This DPA is additional to the main training agreement you have entered into with SANS; references to “Agreement” mean the main terms and conditions governing your cybersecurity training, and references to “DPA” mean this Data Processing Agreement.
This DPA shall govern the Processing of Personal Data for the Purposes (as defined in Appendix 1) by the Parties. Capitalized terms not otherwise defined herein have the meaning given to them in the main Agreement. The terms of the Agreement remain in full force and effect. Appendix 1 and 2 form an integral part of this DPA and are deemed to be included where “this DPA” is referenced herein.
In this DPA, SANS may be referred to as (SANS, Supplier, We, Our) and You the Customer may be referred to as (You, Customer, Your).
1. Definitions. The following terms have the meanings set out below for this Data Processing Agreement:
1.1. “Controller” means the entity which alone or jointly with others determines the purposes and the means of the Processing of Personal Data.
1.2. “Data Subject” means a natural person whose Personal Data are Processed in the context of this DPA.
1.3. “Data Protection Law” means any applicable law or regulation relating to privacy and the Processing, protection and/or use of Personal Data in any jurisdiction, as applicable to a Party, the Processing or the Services.
1.4. “Europe” means the member states of the EU and the EEA, the UK and Switzerland.
1.5. “European Data Protection Law” means any applicable law or regulation relating to privacy and the Processing, protection and/or use of Personal Data in Europe, as applicable to a Party, the Processing or the Services, including without limitation (and as may be amended from time to time), the GDPR, the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) and any national or local laws or regulations in Europe which give effect to, implement and/or supplement the GDPR or the ePrivacy Directive in any relevant jurisdiction.
1.6. “GDPR” means the EU General Data Protection Regulation 2016/679, including in relation to the UK as incorporated into UK law under the European Union (Withdrawal) Act 2018, (as amended and replaced from time to time).
1.7. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, or other unauthorized Processing of Personal Data transmitted, stored or otherwise Processed.
1.9. “Processor” means the entity which Processes Personal Data on behalf of a Controller.
1.10. “Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.11. “Services” means cybersecurity training and certification services.
1.12. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) authorized under Commission Decision 2004/915/EC and authorized for use in the UK under paragraph 7, Part 3, Schedule 21 of the UK Data Protection Act 2018, and which are hereby incorporated by reference herein pursuant to Section 5 and Appendix 2 of this DPA, or any updated, revised or replacement clauses approved under Data Protection Law (including European Data Protection Law) from time to time.
1.13. “Sub-Processor” means the entity engaged by the Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of the Controller.
2. Customer affiliates. Pursuant to an agreement (or agreements) between Customer and one or more Customer affiliates (“Relevant Customer Affiliates”), Customer has been appointed by each Relevant Customer Affiliate to procure various services, including the Services, on their behalf and for their benefit. Supplier acknowledges that Personal Data may include Personal Data in respect of which a Relevant Customer Affiliate is the Controller (rather than, or in addition to, Customer). Notwithstanding any other provisions of this DPA or the Agreement, the Customer shall be entitled to enforce this Exhibit on behalf of each such Relevant Customer Affiliate in respect of the Personal Data in the context of the Services of which such Relevant Customer Affiliate is a Controller.
3. Roles of the Parties. For the purpose of this DPA, the Parties acknowledge and confirm that each Party acts as an independent and separate Controller for the Processing of Personal Data for its own Purposes (as defined in Appendix 1) in the context of the Services.
4. Obligations of the Parties. Each Party shall, in relation to the Processing of Personal Data for its own Purposes in the context of the Services:
4.1. Comply in all material respects with Data Protection Law.
4.2. Rely on a valid legal ground under Data Protection Law for its Processing of Personal Data, including obtaining Data Subjects’ consent if required under Data Protection Law.
4.3. Provide appropriate notice to the Data Subjects in a timely manner, and at a minimum with the elements required under Data Protection Law.
4.4. Take reasonable steps to ensure that such Personal Data:
4.4.1. is accurate, complete and current;
4.4.2. is adequate, relevant and limited to what is necessary in relation to the Purposes for which it is Processed; and
4.4.3. is kept in a form which permits identification of Data Subjects for no longer than is necessary for the Purposes for which the Personal Data are Processed, unless a longer retention is required or allowed under applicable law.
4.5. Maintain appropriate records to demonstrate that the Processing of Personal Data in the context of the Services is performed in accordance with this DPA and Data Protection Law.
4.6. Respond to Data Subject requests to exercise their rights in accordance with Data Protection Law.
4.7. To the extent required in connection with the Agreement, reasonably cooperate with the other Party to allow the other Party to comply with their data protection compliance obligations as an independent and separate Controller under Data Protection Law.
4.8. Take reasonable steps to ensure the reliability of personnel who have access to the Personal Data Processed in the context of the Services.
5. Data Transfers. In relation to the Processing of Personal Data in the context of the Services:
5.1. Supplier and Customer shall comply with the requirements of Data Protection Law in relation to the international transfer or export of Personal Data Processed in the context of the Services.
5.2. Supplier and Customer may transfer the Personal Data Processed in connection with the Services which is subject to European Data Protection Law outside of Europe in accordance with European Data Protection Law, provided that the Personal Data are transferred: (a) to a country or territory which has been deemed to provide an adequate level of protection under European Data Protection Law, or (b) to a data recipient with which it has implemented adequate safeguards under European Data Protection Law such as (where relevant and applicable): (i) approved Binding Corporate Rules; or (ii) standard contractual clauses.
5.3. The transfer of any Personal Data Processed in the context of the Services which is subject to European Data Protection Law between Supplier (as data exporter) and Customer (as data importer) shall be subject to the Standard Contractual Clauses in accordance with Appendix 2.
5.4. If, for whatever reason, the transfers of Personal Data under this Section 5 cease to be lawful or require any additional actions to perfect them, the parties shall use all reasonable endeavors to promptly implement an alternative lawful transfer mechanism under Data Protection Law (including European Data Protection Law) or take such actions to perfect the lawfulness of the transfers.
6. Data Disclosures. Each Party shall only disclose Personal Data Processed in the context of the Services in accordance with Data Protection Law, including as regards the engagement of Processors and/or Sub-Processors of Personal Data in the context of the Services, and/or as reasonably necessary for the Purposes or applicable law.
7. Data Protection; Security of the Processing; Confidentiality; and Personal Data Breach.
7.1. The Parties must implement and maintain a written information security program with appropriate technical and organizational measures to ensure a level of security of the Processing of Personal Data in the context of the Services appropriate to the risk. In assessing the appropriate level of security, the Parties must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing of Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing of Personal Data in the context of the Services, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed in the context of the Services.
7.2. The Parties must take steps to ensure that any person acting under their authority who has access to Personal Data is subject to a duly enforceable contractual or statutory confidentiality obligation, and if applicable Process Personal Data in accordance with the Controller’s instructions.
7.3. Supplier must notify Customer of a Personal Data Breach that relates to Personal Data Processed in the context of the Services, without undue delay, and no later than 48 hours after having become aware of a Personal Data Breach.
8. Security Audit. Upon prior written request, each Party agrees to cooperate and within reasonable time provide the requesting Party with: (i) a summary of any audit reports or other information demonstrating its compliance with Data Protection Law obligations as relating to the Services, after redacting any confidential and commercially sensitive information; and (ii) confirmation that an audit has not revealed any material vulnerability in the context of the Services, or to the extent that any such vulnerability was detected, that such vulnerability has been remedied.
9. Liability. The limitation of liability clause in the Agreement shall apply in respect of this DPA as between the Parties in respect of breaches of this DPA or Data Protection Law. Subject to applicable law (including Data Protection Law), as regards liability to Data Subjects, each Party agrees that it is solely responsible for the entire damage resulting from its violation of Data Protection Law in respect of its Processing of Personal Data in the context of the Services for its own Purposes.
10. Applicable law and jurisdiction. The governing law detailed in the Agreement shall also govern this DPA.
11. Modification of this DPA. This DPA may only be modified by a written amendment signed by each of the Parties.
12. Termination. The Parties agree that this DPA is terminated upon the termination of the Agreement.
13. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and/or the Agreement and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
14. Conflict. To the extent of any conflict between the provisions of this Exhibit and the Agreement, this Exhibit shall prevail in respect of its subject matter.
Appendix 1: Description of the Processing activities
Subject-matter of the Processing
The provision of cybersecurity training and certification services.
Nature and Purposes of the Processing
Customer and Supplier Process Personal Data pursuant to this DPA and the Agreement for the following purposes:
- Customer Processes Personal Data for business purposes and to organize employee training.
- Supplier Processes Personal Data for the provision of cybersecurity training services, including but not limited to the facilitation of administration of training courses and certifications.
Types of Personal Data
Customer may Process the following categories of Personal Data in the context of the Services:
- Personal Details (including name and work email address)
- Position
- Training and Certification records
Supplier may Process the following categories of Personal Data in the context of the Services:
Personal Details
- Name
- Title
- Employer
- Address
- Telephone Number
- Email Address
- Training and Certification records relative to training/certification completed at SANS (including course attendance and examination status)
- Credit Card numbers (of students who register for training/certification independent of training/certification purchased by Customer.)
Categories of Data Subjects
Customer Processes Personal Data relating to the following categories of Data Subjects in the context of the Services, as applicable:
- Past and present employees and other personnel.
Supplier Processes Personal Data relating to the following categories of Data Subjects in the context of the Services, as applicable:
- Past and present students (being past and present employees or other personnel of the Customer).
Duration of the Processing
Personal Data may be processed and stored for the period necessary to fulfill the agreed purposes of processing pursuant to this DPA, the Agreement, the Services, the student’s request, and as otherwise authorized by applicable law.
Appendix 2: Standard Contractual Clauses
| Standard Contractual Clauses (SCCs) reference | Location | Description |
|---|---|---|
| Obligation of the data importer (Clause II) | Clause II(h) | The data importer selects option (iii), adherence to the data processing principles set forth in Annex A of the SCCs. In addition, where data transfers involve data subjects located in the UK or Switzerland, the data importer commits to comply with the specific requirements under the UK Addendum (as issued by the UK Information Commissioner’s Office) and the Swiss "finish" requirements, respectively. |
| Annex A (Data Processing Principles) | Annex A | The data importer commits to the data processing principles outlined in Annex A of the SCCs and ensures alignment with additional safeguards where applicable, including the standards under the UK GDPR (via the UK Addendum) and Switzerland’s FDPIC guidelines for data protection, to protect the rights of data subjects in these jurisdictions. |
| Annex B (Description of the transfer), Recipients | Annex B | The personal data transferred may be disclosed to the following recipients: Processors, Sub-Processors, and other third parties as reasonably necessary in connection with the Purposes and applicable law. This disclosure shall align with the data processing principles set forth in Annex A of the SCCs, including the UK Addendum and Swiss "finish" language where applicable for transfers involving the UK and Switzerland. |
| Annex D - Additional Documentation | Annex D | UK Addendum: This DPA incorporates the UK Addendum to the Standard Contractual Clauses as issued by the UK Information Commissioner’s Office, which shall apply to all data transfers involving the United Kingdom as a distinct jurisdiction post-Brexit. The UK Addendum modifies the Standard Contractual Clauses (SCCs) to ensure UK GDPR compliance for data transfers to third countries. Swiss "Finish" Language: For transfers involving data subjects in Switzerland, all references to “Member State” and “EU Member State” in the SCCs shall include Switzerland, and the parties agree to apply the data protection principles set forth by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland. This Swiss "finish" ensures adherence to Swiss-specific data protection standards alongside the SCCs. |

All other relevant references in the Standard Contractual Clauses (including: Purposes of the transfer(s); Data subjects; Categories of data; Special categories of data; Processing operations; Additional useful information; and Contact points for data protection queries) shall be construed with reference to the applicable part of Appendix 1, this DPA and the Agreement more widely (including its Exhibits).