Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the Agreement for Services ("Agreement") between you, the service user ("Controller"), and Millennials With Money OÜ, Tornimäe 3, 10145 Tallinn, Estonia ("Processor"), to the extent the Agreement involves the processing of personal data.

 

The purpose of this Addendum is to set out the Controller's and Processor's obligations in relation to any processing of personal data carried out as part of the Agreement. In case of conflict between this Addendum and the Agreement, this Addendum takes precedence regarding personal data processing obligations.

 

1. DEFINITIONS

1.1. In this Addendum:

"Data Protection Regulations" means all applicable data protection laws, including: (a) the Privacy and Electronic Communications Directive 2002/58/EC; (b) the GDPR; (c) the Data Protection Act 2018 and all other national legislation implementing or supplementing the foregoing; and (d) all associated codes of practice and binding guidance issued by any competent regulator; all as amended, re-enacted or replaced and in force from time to time.

"GDPR" means the General Data Protection Regulation 2016/679.

"Services" means any services to be provided under the Agreement.

1.2. When used in this Addendum, the following terms will have the meaning as in the Data Protection Regulations: personal data, data controller, data processor, processing, and supervisory authority.

 

2. BACKGROUND

2.1. Under the Agreement, Processor provides you with Services, which may include online course platform software, online course management and administration, and support and maintenance.

2.2. This may involve the processing of personal data by Processor on your behalf as part of providing the Services, including personal data relating to your customers, students, or subscribers.

 

3. DESCRIPTION OF PROCESSING

The processing carried out by Processor is as follows: (a) the nature and subject matter are as described in Section 2.1, and the duration is throughout the period Processor performs relevant Services under the Agreement; (b) the purpose is to enable Processor to perform Services under the Agreement; (c) the personal data processed will be any personal data Controller provides to enable or facilitate Services by Processor as described in Section 2.1, and categories of data subjects are as described in Section 2.2; and (d) Controller's obligations and rights are set out below.

 

4. COMPLIANCE WITH THE DATA PROTECTION REGULATIONS

Both parties will comply with (and ensure their personnel and subcontractors comply with) the Data Protection Regulations.

 

5. RELATIONSHIP AND ROLES OF THE PARTIES

5.1. In relation to processing personal data under the Agreement, the parties agree that (a) you, the Service User, are the data controller and (b) Millennials With Money OÜ is the data processor.

5.2. Processor agrees it will process personal data according to the Agreement, including this Addendum.

 

6. RESPONSIBLE INDIVIDUALS AND ENQUIRIES

Each party will notify the other of the authorized individual to respond to enquiries regarding personal data and processing. Each party will deal promptly and reasonably with all such enquiries.

 

7. PROCESSING OF PERSONAL DATA BY PROCESSOR

7.1. In relation to processing personal data under the Agreement, Processor will:

7.1.1. Process personal data only as necessary for the Services and only according to (a) the Agreement and (b) Controller's documented instructions (Section 7.3), unless legally required otherwise. If legally required to process differently, Processor will notify Controller before processing (unless prohibited by law).

7.1.2. Implement appropriate technical and organizational measures to ensure security appropriate to processing risks, particularly against accidental/unlawful destruction, loss, alteration, unauthorized disclosure, or access.

7.1.3. Take reasonable steps to ensure only authorized personnel access personal data and respect confidentiality (including contractual duty where not legally bound).

7.1.4. Not engage any sub-processors without Controller's prior written consent and in accordance with Section 8.

7.1.5. Not do or omit anything that would cause Controller to breach Data Protection Regulations.

7.1.6. Promptly notify Controller if, in Processor's opinion, any Controller instruction infringes Data Protection Regulations.

7.2. Where applicable, for any personal data processed under the Agreement, Processor will cooperate with and assist Controller in ensuring compliance with:

7.2.1. Controller's obligations to respond to data subject requests exercising GDPR Chapter III rights, including by notifying Controller of any written subject access requests Processor receives.

7.2.2. Controller's obligations under GDPR Articles 32-36 to: (a) ensure processing security; (b) notify supervisory authority and data subjects of personal data breaches; (c) carry out data protection impact assessments; and (d) consult supervisory authority before high-risk processing where Controller hasn't mitigated risk.

7.3. Controller instructs Processor to process personal data to provide Services according to the Agreement (including this Addendum). Controller may provide additional written instructions, but Processor is obligated to perform them only if consistent with the Agreement's terms and scope.

 

8. SUB-PROCESSORS (THINKIFIC)

8.1. Controller hereby provides a general prior authorization that Processor may engage sub-processors, specifically Thinkific.

8.2. Processor will ensure any sub-processor (including Thinkific) engaged to provide services on its behalf does so only via a written agreement no less protective than this DPA. Processor will be liable for any sub-processor's act or omission as if performed by Processor.

8.3. Processor will notify Controller of any new sub-processors or changes to existing sub-processors before engagement. A list of Thinkific's main sub-processors is available at https://www.thinkific.com/thinkificsubprocessors/.

8.4. If Controller (established in EEA, UK, or Switzerland, or where Data Protection Regulations require) reasonably objects to a new sub-processor in writing within 15 days of notification (Section 8.3), and Processor chooses to retain the objected sub-processor, Processor will notify Controller at least 15 days before authorizing personal data processing. Controller may then terminate the relevant Service portion(s) within 30 days. Upon such termination, Processor will refund prepaid fees for the terminated portion(s) of Service.

 

9. MONITORING OF PROCESSOR'S PERFORMANCE

Controller is entitled, at its expense, to monitor and audit Processor's compliance with Data Protection Regulations and its data processing obligations under the Agreement, not more than once per year during normal business hours. Processor agrees to promptly provide all reasonable access, assistance, and information. If an on-site audit is deemed necessary, Processor agrees to give reasonable access to its premises (subject to confidentiality/security), stored personal data, and on-site data processing programs. Controller may have the audit carried out by a third party.

 

10. COMPLETION OF SERVICES

Upon completion of Services, Processor will return or delete personal data processed under the Agreement according to its provisions, except if legally required to retain copies.

 

11. REMEDIES

Controller's remedies for any breach by Processor of this Addendum, and Processor's overall aggregate liability arising from or in connection with the Agreement (including this Addendum), will be subject to any agreed aggregate limitation of liability ("Liability Cap") under the Agreement. The parties agree that Processor's overall aggregate liability will not exceed the Liability Cap.