1.1. In this Addendum:
“Data Protection Regulations” means all laws applicable to any personal data processed under or in connection with the Agreement, including: (a) the Privacy and Electronic Communications Directive 2002/58/EC; (b) the GDPR; (c) the Data Protection Act 2018 and all other national legislation implementing or supplementing any of the foregoing; and (d) all associated codes of practice and other binding guidance issued by any competent regulator; all as amended, re-enacted or replaced and in force from time to time;
“GDPR” means the General Data Protection Regulation 2016/679; and
“Services” means any services to be provided under the Agreement.
1.2. When used in this Addendum, the following terms will have the same meaning as in the Data Protection Regulations: (a) personal data; (b) data controller; (c) data processor; (d) processing; and (e) supervisory authority.
2.1. Under the Agreement, Thinkific may provide you with Services in relation to any one or more of: (a) online course platform software; (b) online course management and administration; and (c) support and maintenance.
2.2. This may involve the processing of personal data by Thinkific on your behalf as part of the provision of the relevant Services, including personal data relating to your customers, students or subscribers or other individuals with whom you deal in the course of your business.
3. Description of Processing
The processing to be carried out by Thinkific is as follows: (a) the nature and subject matter of the processing are as described in Section 2.1 and the duration of the processing will be throughout the period within which Thinkific performs the relevant Services under the Agreement; (b) the purpose of the processing is to enable Thinkific to perform the relevant Services under the Agreement; (c) the personal data to be processed will be any personal data you provide in order to enable or facilitate the provision of the Services by Thinkific under the Agreement as described in Section 2.1, and the categories of data subjects are as described in Section 2.2; and (d) the obligations and rights of the data controller in relation to the processing are set out below.
4. Compliance with the Data Protection Regulations
The parties will comply (and will ensure that their personnel and subcontractors comply) with the Data Protection Regulations.
5. Relationship and Roles of the Parties
5.1. In relation to the processing of personal data under the Agreement, the parties acknowledge and agree that (a) you are the data controller and (b) Thinkific is the data processor.
5.2. Thinkific agrees that it will process the personal data in accordance with the terms of the Agreement including this Addendum.
6. Responsible Individuals and Enquiries
Each party will notify the other of the individual within its organisation authorised to respond from time to time to enquiries regarding the personal data and the processing which is the subject of the Agreement. Each party will deal promptly and reasonably with all such enquiries.
7. Processing of personal data by Thinkific
7.1. In relation to the processing of personal data under the Agreement, Thinkific will:
- 7.1.1. process the personal data only to the extent necessary in order to provide the Services and then only in accordance with (a) the terms of the Agreement and (b) your documented instructions from time to time as provided in accordance with Section 7.3, unless otherwise required by law. Where Thinkific is required by law to process the personal data otherwise than as provided by the Agreement, it will notify you before carrying out the processing concerned (unless the law also prevents Thinkific from doing so);
- 7.1.2. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed under the Agreement;
- 7.1.3. take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
- 7.1.4. not engage any sub-processors in the performance of the Services without your prior written consent and otherwise in accordance with Section 8 at all times;
- 7.1.5. not do, or omit to do, anything which would cause you to be in breach of your obligations under the Data Protection Regulations; and
- 7.1.6. promptly notify you if, in Thinkific’s opinion, any instruction given to Thinkific infringes the Data Protection Regulations.
7.2. Where applicable in respect of any personal data processed under the Agreement, Thinkific will co-operate with and assist you in ensuring compliance with:
- 7.2.1. your obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying you of any written subject access requests Thinkific receives relating to your obligations under the Data Protection Regulations; and
- 7.2.2. your obligations under Articles 32 – 36 of the GDPR to: (a) ensure the security of the processing; (b) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to personal data; (c) carry out any data protection impact assessments of the impact of the processing on the protection of personal data; and (d) consult the relevant supervisory authority prior to any processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by you to mitigate the risk.
7.3. You hereby instruct Thinkific to process personal data to provide the Services in accordance with the Agreement (including this Addendum). You may provide additional instructions to Thinkific to process personal data in writing; however, Thinkific will be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this Addendum.
8.1. You hereby agree and provide a general prior authorization that Thinkific and its affiliates may engage sub-processors.
8.2. Thinkific will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written agreement that is no less protective than this DPA. Thinkific will be liable for any act or omission of the sub-processor to the same extent as if the act or omission were performed by Thinkific.
8.3. A list of Thinkific’s main sub-processors is available at https://www.thinkific.com/thinkificsubprocessors/.
Where you have given a general authorisation to Thinkific to engage sub-processors, then prior to engaging a new sub-processor under the general authorisation Thinkific will notify you of any changes that are made and, subject to Section 8.4, give you an opportunity to object to them.
8.4. This Section 8.4 will apply only where and to the extent that you are established within the European Economic Area, the United Kingdom or Switzerland or where otherwise required by Data Protection Regulations applicable to you. In such event, if you object on reasonable grounds relating to data protection to Thinkific’s use of a new sub-processor you will promptly, and within 15 days following Thinkific’s notification pursuant to Section 8.3, provide written notice of such objection to Thinkific. Should Thinkific choose to retain the objected-to sub-processor, Thinkific will notify you at least 15 days before authorizing the sub-processor to process personal data and you may terminate the relevant portion(s) of the Services within 30 days. Upon any termination by you pursuant to this Section 8.4, Thinkific will refund to you any prepaid fees for the terminated portion(s) of the Service that were to be provided after the effective date of termination.
9. Monitoring of Thinkific’s Performance
You are, at your expense, entitled to monitor and audit Thinkific’s compliance with the Data Protection Regulations and its obligations in relation to data processing under the Agreement at any time during normal business hours not more than once per year. Thinkific agrees to provide you promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If you believe that an on-site audit is necessary, Thinkific agrees to give you reasonable access to its premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has onsite. You are entitled to have the audit carried out by a third party.
10. Completion of Services
Upon completion of the Services, Thinkific will return or delete all personal data processed under the Agreement in accordance with the applicable provisions of the Agreement, except to the extent that Thinkific is required by law to retain any copies of the personal data.
Your remedies with respect to any breach by Thinkific of the terms of this Addendum and the overall aggregate liability of Thinkific arising out of, or in connection with the Agreement (including this Addendum) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of Thinkific and its affiliates arising out of, or in connection with the Agreement (including this Addendum) will in no event exceed the Liability Cap.