Last Updated Date: 3rd January, 2024
This Aratum Data Processing Addendum (“DPA”) forms part of the Aratum Services Order Form and Aratum Standard Terms and Conditions, or other written or electronic agreement (“Agreement”) between Customer and Aratum PTE LTD., or its Affiliates (collectively “Aratum”) (each a “Party”, collectively “Parties”). The Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. In case of any discrepancy or conflict between this DPA and the Agreement, this DPA shall prevail. In case of any discrepancy between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Any capitalized terms not defined herein shall have the meanings set forth in the Agreement.
How this DPA Applies: Aratum provides the Services (as defined in the Agreement) to Customer which may include the Processing of Personal Data by Aratum during the provision of the Services. This DPA does not replace any rights related to the Processing of Customer Personal Data previously negotiated by Customer in the Agreement. Aratum agrees to comply with this DPA with respect to any Customer Personal Data Processed by Aratum in the provision of the Services under applicable Data Protection Laws.
- DEFINITIONS. In this DPA, the following terms shall have the meanings set out below:
- “Affiliates” means any entity which is controlled by, controls or is in common control with a Party.
- “Customer Personal Data” means Personal Data provided by or on behalf of Customer to be Processed by Aratum in connection with providing the Services.
- “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws” means the laws and regulations which are applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means an individual whose Personal Data is being processed by the Data Processor under the Agreement.
- “EEA” means the European Economic Area, consisting of the Member States of the European Union and Iceland, Liechtenstein, and Norway.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and the UK equivalent.
- “Personal Data” means any information relating to an identified or reasonably identifiable person.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
- “Sell,” “Selling,” “Sale,” and “Sold” shall have the meanings provided under applicable Data Protection Laws.
- “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored, or otherwise processed by Aratum.
- “Standard Contractual Clauses” means the contractual clauses issued by the European Commission by implementing decision 2021/914 of 4th of June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, the UK International Data Transfer Addendum (“UK Addendum”), and any similar measures promulgated pursuant to the GDPR to address the transfer of Personal Data to a Third-country and any amendments and replacements thereto as may be promulgated from time to time.
- “Supplementary Measures” means technical, organizational, and contractual measures as described in EDPB Guideline adopted on 18th June 2021 (“Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”).
- “Sub-processor” means any Data Processor acting on behalf of Aratum.
- “Third-country” means a country that is neither part of the EEA nor has been declared adequate by a decision of the European Commission according to the mechanism set out in Article 45 GDPR.
- “UK” means the United Kingdom, Wales, and Northern Ireland.
- PROCESSING OF CUSTOMER PERSONAL DATA.
- The Parties agree that with regard to the Processing of Customer Personal Data, Customer is the Data Controller and Aratum is the Data Processor, except for certain services provided by Aratum where Aratum is also a Data Controller with respect to the Customer Personal Data.
- Customer shall, in its use or receipt of the Services, process Customer Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Customer Personal Data comply with the Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data, the means by which Customer obtained the Customer Personal Data, and for fulfilling all requirements under Data Protection Laws necessary to make the Customer Personal Data available to Aratum for Processing as provided herein and under the Agreement.
- During the Term of the Agreement, Aratum shall only Process Customer Personal Data on behalf of and in accordance with the Agreement and Customer’s written instructions unless required to do so by law to which Aratum is subject; in such case Aratum shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Customer instructs Aratum to Process Customer Personal Data for the following limited and specified purposes: (i) Processing in accordance with the Agreement, any applicable orders, and Data Protection Laws; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and Data Protection Laws. Aratum shall not Sell, or share for targeted advertising purposes, Customer’s Personal Data except as expressly instructed by Customer. Aratum shall not combine Customer Personal Data with other Personal Data except as permitted by Data Protection Laws.
- The objective of Processing of Customer Personal Data by Aratum is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Appendix 1, Annex I B.
- If Aratum determines that it can no longer comply with Data Protection Laws, Aratum will notify Customer within five (5) business days of making such determination.
- ASSISTANCE TO CUSTOMER AND RIGHTS OF DATA SUBJECTS.
- To the extent Customer, in its use or receipt of the Services, does not have the ability to take steps required to comply with Data Protection Laws, including without limitation correcting, amending, restricting, blocking or deleting Customer Personal Data, and implementing reasonable security procedures or practices designed to protect Customer Personal Data, as and to the extent required by the Data Protection Laws, Aratum will use commercially reasonable efforts to comply with reasonable requests by Customer to facilitate such actions to the extent Aratum is legally permitted to do so, taking into account the nature of the Processing of Customer Personal Data and the information available to Aratum.
- Aratum shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person’s Personal Data. Aratum shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer or as otherwise required by Data Protection Laws. Aratum shall provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Services, taking into account the nature of the Processing of Customer Personal Data and the information available to Aratum.
- PROCESSOR PERSONNEL.
- Aratum shall use commercially reasonable efforts to ensure that its personnel engaged in the Processing of Customer Personal Data are subject to obligations of confidentiality.
- Aratum shall use commercially reasonable efforts to ensure that access to Customer Personal Data is limited to those personnel who require such access to perform the Services.
- SUB-PROCESSORS.
- Aratum shall not transfer or otherwise make available Customer Personal Data to any third party without Customer’s prior authorization.
- Upon signing of the DPA, Customer gives its general authorization to Aratum to use Aratum Affiliates as Sub-processors; and third-party Sub-processors in connection with the provision of the Services provided that the following conditions are met:
- Aratum shall ensure that obligations not materially less protective than those set out in this DPA are imposed on Sub-processors by way of a written contract;
- Aratum remains liable towards Customer for the work of its Sub-processors as if and to the extent such work was performed by Aratum;
- Aratum shall provide the list of its Sub-processors by giving a link to a website where the information about the Sub-processors is kept up to date; and
- Aratum shall inform Customer of any intended changes to Sub-processors concerning the addition or replacement of Sub-processors. To the extent required by Data Protection Laws, Aratum shall thereby give Customer the opportunity to object to such changes by notifying Aratum in writing within 30 days after the receipt of Aratum’s notice about the changes, and if, within 20 days of receipt of that notice, Customer notifies Aratum in writing of any objections on reasonable grounds to the proposed engagement of a Sub-processor, Aratum shall not use that proposed Sub-processor to Process Customer Personal Data until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken.
- INTERNATIONAL DATA TRANSFERS
- Customer acknowledges and agrees that Aratum is established in a Third Country and that providing the Services defined in the Agreement requires transfer to, and Processing of Customer Personal Data within, a Third Country. All transfers to a Third Country are subject to the following conditions:
- Customer has given prior authorization for the transfer by signing the Agreement as documented in Appendix 1;
- The Customer Personal Data is Processed under the terms of the Agreement;
- There is a valid transfer mechanism in place in accordance with the GDPR; and
- Aratum shall implement the Supplementary Measures, where necessary.
- EU/UK Standard Contractual Clauses: The valid transfer mechanism referred to in Section 6.1(iii) is, where Aratum acts as a Processor and Customer acts as a Controller, the Standard Contractual Clauses, Module TWO: Transfer Controller to Processor; where Aratum acts as a Controller and Customer acts as a Controller, the Standard Contractual Clauses, Module ONE: Transfer Controller to Controller; and in both cases, the UK Addendum thereto attached as Appendix 2, and all of the foregoing are deemed to be incorporated herein by reference as set forth below. In respect of the Standard Contractual Clauses, the Parties agree on the following:
- in clause 7, the Parties choose to include the “docking clause”;
- where Module Two applies, in clause 9, the Parties choose Option 2: “general written authorization”;
- where Module Two applies, in clause 9, the Parties choose twenty (20) days as the specific time period;
- in clause 11, the Parties do not choose the optional complaint mechanism;
- in clause 17, the governing law is the law of the EU Member State:
- Option 1: Where Customer is established in an EU Member State, the law in that EU Member State;
- Option 2: Where Customer is not established in an EU Member State but has appointed a representative pursuant to Article 27(1) of the GDPR, the law in the EU Member State in which the Customer’s representative is located;
- Option 3: Where the data exporter is not established in an EU Member State and is not required to appoint a representative pursuant to Article 27(2) of the GDPR, the law of Hungary, or as defined in the Agreement; and
- in clause 18, the country of the applicable court in respect of any disputes arising from Standard Contractual Clauses is the courts of the EU Member State in which the Parties have denoted choice of law per 6.2(v) above.
- To the extent that Aratum uses a Sub-processor in a Third-Country for the Processing of Customer Personal Data, the following shall apply in addition to Section 5 above:
- Customer has given prior authorization for the transfer by signing the DPA;
- There is a valid transfer mechanism in place in accordance with the GDPR; and
- Aratum makes information on the transfer mechanism, and where applicable, the Standard Contractual Clauses, available without undue delay to Customer.
- SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS.
- Aratum shall maintain technical and organizational measures designed to protect the security, confidentiality, and integrity of Customer Personal Data.
- No more than once per year, Customer may engage a mutually agreed upon third party to audit Aratum solely for the purposes of meeting its audit requirements pursuant to the Data Protection Laws. To request an audit, Customer must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to privacy@Aratum.com. The audit must be conducted during regular business hours, subject to Aratum’s policies, and may not unreasonably interfere with Aratum’s business activities. Any audits are at Customer’s expense.
- Any request for Aratum to assist with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer shall reimburse Aratum for any time spent for any such audit at the rates agreed to by the Parties. Before the commencement of any such audit, Customer and Aratum shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, considering the resources expended by Aratum. Customer shall promptly notify Aratum with information regarding any non-compliance discovered during an audit.
- Aratum will reasonably cooperate with Customer, at Customer’s expense, where Customer is conducting a privacy impact assessment that is required by Data Protection Laws.
- SECURITY BREACH MANAGEMENT AND NOTIFICATION.
- In the event of a Security Breach, Aratum shall: (i) notify Customer of the Security Breach without undue delay after becoming aware of the Security Breach. Notification shall include at least the information required by the Data Protection Laws; (ii) investigate the Security Breach and provide Customer with information about the Security Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach and to allow Customer to take reasonable and appropriate steps to do the same to the extent such steps are within Customer’s control.
- Aratum shall cooperate with Customer, and with any third parties designated by Customer, to respond to the Security Breach.
- RETURN AND DELETION OF CUSTOMER DATA.
- Aratum shall provide functionality for Customer to download Customer Personal Data from the Services, to the extent possible, and/or delete Customer Personal Data in accordance with Aratum’s data retention policies which adhere to requirements of the Data Protection Laws, and in a manner consistent with the terms of the Agreement.
- SEVERANCE.
- Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
- LEGAL EFFECT.
- This DPA shall only become legally binding between Customer and Aratum when the Parties the Agreement for the Services.
- LIMITATION OF LIABILITY.
- To the extent permitted by Data Protection Laws, Customer’s remedies with respect to any breach by Aratum of the terms of this DPA or Data Protection Laws will be subject to any aggregate limitation of liability that applies to Aratum and/or Customer under the Agreement.
APPENDIX 1 – EU STANDARD CONTRACTUAL CLAUSES
ANNEX I
A. LIST OF PARTIES
Data exporter(s): As defined in the Agreement
Name: As defined in the Agreement
Address: As defined in the Agreement
Contact person’s name, position and contact details: As defined in the Agreement
Activities relevant to the data transferred under these Clauses: As defined in the Agreement
Signature and date: As defined in the Agreement
Role: Controller
Data importer(s): As defined in the Agreement
Name: As defined in the Agreement
Address: As defined in the Agreement
Contact person’s name, position, and contact details: As defined in the Agreement
Activities relevant to the data transferred under these Clauses:
The data importer provides a Software-as-a-Service Internet accessible learning management software, for use by the data exporter as described in the Agreement.
Signature and date: As defined in the Agreement
Role: Processor
B. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13: The competent supervisory authority is the supervisory authority denoted in Section 6.2 of the DPA.
ANNEX II
LIST OF SUB-PROCESSORS
This Annex must be completed in case of the specific authorization of sub-processors (Clause 9(a), Option 1).
APPENDIX 2: JURISDICTION SPECIFIC TERMS
To the extent that Services involve Customer Personal Data originating from the following countries, the relevant provisions set out below will apply.
- Provisions relevant to Turkey
- The provisions of this paragraph 1 apply where Aratum processes Customer Personal Data that originates from Turkey.
- Aratum will comply with the Turkish Data Protection Act (“Turkish DPA”) numbered 6698 and dated 7 April 2016 and any related regulations, and all decisions of the Turkish Data Protection Authority.
- Aratum will promptly assist the Customer:
- by implementing appropriate technical and organizational measures, insofar as this is possible, taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under data protection law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data); and
- in ensuring compliance with the Customer’s obligations pursuant to Article 12 of the Turkish Data Protection Act (security, notification of personal data breaches to authorities and individuals), taking into account the nature of the processing and the information available to Aratum.
- Where Aratum processes, outside of Turkey, Customer Personal Data subject to the Turkish DPA originating from Turkey, then Aratum shall cooperate with Customer with any formalities required by the Turkish Data Protection Authority.
- Provisions relevant to Switzerland
- The provisions of this paragraph 2 apply where Aratum processes Customer Personal Data that originates from Switzerland.
- The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
- When Aratum engages a Sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this DPA, it will:
- require any appointed Sub-processor to protect the Customer Personal Data to the standard required by applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR, and
- require any appointed Sub-processor to (i) agree in writing to only Process Customer Personal Data in a country that Switzerland has declared to have an “adequate” level of protection or (ii) only process Customer Personal Data on terms equivalent to the EU Standard Contractual Clauses.
- To the extent that Customer Personal Data transfers from Switzerland are subject to the EU Standard Contractual Clauses, the following amendments will apply to the EU Standard Contractual Clauses:
- references to “EU Member State” and “Member State” will be interpreted to include Switzerland, and
- insofar as the transfer or onward transfers are subject to the FADP:
- references to “Regulation (EU) 2016/679” are to be interpreted as references to the FADP;
- the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
- in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
- in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
- Provisions relevant to Australia
- The provisions of this paragraph 3 apply where Aratum processes Customer Personal Data that originates from Australia.
- “APPs” shall mean the Australian Privacy Principles in the Privacy Act.
- “Personal Information” has the meaning given to that term in the Privacy Act.
- “Privacy Act” shall mean the Australian Privacy Act 1988 (Cth).
- Aratum shall in respect of any Customer Personal Data it receives or has access to under the Agreement:
- comply with the APPs (except for APP 1) as if it were bound by the APPs to the same extent as the Customer; and
- without limiting sub-paragraph (i), enter into a similar contractual arrangement with any third party to whom it discloses the Personal Information (whereby the third party agrees to comply with the APPs in respect of such information (except for APP 1) as if that third party were bound by the APPs to the same extent as the Customer).
- Provisions relevant to Hong Kong
- The provisions of this paragraph 4 apply where Aratum processes Customer Personal Data that originates from Hong Kong.
- To the extent that Aratum carries out direct marketing on behalf of the Customer, Aratum shall implement effective measures designed to inform data subjects of the scope of the marketing and provide effective means designed to allow data subjects to give consent in accordance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”).
- Aratum shall comply with the data retention requirement (DPP2) and data security requirement (DPP4) as contained in the PDPO.
- Provisions relevant to India
- The provisions of this paragraph 5 apply where Aratum processes Customer Personal Data that originates from India. When providing the Services, Aratum shall comply with the requirements of the Information Technology Act 2000, the Information Technology (reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (each as amended, modified, supplemented from time to time) as applicable to a body corporate, and any other laws, rules, regulations, notifications, judgements relating to data protection or privacy that are in force as of the date of the Agreement, or that may be brought into force in India at any time in the future during the term of the Agreement.
- Provisions relevant to Japan
- The provisions of this paragraph 6 apply where Aratum processes Customer Personal Data that originates from Japan.
- Aratum shall not obtain any Customer Personal Data from the Customer in Japan or another party through any deceptive, fraudulent, or other wrongful means.
- Aratum shall make a reasonable effort to ensure that the transferred Customer Personal Data is accurate and up to date and within the scope necessary to perform the Services.
- Aratum will take the appropriate technical and organizational security measures designed to adequately protect all Customer Personal Data in Japan against not only misuse and loss, but also leakage and damage, in accordance with any relevant Order, the Agreement, this DPA, and the Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) (the “APPI”).
- Aratum will implement appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under applicable Data Protection Law which applies to the Customer (such as, but not limited to, rights to rectify, erase, or block Customer Personal Data);
- If Aratum acquires Customer Personal Data of Data Subjects in Japan directly from those Data Subjects, in connection with the Services by Aratum to those Data Subjects, Aratum will process Customer Personal Data of those Data Subjects in compliance with the APPI and all accompanying regulations and guidelines issued by the Personal Information Protection Commission of Japan, and all other privacy legislation and other laws which Aratum is subject to, even when it handles Customer Personal Data of those data subjects outside Japan.
- Aratum will notify the Customer of any notices, requests, orders or queries from Data Subjects, any data protection or other governmental authority, law enforcement agency, court order or tribunal, which the Customer or Aratum is obliged to comply with under the APPI or other applicable laws to facilitate timely resolution of any matter arising in connection with the foregoing or any related investigation.
- Provisions relevant to Malaysia
- The provisions of this paragraph 7 apply where Aratum processes Customer Personal Data that originates from Malaysia.
- For the purposes of this paragraph 6, “Personal Data”, “Sensitive Personal Data” and “Data User” have the meanings given to those terms in the Personal Data Protection Act 2010.
- Aratum shall comply with the Personal Data Protection Act 2010 to the extent that this applies to Data Processors and the Customer Personal Data to be Processed hereunder.
- No Personal Data shall be transferred to a country outside Malaysia unless to such country as specified by the Minister by notification published in the Gazette (if any) or with the consent of the data subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the transfer of Personal Data.
- No processing of special categories of data/sensitive data within the meaning of Sensitive Personal Data, including any transfer thereof, may be made without the explicit consent of the data subject or as otherwise permitted in the circumstances as prescribed in the Personal Data Protection Act 2010 with regards to the processing of Sensitive Personal Data.
- Aratum will promptly assist the Data User to fulfil the Data User’s obligations to respond to requests from individuals exercising their rights under data protection law which applies to the Data User within the time as prescribed by the Personal Data Protection Act 2010.
- Provisions relevant to New Zealand
- The provisions of this paragraph 8 apply where Aratum processes Customer Personal Data that originates from New Zealand. Aratum shall comply with the Information Privacy Principles set out in the New Zealand Privacy Act 1993 (as though Aratum were Customer) and shall cooperate with the Customer in a manner designed to ensure that the Customer can meet its obligations (including in relation to information privacy requests and investigations) under that Act.
- Provisions relevant to the Philippines
- The provisions of this paragraph 9 apply: (i) where Aratum processes Customer Personal Data about a Philippine citizen or resident; (ii) where Aratum, Data Processor or Customer is found or established in the Philippines; (iii) where the processing of Customer Personal Data is done in the Philippines; or (iv) where the processing of Customer Personal Data is done or engaged in by an entity with links to the Philippines.
- Aratum will comply with the following obligations:
- comply with applicable local laws and regulations and issuances of the Philippine National Privacy Commission;
- assist the Customer, by appropriate technical and organizational measures and to the extent possible, to fulfil the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
- assist the Customer in ensuring compliance with applicable local laws and regulations and issuances of the Philippine National Privacy Commission, taking into account the nature of processing and the Customer Personal Data available to Aratum;
- make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in applicable local laws and regulations; and
- immediately inform the Customer if, in its opinion, a Direction from the Customer infringes any applicable local law, regulation or issuance of the Philippine National Privacy Commission.
- Aratum shall process Customer Personal Data contained in the Services in Australia and Singapore.
- Provisions relevant to Singapore
- Aratum shall comply with the Personal Data Protection Act 2012 to the extent that this applies to Data Processors and the Customer Personal Data to be Processed hereunder. Aratum shall host the Customer Personal Data contained in the Services in Australia and Singapore.
- Provisions relevant to South Korea
- The provisions of this paragraph 11 apply: (i) where Aratum processes Customer Personal Data that originates from South Korea; or (ii) where Aratum is an entity located in South Korea.
- Aratum will comply with the Personal Data Protection Act (as amended), and the Act on Promotion of Data and Communications Network Utilization and Data Protection, etc., (as amended).
- Subject to the limitations and waivers of liability in the Agreement, Aratum shall be liable to the Customer for damages that it causes by any breach of provisions in this DPA.
- Aratum hosts the Services in Hong Kong for customers located in South Korea.
- Provisions relevant to Taiwan
- The provisions of this paragraph 12 apply where Aratum processes Customer Personal Data that originates from Taiwan or is the Customer Personal Data of Taiwanese national Data Subjects anywhere in the world. Aratum hosts the Services in Singapore for Customers located in Taiwan.
- Aratum will comply with the provisions of the current Taiwan Personal Information Act (the “PIPA”), the Enforcement Rules to the Personal Information Protection Act (the “PIPA Enforcement Rules”), and any other data protection regulations currently in force in Taiwan.
- Aratum will promptly assist the Customer:
- by implementing appropriate technical and organizational measures, insofar as this is possible taking into account the nature of the processing, to fulfil the Customer’s obligations to respond to requests from individuals exercising their rights under the PIPA which apply to the Customer (such as, but not limited to, rights to review, to copy, to rectify, to cease collection, processing, or use, or to erase Customer Personal Data);
- in ensuring compliance with the Customer’s obligations pursuant to Article 12 of the PIPA (prompt investigation of data breach and notice to individuals) and any applicable industry-specific regulations issued under Article 27 of the same (including but not limited to any industry-specific duty to notify the regulator of a data breach) taking into account the nature of the processing and the information available to Aratum; and
- by immediately informing the Customer if, in Aratum’s opinion, an instruction from the Customer to collect, process, or use Customer Personal Data violates the PIPA.
- Aratum shall adopt the technical and organizational measures set forth in Article 12(2) of the PIPA Enforcement Rules proportional to the purpose of the prevention of Customer Personal Data from being stolen, altered, damaged, destroyed or disclosed.
- In addition to informing the Customer of any serious interruption of Aratum’s processing operations, any suspicion of security breaches, or violation of the PIPA, the PIPA Enforcement Rules, or other Taiwan data protection regulations, Aratum shall inform the Customer of all remedial measures taken to remedy the interruption, breach, or violation.
- Aratum shall comply with any reserved instruction from the Customer and has an obligation to provide information evidencing compliance with any such reserved instruction to the Customer.
- Provisions relevant to China
- The provisions of this paragraph 13 apply where Aratum processes Customer Personal Data that originates from the People’s Republic of China.
- The definition of Customer Personal Data shall include all information specifically identified as “personal information” under the applicable local law.
- Aratum shall, at no additional cost, assist each Customer to obtain all consents necessary from the individuals regarding the collection, processing or use of Customer Personal Data in China.
- Aratum shall at all times comply with all applicable local law, including, if applicable, the Cyber Security Law on the protection of personal information, as if Aratum were the user in respect of all Personal Identifiable Information.
- Aratum hosts the Services in China for Customers located in China.
- South America: Aratum hosts the Services in the USA for customers located in South America.
- Provisions relevant to Brazil
- The provisions of this paragraph 14 apply where Aratum processes Customer Personal Data that originates from Brazil.
- The definition of “Data Protection Laws” includes the Lei Geral de Proteção de Dados (LGPD).
- The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to Data Subjects.
- The definition of “processor” includes “operator” as defined under the LGPD.
- To the extent Customer Personal Data is processed through the Internet, the provisions of the Brazilian Internet Act (Law 12,965/2014) must be observed. Aratum will comply with the so-called Habeas Data Law (Law 9,507/1997) to the extent applicable.
- Provisions relevant to Chile
- The provisions of this paragraph 15 apply where Aratum processes Customer Personal Data that originates from Chile.
- Aratum will comply with paragraph 15 of this Appendix 3.
- Aratum will comply with the Data Protection Act Nº 19.628, as amended. The substantive provisions of the Data Protection Act entered into force on October 27, 1999, and August 22, 2000.
- Provisions relevant to Colombia
- The provisions of this paragraph 16 apply where Aratum processes Customer Personal Data that originates from Colombia.
- Aratum will comply with paragraph 16 of this Appendix 3.
- For the purposes of this paragraph 16:
- “Colombian GDP” shall mean the Colombian General Data Protection legal framework (Law 1581 of 2012 and Decree 1074 of 2015); and
- Customer Personal Data flows between Aratum and Customer will be understood as ‘data transmissions’ under the Colombian GDP.
- Aratum will comply with the following obligations:
- process Customer Personal Data only for the purposes authorized by the individuals who are the subjects of such information;
- process Customer Personal Data pursuant to the Customer’s instructions and privacy notice; and
- process Customer Personal Data pursuant to the principles set forth in the Colombian GDP.
- Provisions relevant to Mexico
- The provisions of this paragraph 17 apply where Aratum processes Customer Personal Data that originates from Mexico.
- Aratum will comply with paragraph 17 of this Appendix 3.
- Aratum will comply with the security measures set out in Article 52 of the Mexican Data Protection Regulations (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) where applicable.
- Aratum will process Customer Personal Data in accordance with the privacy notice of the Customer, provided that Customer shall ensure that the Customer’s privacy notice adequately describes the processing of Customer Personal Data by Aratum under the Agreement in a manner compliant with Mexican law.
- Provisions relevant to the Republic of Argentina
- The provisions of this paragraph 18 apply where Aratum processes Customer Personal Data that originates from the Republic of Argentina.
- Aratum agrees to comply with the obligations of a data importer as set out in the model contract titled Contrato Modelo de Transferencia Internacional de Datos Personales con Motivo de Prestación de Servicios adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60 — E/2016 (the ‘Argentinian SCCs’) for the transfer of personal data to data processors established in third countries.
- Aratum acknowledges that each Customer Affiliate in the Republic of Argentina will be a Customer. In particular, and without limiting the above obligation:
- Aratum agrees to grant third party beneficiary rights to Data Subjects, as set out in Clause 3 of the Argentinian SCCs, provided that Aratum’s liability shall be limited to its own Processing operations; and
- Aratum agrees that its obligations under the Argentinian SCCs shall be governed by the laws of the Republic of Argentina in which the Customer Affiliates that are the data exporter(s) are established; and
- the details of the appendices applicable to the Argentinian SCCs are set out in Appendix 1 to this DPA.
- For the purposes of Annex A to the Argentinian SCCs, the data exporter is an educational institution; the data importer is an international education technology company and details about the data subjects, categories of data, processing operations and security measures are as set out in Appendix 1 to this DPA.
- Aratum shall neither apply nor use the Customer Personal Data for any purpose other than the one specified in this DPA nor shall Aratum, except as permitted in this DPA and the Agreement, communicate to other parties such Customer Personal Data, even for storage purposes. Once the corresponding contractual obligations have been performed, the Customer Personal Data processed must be destroyed, except where there is an express authorization given by the person for account of whom such services are rendered, by reason of a possibility of the Customer Personal Data being used for future services, in which case the Customer Personal Data may be stored under due security conditions for a maximum term of up to two (2) years. The parties agree to adopt confidentiality measures to protect the Customer Personal Data following section 9 of the Data Protection Act and its Regulations. Aratum shall process the Customer Personal Data following only instructions from the Customer.
- North America
- Provisions relevant to Canada
- The provisions of this paragraph 19 apply where Aratum processes Customer Personal Data that originates from Canada.
- Aratum shall comply with the Personal Information Protection and Electronic Documents Act and any provincial statute that is declared substantially similar pursuant to section 26(2)(b), where applicable. Aratum shall promptly inform Customer if the location where the Customer Personal Data is stored ever changes.