TERMS AND CONDITIONS FOR PROCESSING OF PERSONAL DATA

Part I: Terms of contract – ANNEX 1

The Company complies with the procedures required by the current data protection legislation and regulations regarding the processing and protection of personal data. The Company is responsible for ensuring that the service complies with the data protection legislation and the requirements of the contract in force at any given time, taking particular account of what is stipulated about data protection by design and by default.

The Client is the data controller. As a personal data processor, the Company complies with the terms and conditions attached to this agreement regarding the processing of personal data.

Part II: Terms and conditions for processing of personal data

General

This contract appendix “Terms and conditions for the processing of personal data” is part of the Contract (Journal number X), hereinafter the “Agreement”, that the Client has concluded with the Company.

In this contract addendum, the contractual terms regarding the processing of personal data and data protection are defined, binding on the Client and the Company, according to which the Company processes personal data on behalf of the Client. There is no separate compensation for the Company’s actions and obligations described in these terms and conditions, unless otherwise agreed.

The parties’ roles in the processing of personal data

When processing personal data, the Client is the data controller and the Company is the personal data processor, unless otherwise determined by the purpose of personal data processing. “Client’s personal data” in these terms means personal data for which the Client is responsible as the data controller.

The object, nature and purpose of the processing of personal data, as well as the types of personal data and groups of data subjects, as well as the obligations and rights of the controller and the processor are described in the description of processing operations in appendix 1 of these terms or in other instructions of the Client. The Company undertakes to comply with the conditions and descriptions in the Agreement, the description of the processing operations and the instructions. The Client is responsible for the maintenance and availability of the instructions.

If the description of the processing operations according to section 2.2 has not been made or it is incomplete, the Client prepares or completes the description of the processing operations, if necessary, in cooperation with the Company.

General obligations of the Company

The Company processes personal data in accordance with the Agreement and the instructions given by the Client. Where a group of companies acts as the Processor, the obligations of this contract addendum apply to all members of the group and to the subcontractors used by the group that participate in the processing of personal data.

The Company implements appropriate technical and organizational measures to ensure that the processing of the Client’s personal data takes place in accordance with the requirements of the contract and the agreed practices. The purpose of the measures is to ensure lawful processing of personal data and the confidentiality, integrity, availability and fault tolerance of the processing systems and services.

The Company and the Client shall implement and maintain appropriate technical and organizational security measures to protect the Personal Data within their area of responsibility, in order to safeguard the Personal Data against unauthorised or unlawful processing or access and against accidental loss, destruction or damage. Such measures include where necessary and appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the following measures:
● access right controls to systems containing Personal Data;
● the anonymisation/pseudonymisation and encryption of Personal Data;
● the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Service;
● the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
● a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Edulyzer Ltd shall ensure that persons processing Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Company does not process or otherwise utilize the personal data it processes on the basis of the contract other than for the purpose and scope of fulfilling the contract.

The Company appoints a data protection officer or a contact person responsible for data protection for contacts related to the Client’s personal data. The Company will inform the Client in writing of the contact details of the data protection officer or contact person. Data protection officer: Tero Rynkä, tero.rynka@edulyzer.com, tel. +358 5030 70 792.

The Company makes available to the Client, upon its request, all the information that the Client needs to demonstrate compliance with the obligations imposed on the data controller and on the Company, and participates, when requested and in the agreed manner, in preparing and maintaining the descriptions and other documents, such as the impact assessment, which are the responsibility of the Client, and in conducting the prior consultation in accordance with the Data Protection Regulation. The Company performs these tasks at the prices according to the contract, unless otherwise agreed.

The Company will notify the Client without delay of all data subjects’ requests concerning the exercise of the data subject’s rights. The Company itself does not respond to these requests. The Company assists the Client so that the Client is able to fulfill its obligation to respond to these requests. Requests may require the Company, for example, to assist the data subject in informing and communicating, implementing the data subject’s right of access, correcting or deleting personal data, restricting processing or transferring the subject’s personal data from one system to another. Unless otherwise agreed, the Company has the right to invoice the Client with the prices agreed in the contract, if the assistance causes additional costs for the Company. The Company is obliged to notify the Client in advance of possible additional costs.

The Company allows and participates in inspections performed by the Client or its authorized auditor. More detailed conditions regarding the inspection procedure are in the contract.

Client’s instructions

In processing the Client’s personal data, the Company complies with the terms agreed in the contract and these special terms and conditions, as well as the Client’s written instructions. The Client is responsible for the maintenance and availability of the instructions. The Company will notify the Client without undue delay if the instructions given by the Client are incomplete or if the Company suspects that they are unlawful.

The Client has the right to change, supplement and update the instructions regarding personal data processing and data protection given to the Company. If the changes to the instructions result in other than minor changes related to the services according to the contract, their effect will be agreed upon in the change management procedure according to the contract.

Service personnel

The Company ensures that all persons working under it, who have the right to process the Client’s personal data, are committed to comply with the confidentiality terms agreed in the contract or are subject to a statutory confidentiality obligation.

The Company ensures that every person operating under it who has access to the Client’s personal data is aware of their obligations related to the processing of personal data and processes them only in accordance with the agreement, these special conditions and the Client’s instructions.

Subcontractors who process personal data

To the extent that the Company uses subcontractors who process personal data in its operations, the conditions described in this contract appendix apply to the subcontracting in addition to the Agreement.

If the Company’s subcontractor processes the Client’s personal data, using the subcontractor requires prior written permission from the Client.

The Company enters into a written agreement with the subcontractor, in which it commits the subcontractors it uses to comply with the obligations set for the Company in the contract and with the instructions given by the Client regarding the processing of personal data that are valid at any given time. The Company ensures that the Client’s inspection right according to the contract can be extended to the subcontractor.

The Company is responsible for the work of subcontractors as if it were its own. The Company is responsible for ensuring that the subcontractor complies with the obligations imposed on the personal data processor. If the Client justifiably believes that the Company’s subcontractor does not fulfil its data protection obligations, the Client has the right to require the Company to change the subcontractor.

The Client must be notified in advance of changing the subcontractor involved in the processing of personal data. The notification must describe how the subcontractor processes the Client’s personal data in accordance with data protection legislation. The Client has the right to object to the proposed subcontractor for a justified reason.

The subcontractors/third parties used are:
● Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg. Data Privacy FAQ: https://aws.amazon.com/compliance/data-privacy-faq/
● MongoDB, Building 2, Number 1 Ballsbridge Shellbourne Road, Ballsbridge, D04 Y3X9, Dublin, Ireland. Data Privacy policy: https://www.mongodb.com/legal/privacy-policy

Place of service

Unless otherwise agreed on the location of the service, the Company has the right to process the Client’s personal data only in the European Economic Area. What is agreed in the contract and these special terms regarding the processing of personal data also applies to enabling access to the Client’s personal data, for example via a management and monitoring connection.

If the contracting parties agree that the Company may transfer the Client’s personal data outside the European Economic Area, the contracting parties will ensure that the transfer of personal data is carried out in accordance with legislation.

Data security breaches

The Company must notify the Client in writing, without undue delay, of any personal data security breach it has become aware of. In addition, the Company undertakes to notify the Client without undue delay of other service disruptions or problem situations that may have an impact on the status and rights of the data subjects.

The Company must provide the Client with at least the following information about the data security breach:

i. a description of the data security breach that occurred, including the groups and estimated numbers of data subjects concerned and the groups and estimated numbers of personal data types as accurately as these are known;
ii. the name and contact information of the data protection officer or other responsible person from whom one can get more information on the matter;
iii. a description of the likely consequences of a data breach; and
iv. a description of the measures that the Company proposes or has already taken as a result of the data security breach, and, if necessary, the measures to mitigate possible adverse effects.

Upon detecting a security breach of personal data, the Company will immediately take the measures agreed in the contract to eliminate the security breach and to limit and correct its effects.

Data security measures for personal data

● Personal data is stored in the database as cryptographic hashes. Restoring a cryptographic hash to its original form is technically impracticable or at least very difficult.
● To the extent that personal data cannot be stored as cryptographic hashes, for example while it is being processed, it is held only in the main memory of the server.
● The system database is encrypted on disk.
● Connection to the system’s database is made possible by technical arrangements only from servers intended for data processing.
● Control of the application’s access rights is based on role-based rights management.
● The database cannot be used directly; all data processing requests must pass through back-end data processing systems, which check the access rights of each request.
● All connections are secured. This applies both to the connections between the Edulyzer application and the back-end systems and to those between the back-end systems and the database.
● Best practices of software development models are used in the development of the back-end systems and other parts of the Edulyzer applications.
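As an added illustration of the measures listed above (example code, not Edulyzer’s own, and not part of the original document), the following Python shows two of them together: identifiers stored only as keyed cryptographic hashes, and a back-end gate that checks role-based rights before any request reaches the data. The page does not say how its hashes are computed, so the HMAC-SHA256 construction, the server-side key, the mapping of roles to dashboard views and the sample records are all assumptions made for this example. A keyed hash is used here because an unkeyed hash of a short, guessable value such as a person’s name can be matched by hashing candidate names and comparing; with the key held outside the database, the stored value on its own does not reveal the name.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed demo key. In a real deployment the key would come from a secret
# store on the processing servers, never from the database holding the hashes
# (this is an assumption for the example, not a description of Edulyzer's setup).
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def pseudonymize(name: str, key: bytes = SERVER_KEY) -> str:
    """Return the keyed hash under which an identifier is stored.

    The name is normalised first (case, surrounding and repeated whitespace)
    so that the same person always maps to the same stored value.
    """
    canonical = " ".join(name.strip().lower().split())
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


# Role-based rights management: the dashboard views each role may request.
# Role and view names follow the description of processing activities
# (pupils, guardians, teachers, class teachers, principal); the exact mapping
# is assumed for this example.
ROLE_VIEWS: Dict[str, FrozenSet[str]] = {
    "pupil": frozenset(),
    "guardian": frozenset(),
    "teacher": frozenset({"limited"}),
    "class_teacher": frozenset({"limited", "class"}),
    "principal": frozenset({"limited", "class", "school"}),
}


def authorize(role: str, view: str) -> bool:
    """Back-end access check. Unknown roles are denied everything."""
    return view in ROLE_VIEWS.get(role, frozenset())


def build_store(records: Tuple[Tuple[str, str], ...], key: bytes = SERVER_KEY) -> Dict[str, Dict[str, str]]:
    """Write class membership into a store keyed by pseudonym.

    The clear-text name is used only to derive the key and is never stored.
    """
    store: Dict[str, Dict[str, str]] = {}
    for name, class_id in records:
        store[pseudonymize(name, key)] = {"class": class_id}
    return store


def class_of(name: str, store: Dict[str, Dict[str, str]], key: bytes = SERVER_KEY) -> Optional[str]:
    """Resolve a person's class by recomputing the pseudonym at request time."""
    return store.get(pseudonymize(name, key), {}).get("class")


def handle_request(role: str, view: str, name: str, store: Dict[str, Dict[str, str]], key: bytes = SERVER_KEY) -> Dict[str, Optional[str]]:
    """Single entry point for data requests: authorise first, then look up."""
    if not authorize(role, view):
        raise PermissionError(f"role {role!r} may not access view {view!r}")
    return {"view": view, "class": class_of(name, store, key)}


if __name__ == "__main__":
    # Constructed sample records for the demonstration.
    sample = (("Anna Virtanen", "3A"), ("Ville Mäkinen", "5B"))
    db = build_store(sample)
    print("stored keys:", list(db))          # hex digests only, no names
    print(handle_request("class_teacher", "class", "anna virtanen", db))
    try:
        handle_request("teacher", "class", "anna virtanen", db)
    except PermissionError as exc:
        print("denied:", exc)
```

Run as a script, the block prints the stored pseudonyms (64-character hex strings), the class resolved for a class teacher, and the denial raised when an ordinary teacher requests the class view. Because the lookup recomputes the HMAC with the server key, a copy of the database alone does not let anyone map the stored values back to names.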

Termination of personal data processing

During the term of the agreement, the Company may not delete the personal data it has processed on behalf of the Client without the Client’s express request.

Upon ending or termination of the agreement, the Company will, upon request, return to the Client all personal data processed on behalf of the Client and destroy any copies of personal data from its own files, unless otherwise agreed.
Personal data may not be deleted if the law or an official order requires the Company to keep the personal data. The Company retains the right to use anonymized response data in product development and educational research.

DESCRIPTION OF PROCESSING ACTIVITIES – ANNEX 2

Parties
Client: //Client name here//
Company: Edulyzer Oy, Business ID FI32591036.

The purpose of the document

The Client has entered into an Agreement with the Company regarding a service in which the Company acts as a processor of personal data belonging to the personal register maintained by the Client.
This document describes the processing operations that the Company as a personal data processor performs on behalf of the Client, the types of personal data and the personal data processed.
This document is attached to Agreement No.26 as Annex No.2.
When processing personal data, the Agreement between the Company and the Client and the Client’s instructions must be followed.

Types of personal data and groups of data subjects

The parties have agreed that the Company processes the following personal data belonging to the Client’s personal register in order to provide the service agreed in the Agreement on behalf of the Client.
● Groups subject to processing: teachers and principal of the Client’s School X.
● Personal data subject to processing: name and class information (class teachers and principal only), received via a 3rd party application or directly.

The nature and purpose of the processing

The parties have agreed that the Company will provide the Client with data services for the development of the school community. This may or may not require the names of the learners of the Client’s School X to be stored in the Edulyzer system, depending on format and quality of Client School X’s user database.

The processing is divided into three parts:

Data collection
During the pilot period, data is collected using the Edulyzer application. The application is used either with a mobile device or another suitable terminal device with a web browser.
The service works with a non-personal code. It requires logging in through the sign-in interface.
During the pilot period:
● The following user groups log in to the system through the given code: pupils, guardians, teachers and the principal. Edulyzer itself does not maintain a user register. Users are treated only as technical identifiers that cannot be linked to natural persons.
● After all the user groups have answered, class teachers can access class information from the dashboard (anonymous data from pupils) via individual links. This link does not require a name or other identifier from the user. Edulyzer sends the links for each class to the school, where they are shared with the accountable class teachers.
● After all the user groups have answered, the principal can access school and class information from the dashboard (anonymous data from pupils and teachers) via an individual link. This link does not require a name or other identifier from the user. Edulyzer sends the link to the school, where it is shared with the accountable principal. This view can be shared with, e.g., the management team if needed.
● After all the user groups have answered, teachers other than those mentioned above can access limited information from the dashboard (anonymous data from pupils and teachers) via a common link. This link does not require a name or other identifier from the user. Edulyzer sends the link to the school, where it is shared with the above-mentioned teachers.

Data retention
The data collected during the pilot period is stored on servers located within the European Union.
● AWS: Sweden
● MongoDB: Sweden
● Trivore: Finland

Data usage
The collected data is used during the pilot and at the time mentioned in the contract (as well as anonymized comparison data after that) to describe the state of the school community and to develop its operations. The goal of using the application is to create the best possible conditions for learning and the development work of the school community.
After the pilot, the data can be utilized only in anonymized form for
● academic research and/or
● product development
purposes. No individual school, class or user can be identified from the data.

Duration of personal data processing
The Company will process the personal data identified in this appendix for the following period: 6 months after the end of the pilot. If the Client chooses to continue using Edulyzer after the pilot period, the utilization of the collected data will be addressed in a separate agreement.