Last updated: April 2023,DISCOVERY EDUCATION ,DATA PROCESSINGADDENDUM,This Data ProcessingAddendum, including its Schedules,(“DPA”) forms part of theStandard Terms of Service ,and License(the “Agreement”) betweenDiscovery Education Europe Limitedand its Affiliates(collectively, ,“Discovery Education”)and the subscriber to the relevant Discovery Education Services (“Subscriber”)to ,reflect the Parties’ agreement with respect to the Processing of Subscriber Data.Discovery Education and ,Subscriber are each referred to herein as a “Party” and collectively as the “Parties.”,Except where the context requires otherwise, references in this DPA to the Agreement are to the Agreement as ,amended by, and including, this DPA.
Except as modified below, the terms of the Agreementshall remain in full ,force and effect.,1.Definitionsand Interpretation ,1.1In this DPA, the following terms shall have the meanings set out below and cognate terms shall be ,construed accordingly:,“Affiliates”means, any person, corporation, company, partnership, joint venture, or other entity ,controlling, controlledby, or under common control with the applicable Party.
For such purpose, the ,term “control” means the holding of 50% or more of the common voting stock or ordinary shares in, or ,the right to appoint 50% or more of the directors of, the corporation, company, partnership, joint venture, ,or entity.,“Account Data”means Personal Data that relates to Subscriber’s relationship with Discovery Education, ,including to access Subscriber’s account and billing information, identity verification, maintain or ,improve performance of the Services, provide support, investigate and prevent system abuse, or fulfill ,legal obligations.
,“Applicable Data ProtectionLaws” means applicable laws relating to privacy and/or data protection, ,which are applicable to either Party.
It shall include without limitation and as applicable (i) the EU e-,Privacy Directive 2002/58/EC as implemented by countries within the European Economic Area ,(“EEA”).
(ii) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”) as implemented by ,countries within the EEA.
(iii) the UK Data Protection Act 2018, the UK Privacy and Electronic ,Communications (EC Directive) Regulations2003, and the GDPR as retained as UK law by the European ,Union (Withdrawal) Act 2018 (“UK GDPR”).
(iv)the Swedish Data Protection Act (2018:218);and (v) ,other laws, rules and regulations that are similar, equivalent to, or successors to the laws that are identified ,in (i) through (iv) above.,“Restricted Transfer”means (a) a transfer of Subscriber Data from or which originated in the EEA to ,a country outside of the EEA that is not considered to provide an “adequate level” of data protection by ,theEuropean Commission and where such transfer is subject to the GDPR (“EEA Restricted Transfer”) ,and (b) a transfer of Subscriber Data from or which originated in the UK to a country outside of the UK ,that is not considered to provide an “adequate level” ofdata protection by the UK Government and where ,such transfer is subject to the UK GDPR (“UK Restricted Transfer”).,“Services” means the services and other activities to be supplied to or carried out by or on behalf of ,Discovery Education for Subscriber pursuant to the Agreement.,“Standard Contractual Clauses”means the Standard Contractual Clauses for the transfer of Personal ,Data to Third Countries set out in Commission Implementing Decision (EU)2021/914 of 4 June 2021 ,on standard contractual clauses forthe transfer of personal data to third countries pursuant to Regulation ,(EU) 2016/679 of the European Parliament and of the Counciland available at https://eur-,lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e.,“SubscriberData” means any Personal Data Processed by Discovery Educationin connection with the,provision ofServices to Subscriber.,“UKAddendum” means theInternational Data Transfer Addendumto the EU Commission Standard ,Contractual Clauses (the Standard ContractualClausesdefined above) issued by the Commissioner under ,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,2,S119A(1) Data Protection Act 2018, Version B1.0, in force 21 March 2022and available ,at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-,addendum.pdf.,1.2The terms “Controller,” “Data Subject,” “Personal Data,” “Processor,”and “Processing”have the ,meanings given to them in Applicable Data Protection Law(s).
If and to the extent that Applicable Data ,Protection Law(s) doesnot define such terms, then the definitionsgiven in GDPRwill apply.,1.3All terms not defined herein will have the same meaning as set forth in the Agreementor the Applicable ,Data Protection Laws.,2.Roleand Scopeof Processing,2.1Scope.
This DPAwill apply only to the extent that Discovery EducationProcessesSubscriber Data, on ,behalf of Subscriber, to which Applicable Data Protection Lawsapply.,2.2Details of Processing.
The details ofDiscovery Education’s Processing of SubscriberDataaredescribed ,in Schedule 1 to this DPA.
,2.3Discovery Educationas a Processor.
The parties acknowledge and agree that regarding the Processing ,of Subscriber Data, Discovery Educationis a Processor.
Discovery Educationwill Process Subscriber ,Data in accordance with Subscriber’s instructions as set forth in Section3 (Subscriber Instructions).,2.4Discovery Educationas a Controller of Account Data.
The parties acknowledge that, regarding the ,Processing of Account Data, Subscriberis a controller and Discovery Educationis an independent ,controller, not a joint controller with Subscriber.
Discovery Educationwill ProcessAccount Data as a ,controller (a) in order to manage the relationship with Subscriber.
(b) carry out Discovery Education’s ,core business operations.
(c) in order to detect, prevent, or investigate security incidents, fraud, and other ,abuse or misuse of the Services.
(d) identity verification.
(e) to comply with Discovery Education’s legal ,or regulatory obligations.
and (f) as otherwise permitted under Applicable Data Protection Lawsand in ,accordance with the Agreement.,3.Processing of Subscriber Data,3.1Subscriber Instructions.
Subscriber appoints Discovery Education as a Processor to Process Subscriber ,Data on behalf of, and in accordance with, Subscriber’s instructions (a) as set forth in the Agreementand ,as otherwise necessary to provide the Services to Subscriber (which may include investigating security ,incidents, and detecting and preventing exploits or abuse).
(b) as necessary to comply with applicable ,legal or regulatory obligations, including Applicable Data Protection Laws.
and (c) as otherwise agreed ,in writing between the parties.
,3.2Lawfulness of Instructions.
Subscriber will ensure that its instructions comply with Applicable Data ,Protection Laws.
Subscriber acknowledges that Discovery Education is neither responsible for ,determining which laws or regulations are applicable to Subscriber’s business nor whether Discovery ,Education’s provision of the Services meets or will meet the requirements of such laws or regulations.
,Subscriber will ensure that Discovery Education’s Processing of Subscriber Data, when done in ,accordance with Subscriber’s instructions, willnot cause Discovery Educationto violate any applicable ,law or regulation, including Applicable Data Protection Laws.
Discovery Educationwill inform ,Subscriber if it becomes aware, or reasonably believes, that Subscriber’s instructions violate any ,applicable law or regulation, including Applicable Data Protection Laws.,3.3Subscriber shall, in its use of the Services, Process PersonalData in accordance with the requirements of ,Applicable Data Protection Laws, including any applicable requirement to provide notice to Data ,Subjects of the use of Discovery Education as Processor.,3.4Discovery Education shall:,3.4.1comply with Applicable Data Protection Lawsin the Processing of Subscriber Data;,3.4.2use Subscriber Dataonly for the purpose of fulfilling itsrespective duties and providing the ,Servicesunder theAgreement;and,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,3,3.4.3nototherwiseProcess Subscriber Dataother than onSubscriber’s documented instructions,unless Processing is required by Applicable Data Protection Lawsto which Discovery ,Educationis subject, in which case Discovery Educationshall to the extent permitted by ,Applicable Data Protection Lawsinform Subscriberof that legal requirement before the ,relevant Processing of that SubscriberData.
,3.5Subscriberinstructs Discovery Education(and authorizes Discovery Educationto instruct each Sub-,processor) toProcess Subscriber Data.
and in particular, transfer Subscriber Data to any country or ,territory, as reasonably necessary for the provision of the Services and consistent with the Agreement.,4.Discovery Education Personnel,4.1Confidentiality.
Discovery Educationshallensure that its personnel engaged in the Processing of ,Subscriber Data are informed of the confidential nature of Subscriber Data, have received appropriate ,training on their responsibilities, and have executed written confidentiality agreements.,4.2Reliability.
Discovery Education shall take commercially reasonable steps to ensure the reliability of its ,personnel engaged in Processing SubscriberData.,5.Security,5.1Discovery Educationshallmaintainappropriate technical and organizational measures to protect,Subscriber Data.Subscriber acknowledges that the technical and organizational measures are subject to ,technical progress and development and that Discovery Education may update or modify the technical ,and organizational measures from time to time, provided that such updates and modificationsdo not,materially decrease the overall security ofthe Services.,6.Sub-processors,6.1Appointment ofSub-processors.Subscriber acknowledges and agrees that Discovery Education’s ,Affiliatesmay be retained as Sub-processors, and Discovery Education and its Affiliatesmay engage ,Sub-processors in connection withthe provision of the Services.,6.2Sub-processor List.Discovery Education’scurrent list of Sub-processors engaged in Processing ,Personal Data for the performance of the Services is available on Discovery Education’s Sub-processor ,webpageavailable at https://www.discoveryeducation.co.uk/subprocessor/.Subscriber consents to ,Discovery Education’s use of these Sub-processors.
,6.3Notice.Discovery Education willgiveSubscriber prior written notice ofthe appointment of any new ,Sub-processor.Subscribermay objectto Discovery Education’s appointment of any new Sub-processor ,in writingby email to ukprivacy@discoveryed.comwithin 10 business days of receipt of notice if ,Subscriber hasreasonable concerns related to such Sub-processor’s ability to comply with Applicable ,Data Protection Laws.
UponSubscriber’sobjection,the parties shall work together in good faith to ,address Subscriber’s concerns.
If the parties are unable to reach a resolution, Subscriber may terminate ,the applicable Order Form(s) with respect to onlythose Services that cannot be provided by Discovery ,Education withoutthe use of the objected-tonewSub-processor by providing written notice to Discovery ,Education.In such case,Discovery Education will refund Subscriber a pro-rated amount to reflect any ,prepaid fees that cover the remainder of the term of such Order Form(s) following the effective date of ,termination with respect to such terminated Services.,6.4Discovery Educationwillenter into a written agreement with each Sub-processorimposingdata ,protection termsthatrequire theSub-processor to protect Subscriber Data to the standard required by ,Applicable Data Protection Laws.,7.Data Subject Rights,Taking into account the nature of the Processing, Discovery Educationwill provide reasonable and timely ,assistance (at Subscriber’s expense) to enable Subscriber to respond to any request from a Data Subject ,to exercise any of its rights under Applicable Data Protection Laws.Discovery Education shall notify ,Subscriber about any request it has received directly from a Data Subject without obligation to handle it ,(unless otherwise agreedor required to do so in order to comply with applicable laws).
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,4,8.Government Access Requests,If Discovery Education receives a legally binding request to access Subscriber Data from a law ,enforcement authority or regulator, Discovery Educationshall, unless otherwise legally prohibited, give ,reasonable notice to Subscriber,including a summary of the nature of the request, to allow Subscriber to ,seek a protective order or other appropriate remedy.
To the extent Discovery Education is prohibited by ,law from providing such notification, Discovery Education shall use commercially reasonable efforts to ,obtain a waiver of the prohibition to enable Discovery Education to communicate as much information,as possible, as soon as possible.
Discovery Education will attempt to redirect the law enforcement agency,or regulatorto request that data directly from Subscriber.As part of this effort, Discovery Education may ,provide Subscriber’s contact information to the law enforcement agencyor regulator.
Discovery ,Education shall not disclose the Subscriber Data requested until required to do so under the applicable ,procedural rules.
Discovery Education agrees it will provide the minimum amount of information ,permissible when responding to a request for disclosure, based on a reasonable interpretation of the ,request.
Discovery Education shall promptly notify Subscriber if Discovery Education becomes aware,of any direct access by a law enforcement authority or regulator to SubscriberData and provide ,information available to Discovery Educationin this respect, to the extent permitted by law.
For the ,avoidance of doubt, this DPA shall not require Discovery Educationto pursue action or inaction that ,could result in civil or criminal penalty for Discovery Education such as contempt of court.
,9.Personal Data Breach,9.1Discovery Educationshall notify Subscriberwithout undue delay upon Discovery Educationbecoming,aware of aPersonal Data Breachaffecting Subscriber Data.,9.2In the event of a Personal Data Breach, Discovery Educationis not authorized to notify a data protection ,or other authority, the Data Subjects concerned, or any other third parties unless Discovery Educationis ,required to do so under Applicable Data Protection Laws.
In such event, Discovery Educationshall, to ,the extent permitted under Applicable Data Protection Laws, liaise and coordinate with Subscriberprior ,to making a notification.,10.Data Protection Impact Assessment and Prior Consultation,Discovery Education shallprovide reasonable assistance to Subscriber with any data protection impact ,assessments and prior consultations withsupervisoryauthoritiesor other regulatory entities which ,Subscriber reasonably considers to be required of Subscriber by anyApplicable Data Protection Laws, ,in each case solely in relation to Processing of Subscriber Data by,and taking into account the nature of ,the Processing and information available to, Discovery Education.,11.Deletion or Return of Subscriber Data,At the choice of Subscriber, Discovery Educationwilldeleteor return all Subscriber Data(including ,copies) Processed on behalf of Subscriber.
providedthatDiscovery Education may anonymize ,Subscriber Data so that it is no longer personally identifiable and may retain the resulting anonymized ,data.This requirement does not apply to the extent Discovery Education is required by applicable law to ,retain some or all of the Subscriber Data, or to Subscriber Data it has archived on back-up systems, which ,Subscriber Data Discovery Education will securely isolate and protect from any further Processing.
,12.Audit,12.1Subject to subsections 12.2to 12.4, upon request, Discovery Educationwillmake available to Subscriber,all information necessary to demonstrate compliance with this DPA,andshallallow for and contribute ,to audits, including inspections, by Subscriberor an auditor mandated by Subscriberin relation to the ,Processing of the Subscriber Databy Discovery Education.Any audit performed pursuant to this Section,will be conducted under a non-disclosure agreement and any information or report derived from such ,audit will be deemed Discovery Education’s C onfidential Information.
Subscriber cannot exercise this ,right more than once per calendar year.,12.2Upon Subscriber’s request to perform an inspection or audit in accordance with subsection12.1,to the ,extent permitted by the Applicable Data Protection Laws, Discovery Educationmay elect to retain a ,qualified and independent assessor to perform such inspection oraudit, using an appropriate and accepted ,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,5,control standard or framework and assessment procedure for such assessments.
On the condition that ,Subscriber has entered into an applicable non-disclosure agreement with Discovery Education, ,Discovery Educationmaysupply(on a confidential basis) a summary copy of its audit report to ,Subscriber.
and provide written responses (on a confidential basis) to all reasonable requests for ,information made by Subscriber related to its Processing of Subscriber Data, including responses to ,information security and audit questionnaires, that are necessary to confirm Discovery Education’s ,compliance with this DPA.
,12.3Subscriber willgive Discovery Education reasonable notice of any audit or inspection to be conducted ,under subsection12.1 and shall make (and ensure that each of its mandated auditors makes) reasonable ,efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Discovery ,Education’s and/or any Sub-processor’spremises, equipment, personnel, and business while its ,personnel are on those premises in the course of such an audit or inspection.
Discovery Education and ,any Sub-processor(s) need not give access to its premises for the purposes of such an audit or inspection:,12.3.1to any individual unless theyproduce reasonable evidence of identity and authority;,12.3.2outside normal business hours at those premises, unless the audit or inspection needs to be ,conducted on an emergency basis and Subscriber has given notice to Discovery Education ,that this is the case before attendance outside those hours begins.
or,12.3.3for the purposes of more than one audit or inspection of Discovery Education or any Sub-,processor in any calendar year, except for any additional audits or inspections which:,12.3.3.1Subscriber reasonably considers necessary because of genuine concerns as to ,Discovery Education’s compliance with this DPA.
or,12.3.3.2Subscriber is required or requested to carry out by the Applicable Data ,Protection Laws, a Supervisory Authority, or any similar regulatory authority ,responsible for the enforcement of the Applicable Data Protection Lawsin ,any country or territory,,where Subscriber has identified its concerns or the relevant requirement or request in its ,notice to Discovery Education of the audit or inspection.,12.4Each party shall bear its own costs with respect to any auditand/or inspection.,13.Transfer Mechanisms for Restricted Transfers,13.1EEA Restricted Transfers.The Parties acknowledge and agree that to the extent a Party undertakes an ,EEA Restricted Transfer, the Parties shall ProcessSubscriber Datawhich is subject to the EEA Restricted ,Transfer in accordance with the Standard Contractual Clauses, appended hereto as Schedule 2.,13.2UK Restricted Transfers.The Parties acknowledge and agree that to the extent a Party undertakes a ,UK Restricted Transfer, the parties shall Process Subscriber Datawhich is subject to the UK Restricted ,Transfer in accordance with the UK Addendum, appended hereto as Schedule 3.,13.3Modules Applicable.The Parties acknowledge and agree that:,13.3.1Module 1.
Whereeither Party and/or its Authorized Affiliate (acting as a controller) ,undertakes a Restricted Transfer to the other Party (also acting as a controller), then the ,Parties shall comply with Module 1 of the Standard Contractual Clauses.,13.3.2Module 2.
Where Subscriberand/or its Authorized Affiliate is a Controller and a data ,exporter,and Discovery Education is a Processor and data importer in respect of that ,Subscriber Data, then the Parties shall comply with Module 2 of the Standard Contractual ,Clauses.
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,6,14.General Terms,14.1Governing law andjurisdiction.This DPAis governed by the laws of the jurisdiction agreed to by the ,Parties as governing the Agreement.Notwithstanding the foregoing, the provisions set out in the Standard ,Contractual Clauses and the UK Addendumshallbe governed by, and subject to the jurisdiction of, the ,relevant law and courts as set forth in the Standard Contractual Clauses and the UK Addendumas ,applicable.This DPA is in addition to therights related to privacy or data security set forth in the ,Agreement.,14.2Order of precedence.To the extent: (i) the terms contained in this DPAconflict with those contained ,in the Agreement, the terms in this DPAshall govern and control to the extent such conflict relates to the ,Processing of SubscriberData.
and (ii) the terms contained in the UK Addendum conflict with those in ,the Standard Contractual Clauses, the terms in the UK Addendum shall prevail in accordance with the ,Hierarchy provisions thereinto the extent the conflict relates to a UK Restricted Transfer.,14.3Obligations of confidentiality of SubscriberData Processed pursuant to this DPAshall survive ,termination of the Agreement.,14.4Except to the extent set out in subsection14.5, it is the express intent of the Parties that any person who ,is not a party to this DPA has no right, as third party beneficiary, under local legal principle or law, to ,enforce any term of this DPA, and accordingly nothing contained in this DPA will entitle any person ,(including, data subjects) other than the parties to this DPA, to any claim, cause of action, remedy or ,right of any kind whatsoever.,14.5The Parties agree that a data subject may enforce the terms of the Standard Contractual Clauses and the ,UK Addendum (as applicable) as provided therein.,14.6Amendment.
This DPAmay only be amended by a specific amendment to this DPAsigned by both ,Parties hereto.Notwithstanding the foregoing, the Parties acknowledge that should the European ,Commission, or UK Government publishnew standard contractual clauses or similar (or amendments to ,the existing Standard Contractual Clauses and/or UK Addendum) to address Restricted Transfers, and ,where the Partiesdetermine such new or amended clauses are required to address the Restricted,Transfers, such new or amended clauses will replace the Standard Contractual Clauses and/or UK ,Addendum attached to this DPAupon either Party’s notification to other Partythereof.
All Restricted ,Transfers will be thereafter made pursuant to such new or amended clauses.,14.7Indemnification.
Each of the parties (“Indemnifying Party”) agrees to indemnify and hold harmless ,the other party and its officers, employees, directors, and agents (“Indemnified Party”) from, and at the ,Indemnifying Party’s option defend against, any and all third-party claims, losses, liabilities, damages, ,costs, and expenses (including attorneys’ fees, consultants’ fees, and court costs) (collectively, “Claims”) ,arising out of the Indemnifying Party’s (i) violation of an Applicable Data Protection Law.
or (ii) breach ,of any provision of this DPA.,14.8Term.
This DPA, including the Standard Contractual Clauses and the UK Addendum (where applicable), ,will terminate simultaneously and automatically upon deletion by Discovery Education of Subscriber ,Data Processed on behalf of Subscriber, in accordance with Section 11 of this DPA.,14.9Changes.Discovery Education reserves the right to change the terms of this DPAfrom time to time.
,Such changes will become effective when Discovery Education posts the revised DPAon the Discovery ,Education website.
Subscriber and Users should check the DPAfrom time to time, as they are bound by ,the DPAposted on Discovery Education’s website at the time of access.
The Parties agree that this DPA ,replaces and supersedes any existing DPA the parties may have previously entered into in connection ,with the Services.
The current DPA is available at https://www.discoveryeducation.co.uk/data-,processing-addendum/.,14.10Failure by any Party to enforce any of its rights under this DPAshall not be taken as or deemed to be a ,waiver of such right.,14.11If any part, term or provision under this DPAis held to be illegal or unenforceable, the validity or ,enforceability of the remainder of this DPAwill not be affected.
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,7,14.12Execution of this DPAby either Party shall be deemed acceptance and execution by that Party of the ,Schedules, which are duly incorporated into this DPA.,IN WITNESS WHEREOF, this DPAis entered into and becomes a binding part of the Agreement.,Discovery Education Subscriber,__________________________________________________________________,SignatureSignature,__________________________________________________________________,NameName,__________________________________________________________________,TitleTitle,__________________________________________________________________,DateDate,Howard Lewis,Managing Director,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,May 9, 2023,8,Schedule 1,Description of Processing/Transfer,1.List of Parties,Dataexporter(s):,Name:The entity identified as Subscriberin the applicable Order Form.,Address:The address for the Subscriber associated with its Discovery Education account.,Contactperson’sname,positionandcontactdetails:The contact details for the Subscriber associated ,with its Discovery Education account.,Activities relevant to the data transferred under these Clauses:The transfer of SubscriberData from ,data exporter to data importer in the context of the Agreement.,Signature and date:Execution of the DPAon the Effective Date is deemed execution of these Clauses ,which are incorporated therein.,Role (controller/processor):For the purposes of Module 2, Subscriber is a Controller.,Dataimporter(s):,Name:Discovery Education Europe Limited,Address:9 Palace Yard Mews, Bath BA1 2NHUnited Kingdom,Contactperson’sname,positionandcontactdetails:Legal Department ukprivacy@discoveryed.com,Activities relevant to the datatransferred under these Clauses: Discovery Education is a provider ,of digital educational services which Processes and transfers SubscriberData at the instructions of the ,data exporter in accordance with the terms of the Agreement.
,Signature and date:Execution of the DPA on the Effective Date is deemed execution of these Clauses ,which are incorporated therein.,Role(controller/processor):For the purposes of Module 2, Discovery Education is a Processor.,2.Description of Processing/Transfer,Categories of data subjects whose personal data is transferred,•Employees, contractors,and agents of Subscriber,•Subscriber’s users authorized by Subscriber to use the Services (including administrators, educators, ,pupils),•Parents or legal guardians of pupils,Categories of personal data transferred,•Employees, contractors, and agentsof Subscriber:first name, last name, business contact information ,(local authority, school, school address, job title, phone number and email address),•Subscriber’s users authorized by Subscriber to use the Services (Pupils)(where applicable):first name, ,middle initial, last name, username (logon ID), password, month and year of birth (DoodleLearning pupil ,users only), contact information (email address), ID data (pupil ID, class ID), school, pupil key stage and ,class, product usage data, device and connection data, including, but not limited to, IP addresses, ,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,9,persistent identifiers, log files, browsing history, search history, and information regarding interaction ,with the Discovery Education Services.,•Subscriber’s users authorized by Subscriber to use the Services (AdministratorsandEducators) (where ,applicable):first name, middle initial, last name, username (logon ID), password, month and year of ,birth (Doodle Learning pupil users only), contact information (school, district, email address, business ,address, school postcode), ID data (teacher ID, class ID), teacher trade association membership number ,(such as NAHT membership number), if relevant for a special offer, teacher key stage and class(es), ,product usage data, device and connection data, including, but not limited to, IP addresses, persistent ,identifiers, log files, browsing history, search history, and information regarding interaction with the ,Discovery Education Services,•Parents or legal guardians of pupils(where applicable):first name, last name, username (logon ID), ,password, contact information (email address, phone number, and optionally home address, where ,physical resources are required to be distributed or to process payment information), product usage data, ,device and connection data, including, but not limited to, IP addresses, persistent identifiers, log files, ,browsing history, search history, and information regarding interaction with awebsite or the Discovery ,Education Services,Sensitive data transferred (if applicable),Except in the limited circumstances where teachers may be asked to provide their National Association of Head ,Teachers trade union membership number to receive a discountfor certain Services, Subscriber may not submit ,special categories of Personal Data to the Services.,The frequency of the transfer (e.g.,whether the data is transferred on a one-off or continuous basis),Continuous,Natureoftheprocessing,SubscriberData will be subject to automated and manual Processing operations by the data importer as necessary ,to perform the Services under the Agreement.,Purpose(s)ofthedatatransfer andfurther processing,To perform Services under the Agreement.,Theperiodforwhichthepersonaldatawillberetained,or,ifthatisnotpossible,thecriteriausedto determine,that period,Discovery Education may retain Subscriber Data for the purposes described above for the duration of the DPA, ,and for as long as Discovery Education has a legitimate need to retain the Subscriber Data for the purposes for ,which it was collected or transferred, in accordance with Applicable Data Protection Laws.,For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing,For the subject matter, nature and duration as identified above.,3.Competent Supervisory Authority ,The supervisory authority of the EEA country where (i) the data exporter is established.
or where (ii) the EU ,representative of the data exporter is established.,4.Technical and Organisational Security Measures,Discovery Education maintains appropriate technical and organisational security measures for protection of the ,security, confidentiality and integrity of Subscriber Data, as described in the IT Security Policies applicable to the ,specific Services purchased by Subscriber, and set forth in Annex IIattached hereto.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,10,Schedule 2,Standard Contractual Clauses,(European Commission Implementing Decision (EU) 2021/914 4 June 2021),SECTION 1,Clause 1,Purposeand scope,(a)The purpose of these standard contractual clauses is to ensure compliance with therequirements of ,Regulation (EU) 2016/679 of the European Parliament and of theCouncil of 27 April 2016 on the ,protection of natural persons with regard to theprocessing of personal data and on the free movement of ,such data (General DataProtectionRegulation)for thetransfer ofpersonaldatato athirdcountry.,(b)The Parties:,(i)the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ,“entity/ies”) transferring the personal data, as listed in Annex I.A.
(hereinafter each “data ,exporter”), and,(ii)the entity/ies in a third country receiving the personal data from the data exporter, directly or ,indirectly via another entity also Party to these Clauses, as listed in Annex I.A.
(hereinafter each ,“data importer”),have agreed to these standard contractual clauses (hereinafter: “Clauses”).,(c)These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.,(d)The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these ,Clauses.,Clause 2,EffectandinvariabilityoftheClauses,(a)These Clauses set out appropriate safeguards,including enforceable data subjectrights and effective ,legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) ofRegulation (EU) 2016/679 and, with ,respect to data transfers from controllers toprocessors and/or processors to processors, standard ,contractual clauses pursuant toArticle 28(7)of Regulation (EU) 2016/679, provided theyare not ,modified, except to select the appropriate Module(s) or to add or update information in the Appendix.,This does not prevent the Parties from including the standard contractual clauses laiddown in these ,Clauses in a wider contract and/or to add other clauses or additionalsafeguards, provided that they do ,not contradict, directly or indirectly, these Clausesorprejudicethefundamental rights or freedoms of ,data subjects.,(b)These Clauses are without prejudice to obligations to which the data exporter issubject byvirtueof ,Regulation(EU)2016/679.,Clause 3,Third-partybeneficiaries,(a)Data subjects may invoke and enforce these Clauses, as third-party beneficiaries,againstthe data,exporterand/ordata importer,withthefollowingexceptions:,(i)Clause1,Clause 2,Clause 3,Clause6, C lause7;,(ii)Clause 8 -Module One: Clause 8.5 (e) and Clause 8.9(b).
Module Two: Clause8.1(b), 8.9(a), ,(c), (d) and (e).
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,11,(iii)Clause9-ModuleTwo:Clause9(a),(c),(d)and(e);,(iv)Clause12–ModuleOne:Clause12(a)and(d);ModuleTwo: Clause12(a),(d)and(f);,(v)Clause13;,(vi)Clause15.1(c), (d)and(e);,(vii)Clause16(e);,(viii)Clause18–ModulesOne and Two:Clause18(a)and(b),(b)Paragraph(a)iswithoutprejudicetorightsofdatasubjectsunderRegulation(EU)2016/679.,(c),Clause 4,Interpretation,(a)WheretheseClausesusetermsthataredefinedinRegulation(EU)2016/679,thosetermsshall have,the samemeaningas in that Regulation.,(b)TheseClausesshallbereadandinterpretedinthelightoftheprovisionsofRegulation(EU) 2016/679.,(c)TheseClausesshallnotbeinterpretedinawaythatconflictswithrightsandobligationsprovided for in ,Regulation (EU) 2016/679.,Clause 5,Hierarchy,In the event of a contradiction between these Clauses and the provisions of related agreementsbetween ,the Parties, existing at the time these Clauses are agreed or entered into thereafter,theseClausesshall ,prevail.,Clause 6,Descriptionofthetransfer(s),Thedetailsofthetransfer(s),andinparticularthecategoriesofpersonaldatathataretransferredand the,purpose(s)for which theyaretransferred,arespecifiedinAnnexI.B.,Clause 7–Optional,Dockingclause,Deliberately omitted.,SECTION 2 -OBLIGATIONSOFTHEPARTIES,Clause 8,Dataprotectionsafeguards,The data exporter warrants that it has used reasonable efforts to determine that the dataimporterisable,,throughtheimplementationofappropriatetechnicalandorganisationalmeasures,to satisfyits obligations ,under theseClauses.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,12,MODULEONE:Transfercontrollertocontroller,8.1Purposelimitation,Thedataimportershallprocessthepersonaldataonlyforthespecificpurpose(s)ofthetransfer, ,assetoutin AnnexI.B.Itmayonlyprocessthepersonaldatafor anotherpurpose:,(a)whereithasobtainedthedatasubject’sprior consent;,(b)wherenecessaryfortheestablishment,exerciseordefenceoflegalclaimsinthecontextof ,specificadministrative, regulatoryor judicialproceedings;or,(c)wherenecessaryinordertoprotectthevitalinterestsofthedatasubjectorofanothernatural,person.,8.2Transparency,(a)InordertoenabledatasubjectstoeffectivelyexercisetheirrightspursuanttoClause 10, the ,data importer shall inform them, either directly or through the dataexporter:,(i)of its identity and contact details;,(ii)ofthecategories ofpersonaldataprocessed;,(iii)ofthe right to obtainacopyof theseClauses;,(iv)where it intends to onward transfer the personal data to any third party/ies, ofthe ,recipient or categories of recipients (as appropriate with a view to providingmeaningful ,information), the purpose of such onward transfer and the groundthereforepursuant ,to Clause 8.7.,(b)Paragraph (a) shall not apply where the data subject already has the information,including when ,such information has already been provided by the data exporter, orproviding the information ,proves impossible or would involve a disproportionateeffort for the data importer.
In the latter ,case, the data importer shall, to the extentpossible,makethe information publiclyavailable.,(c)Onrequest,thePartiesshallmakeacopyoftheseClauses,includingtheAppendixas ,completed by them, available to the data subject free of charge.
To the extentnecessary to ,protect business secrets or other confidential information,includingpersonal data, the Parties ,may redact part of the text of the Appendix prior to sharingacopy,butshallprovidea,meaningfulsummary wherethedatasubjectwouldotherwise not be able to understand its ,content or exercise his/her rights.
On request,the Parties shall provide the data subject with the ,reasons for the redactions, to theextentpossible without revealingthe redacted information.,(d)Paragraphs (a) to (c) are without prejudice to the obligations of the data exporterunderArticles ,13and 14ofRegulation(EU)2016/679.,8.3Accuracyanddataminimisation,(a)Each Party shall ensure that the personal data is accurate and, where necessary, keptup to date.
,The data importer shall take every reasonable step to ensure that personaldata that is inaccurate, ,having regard to the purpose(s) of processing, is erased orrectifiedwithout delay.,(b)If one of the Parties becomes aware that the personal data it has transferred orreceived is ,inaccurate, or has become outdated, it shall inform the other Party withoutunduedelay.,(c)The data importer shall ensure that the personal data is adequate, relevant and limitedtowhat is ,necessaryin relationto the purpose(s) of processing.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,13,8.4Storagelimitation,The data importer shall retain the personal data for no longer than necessary for the purpose(s)forwhich,itisprocessed.Itshallputinplaceappropriatetechnicalororganisationalmeasures toensure compliance,withthisobligation,includingerasureoranonymisationofthedataandallback-ups at theend ofthe ,retentionperiod.,8.5Securityof processing,(a)The data importer and, during transmission, also the data exporter shall implementappropriate,technicalandorganisationalmeasurestoensurethesecurityofthepersonal data, including,protection against a breach of security leading to accidentalorunlawfuldestruction,loss,,alteration,unauthoriseddisclosureoraccess(hereinafter “personal data breach”).
In assessing ,the appropriate level of security,they shall take due account of the state of the art, the costs of ,implementation, thenature, scope, context and purpose(s) of processing and the risks involved ,in theprocessingforthedatasubject.ThePartiesshallinparticularconsiderhavingrecourse to,encryption or pseudonymisation, including during transmission, wherethepurposeof ,processingcan befulfilled in that manner.,(b)The Parties have agreed on the technical and organisational measures set out inAnnexII.
The ,data importer shall carry out regular checks toensure that thesemeasurescontinueto provide ,an appropriatelevelofsecurity.,(c)The data importer shall ensure that persons authorised to process the personal datahave ,committed themselves to confidentiality or are under an appropriate statutoryobligationof,confidentiality.,(d)In the event of a personal data breach concerning personal data processed by the dataimporter ,under these Clauses, the data importer shall take appropriate measures toaddress the personal ,data breach, including measures to mitigate its possible adverseeffects.,(e)In case of a personal data breach that is likely to result in a risk to the rights andfreedoms of ,natural persons, the data importer shall without undue delay notify boththe data exporterand ,the competent supervisory authority pursuant to Clause 13.Such notification shall contain i) a ,description of the nature of the breach (including,wherepossible,categoriesandapproximate,numberofdatasubjectsandpersonaldatarecordsconcerned),ii)itslikelyconsequences,iii),themeasurestakenorproposedtoaddressthebreach,andiv)thedetailsofacontactpoint,fromwhom more informationcanbe obtained.Tothe extentitisnotpossible for the data,importer to provide all the information at the same time, it may do so in phaseswithoutundue,furtherdelay.,(f)In case of a personal data breach that is likely to result in a high risk to the rights andfreedoms ,ofnatural persons, the data importer shall also notify without undue delaythe data subjects ,concerned of the personal data breach and its nature, if necessary incooperationwiththedata,exporter,togetherwiththeinformationreferredtoinparagraph (e), points ii) to iv), unless the ,data importer has implemented measures tosignificantlyreducetherisktotherightsor,freedomsofnaturalpersons,ornotificationwouldinvolvedisproportionateefforts.Inthelatter,case,thedataimporter shall instead issue a public communication or take a similar measure to,informthepublicof the personal databreach.,(g)Thedataimportershalldocumentallrelevantfactsrelatingtothepersonaldatabreach,,includingitseffects andanyremedialaction taken,andkeeparecordthereof.,8.6Sensitivedata,Where the transfer involves personal data revealing racial or ethnic origin, political opinions,religious ,or philosophical beliefs, or trade union membership, genetic data, or biometric datafor the purpose of ,uniquely identifying a natural person, data concerning health or a person’ssex life or sexual orientation, ,or data relating to criminal convictions or offences (hereinafter“sensitivedata”),thedataimportershall,applyspecificrestrictionsand/oradditionalsafeguards adapted to the specific nature of the data and the ,risks involved.
This may includerestricting the personnel permitted to access the personal data, ,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,14,additional security measures(suchaspseudonymisation)and/oradditionalrestrictionswithrespectto,furtherdisclosure.,8.7Onwardtransfers,The data importer shall not disclose the personal data to a third party located outside theEuropean Union,(in thesame country asthe data importer or inanother third country,hereinafter “onward transfer”) ,unless the third party is or agrees to be bound by these Clauses,under the appropriate Module.
Otherwise, ,an onward transfer by the data importer may onlytakeplaceif:,(a)it is to a country benefitting from an adequacy decision pursuant to Article 45ofRegulation ,(EU)2016/679 that coverstheonward transfer;,(b)the third party otherwise ensures appropriate safeguards pursuant to Articles 46or47 of,Regulation (EU) 2016/679 withrespect tothe processingin question;,(c)the third party enters into a binding instrument with the data importer ensuringthe same level ,of data protection as under these Clauses, and the data importerprovidesacopyof these,safeguards to the dataexporter;,(d)it is necessary for the establishment, exercise or defence of legal claims in thecontextof specific,administrative, regulatoryorjudicial proceedings;,(e)it is necessary in order to protect the vital interests of the data subject or ofanothernatural ,person.
or,(f)wherenone of the other conditions apply, the data importer has obtained theexplicitconsentof,thedatasubjectforanonwardtransferinaspecificsituation, after having informed him/her of ,its purpose(s), the identity of therecipient and the possible risks of such transfer to him/her due ,to the lack ofappropriate data protection safeguards.
In this case, the data importer shallinform ,the data exporter and, at the request of the latter, shall transmit to it acopyof theinformation ,provided to thedata subject.,Anyonwardtransferissubjecttocompliancebythedataimporterwithalltheothersafeguardsunder ,theseClauses, in particular purpose limitation.,8.8Processingundertheauthorityofthedataimporter,Thedataimportershallensurethatanypersonactingunderitsauthority,includingaprocessor,,processes thedata onlyon its instructions.,8.9Documentationandcompliance,(a)Each Party shall be able to demonstrate compliance with its obligations under theseClauses.
In ,particular, the data importer shall keep appropriate documentation of theprocessingactivities ,carried out underitsresponsibility.,(b)Thedataimportershallmakesuchdocumentationavailabletothecompetentsupervisory,authorityonrequest.,MODULETWO:Transfercontrollertoprocessor,8.1Instructions,(a)The data importer shall process the personal data only on documented instructionsfrom the data exporter.
,The data exporter may give such instructions throughout thedurationofthe contract.,(b)The data importer shall immediately inform the data exporter if it is unable to followthoseinstructions.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,15,8.2Purposelimitation,The data importer shall process the personal data only for the specific purpose(s) of thetransfer, asset ,outinAnnexI.B,unlesson further instructionsfrom thedataexporter.,8.3Transparency,On request, the data exporter shall make a copy of these Clauses, including the Appendix ascompleted ,by the Parties, available to the data subject free of charge.
To the extent necessaryto protect business ,secrets or other confidential information, including the measures describedin Annex II and personal data, ,the data exporter may redact part of the text of the Appendix tothese Clauses prior to sharing a copy, but ,shall provide a meaningful summary where the datasubject would otherwise not be able to understand ,the its content or exercise his/her rights.
Onrequest, the Parties shall provide the data subject with the ,reasons for the redactions, to theextent possible without revealing the redacted information.
This Clause ,is without prejudice totheobligationsof thedataexporter under Articles 13 and14ofRegulation(EU),2016/679.,8.4Accuracy,If the data importer becomes aware that the personal data it has received is inaccurate, or hasbecome ,outdated, it shall inform the data exporter without undue delay.
In this case, the dataimportershall ,cooperatewith thedata exporter toeraseor rectifythe data.,8.5Durationof processinganderasureorreturnof data,Processing by the data importer shall only take place for the duration specified in Annex I.B.After the ,end of the provision of the processing services, the data importer shall, at the choiceof the data exporter, ,delete all personal data processed on behalf of the data exporter andcertify to the data exporter that it ,has done so, or return to the data exporter all personal dataprocessedonitsbehalfanddeleteexisting,copies.Untilthedataisdeletedorreturned,thedata importer shall continue to ensure compliance with ,these Clauses.
In case of local lawsapplicable to the data importer that prohibit return or deletion of the ,personal data, the dataimporter warrants that it will continue to ensure compliance with these Clauses ,and will onlyprocess it tothe extent and for as long as required under that local law.
This is without,prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e)to notify ,the data exporter throughout the duration of the contract if it has reason to believethat it is or has become ,subject to laws or practices not in line with the requirements underClause14(a).,8.6Securityofprocessing,(a)The data importer and, during transmission, also the data exporter shall implementappropriate technical ,and organisational measures to ensure the security of the data,including protection against a breach of ,security leading to accidental or unlawfuldestruction, loss, alteration, unauthorised disclosure or access ,to that data (hereinafter“personaldata breach”).In assessing theappropriate levelof security, the Parties,shall take due account of the state of the art, the costs of implementation, the nature,scope, context and ,purpose(s) of processing and the risks involved in the processingfor the data subjects.
The Parties shall ,in particular consider having recourse toencryption or pseudonymisation, including during transmission, ,where the purpose ofprocessingcanbefulfilledinthatmanner.Incaseofpseudonymisation,the,additionalinformationforattributingthepersonaldatatoaspecificdatasubjectshall, where ,possible, remain under the exclusive control of the data exporter.
Incomplying with its obligations under ,this paragraph, the data importer shall at leastimplement the technical and organisational measures ,specified in Annex II.
The dataimporter shall carry out regular checks to ensure that these measures ,continue toprovidean appropriatelevel of security.,(b)The data importer shall grant access to the personal data to members of its personnelonlytotheextent,strictlynecessaryfortheimplementation,managementandmonitoring of the contract.
It shall ensure ,that persons authorised to process thepersonaldatahavecommittedthemselvestoconfidentialityorare,underanappropriatestatutoryobligation ofconfidentiality.,(c)In the event of a personal data breach concerning personal data processed by the dataimporter under these ,Clauses, the data importer shall take appropriate measures toaddressthe breach,including measuresto,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,16,mitigate itsadverseeffects.The dataimporter shall also notify the data exporter without undue delay ,after having becomeaware of the breach.
Such notification shall contain the details of a contact point,where more information can be obtained, a description of the nature of the breach(including, where ,possible, categories and approximate number of data subjects andpersonal data records concerned), its ,likely consequences and the measures taken orproposed to address the breach including, where ,appropriate, measures to mitigate itspossibleadverseeffects.Where,andinsofaras,itisnot,possibletoprovideall informationatthe same time, the initialnotification shall contain the information,then available and further information shall, as it becomes available, subsequently beprovidedwithout ,undue delay.,(d)The data importer shall cooperate with and assist the data exporter to enable the dataexportertocomply,withitsobligationsunderRegulation(EU)2016/679,inparticulartonotifythecompetentsupervisory,authorityandtheaffecteddatasubjects, taking into account the nature of processing and the information ,available tothedata importer.,8.7Sensitivedata,Where the transfer involves personal data revealing racial or ethnic origin, political opinions,religious ,or philosophical beliefs, or trade union membership, genetic data, or biometric datafor the purpose of ,uniquely identifying a natural person, data concerning health or a person’ssex life or sexual orientation, ,or data relating to criminal convictions and offences (hereinafter“sensitive data”), the data importer shall ,apply the specificrestrictions and/or additionalsafeguardsdescribed inAnnexI.B.,8.8Onwardtransfers,Thedataimportershallonly disclosethepersonaldatatoathirdparty ondocumentedinstructions from ,the data exporter.
In addition, the data may only be disclosed to a third partylocated outside the European ,Union (in the same country as the data importer or in anotherthird country, hereinafter “onward transfer”) ,if the third party isor agrees tobe bound bytheseClauses, under the appropriate Module, or if:,(i)theonwardtransferistoacountry benefittingfromanadequacy decisionpursuant to Article 45 ,of Regulation (EU) 2016/679 that covers the onwardtransfer;,(ii)the third party otherwise ensures appropriate safeguards pursuant to Articles 46or47 Regulation ,of(EU) 2016/679 with respecttothe processingin question;,(iii)the onward transfer is necessary for the establishment, exercise or defence oflegal claims in the ,context of specific administrative, regulatory or judicialproceedings;or,(iv)the onward transfer is necessary in order to protect the vital interests of the datasubjector of,another natural person.,Anyonwardtransferissubjecttocompliancebythedataimporterwithalltheothersafeguardsunder ,theseClauses, in particular purpose limitation.,8.9Documentation and compliance,(a)The data importer shall promptly and adequately deal with enquiries from the dataexporterthat relateto ,theprocessingunder theseClauses.,(b)The Parties shall be able to demonstrate compliance with these Clauses.
In particular,the data importer ,shall keep appropriate documentation on the processing activitiescarriedout on behalf of thedata ,exporter.,(c)The data importer shall make available to the data exporter all information necessaryto demonstrate ,compliance with the obligations set out in these Clauses and at thedata exporter’s request, allow for and ,contribute to audits of the processing activitiescovered by these Clauses, at reasonable intervals or if ,there are indications of non-compliance.
In deciding on a review or audit, the data exporter may take ,into accountrelevantcertifications held bythe data importer.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,17,(d)Thedataexportermaychoosetoconducttheauditbyitselformandateanindependent auditor.
Audits ,may include inspections at the premises or physicalfacilitiesofthedataimporterandshall,where,appropriate,becarriedoutwithreasonablenotice.,(e)ThePartiesshallmaketheinformationreferredtoinparagraphs(b)and(c),including the results of any ,audits, available to the competent supervisory authorityonrequest.,Clause 8,Useofsub-processors,MODULETWO:Transfercontrollertoprocessor,(a)The data importer has thedata exporter’s general authorisation for the engagement of sub-processor(s) ,from anagreed list.
The data importer shall specifically inform the data exporter in writingofany,intendedchangestothatlistthroughtheadditionorreplacementofsub-processors at least thirty (30) ,daysin advance, thereby giving the data exportersufficient time to be able to object to such changes ,prior to the engagement of thesub-processor(s).Thedataimportershallprovidethedataexporterwith,theinformationnecessarytoenablethedata exporter toexercise its right toobject.,(b)Where the data importer engages a sub-processor to carry out specific processingactivities (on behalf of ,the data exporter), it shall do so by way of a written contractthat provides for, in substance, the same ,data protection obligations as those bindingthe data importer under these Clauses, including in terms of ,third-party beneficiaryrights fordata subjects.
The Parties agree that, by complying with this Clause, the,data importer fulfils its obligations under Clause 8.8.
The data importer shall ensurethat the sub-,processor complies with the obligations to which the data importer issubjectpursuant to these Clauses.,(c)The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement ,and any subsequent amendments to the data exporter.
To theextentnecessarytoprotectbusinesssecrets,orotherconfidentialinformation,including personal data, the data importer may redact the text of the ,agreement priortosharing acopy.,(d)Thedataimportershallremainfullyresponsibletothedataexporterfortheperformanceofthesub-,processor’sobligationsunderitscontractwiththedataimporter.
The data importer shall notify the data ,exporter of any failure by the sub-processorto fulfil its obligations under thatcontract.,(e)The data importer shall agree a third-party beneficiary clause with the sub-processorwhereby-inthe,eventthedataimporterhasfactuallydisappeared,ceasedtoexistin law or has become insolvent -the ,data exporter shall have the right to terminate thesub-processorcontractandtoinstructthesub-processor,toeraseorreturnthepersonaldata.,Clause 9,Data subject rights ,MODULEONE:Transfercontrollertocontroller,(a)The data importer, where relevant with the assistance of the data exporter, shall dealwithanyenquiries,andrequestsitreceivesfromadatasubjectrelatingtotheprocessing of his/her personal data and the ,exercise of his/her rights under theseClauses without undue delay and at the latest within one month of ,the receipt of theenquiry or request.
The data importer shall take appropriate measures to facilitatesuch ,enquiries, requests and the exercise of data subject rights.
Any informationprovided to the data subject ,shall be in an intelligible and easily accessible form,usingclear and plain language.,(b)Inparticular,uponrequest bythedata subjectthe data importershall,freeofcharge:,(i)provide confirmation to the data subject as to whether personal data concerninghim/her is being ,processed and, where this is the case, a copy of the datarelating to him/her and the information ,in Annex I.
if personal data has been orwill be onward transferred, provide information on ,recipients or categories ofrecipients (as appropriate with a view to providing meaningful ,information) towhich the personal data has been or will be onward transferred, the purpose of,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,18,such onward transfers and their ground pursuant to Clause 8.7.
and provideinformation on the ,right to lodge a complaint with a supervisory authority inaccordancewith Clause 12(c)(i);,(ii)rectifyinaccurateorincompletedata concerningthedatasubject;,(iii)erase personal data concerning the data subject if such data is being or has beenprocessed in ,violation of any of these Clauses ensuring third-party beneficiaryrights, or if the data subject ,withdraws the consent on which the processing isbased.,(c)Where the data importer processes the personal data for direct marketing purposes, itshallcease,processingfor such purposesifthe datasubject objects toit.,(d)Thedataimportershallnotmakeadecisionbasedsolelyontheautomatedprocessing of the personal ,data transferred (hereinafter “automated decision”), whichwould produce legal effects concerning the ,data subject or similarly significantlyaffect him / her, unless with the explicit consent of the data subject ,or if authorised todo so under the laws of the country of destination, provided that such laws lays down,suitable measures to safeguard the data subject’s rights and legitimate interests.Inthiscase,the data,importer shall,where necessary incooperationwiththe dataexporter:,(i)inform the data subject about the envisaged automated decision, the envisagedconsequences,andthe logic involved.
and,(ii)implement suitable safeguards, at least by enabling the data subject to contestthedecision,,expresshis/herpointofviewandobtainreviewbyahumanbeing.,(e)Where requests from adata subject are excessive, in particular because of theirrepetitive character, the ,data importer may either charge a reasonable fee taking intoaccounttheadministrativecostsofgranting,therequestorrefusetoactontherequest.,(f)The data importer may refuse a data subject’s request if such refusal is allowed underthelawsofthe,countryofdestinationandisnecessaryandproportionateinademocraticsocietytoprotectoneofthe,objectiveslistedinArticle23(1)ofRegulation(EU) 2016/679.,(g)If the data importer intends to refuse a data subject’s request, it shall inform the datasubject of the reasons ,for the refusal and the possibility of lodging a complaint withthecompetent supervisoryauthorityand/or ,seekingjudicial redress.,MODULETWO:Transfercontrollertoprocessor,(a)Thedataimportershallpromptly notify thedataexporterofany requestithasreceived from a data ,subject.
It shall not respond to that request itself unless it hasbeenauthorised to do sobythe data exporter.,(b)The data importer shall assist the data exporter in fulfilling its obligations to respondto data subjects’ ,requests for the exercise of their rights under Regulation (EU)2016/679.Inthisregard,thePartiesshall,setoutinAnnexIItheappropriatetechnicalandorganisationalmeasures,takingintoaccountthenature,oftheprocessing, by which the assistance shall be provided, as well as the scope and theextentofthe ,assistancerequired.,(c)In fulfilling its obligations under paragraphs (a) and (b), the data importer shallcomplywith the,instructions from thedataexporter.,Clause 10,Redress,(a)The data importer shall inform data subjects in a transparent and easily accessibleformat, through ,individual notice or on its website, of a contact point authorised tohandle complaints.
It shall deal ,promptly with any complaints it receives from a datasubject.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,19,MODULE ONE: Transfer controller to controller,MODULE TWO: Transfer controller to processor,(b)IncaseofadisputebetweenadatasubjectandoneofthePartiesasregardscompliance with these ,Clauses, that Party shall use its best efforts to resolve the issueamicably in a timely fashion.
The Parties ,shall keep each other informed about suchdisputesand, whereappropriate, cooperate in resolvingthem.,(c)Where the data subject invokes a third-party beneficiary right pursuant to Clause 3,thedata importer ,shall accept thedecisionofthe data subject to:,(i)lodge a complaint with the supervisory authority in the Member State of his/herhabitual ,residence or place of work, or the competent supervisory authoritypursuantto Clause 13;,(i)referthedisputeto the competentcourts withinthe meaningofClause18.,(d)The Parties accept that the data subject may be represented by a not-for-profit body,organisation or ,association under the conditions set out in Article 80(1) of Regulation(EU)2016/679.,(e)The data importer shall abide by a decision that is binding under the applicable EU orMemberState law.,(f)The data importer agrees that the choice made by the data subject will not prejudicehis/hersubstantive,andproceduralrightstoseekremediesinaccordancewithapplicablelaws.,(a)IncaseofadisputebetweenadatasubjectandoneofthePartiesasregardscompliance with these ,Clauses, that Party shall use its best efforts to resolve the issueamicably in a timely fashion.
The Parties ,shall keep each other informed about suchdisputesand, whereappropriate, cooperate in resolvingthem.,(b)Where the data subject invokes a third-party beneficiary right pursuant to Clause 3,thedata importer ,shall accept thedecisionofthe data subject to:,(i)lodge a complaint with the supervisory authority in the Member State of his/herhabitual ,residence or place of work, or the competent supervisory authoritypursuantto Clause 13;,(ii)referthedisputeto the competentcourts withinthe meaningofClause18.,(c)The Parties accept that the data subject may be represented by a not-for-profit body,organisation or ,association under the conditions set out in Article 80(1) of Regulation(EU)2016/679.,(d)The data importer shall abide by a decision that is binding under the applicable EU orMemberState law.,(e)The data importer agrees that the choice made by the data subject will not prejudicehis/hersubstantive,andproceduralrightstoseekremediesinaccordancewithapplicablelaws.,Clause 11,Liability,MODULE ONE: Transfer controller to controller,(a)Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any ,breach of these Clauses.
,(b)Each Party shall be liable to the data subject, and the data subject shall be entitled to receive ,compensation, for any material or non-material damages that the Party causes the data subject by ,breaching the third-party beneficiary rights under these Clauses.
This is without prejudice to the liability ,of the data exporter under Regulation (EU) 2016/679.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,20,(c)Where more than one Party is responsible for any damage caused to the data subject as a result of a ,breach of these Clauses, all responsible Parties shall be jointly and severally liable and the datasubject ,is entitled to bring an action in court against any of these Parties.,(d)The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back ,from the other Party/ies that part of the compensation corresponding to its / their responsibility for the ,damage.,(e)The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.,MODULE TWO: Transfer controller to processor,(b)Each Party shall be liable to the other Party/ies for any damages it causes the otherParty/iesbyany,breach of theseClauses.,(c)The data importer shall be liable to the data subject, and the data subject shall beentitled to receive ,compensation, for any material or non-material damages the dataimporter or its sub-processor causes ,the data subject by breaching the third-partybeneficiaryrights under theseClauses.,(d)Notwithstanding paragraph (b), the data exporter shall be liable to the data subject,and the data subject ,shall be entitled to receive compensation,for any material ornon-material damages the data exporter or ,the data importer (or its sub-processor)causes the data subject by breaching the third-party beneficiary ,rights under theseClauses.Thisiswithoutprejudicetotheliabilityofthedataexporterand,wherethe ,data exporter is a processor acting on behalf of a controller, to the liability of thecontrollerunder,Regulation(EU)2016/679orRegulation(EU)2018/1725,asapplicable.,(e)The Parties agree that if the data exporter is held liable under paragraph (c) fordamages caused by the ,data importer (or its sub-processor), it shall be entitled toclaim back from the data importer that part of ,the compensation corresponding to thedataimporter’sresponsibilityfor thedamage.,(f)Where more than one Party is responsible for any damage caused to the data subjectas a result of a ,breach of these Clauses, all responsible Parties shall be jointly andseverally liable and the data subject ,is entitled to bring an action in court against anyoftheseParties.,(g)The Parties agree that if one Party is held liable under paragraph (e), it shall beentitledtoclaimback,fromtheotherParty/iesthatpartofthecompensationcorrespondingto its / theirresponsibilityforthe,damage.,(h)The data importer maynot invoke the conduct of a sub-processor to avoid its ownliability.,Clause 12,Supervision,MODULE ONE: Transfer controller to controller,MODULE TWO: Transfer controller to processor,(a)Where the data exporter is established in an EU Member State:The supervisoryauthoritywith,responsibilityforensuringcompliancebythedataexporterwithRegulation (EU) 2016/679 as regards ,the data transfer, as indicated in Annex I.C,shallact as competent supervisoryauthority.,Where the data exporter is not established in an EU Member State, but falls withintheterritorial,scopeofapplicationofRegulation(EU)2016/679inaccordancewithitsArticle3(2)andhas,appointedarepresentativepursuanttoArticle27(1)ofRegulation (EU) 2016/679:The supervisory ,authority of the Member State in whichtherepresentativewithinthemeaningofArticle27(1)of,Regulation(EU)2016/679isestablished,asindicatedinAnnexI.C,shallactascompetentsupervisory,authority.,Where the data exporter is not established in an EU Member State, but falls withintheterritorial,scopeofapplicationofRegulation(EU)2016/679inaccordancewithitsArticle3(2)without,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,21,howeverhavingtoappointarepresentativepursuantto Article 27(2) of Regulation (EU) 2016/679:,The supervisory authority of one of theMember States in which the data subjects whose personal data is ,transferred underthese Clauses in relation to the offering of goods or services to them, or whose,behaviour is monitored, arelocated, as indicated in Annex I.C, shall act as competentsupervisory,authority.,(b)The data importer agrees to submit itself to the jurisdiction of and cooperate with thecompetent ,supervisory authority inany procedures aimedatensuring compliancewiththeseClauses.Inparticular,,thedataimporteragreestorespondtoenquiries, submit to audits and comply with the measures ,adopted by the supervisory authority,includingremedialandcompensatory measures.Itshallprovide,thesupervisoryauthoritywith writtenconfirmation that the necessaryactions havebeen taken.,SECTIONIII –LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC,AUTHORITIES,Clause 13,LocallawsandpracticesaffectingcompliancewiththeClauses,MODULE ONE: Transfer controller to controller,MODULE TWO: Transfer controller to processor,(a)The Parties warrant that they have no reason to believe that the laws and practices inthe third country of ,destination applicable to the processing of the personal data bythe data importer, including any ,requirements to disclose personal data or measuresauthorising access by public authorities, prevent the ,data importer from fulfilling itsobligations under these Clauses.
This is based on the understanding that ,laws andpractices that respect the essence of the fundamental rights and freedoms and do notexceed ,what is necessary and proportionate in a democratic society to safeguard oneof the objectives listed in ,Article 23(1) of Regulation (EU) 2016/679, are not incontradictionwith these Clauses.,(b)The Parties declare that in providing the warranty in paragraph (a), they have takendueaccount in ,particularofthe followingelements:,(i)thespecificcircumstancesofthetransfer,includingthelengthoftheprocessing chain, the ,number of actors involved and the transmission channelsused;intendedonwardtransfers;the,typeofrecipient;thepurposeofprocessing;thecategoriesandformatofthetransferredpersonal,data;theeconomic sector in which the transfer occurs.
the storage location of the data,transferred;,(ii)the laws and practicesof the third country of destination–including thoserequiring the ,disclosure of data to public authorities or authorising access bysuch authorities –relevant in ,light of the specific circumstances of the transfer,and theapplicablelimitations and safeguards;,(iii)any relevant contractual, technical or organisational safeguards put in place tosupplement the ,safeguards under these Clauses, including measures appliedduring transmission and to the ,processing of the personal data in the country ofdestination.,(c)Thedataimporterwarrantsthat,incarryingouttheassessmentunderparagraph(b),it has made its best ,efforts to provide the data exporter with relevant information andagreesthatitwillcontinuetocooperate,withthedataexporterinensuringcompliancewith theseClauses.,(d)The Parties agree todocumentthe assessmentunder paragraph(b) andmake itavailableto the competent ,supervisoryauthorityon request.,(e)The data importer agrees to notify the data exporter promptly if, after having agreedto these Clauses and ,for the duration of the contract, it has reason to believe that it isor has become subject to laws or practices ,not in line with the requirements underparagraph (a), including following a change in the laws of the ,third country or ameasure (such as a disclosure request) indicating an application of such laws inpractice ,that is not in line with the requirements in paragraph (a).
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,22,(f)Following a notification pursuant to paragraph (e), or if the data exporter otherwisehas reason to believe ,that the data importer can no longer fulfil its obligations underthese Clauses, the data exporter shall ,promptly identify appropriate measures (e.g.technical or organisational measures to ensure security and ,confidentiality) to beadoptedbythedataexporterand/ordataimportertoaddressthesituation.
The data ,exportershall suspend the data transfer if it considers that no appropriate safeguards for suchtransfer can ,be ensured, or if instructed by thecompetent supervisory authority to do so.
In this case, the data exporter ,shall beentitled to terminate the contract, insofar as it concerns the processing of personaldata under ,these Clauses.
If the contract involves more than two Parties, the dataexporter may exercise thisrightto,termination only withrespecttothe relevantParty, unless the Parties have agreed otherwise.
Where the ,contract is terminatedpursuantto this Clause,Clause 16(d)and(e)shall apply.,Clause 14,Obligationsofthedataimporter incaseofaccess bypublicauthorities,MODULE ONE: Transfer controller to controller,MODULETWO:Transfercontrollertoprocessor,14.1Notification,(a)The data importer agrees to notify the data exporter and, where possible, the datasubject promptly(if ,necessarywiththehelp of thedata exporter)if it:,(i)receives a legally binding request from a public authority, including judicialauthorities, under ,the laws of the country of destination for the disclosure ofpersonaldatatransferredpursuantto,theseClauses;suchnotificationshallinclude information about the personal data requested, the ,requesting authority,thelegal basis fortherequest and theresponseprovided.
or,(ii)becomesaware of any directaccessby publicauthoritiestopersonaldatatransferredpursuant,totheseClausesinaccordancewiththelawsofthecountry of destination.
such notification ,shall include all information availabletotheimporter.,(b)If the data importer is prohibited from notifying the data exporter and/or the datasubjectunderthelaws,ofthecountryofdestination,thedataimporteragreestouseits best efforts to obtain a waiver of the ,prohibition, with a view to communicating asmuch informationaspossible, assoonaspossible.
The data ,importer agreestodocument its best efforts in order to be able to demonstrate them on request of thedata,exporter.,(c)Where permissible under the laws of the country of destination, the data importeragreestoprovidethe,dataexporter,atregularintervalsforthedurationofthecontract, with as much relevant information as ,possible on the requests received (inparticular,numberofrequests,typeofdatarequested,requesting,authority/ies,whether requests have been challenged and the outcome of such challenges, etc.).,(d)The data importer agrees to preserve the information pursuant to paragraphs (a) to (c)for the duration of ,the contract and make it available to the competent supervisoryauthorityon request.,(e)Paragraphs (a) to (c) are without prejudice to the obligation of the data importerpursuant to Clause 14(e) ,and Clause 16 to inform the data exporter promptly where itis unableto complywiththeseClauses.,14.2Reviewoflegalityanddataminimisation,(a)The data importer agrees toreview the legality of the request for disclosure, inparticular whether it ,remains within the powers granted to the requesting publicauthority, and to challenge the request if, after ,careful assessment, it concludes thatthere are reasonablegrounds to consider that the request is unlawful ,under the lawsofthecountryofdestination,applicableobligationsunderinternationallawand ,principlesofinternationalcomity.Thedataimportershall,underthesameconditions,pursue,possibilitiesofappeal.Whenchallengingarequest,thedataimporter shall seek interim measures with a ,view to suspending the effects of therequest until the competent judicial authority has decided on its ,merits.
It shall notdisclose the personal data requested until required to do so under the applicable,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,23,procedural rules.
These requirements are without prejudice to the obligations of thedataimporter under ,Clause14(e).,(b)The data importer agrees to document its legal assessment and any challenge to therequest for disclosure ,and, to the extent permissible under the laws of the country ofdestination, make the documentation ,available to the data exporter.
It shall also makeit available to the competent supervisory authority on ,request.
,(c)The data importer agrees to provide the minimum amount of information permissiblewhen responding ,to a request for disclosure, based on a reasonable interpretation oftherequest.,SECTIONIV–FINAL PROVISIONS,Clause 15,Non-compliancewiththeClausesandtermination,(a)The data importer shall promptly inform the data exporter if it is unable to complywiththeseClauses, ,forwhateverreason.,(b)In the event that the data importer is in breach of these Clauses or unable to complywith these Clauses, ,the data exporter shall suspend the transfer of personal data to thedata importer until compliance is again ,ensured or the contract is terminated.
This iswithoutprejudiceto Clause14(f).,(c)The data exporter shall be entitled to terminate the contract, insofar as it concerns theprocessingof ,personal data under theseClauses,where:,(i)thedataexporterhassuspendedthetransferofpersonaldatatothedataimporter pursuant to ,paragraph (b) and compliance with these Clauses is notrestoredwithinareasonabletimeand,inanyeventwithinonemonthofsuspension;,(ii)thedataimporteris insubstantialor persistentbreachof theseClauses;or,(iii)the data importer fails to comply with a binding decision of a competent courtorsupervisory,authorityregardingits obligations under theseClauses.,Inthesecases,itshallinformthecompetentsupervisoryauthorityof such non-compliance.
Where the ,contract involves morethan two Parties, the data exporter may exercise this right to termination only with,respectto the relevantParty, unless theParties haveagreedotherwise.,(d)For Modules One and Two: Personal data that has been transferred prior tothe termination of the ,contract pursuant to paragraph (c) shall at thechoice of thedata exporter immediately be returned to the ,data exporter or deleted in its entirety.Thesameshallapplytoanycopiesofthedata.,(e)Either Party may revoke its agreement to be bound by these Clauses where (i) theEuropeanCommission,adoptsadecisionpursuanttoArticle45(3)ofRegulation(EU) 2016/679 that covers the transfer of ,personal data to which these Clauses apply;or (ii) Regulation (EU) 2016/679 becomes part of the legal ,framework of the countrytowhichthepersonaldataistransferred.Thisiswithoutprejudicetoother,obligationsapplyingto theprocessinginquestionunderRegulation (EU)2016/679.,Clause 16,Governing law,MODULE ONE: Transfer controller to controller,MODULE TWO: Transfer controller to processor,These Clauses shall be governed by the law of one of the EU Member States,provided such law allows for third-,party beneficiary rights.
The Parties agree that this shall be thelaw of Ireland.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,24,Clause 17,Choice of forum and jurisdiction,MODULE ONE: Transfer controller to controller,MODULE TWO: Transfer controller to processor,(a)AnydisputearisingfromtheseClausesshallberesolvedbythecourtsofanEU Member State.,(b)TheParties agreethat thoseshall be thecourts ofIreland.,(c)A data subject may also bring legal proceedings against the data exporter and/or dataimporter before the ,courts of the Member State in which he/she has his/her habitualresidence.,(d)TheParties agreeto submitthemselves tothejurisdictionofsuchcourts.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,25,AnnexesI –III to the EU Standard Contractual Clauses(Schedule 2),Annex I,The details of data transfers are set out in Schedule 1 of the DPA.,Annex II–Technical and Organisational Measures,Purpose.
This Annex II describes Discovery Education’s security program, and physical, technical, ,organizational, and administrative controls and measures to protect Subscriber Data from unauthorized access, ,destruction, use, modification, or disclosure (the “Security Measures”).
Unless otherwise specified, the Security ,Measures apply to Discovery Education Experience, Espresso, Coding, Health &.
Relationships, STEM Connect, ,and DoodleLearning.,Definitions.Any capitalized terms used but not defined in this document have the meanings set out in the ,Agreement or DPA.,Discovery Education has implemented the following Security Measures:,1.Organizational Measures.,a.Discovery Education has a designated security officer responsible for overseeing its security ,program.,b.Information security personnel are trained and qualified.,c.InformationsecuritytrainingandawarenessisconductedandprovidedtoDiscovery,Educationemployees.,2.Access and Management Controls.Discovery Education implements procedures designed to limit ,personnel’s access to Subscriber Data as follows:,a.LimitsinternalaccesstoSubscriberData,applications,andsystemstoDiscoveryEducation,personnelwithproperauthorizationandallowuseand/ordisclosureinternally,whennecessary,,solelytopersonnelbased on legitimatebusiness need.,b.Revokesaccesstopersonnelwhonolongerrequireaccess.,c.Requires use of strong passwords or pass phrases.
,d.Logically separates Subscriber Data and maintains measures designed to prevent Subscriber ,Data from access by other users.,e.Restricts access to Discovery Education proprietary source code to prevent unauthorized access.,3.Network Security, Physical Security and Environmental Controls.Discovery Education implements ,network security, physical security and environmental controls as follows:,a.Networkintrusiondetectionandnetworkintrusionpreventiontechnology.,b.Physical access controls to processing premises and facilities, provisioning access to the ,processing facilities on the basis of the role (need to know), and utilizing physical Access ,Control Mechanisms such as Electronic Access Control (EAC) cards to access server rooms, ,install CCTV systems, etc.
,c.For remote access connections, requires multifactor authenticationand the use of a VPN ,connection for certain personnel to certain systems and applications.,d.Properly configured and patched firewalls, network access controls and other technical ,measures designed to prevent unauthorized access to systems processing Subscriber Data.,e.Perform routine maintenance to ensure operating systems and applications are patched and ,updated.
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,26,f.Monitorssecurity release information for software.
Discovery Education prioritizesthe rollout ,of patchesbased on the severityorimpact of the vulnerability.
,g.Process for monitoring, alerting, and responding to suspicious activity occurring in the ,Discovery Education infrastructure.
,h.Discovery Education Services operate on Amazon Web Services (AWS) and is protected by ,Amazon’s security and environmental controls.,i.Subscriber Data hosted in AWS is encrypted at rest and in transit.
AWS does not have access ,to unencrypted Subscriber Data.
,4.Operating System Security.Discovery Education implements operating security controls as follows:,a.Operating systems are protected with anti-malware/virus protection software.
,b.Server and cloudoperating systems are deployed using a secure build process.
,c.Security logging is enabled per vendor recommendations for all desktop, server, and network ,infrastructure OS.
,d.Supported operatingsystem versions.
,e.Anti-virus signatures are updated regularly.,5.Data Encryptionand Pseudonymisation.
Discovery Education implements data encryption and ,pseudonymizationas follows:,a.Implements encryption in transport and at rest.,b.Implements pseudonymizationof Subscriber Data, where appropriate.
,c.Uses industry standard encryption methodologies to protect Subscriber Data.
,d.Implements full-disk encryption for hard-drives on personnel workstations.,e.External data transmissions of Subscriber Dataare encrypted using industry standard security ,protocols.
,6.Incident Response.,a.Discovery Education maintains an information security incident response plan that is tested at ,least annually.
,b.Discovery Education implements and maintains technology designed to detect suspicious ,activity, malicious activity, vulnerabilities and security incidents within Discovery Education’s ,network and systems.,7.Vulnerability Management.
Discovery Education maintainsthe following vulnerability management ,processes for devices used to connect to the Discovery Education network:,a.Discovery Education will employ industry standards and tools to conduct routine infrastructure ,vulnerability scanning to test Discovery Education’s network and application penetration testing ,of the Discovery Education Services.
The results are triaged by the information security team.,b.Discovery Educationhas processes in place designed to ensure adherence to industry standard ,security development practices for development and testing for code, APIs, and applications ,deployed and implemented in support of the Discovery Education Services.,8.Monitoringand Logging.,a.Discovery Education has implemented procedures to log and regularly review records of ,information systems activity, including maintaining access logs, access reports, security ,incident tracking reports, and periodic access audits.
,b.Discovery uses a variety of approaches and technologies to make sure that risks and incidents ,are appropriately detected, assessed and mitigated on an ongoing basis.,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,27,9.Business Continuity Management.,a.Discovery Education maintains a business continuity and disaster recovery plan.,b.Discovery Education maintains processes to ensure failover redundancy with its systems, ,networks and data storage.,10.Personnel Management.,a.For U.S.
Discovery Education employees, Discovery Education performs employment ,verification, including proof of identity validation, check of education records and employment ,track, and criminal background checks for new hires in positions requiring access to systems ,and applications storing Subscriber Datain accordance with applicable law.For non-U.S.
,Discovery Educationemployees, Discovery Educationwill use commercially reasonable efforts ,to meet the same criteria as established for U.S.-based Discovery Educationemployees, subject ,to general business practices in the respective country and in compliance with applicable local ,law requirements.,b.Upon employee termination, whether voluntary or involuntary, Discovery Education ,immediately disables all access to Discovery Education systems and physical facilities.,Updatesand Modifications.
The Security Measures are subject to technical progress and development.
,Discovery Education may update or modify the Security Measures from time to time, provided that such updates ,and modifications do not materially decrease the overall security of the Services.,Annex III–List of Sub-processors,Discovery Education’s current list of Sub-processors can be foundat ,https://www.discoveryeducation.co.uk/subprocessor/.
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC,28,Schedule 3,International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the ,“Addendum”)(Version B1.0, in force 21 March 2022),Part 1: Tables,Start dateEffective Date of the DPA,The Parties,Exporter (who sends the Restricted Importer (who receives the Restricted ,Transfer)Transfer),Parties’ detailsSee Schedule 2, Annex 1(1), of the See Schedule 2, Annex 1(1), of the ,DPADPA,Key ContactSee Schedule 2, Annex 1(1), of the See Schedule 2, Annex 1(1), of the ,DPADPA,Signature (if required Execution of the DPA on the Effective Execution of the DPA on the Effective ,for the purposes of Date is deemed execution of this Date is deemed execution of this ,Section 2)AddendumAddendum,Table 2: Selected SCCs, Modules and Selected Clauses,Addendum EU SCCsThe version of the Approved EU SCCs which this Addendum is appended to, ,detailed below, including the Appendix Information:,Date: Effective Date of DPA,Reference (if any):None,Other identifier (if any): None,Table 3: Appendix Information,“Appendix Information” means the information which must be provided for the selected modules as set out in ,the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:,Annex 1(1) –(3) A: List of Parties: See Schedule 2, Annex 1, of the DPA ,Annex 1(1) –(3) B: Description of Transfer: See Schedule 2, Annex 1, of the DPA,Annex II: Technical and organisational measures including technical and organisational measures to ensure the ,security of the data: See Schedule 2, Annex II,of the DPA ,Annex III: List of Sub-processors (Module 2 only): See Schedule 2,Annex III,of the DPA ,Table 4: Ending this Addendum when the Approved Addendum Changes,Ending this Which Parties may end this Addendum as set out in Section 19:,Addendum when ,the Approved ,Addendum ,changes,☐Importer,XExporter,☐neither Party,PART 2: MANDATORY CLAUSES,Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid ,before Parliament in accordance with s119A of the Data Protection Act of 2019 on 2 February 2022, as it is ,revised under Section 18 of those Mandatory Clauses.
,DocuSign Envelope ID: 3890E517-70A7-4DC0-83CF-77B64FCFFFBC