Model Data Processing Agreement Version 2.0

Transcription

1 Mdel Data Prcessing Agreement Versin 2.0 This is the English translatin f the Dutch text f the Mdel Data Prcessing Agreement. In case the English translatin differs r deviates frm the Dutch text, the Dutch texts and interpretatins prevail. This Mdel Data Prcessing Agreement is an annex t the Privacy Cvenant Digital Educatinal Resurces(hereinafter referred t as the Cvenant) cncluded between the Primary Educatin Cuncil (PO-Raad), Secndary Educatin Cuncil (VO-Raad) and the branch rganisatins f educatinal publishing (GEU), distributrs f learning resurces (members f educatinal department f the Ryal Bk Seller Bnd) and digital service prviders in ICT educatin (VDOD). The starting pints f this Mdel Data Prcessing Agreement are in line with the prvisins f the Cvenant, the Persnal Data Prtectin Act (hereinafter: Data Prtectin Act), and the starting pints as indicated in case law and in guidelines and statements by the supervisry authrity, the Dutch Data Prtectin Authrity (Autriteit Persnsgegevens) The Mdel Data Prcessing Agreement versin 2016 is the successr f the Mdel Data Prcessing Agreement which was drawn up in 2015 in the cntext f the Privacy Cvenant Digital Educatinal Resurces, Learning resurces and Testing. In additin t using Learning Resurces and Testing, the versin 2.0 als cvers Schl and Pupil Infrmatin Resurces. In additin, sme parts f the agreement have been adjusted in line with recent develpments in legislatin, including the amendment f the Data Prtectin Act in cnnectin with the bligatin t reprt Data Leaks. The new Mdel Data Prcessing Agreement 2.0 replaces the Mdel Data Prcessing Agreement frm Data Prcessing Agreements, already cncluded based n the ld mdel frm 2015 remain in effect, in principle, until these Data Prcessing Agreement are terminated by the parties and are then fllwed by a new Data Prcessing Agreement based n the new Mdel Data Prcessing Agreement 2.0. In the Cvenant, it is agreed that Schls and Parties in the chain will use this mdel when making arrangements. If (parts f) the Mdel Data Prcessing Agreement cannt be used, nly a substantiated written dergatin is permitted. Given the number f prvisins that are either required by law, r which the Dutch Data Prtectin Authrity indicate that it must be included in the Data Prcessing Agreement, the scpe fr dergatin frm the prvisins f the Mdel is limited. This Mdel Data Prcessing Agreement cntains tw annexes: 1. The Privacy Leaflet (Annex 1) is a descriptin f the service, prduct characteristics and which categries f Persnal Data are prcessed and fr which bjectives these prcessing peratins fall under. 2. The Technical and Organisatinal Measures (Annex 2) defines what security measures are taken. Security must remain a cnstant fcus f attentin and care. Infrmatin abut the Cvenant and the Mdel Data Prcessing Agreement can be fund n the website Mre infrmatin and answers t questins abut privacy and the legal rights and bligatins fr Schls can be fund n Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

2 the websites f the industry cuncils Primary Educatin Cuncil (PO-Raad) and Secndary Educatin Cuncil (VO-raad) and Kennisnet. June 2016 Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

3 Parties: and 1. The cmpetent authrity f <name + legal frm f Schl>, registered under BRIN-number <brin> at the Dienst Uitvering Onderwijs [Dutch Educatin Service] f the Ministry f Educatin, having its registered ffice and principal place f business at <address>, in (<pstal cde>) <city>, legally represented in this matter by <functin + name>, hereinafter referred t as: 'Schl. 2. The private limited cmpany <Name> B.V., having its registered ffice and principal place f business at <address>, in (<pstal cde>) <city>, legally represented in this matter by <functin + name>, hereinafter referred t as: 'Prcessr Hereinafter cllectively referred t as: 'Parties', r separately: 'Party Whereas: a. Schl and Prcessr have cncluded an agreement whereby <specific descriptin f prducts/services t be supplied by Prcessr n behalf f Schl>, ('the Prduct and Services Agreement'). This Prduct and Services Agreement results in the Prcessr carrying ut the prcessing f Persnal Data n behalf f the Schl. b. The parties wish, als in view f the prvisins f Sectin 14 f the Persnal Data Prtectin Act, t recrd their mutual rights and bligatins fr the Prcessing f Persnal Data in this Data Prcessing Agreement. agree t the fllwing: Clause 1: Definitins In this Data Prcessing Agreement: a. Data Subject, Prcessr, Third Party, Persnal Data, Prcessing f Persnal Data and Data Cntrller are understd accrding t the definitins defined in Sectin 1 f the Data Prtectin Act; b. Data Prcessing Agreement: this Data Prcessing Agreement, including Annexes; c. Annex: an annex t this Data Prcessing Agreement, which frms an integral part theref; d. Cvenant: the Privacy Cvenant Digital Educatinal Resurces; e. Data Leak: a security breach, as referred t in Sectin 13 Data Prtectin Act, which leads t the cnsiderable risk f serius adverse effects, r serius adverse cnsequences fr the prtectin f persnal data, as referred t in Sectin 34a, subsectin 1, Data Prtectin Act; f. Digital Educatinal Resurce: Learning Resurces and Testing and Schl and Pupil Infrmatin Resurces; g. Learning Resurces and Testing: digital prduct and/r digital service cnsisting f curse material and/r tests and assciated digital services, fcussed n learning situatins fr the purpse f teaching by r n behalf f Schls; h. Schl and Pupil Infrmatin Resurces: a digital prduct and/r digital service fr the benefit f the educatin (prcess), such as a pupil administratin system, timetabling system, parent prtal, pupil and parent cmmunicatin system, an electrnic learning envirnment and a pupil tracking system. i. Privacy Leaflet: the privacy leaflet as set ut in Annex 1; Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

4 j. Prduct and Services Agreement: the agreement between the Schl and Prcessr, as defined in paragraph a; k. Mdel Data Prcessing Agreement The mdel fr a data prcessing agreement as attached in the annex t the Cvenant; l. Sub-prcessr: the party that is engaged by the Prcessr as Prcessr fr Prcessing f Persnal Data in the cntext f this Data Prcessing Agreement and the Prduct and Services Agreement; m. Data Prtectin Act: Wet bescherming persnsgegevens [Dutch Persnal Data Prtectin Act]. Clause 2: Subject and assignment f Data Prcessing Agreement 1. This Data Prcessing Agreement shall apply t the Prcessing f Persnal Data in the cntext f the implementatin f the Prduct and Services Agreement. 2. The Schl places with the Prcessr the cntract fr the Prcessing f Persnal Data fr the purpse f implementing the Prduct and Services Agreement. Clause 3: Divisin f rles 1. The Schl is the Data Cntrller in respect f the Prcessing f Persnal Data t be carried ut n its behalf. The Prcessr is a prcessr within the meaning f the Data Prtectin Act. The Schl has and maintains independent cntrl ver the purpse and methds f the Prcessing f Persnal Data. 2. The Prcessr shall ensure that the Schl, prir t the cnclusin f this Data Prcessing Agreement, is sufficiently infrmed abut the service(s) which the Prcessr prvides, and the Prcessing t be carried ut. The infrmatin given shuld enable the Schl t make a chice regarding the ffered services as such, and in additin an individual chice fr any ptinal services ffered. 3. The services referred t in subclause 2, including any ptinal services, must be described in the Privacy Leaflet accmpanying this Data Prcessing Agreement in plain language, whereby the Schl can give infrmed cnsent t the purchase f this service(s). 4. The Schl may be required t ntify the Prcessing f Persnal Data t the Dutch Data Prtectin Authrity. The Schl shall examine whether r nt it is exempt and shall ntify the Dutch Data Prtectin Authrity if it is bliged t d s. 5. The Schl and Prcessr shall prvide each ther back and frth, all the necessary infrmatin t allw prper cmpliance with the relevant privacy law and legislatin. Clause 4: Privacy Cvenant 1. The Parties agree with the prvisins in the Privacy Cvenant Digital Educatinal Resurces. Clause 5: Use f Persnal Data 1. Prcessr undertakes nt t use the Persnal Data received frm the Schl fr ther purpses r in any ther manner than fr the bjective, and the manner in which the data have been supplied r have becme knwn. The Prcessr is therefre nt allwed t carry ut prcessing peratins ther than thse assigned by the Schl (verbally, in writing r electrnically) t the Prcessr. This bligatin applies t bth during the term f this agreement and after its cmpletin. Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

5 2. An verview f the categries f Persnal Data tgether with the use fr which the Persnal Data are prcessed are set ut in the Privacy Leaflet annexed t this Data Prcessing Agreement. 3. The prcessr must indicate in the Privacy Leaflet whether r nt the Privacy Leaflet relates t a Learning resurce and Testing and/r Schl and Pupil Infrmatin Resurce. The Prcessr must specify in the Privacy Leaflet fr which purpses (included in the Cvenant) Persnal Data are prcessed when using his prduct and/r service and which categries f Persnal Data are prcessed. If specified in the Explanatry Memrandum in the Privacy Leaflet, the Prcessr must als indicate under which f the bjectives as defined in the Cvenant, the Prcessing f Persnal Data takes place when using the prduct and/r service. 4. The Prcessr refrains frm transferring Persnal Data t a Third Party, unless this exchange takes place n behalf f the Schl r when this is necessary in rder t cmply with a legal bligatin impsed n the Prcessr. In the event f a legal bligatin, prir t transferring, the Prcessr must verify the basis f the request and the identity f the applicant. In additin, the Prcessr will infrm the Schl - if permitted by law - immediately, if pssible prir t transferring. 5. SPECIFIC PROVISION IN CASE OF EXCHANGING THE EDUCATIONAL REPORT: In additin t the prvisins f subclause 4, it applies that, if the Prcessr is asked t transfer Persnal Data t a Third Party designated and selected by the Schl, i.e. anther Schl, the Prcessr will nly prceed with transferring after the latter Schl has prvided its administrative educatin identity (e.g. BRIN r OiN), insfar as it is knwn. 6. [SPECIFIC PROVISION IN CASE OF DISTRIBUTION OF LEARNING RESOURCES: Every year, when drawing up the learning resurces lists fr the next schl year, whereby the learning resurces lists are drawn up fr the purpse f perfrming the Prduct and Services Agreement, the Parties will supplement and/r change the Privacy Leaflet by including the categries f Persnal Data and the use f such Persnal Data, with regard t the (digital) learning resurces that are included n the relevant learning resurces lists.] Clause 6: Cnfidentiality 1. The Prcessr ensures that everyne, including its emplyees, agents and/r Subprcessrs, wh are invlved in the Prcessing f Persnal Data, treat this data as cnfidential. The Prcessr ensures that each persn wh is invlved in the Prcessing f Persnal Data has entered int a cnfidentiality agreement r accepted a cnfidentiality clause. 2. The cnfidentiality bligatin referred t in this Clause des nt apply if the Schl has given explicit cnsent t disclse the Persnal Data t a Third Party, if disclsure f Persnal Data t a Third Party is necessary in view f the nature f services prvided by the Prcessr t the Schl, r if there is a legal bligatin t disclse the Persnal Data t a Third Party. Clause 7: Security and cntrl 1. The Prcessr will, in the same way as the Schl, ensure apprpriate technical and rganisatinal measures t prtect Persnal Data against lss r any frm f unlawful Prcessing. These measures, in accrdance with the state f technlgy and the csts invlved with the implementatin and the executin f the measures, must ensure an adequate level f prtectin, taking accunt f the risks assciated with the Prcessing f Persnal Data and the nature theref. Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

6 2. The measures specified in Clause 7.1 shall include at least: a. measures t ensure that nly authrised persnnel have access t the Persnal Data that is prcessed in the cntext f the Data Prcessing Agreement; b. measures t prtect the Persnal Data against, in particular, accidental r unlawful destructin, lss, accidental alteratin, unauthrised r unlawful strage, access r disclsure; c. measures t identify weaknesses in respect f the Prcessing f Persnal Data in the systems used fr the prvisin f services t the Schl; d. an apprpriate infrmatin security plicy fr the Prcessing f Persnal Data. 3. The Prcessr must evaluate, tighten up, supplement r imprve the infrmatin security measures it has taken t the extent warranted by the requirements r (technlgical) develpments. 4. Annex 2 establishes the arrangements between the Parties n the technical and rganisatinal security measures, as well as n the cntent and frequency f the reprts which the Prcessr prvides t the Schl abut the security measures. These measures are in line with the security measures that the Schl must take. 5. The Prcessr enables the Schl t meet its legal bligatin t mnitr cmpliance f the Prcessr f the technical and rganisatinal security measures as well as n cmpliance with the bligatins referred t in Article 8 in respect f Data Leaks. In additin t reprts by the Prcessr, this can be achieved n the basis f, but nt limited t, a valid certificatin r an equivalent verificatin r prf f evidence. 6. In additin t Clause 7 (4) the Schl has the right at all times, in cnsultatin with the Prcessr and within a reasnable perid f time, at its wn cst, t have the technical and rganisatinal security measures f the Prcessr audited by an independent Registered EDP auditr. The Parties, in mutual agreement, may agree that the audit is perfrmed by a certified and independent auditr appinted by the Prcessr wh will issue a third-party declaratin (TPM). The Schl will be infrmed f the results f the audit. Clause 8: Data Leaks 1. The Prcessr has an apprpriate plicy fr dealing with Data Leaks. 2. If the Schl r Prcessr establishes a Data Leak, they will immediately infrm the ther Party. In the event f a Data Leak, the Prcessr shall prvide all relevant infrmatin t the Data Cntrller with regard t the Data Leak, including infrmatin n any develpments arund the Data Leak, and the measures taken by the Prcessr t limit the effects f the Data Leak and t prevent recurrence. Additinally, the Parties will infrm each ther withut delay if it transpires that the security breach is likely t have a negative impact n the privacy f the Party cncerned as referred t in Sectin 34a, subsectin 2, Data Prtectin Act. 3. In the event f a Data Leak, the Prcessr will enable the Data Cntrller t take the necessary fllw-up steps with respect t the Data Leak. The Prcessr must fllw the existing prcesses that the Data Cntrller has established fr this purpse. The Parties will take as sn as pssible all reasnably required measures t prevent r limit (further) breaches r infringements cncerning the Prcessing f Persnal Data, and mre particularly (further) breaches f the Data Prtectin Act r ther legislatin cncerning the Prcessing f Persnal Data. Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

7 4. In the event f a Data Leak, the Schl must cmply with any legal reprting bligatin. The Parties may mutually determine whether and if s hw, the Prcessr can make a ntificatin t the Dutch Data Prtectin Authrity. At the request f the Schl, the Prcessr can assist and advise the Schl with this. If required, the Schl will infrm the Parties cncerned abut such an infringement. The Parties will, in gd faith and in mutual cnsultatin, make arrangements abut the reasnable distributin f any csts assciated with cmplying with the reprting bligatins. 5. The Prcessr will infrm the Schl in accrdance with the arrangements laid dwn in Annex 2 n security related incidents, ther than a Data Leak, which fall utside the scpe f Clause 1 ( e ). Clause 9: Prcedural rights f Data Subjects 1. A cmplaint r request f a Data Subject with regard t the Prcessing f Persnal Data will be frwarded immediately by the Prcessr t the Schl with respnsibility fr handling the request. 2. The Prcessr fully cperates with the Schl - t the extent reasnably pssible - t be able t meet the bligatins under the Data Prtectin Act within the statutry deadlines, in particular, the rights f the Data Subjects, such as a request fr access, crrectin, additin, remval r blcking f Persnal Data. The parties will cnsult in gd faith n the reasnable distributin f any csts invlved in this. Clause 10: Prcessing utside the Eurpean Ecnmic Area 1. The Parties shall ensure that insfar as Persnal Data are prcessed utside the Eurpean Ecnmic Area (hereinafter referred t as: EEA), this takes place nly in accrdance with legislative requirements and any bligatins resting n the Schls in this regard. If data are prcessed utside the EEA, this is specified in Annex 1, including an indicatin f the cuntries where the data will be prcessed. Clause 11: Engaging Sub-prcessrs 1. The Prcessr can engage a Sub-prcessr, whse identity and lcatin infrmatin are t be included in the Privacy Leaflet. 2. The Prcessr requires each Sub-prcessr cntractually t cmply with cnfidentiality bligatins, reprting bligatins and security measures with regard t the Prcessing f Persnal Data, which bligatins and measures must al least cmply with the prvisins f this Data Prcessing Agreement. 3. The Prcessr requires each Sub-prcessr cntractually nt t prcess Persnal Data in any ther manner than agreed in this Data Prcessing Agreement. Clause 12: Retentin perids and destructin f Persnal Data 1. The Schl will adequately infrm the Prcessr abut (legal) retentin perids that apply t the Prcessing f Persnal Data by the Prcessr. The Prcessr will nt prcess the Persnal Data fr lnger than these retentin perids. 2. The Schl requires the Prcessr t destry the Persnal Data prcessed n behalf f the Schl, r have them destryed, upn the terminatin f the Data Prcessing Agreement, unless the Persnal Data shuld be kept fr a lnger perid, such as in the cntext f legal bligatins, r at the request f the Schl. The Schl may carry ut an audit at its wn expense whether destructin has taken place. Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

8 3. The Prcessr will give the Schl written r electrnic cnfirmatin that the destructin f the Prcessed Persnal Data has taken place. 4. The Prcessr will infrm all Sub-prcessrs invlved in the Prcessing f Persnal Data f a terminatin f the Data Prcessing Agreement and will ensure that all Sub-prcessrs will r have the Persnal Data destryed. Clause 13: Cntradictin and amending the Data Prcessing Agreement 1. In case f cnflict between the prvisins f this Data Prcessing Agreement and the prvisins f the Prduct and Services Agreement, the prvisins f this Data Prcessing Agreement will prevail. 2. If the Parties have t deviate frm the articles in the Mdel Data Prcessing Agreement due t circumstances, r want t make additins, these changes and/r additins will be defined and substantiated by the Parties in an verview that is attached as Annex 3 t this Data Prcessing Agreement. The prvisins f this paragraph shall nt apply t additins and/r amendments f the Annexes 1 and In the event f significant changes t the prduct and/r the (additinal) services that impact the Prcessing f Persnal Data, the Schl will be infrmed in plain language abut the implicatins f these changes befre the Schl chses t accept this. Imprtant changes will mean in any case: adding r amending a functinality that leads t an increase in respect f the Persnal Data t be prcessed, the bjectives fr which the Persnal Data are prcessed and the engagement f a Sub-prcessr r different Sub-prcessr. The amendments will be incrprated in Annex Amendments t the Clauses f the Data Prcessing Agreement can nly be effected by jint agreement. 5. In the event that any prvisin f this Data Prcessing Agreement is r becmes invalid, vidable r therwise unenfrceable, the remaining prvisins f this Data Prcessing Agreement remain in full frce and effect. In that case, the Parties will enter int cnsultatin t replace the invalid, vidable r therwise unenfrceable prvisin by an enfrceable alternative prvisin. The parties will take the utmst accunt f the purpse and intent f the invalid, vid r therwise unenfrceable prvisin. Clause 14: Duratin and terminatin 1. The duratin f this Data Prcessing Agreement is equal t the duratin f the Prduct and Services Agreement cncluded between the Parties, including any extensins theref. 2. This Data Prcessing Agreement will end autmatically upn terminatin f the Prduct and Services Agreement. The terminatin f this Data Prcessing Agreement will nt exempt the Parties frm their bligatins arising frm this Data Prcessing Agreement which by their nature are expected t cntinue after terminatin. Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

9 ANNEX 1: PRIVACY LEAFLET [name f prduct/service] Schls are increasingly using digital applicatins within educatin. The use and prvisin f these prducts and services requires data that can be traced back t individuals (such as pupils). Schls must make arrangements with Prcessrs n the use f such Persnal Data. This leaflet gives schls infrmatin abut the service the prcessr prvides and what persnal data the prcessr will prcess. In shrt, abut the questin "wh, what, where, why and hw" deals with the privacy f the persns cncerned whse data are exchanged. Using this Privacy Leaflet helps Schls t better understand the functin f the prduct and/r service and what types f data are t be exchanged. In the cntext f the recgnisability, it is desirable that Prcessrs use this Privacy Leaflet as much as pssible in a unifrm manner. Deviatins frm this mdel are indeed pssible but shuld preferably be limited. If the space in this Annex is insufficient t describe the required infrmatin, is it pssible t include the infrmatin in a separate annex r annexes, which shall be numbered as fllws: "Annex 1A", "Annex 1B", etc. These Annexes will be attached t the Data Prcessing Agreement. A. General infrmatin Name f prduct and/r service : Name f Prcessr and lcatin infrmatin : Brief explanatin and functining f prduct and service : Link t supplier and/r prduct page : Target grup (such as PE/SE lwer/upper) : User : pupils/parents/guardians/teachers B. The specific services Descriptin f the specific services prvided and assciated Prcessing 1. Prcessing which frm an integral part f the service ffered. a. [.] b. [.] [.] 2. Descriptin f the ptinal Prcessing ffered by the prcessr Explanatin: This relates t additinal services and assciated Prcessing which d nt frm an integral part f the service ffered. These include, fr example, ptinal services fr the Schl that may be helpful t the Schl fr the purpses f the primary (learning) prcess and administrative wrk The Schl must chse (rder) the purchase f these services. This can be achieved by indicating this chice in writing in this Annex (fr example, by ticking a tick bx) ). Agreement can als take place by means f the Schl activating the service in practice, fr example, by switching a prduct r service n r ff. The Schl that makes the chice in this way, must be able t d s n the basis f previusly prvided infrmatin (such as, fr instance, listed in this leaflet). a. [.] b. [.] Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

10 [.] C. Objectives fr the prcessing f data The Prcessr must explicitly indicate in this Leaflet whether it is: I. a supplier f a digital prduct and/r digital service cnsisting f curse material and/r tests, r II. (als) a supplier f a Schl and Pupil Infrmatin Resurces. Re I. If the Prcessr is a supplier f a digital prduct and/r digital service cnsisting f Learning Resurces and Testing, then the pssible bjectives f these prducts and services are defined in the relevant part f Clause 5 (1) f the Privacy Cvenant Digital Educatinal Resurces 2.0. These d nt need t be further named in this Leaflet. Re II. Only if the prcessr is (als) a supplier f a digital prduct and/r digital service cnsisting f a Schl and Pupil Infrmatin Resurce, this Privacy Leaflet shuld explicitly mentin the purpses fr which Persnal Data are prcessed when using the prduct and/r the service. The Prcessr must fllw as clsely as pssible the list f bjectives laid dwn in Clause 5 (2) f the Privacy Cvenant Digital Educatinal Resurces. D. Categries and types f persnal data Descriptin and summary f categries f Persnal Data which are used: Any ptinal Persnal Data (which are nt requested and stred as standard): Types f data (such as special data r financial infrmatin): E. General infrmatin n security measures taken: Fr the sake f brevity, please refer t Annex 2 t the Data Prcessing Agreement fr the security measures taken.. Specific security measures fr this service/prduct [if applicable]: Any certificatins: Audits/Third Party declaratins: City/Cuntry f strage and Prcessing f Persnal Data: F. Sub-prcessrs The Prcessr engages the fllwing Sub-prcessrs fr the service/prduct: [party name, brief descriptin f task/service shwing what data are prcessed by this Sub-prcessr] City/Cuntry f strage and Prcessing f Persnal Data (if the Persnal Data are prcessed utside the EEA, a separate reprt must be made f the cuntries where the Persnal Data are prcessed). G. Cntact details Fr questins r cmments abut this leaflet r the peratin f the prduct r service, please cntact: [cntact infrmatin]. H. Versin [versin number and date f last mdificatin] Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

11 This privacy leaflet is part f the arrangements made in the Privacy Cvenant Digital Educatinal Resurces 2.0, an initiative f the Primary Educatin Cuncil, Secndary Educatin Cuncil, the varius interested parties (GEU, KBB-e and VDOD) and the Ministry f Educatin, Culture and Science. Yu can find mre infrmatin n: Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

12 ANNEX 2: Technical and rganisatinal security measures The Prcessr, in accrdance with the Data Prtectin Act and Clause 7 f the Data Prcessing Agreement, is bliged t take technical and rganisatinal measures t ensure the security f the Prcessing f Persnal Data. If the space in this Annex is insufficient t describe the required infrmatin, is it pssible t include the infrmatin in a separate annex r annexes, which shall be numbered as fllws: "Annex 2A", "Annex 2B", etc. These Annexes will be attached t the Data Prcessing Agreement. Descriptin f the measures as referred t in Clause 7.2 f the Data Prcessing Agreement. I. Descriptin f the measures taken t ensure that nly authrised persnnel have access t the Prcessing f Persnal Data. Mre specifically, an verview f which (grups f) emplyees f the Prcessr have access t which Persnal Data, including a descriptin f the peratins these emplyees may carry ut with the Persnal Data. a. (grups f) emplyees wh have access t which Persnal Data: b. peratins that these emplyees perfrm using the Persnal Data: II. Descriptin f the measures t prtect Persnal Data against accidental r unlawful destructin, accidental lss r alteratin, unauthrised r unlawful strage, Prcessing, access r disclsure. Mre specifically, an verview f the technical and rganisatinal (security) measures taken by the Prcessr and the security standard used. [descriptin f security f the applicatin/platfrm] [descriptin f methd f identificatin/authenticatin/authrisatin and security theref] [descriptin f security f methd f exchange/transprt f data] III. Descriptin f the measures t identify weaknesses in respect f the Prcessing f Persnal Data in the systems used fr the prvisin f services t the Schl; [such as a peridic analysis f (security) incidents, peridically cnducting an external/ internal vulnerabilities investigatin (ethical hack) r peridically cnducting checks n the security f systems] Reprting (Clause 7.4 f the Data Prcessing Agreement The Prcessr reprts peridically with a frequency f [ ] times a year, by [ ] t the Data Cntrller n the measures taken by the Prcessr n the technical and rganisatinal security measures and any cncerns therein.] [cntact details helpdesk/service desk fr security incidents] Infrming abut Data Leaks and/r security related incidents Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June

13 Arrangements n the prvisin f infrmatin in the event f Data Leaks and/r security related incidents, in particular n The way in which mnitring and identificatin f incidents takes place, The way in which infrmatin is shared: In what way (via , telephne); T whm it shuld be addressed (cntact persn and cntact details); Whm shuld be cntacted (fr fllw-up actins). Infrmatin that must be shared in any case abut an incident The characteristics f the incident such as: date and time f discvery, summary f the incident, attribute and type f incident (what part f security des it relate t, hw has it ccurred, des it relate t reading, cpying, mdifying, deleting/destructing and/r theft f persnal data); The cause f the security incident; The measures taken t prevent any damage r further damage; Naming Data Subjects wh may be affected by the incident and the extent; The size f the grup f Data Subjects; The type f data affected by the incident (in particular special data, r data f a sensitive nature, including access r identificatin data, financial data r learning perfrmance). Any arrangements if, and if s hw, the Prcessr can make a ntificatin t the Dutch Data Prtectin Authrity. Versin [versin number and date f the mst recent amendment] This privacy leaflet is part f the arrangements made in the Privacy Cvenant Digital Educatinal Resurces 2.0, an initiative f the Primary Educatin Cuncil, Secndary Educatin Cuncil, the varius interested parties (GEU, KBB-e and VDOD) and the Ministry f Educatin, Culture and Science. Yu can find mre infrmatin n: Mdel Data Prcessing Agreement Privacy Cvenant Digital Educatinal Resurces versin June