Data Processing Agreement
Appendix A – Data Processing Agreement
General and Scope
This Data Processing Agreement (below DPA) forms part of the Agreement.
The DPA is conducted between You, below the Controller, and MinnaLearn, below MinnaLearn, together referred to as Party or Parties.
Unless otherwise expressly indicated, definitions used in DPA not defined herein shall have the meaning set forth in the Regulation (EU) 2016/679 (“GDPR”).
This DPA applies where and only to the extent that MinnaLearn processes personal data on behalf of the Controller in the course of providing the Service and such personal data is subject to data protection laws of the European Union. This DPA does not apply to processing that MinnaLearn is conducting for its own purposes in the role of controller.
Processing of Personal Data
MinnaLearn shall process personal data only for the following purposes: (i) processing to perform the Services and fulfill the Agreement; (ii) to comply with reasonable documented and lawful instructions provided by Controller to the extent they are consistent with the terms of this Agreement. The Parties agree that this DPA and the Agreement set out the Controller’s complete and final instructions to MinnaLearn’s in relation to the processing of personal data. Any additional instructions shall be agreed separately by the Parties, in which connection MinnaLearn will notify the Controller if it has reasons to believe that instructions proposed by the Controller against the applicable law.
MinnaLearn processes personal data as provided by the Controller in Service. Such data may contain special categories of data depending on how the Services are used by Controller and as agreed in schedule 1. The Controller data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Controller; and (ii) disclosures as required by law or otherwise set forth in the Agreement.
Controller agrees that it shall comply with its obligations as a controller under applicable data protection laws in respect of its processing of personal data relevant to this Agreement and any processing instructions it issues to MinnaLearn; and that it has obtained all consents and rights that might be necessary under Data Protection Laws for MinnaLearn to process personal data and provide the Services pursuant to the Agreement and this DPA.
Sub-processors
Controller agrees that MinnaLearn may engage sub-processors to process personal data on controller’s behalf as part of providing the Service. The sub-processors currently engaged by MinnaLearn that are hereby authorized by Controller are listed in MinnaLearn’s Privacy Policy (sections 5 and 6).
With each sub-processor MinnaLearn shall: (i) enter into a written agreement with the sub-processor imposing data protection terms that require the sub-processor to process and protect the personal data to the standard required by data protection laws and similar to the level of this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processor.
MinnaLearn shall provide Controller reasonable advance notice if it adds or removes sub-processors. The notice can be provided for example by sending an email or notifying about the change in the Service. Controller may object in writing to MinnaLearn’s appointment of a new sub-processor on reasonable grounds relating to data protection by notifying MinnaLearn about the issue as soon as possible in writing. Such notice shall explain in detail the reasonable grounds for the objection. In such event, the Parties shall discuss such concerns in good faith with the aim of achieving a commercially reasonable resolution to the matter. If this is not possible in reasonable time, either Party may terminate the applicable Services and/or Agreement that cannot be provided by MinnaLearn without the use of the objected new sub-processor.
Security of the Processing
MinnaLearn shall implement and maintain appropriate technical and organizational security measures to protect personal data processed in the Service and to preserve the security and confidentiality of such personal data. Such security measures are subject to technological changes and will be updated and modified from time to time.
MinnaLearn shall ensure that any person who is authorized by MinnaLearn to process personal data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
If there should be of a data breach that affects personal data processed pursuant to this DPA, MinnaLearn shall notify the Controller without undue delay and provide the relevant information as set out in GDPR.
If the Controller has questions about data security of the Service, it may contact hello@minnalearn.com. MinnaLearn will also allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Such audits shall be notified at least 30 days beforehand. The Controller shall bear all costs of the audit and shall reimburse MinnaLearn for its reasonable costs caused by the audit.
International Transfers
The controller understands and accepts that MinnaLearn uses certain service providers that are based outside of the European Union, and in this connection personal data may be transferred to, or accessed from, outside of the European Union. In such a case MinnaLearn will conduct data transfer in accordance with applicable legislation and will implement relevant standard contractual clauses or rely on other applicable transfer mechanism. Such service providers in are listed in MinnaLearn’s Privacy Policy (section 5).
Return or Deletion of the Data
Upon termination of the Services, MinnaLearn shall, at the choice of the Controller, either return all personal data to the Controller or delete all personal data, unless applicable law requires storage of the personal data. MinnaLearn shall ensure that any sub-processors also comply with this requirement.
Assistance and Co-operation
MinnaLearn shall, taking into account the nature of the processing, provide reasonable cooperation to assist Controller by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. Controller will reimburse MinnaLearn for any reasonable costs related to such assistance. If any such request is made directly to MinnaLearn, MinnaLearn will re-direct such communication to the Controller. If MinnaLearn is required to respond to such a request, MinnaLearn shall promptly notify Controller and provide it with a copy of the request unless legally prohibited from doing so.
To the extent MinnaLearn is required under data protection legislation MinnaLearn shall (at Controller’s expense) provide reasonably requested information regarding MinnaLearn’s processing of personal data under the Agreement to enable the Controller to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
Schedule 1 – Processing Instructions
Purposes of the processing: MinnaLearn processes personal data solely for the purpose of the providing agreed Service. More specifically:
Account Management: Creating and managing user accounts.
Service Delivery: Delivering and improving educational services.
Customer Support: Addressing user inquiries and technical issues.
Personalization: Customizing user experience and content.
Communication: Sending service-related updates and promotions.
Analytics: Analyzing usage to enhance service and develop features.
Compliance: Fulfilling legal obligations and protecting rights and safety.
Types of personal data processed:
Contact Information: Name, email address, phone number.
Account Details: Username, password, profile picture.
Usage Data: Logins, interactions, preferences.
Payment Information: Billing details, transaction history.
Technical Data: IP address, device type, browser information.
Support Communications: Chat logs, support tickets.
Categories of data subjects: [esim. työntekijät, konsultit]
Users: Individuals using the service.
Customers: Individuals or entities purchasing the service.
Employees: Staff involved in service delivery and support.
Partners: Third parties collaborating with MinnaLearn.
Subcontractors: External entities providing services on behalf of MinnaLearn.
Duration of processing: personal data will be processed for as long as there is a valid agreement for Services and as required to comply with legal obligations.
General and Scope
This Data Processing Agreement (below DPA) forms part of the Agreement.
The DPA is conducted between You, below the Controller, and MinnaLearn, below MinnaLearn, together referred to as Party or Parties.
Unless otherwise expressly indicated, definitions used in DPA not defined herein shall have the meaning set forth in the Regulation (EU) 2016/679 (“GDPR”).
This DPA applies where and only to the extent that MinnaLearn processes personal data on behalf of the Controller in the course of providing the Service and such personal data is subject to data protection laws of the European Union. This DPA does not apply to processing that MinnaLearn is conducting for its own purposes in the role of controller.
Processing of Personal Data
MinnaLearn shall process personal data only for the following purposes: (i) processing to perform the Services and fulfill the Agreement; (ii) to comply with reasonable documented and lawful instructions provided by Controller to the extent they are consistent with the terms of this Agreement. The Parties agree that this DPA and the Agreement set out the Controller’s complete and final instructions to MinnaLearn’s in relation to the processing of personal data. Any additional instructions shall be agreed separately by the Parties, in which connection MinnaLearn will notify the Controller if it has reasons to believe that instructions proposed by the Controller against the applicable law.
MinnaLearn processes personal data as provided by the Controller in Service. Such data may contain special categories of data depending on how the Services are used by Controller and as agreed in schedule 1. The Controller data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Controller; and (ii) disclosures as required by law or otherwise set forth in the Agreement.
Controller agrees that it shall comply with its obligations as a controller under applicable data protection laws in respect of its processing of personal data relevant to this Agreement and any processing instructions it issues to MinnaLearn; and that it has obtained all consents and rights that might be necessary under Data Protection Laws for MinnaLearn to process personal data and provide the Services pursuant to the Agreement and this DPA.
Sub-processors
Controller agrees that MinnaLearn may engage sub-processors to process personal data on controller’s behalf as part of providing the Service. The sub-processors currently engaged by MinnaLearn that are hereby authorized by Controller are listed in MinnaLearn’s Privacy Policy (sections 5 and 6).
With each sub-processor MinnaLearn shall: (i) enter into a written agreement with the sub-processor imposing data protection terms that require the sub-processor to process and protect the personal data to the standard required by data protection laws and similar to the level of this DPA; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processor.
MinnaLearn shall provide Controller reasonable advance notice if it adds or removes sub-processors. The notice can be provided for example by sending an email or notifying about the change in the Service. Controller may object in writing to MinnaLearn’s appointment of a new sub-processor on reasonable grounds relating to data protection by notifying MinnaLearn about the issue as soon as possible in writing. Such notice shall explain in detail the reasonable grounds for the objection. In such event, the Parties shall discuss such concerns in good faith with the aim of achieving a commercially reasonable resolution to the matter. If this is not possible in reasonable time, either Party may terminate the applicable Services and/or Agreement that cannot be provided by MinnaLearn without the use of the objected new sub-processor.
Security of the Processing
MinnaLearn shall implement and maintain appropriate technical and organizational security measures to protect personal data processed in the Service and to preserve the security and confidentiality of such personal data. Such security measures are subject to technological changes and will be updated and modified from time to time.
MinnaLearn shall ensure that any person who is authorized by MinnaLearn to process personal data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
If there should be of a data breach that affects personal data processed pursuant to this DPA, MinnaLearn shall notify the Controller without undue delay and provide the relevant information as set out in GDPR.
If the Controller has questions about data security of the Service, it may contact hello@minnalearn.com. MinnaLearn will also allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Such audits shall be notified at least 30 days beforehand. The Controller shall bear all costs of the audit and shall reimburse MinnaLearn for its reasonable costs caused by the audit.
International Transfers
The controller understands and accepts that MinnaLearn uses certain service providers that are based outside of the European Union, and in this connection personal data may be transferred to, or accessed from, outside of the European Union. In such a case MinnaLearn will conduct data transfer in accordance with applicable legislation and will implement relevant standard contractual clauses or rely on other applicable transfer mechanism. Such service providers in are listed in MinnaLearn’s Privacy Policy (section 5).
Return or Deletion of the Data
Upon termination of the Services, MinnaLearn shall, at the choice of the Controller, either return all personal data to the Controller or delete all personal data, unless applicable law requires storage of the personal data. MinnaLearn shall ensure that any sub-processors also comply with this requirement.
Assistance and Co-operation
MinnaLearn shall, taking into account the nature of the processing, provide reasonable cooperation to assist Controller by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. Controller will reimburse MinnaLearn for any reasonable costs related to such assistance. If any such request is made directly to MinnaLearn, MinnaLearn will re-direct such communication to the Controller. If MinnaLearn is required to respond to such a request, MinnaLearn shall promptly notify Controller and provide it with a copy of the request unless legally prohibited from doing so.
To the extent MinnaLearn is required under data protection legislation MinnaLearn shall (at Controller’s expense) provide reasonably requested information regarding MinnaLearn’s processing of personal data under the Agreement to enable the Controller to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
Schedule 1 – Processing Instructions
Purposes of the processing: MinnaLearn processes personal data solely for the purpose of the providing agreed Service. More specifically:
Account Management: Creating and managing user accounts.
Service Delivery: Delivering and improving educational services.
Customer Support: Addressing user inquiries and technical issues.
Personalization: Customizing user experience and content.
Communication: Sending service-related updates and promotions.
Analytics: Analyzing usage to enhance service and develop features.
Compliance: Fulfilling legal obligations and protecting rights and safety.
Types of personal data processed:
Contact Information: Name, email address, phone number.
Account Details: Username, password, profile picture.
Usage Data: Logins, interactions, preferences.
Payment Information: Billing details, transaction history.
Technical Data: IP address, device type, browser information.
Support Communications: Chat logs, support tickets.
Categories of data subjects: [esim. työntekijät, konsultit]
Users: Individuals using the service.
Customers: Individuals or entities purchasing the service.
Employees: Staff involved in service delivery and support.
Partners: Third parties collaborating with MinnaLearn.
Subcontractors: External entities providing services on behalf of MinnaLearn.
Duration of processing: personal data will be processed for as long as there is a valid agreement for Services and as required to comply with legal obligations.
Updated on: 02/10/2024
Thank you!