Data Processing Addendum

This Data Processing Addendum (“DPA”) reflects the Parties’ agreement with respect to the terms governing the processing of Personal Data under the main agreement and its terms and conditions. This DPA is an addendum to the Main Agreement and is effective upon its incorporation into the Main Agreement. The Main Agreement means the Subscription Agreement that concerns the delivery of the Skillate services (skillate.com). The term of this DPA shall follow the term of the Main Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Main Agreement.

Skillate Laboratories Private Limited, registered under the laws of India and having its registered office at 2751, 31st Main Road, PWD Quarters, 1st sector, HSR layout, Bengaluru, Karnataka 560102, India, hereinafter referred to as “Processor” and the Subscriber (as further specified in the Main Agreement) hereinafter referred to as “Controller“. Processor and Controller are hereinafter also referred to individually as “Party” or collectively as “Parties

Whereas:

Under the Agreement, the Processor provides the Services as provided under the Main Agreement to the Controller and in the context of these services, Processor will process (personal) data on Controller’s behalf.
Pursuant to article 28 of the GDPR, Parties wish to enter into this agreement in order to stipulate the conditions applicable to their relationship regarding the aforementioned activities on behalf of Controller.

The Parties agree as follows:

Article 1 Definitions

  • 1.1    In this agreement, the following terms indicated with a capital, whether single or plural, will have the following meaning:
    • a) Attachment: An attachment to this Data Processing Agreement that is an inextricable part thereof;
    • b) GDPR: The General Data Protection Regulation (2016/679/EU);
    • c) Personal Data: Data which is directly or indirectly traceable to a natural person as defined in article 4(1) of the GDPR;
    • d) Processing: Any act in relation to Personal Data as defined in article 4(2) of the GDPR.
    • e) DPA: this addendum between the Controller and the Processor;
  • 1.2   The terms Controller and Processor shall have the same meaning as provided in article 4 of the GDPR.
  • 1.3   Any other terms that occur both in this agreement, as well as the GDPR, shall have the meaning prescribed to them in article 4 of the GDPR.

Article 2 Controller and Processor of the Personal Data (article 24, 28 and 29 GDPR)

  • 2.1   Processor undertakes to Process the Personal Data under this DPA on behalf of Controller.
  • 2.2   Controller guarantees that the order to Process the Personal Data is in accordance with all relevant and applicable laws and regulations. Controller indemnifies Processor against all damage and costs arising from and/or related to claims of third parties in connection with not fulfilling this guarantee.
  • 2.3   Controller is responsible for the Processing of the Personal Data as described in this DPA.
  • 2.4   An overview of the way the Personal Data is supplied, the categories of Personal Data, the categories of data subjects, the nature and purposes of the Processing is provided in Attachment I to this DPA.

Article 3 Confidentiality

  • 3.1   Without prejudice to any existing contractual arrangements between the Parties, the Processor will treat all Personal Data as strictly confidential. The Processor shall ensure that all persons authorized to Process the Personal Data are bound to confidentiality.
  • 3.2   These obligations will not prevent a Party from sharing information with a third party to the extent such disclosure is mandatory under applicable law.

Article 4 Technical and organizational measures (article 5.1.f, 28, 32 GDPR)

  • 4.1   Processor shall implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of Processing. Considering the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the Processing and the nature of the data to be protected.
  • 4.2   Processor has provided Controller with a comprehensive, up-to-date data protection and security concept for data Processing under the terms of this DPA in Attachment II. Controller has accepted the measures mentioned in this concept and declares that these measures constitute an appropriate level of security.

Article 5 Third parties and subcontractors

  • 5.1   Processor may engage third parties and/or subcontractors for the Processing of Personal Data under this DPA.
  • 5.2   Processor is responsible for these third parties and/or subcontractors and shall impose upon the third parties and/or subcontractors the same conditions, duties and responsibilities as contained in this DPA in accordance with article 28.4 GDPR. In accordance with articles 28.3.d; 28.2 and 28.4 GDPR, Processor shall inform (in writing) Controller of any intended changes concerning the addition or replacement of these third parties and/or subcontractors, providing Controller with the opportunity to object to such changes within one week.

Article 6 International data transfer (Chapter V GDPR)

  • 6.1   Countries located inside the EEA will be assumed as having an adequate level of protection due to their obligations to comply with GDPR.
  • 6.2   Processor shall only transfer Personal Data to a country outside of the European Economic Area (EEA) when either:
    • a. There is an adequate level of protection of the data (as described in articles 44-50 GDPR) or;
    • b. without an adequate level of protection if such transfer is allowed or required under applicable law (Article 49 GDPR).
  • 6.3   Processor guarantees that subcontractors will only transfer data outside of the EEA in conformity with article 6.2 of this Agreement.

Article 7 Information and audit (article 28.3.h GDPR)

  • 7.1   If Processor believes an instruction of Controller causes a breach with the GDPR or other applicable legislation, it will immediately inform in written Controller. Parties will seek an appropriate solution together in case any external developments endanger the lawfulness of the Processing of Personal Data as described in this Agreement.
  • 7.2   Processor will provide upon Controller’s written request all information reasonably deemed necessary to demonstrate compliance with this DPA. Controller has the right to perform an audit of the Processor to determine to what extent the Processor complies with the provisions of this DPA. Such an audit will be performed by an independent third party and will take place at a time agreed upon by both Parties. Controller will bear the costs for the audit.

Article 8 Cooperation of Processor: Data Breaches and Data Subject Requests (articles 33-34 GDPR)

  • 8.1   Processor shall notify Controller within 36 hours after it obtains knowledge of a (possible) security incident pertaining to the Processing of Personal Data. In the event of a security incident Processor will offer Controller its reasonable assistance.
  • 8.2   After Processor has obtained knowledge of a security incident as meant in article 8.3 below Processor shall take reasonable measures to mitigate the results of the incident as much as possible.
  • 8.3   The term “security incident” as used in this article, includes, but is not limited to:
    • a) every unauthorized or unlawful Processing, deletion or loss of Personal Data;
    • b) every breach of the security and/or confidentiality which results in an unlawful Processing, deletion or loss of Personal Data, or any indication that such a breach will occur or already has occurred.
  • 8.4   If Processor receives a complaint or a request (articles 12-23 GDPR) from a natural person regarding the Personal Data (such as a request to access, rectification or erasure), Processor will notify Controller within one week after receiving the complaint or request and will offer Controller its reasonable assistance.
  • 8.5   All notifications made based on this article will be directed to the contract details of the
    contact person of Controller as stated below. Controller is responsible for keeping these
    contact details up to date and it warrants it will forward changes in the contact details as
    soon as possible.

Article 9 Liability (Article 82 GDPR)

  • 9.1   Processor is responsible for the proper implementation of the technical and organizational measures as set out in this DPA. Processor is not liable if these measures turn out to be insufficient.
  • 9.2   Controller indemnifies Processor against claims of third parties, including Data Protection Authorities, ensuing from the Processing of Personal Data as set out in this DPA.
  • 9.3   Any liability of Processor due to imputable failure to perform the agreement or on any other ground, is governed by the limitation of liability as agreed upon in the Main Agreement between Parties.

Article 10 Term and termination

  • 10.1   Either Party may, without judicial intervention, terminate this DPA with immediate effect upon the occurrence of any of the following events:
    • a) the other Party applies for or is granted a suspension of payments by court order, or any other event due to which that Party loses absolute control of its property;
      a bankruptcy petition is filed against the other Party or if a court of law declares a bankruptcy (or other relevant order) of the other party;

    • b) the other Party discontinues its business and/or goes into voluntary liquidation;
    • c) the other Party commits a breach of any of the provisions of the DPA and, in the event of a remediable breach, if such breach is not remedied within fifteen (15) days of receipt of written notice demanding that the breach be remedied.
  • 10.3   The obligations from this DPA which are by their nature destined to continue after termination accordingly remain in force after termination of this DPA.
  • 10.4   Processor will not store the Personal Data longer than is necessary for the purposes for which the data were collected, in accordance with article 5.1.c GDPR. Processor works with a tail period of 24 months for the purposes of enrolment verification. This means that for a period of twenty-four (24) months after termination of the partnership agreement the Processor will retain the data collected for the purposes of this partnership agreement.
  • 10.5   After the tail period ends, Processor will delete or anonymise within 1 month all Personal Data it then Processes for Controller, unless applicable legislation requires Processor to store the Personal Data longer.
  • 10.6   During this term Processor shall, upon the request of Controller, provide Controller with the Personal Data it then Processes in a format as decided on by the Processor.

Article 11 Applicable law and competent court

  • 11.1 This DPA is governed by the laws specified in the main agreement.
  • 11.2 All controversies, disputes or claims arising out of or relating to this DPA will be settled by the court specified in the main agreement.

Appendix I, II and III are available on request.