnity shall be subject to the limitations of liability in the Agreement.

 
ANNEX 1: DETAILS OF PROCESSING OF CLIENT AND AUTHORISED USER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Client and Authorised User Personal Data as required by Article 28(3) GDPR.
(a) Subject matter and duration of the Processing of Client and Authorised User Per-sonal Data
The subject matter is Client Personal Data an--d Authorised User Personal Data and the duration of the Processing of Client Personal Data and Authorised User Personal Data is set out in the Agree-ment
(b) The nature and purpose of the Processing of Client and Authorised User Personal Data
SkillsTrust will Process Personal Data as necessary to perform the Services pursuant to the Agree-ment and as further instructed by the Client and/or Authorised User in its use of the Services.
(c) The types of Personal Data to be Processed
Client and Authorised User Personal Data relating to the following type of data categories:
• First name and last name
• Contact Information (email, phone, work location)
• [ ]
The types of Personal Data may change from time to time, according to any additional or amended Services to be provided by SkillsTrust.
(d) The categories of Data Subject to whom Client and Authorised User Personal Data relates
Client Personal Data relating to the following type of Data Subjects:
• Client employees; and
• Authorised Users (as defined in the Agreement)
(e) The obligations and rights of Client
These are as set out in the Agreement and this DPA.
SkillsTrust may provide notice of change to these provisions where an update is required due to changes to services or changes required due to applicable Data Protection Laws, including the inter-pretation thereof.