GDPR DATA PROTECTION ADDENDUM
This General Data Protection Regulation Data Protection Addendum (“DPA”) is entered into by and between Chrysinou Consulting LLC, on behalf of itself and its Affiliates (collectively, “Chrysinou”) and the individual signing this DPA (“User”), and forms part of the Services Agreement(s) previously entered into by and between User and Chrysinou (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of User’s Personal Data, as defined herein, in accordance with the requirements of EU Data Protection Laws.
HOW TO EXECUTE THIS DPA
This DPA has been pre-signed on behalf of the applicable Chrysinou entities. When Chrysinou receives the completed and signed DPA as specified below, this DPA will become a legally binding addendum to the Agreement. To make this DPA a part of the Agreement or, as the case may be, an order, User must do the following:
(A) Prior to submitting any information related to registering for a course or submitting a request for consulting services on electronic forms found on the https://www.agilenomics.net website, User will be prompted to check a box agreeing that User has read, agrees to, and understands the terms of the Agreement. Please check this “click-to-accept” box to execute the Agreement. An electronic copy of the terms of the agreement will be available at: https://agilenomics.net/eugdpr. Additionally, prior to submitting any information related to contracting with Chrysinou Consulting LLC for professional consulting services directly via the https://www.chrysinouconsulting.com website, User will be prompted to check a box agreeing that User has read, agrees to, and understands the terms of the Agreement. Please check this “click-to-accept” box to execute the Agreement. An electronic copy of the terms of the agreement will be available at: https://chrysinouconsulting.com/privacy/eu-gdpr.
(B) If User is volunteering an email address to subscribe to Chrysinou newsletters, User will also be prompted to check a box agreeing that User has read, agrees to, and understands the terms of the Agreement.
HOW THIS DPA APPLIES
(A) This DPA is solely for an individual User who has also signed the Agreement. The User is the sole “Data Subject” (as defined by the GDPR).
(B) The Chrysinou entity that is a party to the Agreement is the other party to this DPA.
DATA PROCESSING TERMS
In providing the Services to User pursuant to the Agreement, Chrysinou may process User’s Personal Data on behalf of User. Chrysinou will comply with the provisions in this DPA with respect to its processing of any User Personal Data. Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement or, if not in the Agreement, in the GDPR.
1.1 For the purposes of this DPA:
“Affiliate(s)” has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity. Affiliates of Chrysinou include Chrysinou Consulting, LLC.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“EU Data Protection Laws” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (“General Data Protection Regulation” or “GDPR”), as amended, replaced or superseded, as well as any applicable data protection laws and/or regulations in force in EU Member States.
“Chrysinou” means the Chrysinou Consulting LLC entity that is a party to both the Agreement and this DPA, which may be Chrysinou, LLC., a company incorporated in the State of Virginia, or a Chrysinou Affiliate.
“Personal Data” means any personal data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, specific geographical (residential address) or social identity of that natural person. For purposes of this Agreement, only User Personal Data shall be disclosed by User to Chrysinou.
“User Personal Data” means any Personal Data of the individual User himself or herself.
“Privacy Shield” means, individually and collectively, the European Union-US and Swiss-US Privacy Shield Frameworks administered and enforced by the U.S. Department of Commerce.
“Processor” means an entity which processes Personal Data on behalf of the Controller.
“Sub-processor” means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-processor, to process Personal Data on behalf of Controller.
“Services” means the online educational courses, software as a service (“SaaS”) service, and associated professional or other services provided by Chrysinou to User under the Agreement.
“Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use.
2. APPLICABILITY OF DPA
This DPA shall apply only to the extent (i) User or Chrysinou are located or established within the EEA or Switzerland; or (ii) User or Chrysinou are otherwise subject to the EU Data Protection Laws.
3. ROLES AND RESPONSIBILITIES
3.1 Parties’ Roles. User appoints Chrysinou as a Processor to process the User Personal Data on User’s behalf.
3.2 Purposes and Limitation. Chrysinou shall process User Personal Data for the purposes set forth in the Agreement and the additional purposes set forth below, and only in accordance with the lawful, documented instructions of User (including with regard to transfers of User Personal Data to a third country), unless Chrysinou is required to process User Personal Data by the EU Data Protection Laws to which Chrysinou is subject (in such a case, Chrysinou shall inform the User of that legal requirement before processing, unless applicable law prohibits such disclosure). The User’s instructions may be specific or of a general nature as set out in this DPA or as otherwise notified by the User to Chrysinou from time to time, and not for Chrysinou’s own purposes. Chrysinou may refrain from execution of the User’s instruction if it notifies the User immediately that, in Chrysinou’s opinion, an instruction for the processing of User Personal Data given by the User infringes EU Data Protection Laws. Appendix 1 hereto covers more specific data processing information, including the categories of processed User Personal Data, processing operations and duration of the processing by Chrysinou. The purpose of this Section 3.2 is only to determine the scope and the purposes of processing of User Personal Data by Chrysinou, and nothing in this DPA will be deemed an obligation of Chrysinou to accept any instructions of the User other than as provided under the Agreement.
Chrysinou uses Personal Data for purposes related to the Services, including licensing and operation of the SaaS Service, remote management, education and information services, training, record keeping, communication, customer service, system monitoring and data security. In addition, Chrysinou processes Personal Data for its business purposes, including processing sales leads, invoicing, payments, quotes, submitted forms, trials, consultations, demonstrations, response to inquiries, seminars, web analytics, other marketing, security monitoring, business operations and administration, tax, and other regulatory requirements. Chrysinou uses Personal Data to enable use of SaaS Service features and related Services, including through use of third-party service providers. Chrysinou also uses Personal Data to communicate with User for marketing purposes. Chrysinou may use Personal Data to comply with applicable laws and exercise legal rights. Chrysinou may also use Personal Data for internal purposes, including auditing, data analysis, system troubleshooting, and research.
The types of Personal Data Chrysinou processes include contact information, employment information, scheduling information, SaaS Service use and information, market and use information, internet use information, payment information, and regulatory information (to satisfy regulatory obligations such as taxes).
3.3 Training. Chrysinou shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
3.4 No Other Categories of Personal Data. If User uses the Services to process any categories of Personal Data not expressly covered by this DPA, User acts at its own risk and Chrysinou shall not be responsible for any potential compliance deficits related to such use.
3.5 Chrysinou Employee/Contractor Personal Data. Where Chrysinou discloses Chrysinou employees’ or contractors’ Personal Data to the User or a Chrysinou employee or contractor provides Personal Data directly to User, which the User processes to manage its use of the Services, User shall process that Personal Data in accordance with applicable privacy laws, in particular EU Data Protection Laws. Such disclosures shall be made by Chrysinou only where lawful for the purposes of contract management, service management or security purposes.
4.1 Security. Chrysinou shall implement appropriate technical and organizational measures designed to protect the User Personal Data from a Security Incident and in accordance with Chrysinou’s security standards as set forth in the Agreement as well as with EU Data Protection Laws (including Article 32 of the GDPR).
4.2 Confidentiality of Processing. Chrysinou shall ensure that any person that it authorizes to process the User Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
4.3 Security Incidents. Upon becoming aware of any confirmed Security Incident that affects User Personal Data, Chrysinou shall notify User without undue delay and pursuant to the terms of the Agreement, and shall provide such timely information to User as required to fulfil any data breach reporting obligations under EU Data Protection Laws. Chrysinou will take steps to identify and remediate the cause of such Security Incident and to minimize its possible harm. Notwithstanding the foregoing, the parties acknowledge and agree that from time to time Unsuccessful Security Incidents may occur, and that no additional notice to User is required for such incidents. “Unsuccessful Security Incidents” means any unsuccessful attempts to, or activities that do not, compromise the security of User Personal Data including, without limitation, pings, unsuccessful log-in attempts, denial of service attacks and other attacks on firewalls or networked systems.
5. ONWARD TRANSFERS; SUB-PROCESSING
5.1 In the event that User transfers User Personal Data to Chrysinou and/or Chrysinou makes routine transfers of User Personal Data in the normal course of business to itself or its Affiliates and these transfers include any User Personal Data to which the EU Data Protection Laws apply, such transfers, if to the United States, will be made pursuant to the EU-US and Swiss-US Privacy Shield Program or otherwise in accordance with the EU Data Protection Laws. Transfers that are made to third countries without a Commission adequacy decision other than the United States will be made subject to appropriate safeguards provided for by standard data protection clauses adopted by the Commission (EU Standard Contractual Clauses (Processors)).
5.2 In the event that EU authorities or courts determine that any of the transfer mechanisms above is no longer an appropriate basis for transfers, Chrysinou and User shall promptly take all steps reasonably necessary to demonstrate adequate protection for the User Personal Data, using another approved mechanism. In the event the Standard Contractual Clauses (or any other approved mechanism allowing for EU-US Personal Data transfers) are applicable, nothing in this DPA modifies or affects any supervisory authority’s or Data Subject’s rights under the Standard Contractual Clauses (or any such other approved mechanism).
5.3 User agrees that Chrysinou may engage Chrysinou Affiliates and third parties as Sub-processors to process the User Personal Data on Chrysinou’s behalf. Chrysinou shall impose on such Sub-processors data protection terms that protect the User Personal Data to the same standard provided for by this DPA and, to the extent that Chrysinou was responsible for transferring such User Personal Data to such Sub-processors, shall remain liable for any breach of the DPA caused by a Sub-processor. Where the Standard Contractual Clauses are applicable, Chrysinou shall enter into the Standard Contractual Clauses with such Sub-processor or use any other approved mechanism, including Binding Corporate Rules or an alternative recognized compliance standard (e.g., Privacy Shield), for the lawful transfer of personal data (as defined in the GDPR) outside the EEA. In the event that User provides User Personal Data directly to a third party and not to Chrysinou (such as to a third-party payment service), Chrysinou shall have no responsibility or liability with respect to such User Personal Data, and such third party shall be solely responsible for compliance with all applicable laws and regulations governing such User Personal Data.
6. DATA SUBJECT RIGHTS
Chrysinou shall promptly respond to any inquiry, communication or request from User seeking to exercise User’s rights as a Data Subject under EU Data Protection Laws, including rights of access, correction, restriction, objection, erasure or data portability, as applicable.
7. SECURITY REPORTS AND AUDITS
7.1 Any provision of security attestation reports (such as SOC 2, Type II or equivalent report) or audits shall take place in accordance with User’s rights under the Agreement. If Chrysinou has security attestation reports performed with respect to its business, Chrysinou shall provide a copy of its most current security attestation report upon User’s written request no more than once annually.
7.2 Chrysinou will allow audits, including inspections, conducted by the User to the extent User is granted such rights under the Agreement. If the Agreement does not include audit rights, Chrysinou and User will discuss and agree in advance on the reasonable start date, scope and duration of, and the security and confidentiality controls applicable to, any audit; and Chrysinou reserves the right to charge a reasonable fee (based on Chrysinou’s reasonable costs) for any such audit. Chrysinou will provide further details of any applicable fee and the basis of its calculation to User in advance of such audit. The purpose of an audit pursuant to this clause will be strictly limited to verifying whether Chrysinou is processing User Personal Data in accordance with the obligations hereunder and applicable EU Data Protection Laws.
7.3 Notwithstanding the above, Chrysinou will, subject to the confidentiality arrangements that will satisfy both parties, make available to the User all information held by Chrysinou necessary to demonstrate its compliance with the obligations laid down in the EU Data Protection Laws. If User wishes to receive such further information to which it is entitled under EU Data Protection Laws, User shall submit a request for additional information to Chrysinou in writing for that additional information. Where Chrysinou is in possession of such information, and subject to the aforementioned confidentiality arrangements, Chrysinou shall supply this information to User as soon as reasonably practicable.
8. DELETION OR RETURN OF USER PERSONAL DATA
Upon termination or expiration of the Agreement, Chrysinou shall, in accordance with the terms of the Agreement and upon User’s request, make available to User for retrieval all relevant User Personal Data (including copies) in Chrysinou’s possession, save to the extent that Chrysinou is required by any applicable law or a governmental or regulatory order to retain some or all of the User Personal Data, or if it is otherwise subject to liability for not retaining some or all of the User Personal Data. Unless User specifically requests that Chrysinou delete all User Personal Data, Chrysinou will retain a copy of the User Personal Data for its business records. In such event, Chrysinou shall extend the protection of the Agreement and this GDPR Addendum to such User Personal Data and limit any further processing of such User Personal Data to only those limited purposes that require the retention, for so long as Chrysinou maintains the User Personal Data. User acknowledges and agrees that return and/or removal of all User Personal Data from Chrysinou may prevent Chrysinou from tracking User’s completion of courses and issuing certification of completion of such courses.
9.1 In the event that Chrysinou, any of its Sub-processors, or the User receives any regulatory request, order, or other binding decision or recommendation from the competent authority that requires amendments to the provisions hereof or any changes to the processing of User Personal Data hereunder (“Regulatory Request”), Chrysinou and the User as well as, to the extent necessary and/or reasonably practicable, representatives of the respective Sub-processor, shall, within a reasonable time after receiving and reviewing the Regulatory Request, discuss and work in good faith towards agreeing on a plan (“Compliance Review Plan”) to determine the details of how the Regulatory Request can be addressed. A timeframe for reviewing the Regulatory Request and preparing the Compliance Review Plan will be agreed between the parties, taking into account the requirements of EU Data Protection Laws and the urgency of the matter, as well as doing everything commercially reasonable given the circumstances and nature of the Services to meet specific time frames set by the relevant authority in connection with the Regulatory Request. If Chrysinou, any of its Sub-processors, or the User believes that it is not possible to meet a specific time frame set by the relevant authority in connection with the Regulatory Request, Chrysinou and/or its Sub-processor will assist User to explain this to the relevant authority, including by providing details of the reasons why the timeframes cannot be met.
9.2 Except as amended by this DPA, the Agreement will remain in full force and effect.
9.3 If there is a conflict between the Agreement and this DPA the terms of this DPA will control.
9.4 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement, including without limitation choice of law and venue and limitations of liability.
9.5 For purposes of executing this GDPR Data Protection Agreement, the parties shall sign using an electronic signature that adheres to the requirements of the specific regulation it was created under (e.g., eIDAS in the European Union, NIST-DSS in the USA or ZertES in Switzerland).
Appendix 1: Personal Data Processing Information
1. Subject matter
Chrysinou’s provision of Services to User.
2. Data subject
The individual User, who is the sole Data Subject under this DPA.
3. Categories of data
The Personal Data concern the following categories of data:
• Basic and contact data: name, organization, title, postal address, e-mail address, telephone number, fax number, social media account ID, also credit or debit card number, or other payment account number, as well as applicable expiration dates and billing or shipping addresses;
• Usage data: browser and device information, operating system, device type, system and performance information, app usage data, information collected through cookies, pixel tags and other technologies, general geographic location;
• Further data about a person: dietary preferences, interests, activities, age, gender, education and occupation.
4. Special categories of data (if appropriate)
The Personal Data concern the following special categories of data (please specify):
No special categories of data are processed. “Dietary preferences” is not considered data concerning health for the purposes of this DPA.
5. Duration of Processing
The Personal Data are processed as set forth in Section 8 to this DPA.