LearnWorlds Data Processing Agreement
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between LearnWorlds (CY) Ltd (“LearnWorlds” or “Data Processor”) and the Data Controller. All capitalized terms not defined in this Agreement shall have the meanings set forth in the Terms of Service, to the extent the Agreement involves the processing of personal data (as defined below). The purpose of this Agreement is to set our obligations in relation to any processing of personal data carried out as part of the Terms of Service. Only to the extent that there is any conflict or inconsistency between this Agreement and the Terms of Service, the terms of this Agreement will take precedence.
WHEREAS:
(1) Under a written agreement between the Data Controller and the Data Processor (“the Terms of Service”) the Data Processor provides to the Data Controller the Services described in Schedule 1.
(2) The provision of the Services by the Data Processor involves it in processing the Personal Data described in Schedule 2 on behalf of the Data Controller.
(3) Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes Personal Data on its behalf governing the processing of that data.
(4) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.
(5) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.
IT IS AGREED as follows:
1. Definitions and Interpretation
1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
“Data Controller”, “Data Processor”, “processing”, and “data subject” | shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR; |
“OCPDP” | means Cyprus’s supervisory authority, the Office of the Commissioner for Personal Data Protection; |
“Personal Data” | means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in Schedule 2; |
“Services” | means those services described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purpose described in Schedule 1; |
“End-User Content” | means any content submitted by an End-User (defined below); |
“Sub-Processor” | means a sub-processor appointed by the Data Processor to process the Personal Data; and |
1.2 Unless the context otherwise requires, each reference in this Addendum to:
1.2.1 “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
1.2.2 a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
1.2.3 this Agreement is a reference to this Agreement and to each of the Schedules as amended or supplemented at the relevant time;
1.2.4 a schedule is a schedule to this Agreement; and
1.2.5 a clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
1.2.6 a “Party” or the “Parties” refer to the parties to this Agreement.
1.3 The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
1.4 Words imparting the singular number shall include the plural and vice versa.
1.5 References to any gender shall include all other genders.
1.6 References to persons shall include corporations.
2. Scope and Application of this Agreement
2.1 The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
2.2 The provisions of this Agreement supersede any other arrangement, understanding, or agreement including, but not limited to, the Service Agreement and the Terms of Service made between the Parties at any time relating to the Personal Data. If there is any conflict between this Agreement and the Service Agreement, the Addendum shall prevail to the extent of that conflict.
2.3 This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 11.
2.4 Any claims brought under or in connection with this Agreement shall be subject to the Service Agreement and Terms of Service published online, including but not limited to, the exclusions and limitations set forth in the Service Agreement.
2.5 No one other than a party to this Addendum, its successors and permitted assignees shall have any right to enforce any of its terms.
2.6 This Agreement shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Services Agreement, unless required otherwise by applicable data protection laws meaning the GDPR, as transposed into domestic legislation of each Member State (and the United Kingdom) and as amended, replaced or superseded from time to time, and laws implementing, replacing or supplementing the GDPR and all laws applicable to the collection, storage, processing, and use of Personal Data (“Data Protection Laws”).
2.7 The Data Controller warrants that it has full legal authority to enter into this Agreement.
3. Provision of the Services and Processing Personal Data
The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
3.1 for the purposes of those Services and not for any other purpose;
3.2 to the extent and in such a manner as is necessary for those purposes; and
3.3 strictly in accordance with the express written authorization and instructions of the Data Controller (which may be specific instructions or instructions of a general nature or as otherwise notified by the Data Controller to the Data Processor).
4. Data Protection Compliance
4.1 All instructions given by the Data Controller to the Data Processor shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. The Data Processor shall act only on such written instructions from the Data Controller unless the Data Processor is required by law to do otherwise (as per Article 29 of the GDPR).
4.2 The Data Processor shall promptly comply with any request from the Data Controller requiring the Data Processor to amend, transfer, delete, or otherwise dispose of the Personal Data.
4.3 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s request in the formats, at the times, and in compliance with the Data Controller’s written instructions.
4.4 Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
4.5 The Data Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
4.6 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the OCPDP.
4.7 The Data Processor shall provide all reasonable assistance to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the OCPDP.
4.8 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
4.8.1 not process the Personal Data outside the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
Transfers of EEA Personal Data. If Data Controller’s Personal Data is transferred from any European Economic Area (EEA) Member State to any country or recipient not recognized by the European Commission as providing an adequate level of protection, the applicable standard contractual clauses for the Transfers of Personal Data to Processors Established in Third Countries (Module Three - data processor to data processor), dated 4 June 2021 (2021/914/EU), as amended or replaced from time to time (the “Standard Clauses”), will apply. For purposes of the Standard Clauses, (a) Data Processor will act as the data exporter and any Data Sub-Processor will act as the data importer; (b) any further Sub-processor will be subject to Clause 9 (Sub-processing) of the Standard Clauses Option 2; and (c) Clause 7 (Docking Clause) of the Standard Clauses or the UK Addendum meaning the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission’s Standard Contractual Clauses) may apply accordingly. The competent supervisory authority will be the supervisory authority of the jurisdiction of the Data Controller. If the Standard Clauses are amended or replaced from time to time, then the foregoing Clause and Appendix references will be deemed updated as appropriate effective from the date of invalidity of the then current Standard Clauses.
4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 9;
4.8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law (in which case, the Data Processor shall inform the Data Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
4.8.4 implement appropriate technical and organizational measures, as described in Schedule 3, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The Data Processor shall inform the Data Controller in advance of any changes to such measures;
4.8.5 if so requested by the Data Controller (and within the timescales required by the Data Controller) supply further details of the technical and organizational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
4.8.6 make available to the Data Controller any and all such information as is reasonably required and necessary to demonstrate the Data Processor’s compliance with the GDPR;
4.8.7 on at least 14 days’ prior notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Data Controller believes that the Data Processor is in breach of any of its obligations under this Agreement or under the law; and
4.8.8 inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
5. Data Subject Access, Complaints, and Breaches
5.1 The Data Processor shall assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
5.2 The Data Processor shall notify the Data Controller without undue delay if it receives:
5.2.1 a subject access request from a data subject; or
5.2.2 any other complaint or request relating to the processing of the Personal Data.
5.3 The Data Processor shall cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by:
5.3.1 providing the Data Controller with full details of the complaint or request;
5.3.2 providing the necessary information and assistance in order to comply with a subject access request;
5.3.3 providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller); and
5.3.4 providing the Data Controller with any other information requested by the Data Controller.
5.4 The Data Processor shall notify the Data Controller without undue delay, if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
6. Processing of special categories of Personal Data
Data Controller acknowledges that the Services are not intended for the processing of special categories of Personal Data as defined under the GDPR and agrees that it will not provide (or cause to be provided) any special categories of Personal Data to LearnWorlds for processing under this Agreement and Terms of Service as published online. LearnWorlds will bear no liability whatsoever for the processing of special categories of Personal Data, whether in connection with a Personal Data Breach or otherwise. For the avoidance of doubt, this Agreement will not apply to special categories of Personal Data as defined under the GDPR. Should any special categories of Personal Data be transferred or uploaded to the LearnWorlds Platform by the Data Controller, the Data Controller shall immediately delete such information. It is the Data Controller’s responsibility to communicate this prohibition to its data subjects as appropriate and applicable.
7. Liability and Indemnity
7.1 The Data Controller shall be liable for, and shall indemnify (and keep indemnified) the Data Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Processor arising directly or in connection with:
7.1.1 any non-compliance by the Data Controller with the GDPR or other applicable legislation;
7.1.2 any Personal Data processing carried out by the Data Processor in accordance with instructions given by the Data Controller that infringe the GDPR or other applicable legislation; or
7.1.3 any breach by the Data Controller of its obligations under this Agreement, except to the extent that the Data Processor is liable under sub-Clause 7.2.
7.2 The Data Processor shall be liable for, and shall indemnify (and keep indemnified) the Data Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Data Controller arising directly or in connection with the Data Processor’s Personal Data processing activities that are subject to this Agreement:
7.2.1 only to the extent that the same results from the Data Processor’s breach of this Agreement; and
7.2.2 not to the extent that the same is or are contributed to by any breach of this Agreement by the Data Controller.
7.3 The Data Controller shall not be entitled to claim back from the Data Processor any sums paid in compensation by the Data Controller in respect of any damage to the extent that the Data Controller is liable to indemnify the Data Processor under sub-Clause 7.1.
7.4 Data Processor’s liability cap: The Data Processor’s maximum aggregate liability to Data Controller in connection with the processing of personal data under the Agreement will not exceed the amount of relevant insurance coverage of the Data Processor at the time of the breach.
7.5 Nothing in this Agreement (and in particular, this Clause 6) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR. Furthermore, the Data Processor hereby acknowledges that it shall remain subject to the authority of the OCPDP and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements set out in the GDPR.
8. Intellectual Property Rights
All copyright, database rights, and other intellectual property rights subsisting in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Data Controller or the Data Processor) shall belong to the Data Controller or to any other applicable third party from whom the Data Controller has obtained the Personal Data under license (including, but not limited to, data subjects, where applicable). The Data Processor is licensed to use such Personal Data under such rights only for the purposes of the Services, and in accordance with this Agreement.
9. Confidentiality
9.1 The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.
9.2 The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
9.3 The obligations set out in this Clause 8 shall continue for a period of 1 year after the cessation of the provision of Services by the Data Processor to the Data Controller.
9.4 Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
10. Appointment of Authorized Sub-Processors
10.1 Data Controller agrees that LearnWorlds may engage Sub-processors to process End Users (Subjects’) Data on Data Controller’s behalf. The Sub-processors currently engaged by LearnWorlds and authorized by the Data Controller are listed here:
Entity name | Purpose | Address | Safeguard |
Atlassian | Technical support and team’s work flows | Atlassian B.V. c/o Atlassian, Inc. 350 Bush Street, Floor 13 San Francisco, CA 94104 E-Mail: eudatarep@atlassian.com | Data Processing Addendum (https://www.atlassian.com/legal/data-processing-addendum) |
Cloudflare Inc. | CDN – total data transfer, CDN requests, advanced DDoS, WAF, Managed Web application firewall, SSL for SaaS. | 101 Townsend Street, San Francisco, CA 94107, USA | Data Processing Addendum (https://www.cloudflare.com/en-gb/cloudflarecustomer-dpa/) |
Freshworks Inc. | Support tickets from Data Processor are handled via the Freshdesk App. These tickets may include End User-related information | Freshworks Inc., 2950 South Delaware St., 2nd Floor, San Mateo, CA 94403, U.S.A. | Data Processing Addendum which forms part of the product’s standard Terms of Use (https://www.freshworks.com/data-processing-addendum/) |
Google Cloud EMEA Limited | Hosting of applications and backups on Google Cloud server infrastructure | 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Data Processing Addendum which forms part of the product’s standard Terms of Use (https://cloud.google.com/terms/data-processing-terms) |
Google LLC | End User usage data for analytics and performance optimization purposes are maintained in Google Analytics. Data Processor’s data, such as contact details and contract is maintained in Google through products like Gmail and Google Drive | Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 9404, USA | https://cloud.google.com/terms/sccs/eu-p2p, data encryption https://privacy.google.com/businesses/processorterms/ |
Mailgun Technologies | Transactional emails, email sending, notification emails to End-Users | 112 E. Pecan Street #1135 San Antonio, Texas 78209 | Data Processing Addendum (https://www.mailgun.com/legal/dpa/) |
Mixpanel | Event tracking analytics and insights | One Front Street, 1 Front St #28th, San Francisco, United States | Data Processing Addendum (https://mixpanel.com/legal/dpa) |
MongoDB Inc | Developer data platform and NoSQL database program, cloud hosting provider | Legal Department, MongoDB, Inc., 1633 Broadway, 38th Floor New York, NY 10019 | Data Processing Agreement (https://www.mongodb.com/legal/dpa) |
Bugsnag (Smartbear Software Inc) | App monitoring platform | General Counsel, Legal Dept. Mayoralty House, Flood Street, Galway, Ireland, privacy@smartbear.com | Data Processing Addendum (https://smartbear.com/legal/data-processing-addendum/) |
Sentry (Functional Software, Inc. d/b/a Sentry) | App monitoring platform | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, legal@sentry.io | Data Processing Addendum (https://sentry.io/legal/dpa/) |
The Rocket Science Group LLC Intuit (aka “MailChimp”) | Notification emails to End Users which are sent via the Mandrill email service | Mailchimp c/o, The Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA | Data Processing Addendum which is incorporated directly into the Standard Terms of Use https://mailchimp.com/legal/data-processing-addendum/ |
Wistia (Wistia Inc) | Video hosting services | Wistia, Inc. 120 Brookline Street Cambridge, Massachusetts, 02139 USA (888) 494–7842 | Data Processing Addendum (please request this) |
Vimeo (Vimeo.com Inc) | Video hosting services | Legal Department 330 West 34th Street, 5th Floor New York, New York 10001 | Data Processing Addendum (https://vimeo.com/enterpriseterms/dpa) |
Zoom Video Communications Inc. | Video conferencing and webinars | San Jose, 55 Almaden Blvd, United States | Data Processing Agreement https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf |
LearnWorlds subsidiaries Sub-processors
LearnWorlds GR | Providing administrative, technical and legal support to LearnWorlds (CY) Ltd. | 17 Koraka Street. Chania, 73135, Greece |
10.2 Sub-processor Obligations. LearnWorlds shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Data Controller Personal Data to the standard required by Data Protection Laws; and (ii) remain fully liable and responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause LearnWorlds to breach any of its obligations under this DPA.
10.3 LearnWorlds shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from the Data Controller; and (ii) notify the Data Controller (for which email shall suffice) if it adds or removes Sub-processors at least 10 days prior to any such changes.
10.4 If the Data Controller (acting reasonably) objects to a new Sub-processor on grounds related to the protection of user’s Personal Data only, then without prejudice to any right to terminate the Service Agreement, you may request that we move the user’s Personal Data to another Sub-processor and we shall, within a reasonable time following receipt of such request, use reasonable endeavors to ensure that the original Sub-processor does not Process any of the user’s Personal Data. If it is not reasonably possible to use another Sub-processor, and you continue to object for a legitimate reason, either party may terminate the Service Agreement on thirty (30) days written notice. If you do not object within thirty (30) days of receipt of the notice, you are deemed to have accepted the new Sub-processor.
11. Deletion and/or Disposal of Personal Data
11.1 The Data Processor shall delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in the format(s) reasonably requested by the Data Controller within a reasonable time and no later than nine months after the earlier of the following:
11.1.1 the end of the provision of the Services; or
11.1.2 the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under this Agreement and the Service Agreement.
11.2 Following the deletion, disposal, or return of the Personal Data under sub-Clause 10.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.
SCHEDULE 1
Services
Services as described in the Terms of Service and/or any other contractual agreement between the Data Controller and LearnWorlds (CY) Ltd (the “Data Processor”).
SCHEDULE 2
Personal Data
Categories of Data subjects | Type of Personal Data | Nature of Processing Carried Out | Purpose(s) of Processing | Duration of Processing |
i) General Public (Open online courses are accessible to everyone); ii) Students, Entrepreneurs, and Professionals (the main target groups of this Online School) | ● Identification and contact data (Name, Email Address) ● Other custom form fields and profile information provided by end-user (occupation or other demographic information, address, job title, contact details) ● End-user’s personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information) ● Identifiable IT information (IP addresses, usage data, cookies data, online navigation data, browser data) ● Financial information of Data Controller (credit card details, account details, payment information). | Data Storage on Data Processor’s system and tracking (cloud) | ● Account login and identification. ● Normal platform usage (online course delivery, participation in the community, record keeping, access control) ● Communication with end-users for training and informational purposes | Duration of Terms of Service linked to the provision of Services (or until a deletion request is received) |
SCHEDULE 3
Technical and Organizational Data Protection Measures
The following are the technical and organizational data protection measures referred to in clause 4 of the Agreement:
1. The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
1.2 the nature of the Personal Data.
2. In particular, the Data Processor shall:
2.1 have in place, and comply with, a security policy, incorporated herein by reference https://www.learnworlds.com/data-security/, which:
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to specific personnel;
2.1.3 is provided to the Data Controller on or before the commencement of this Agreement;
2.1.4 is disseminated to all relevant staff; and
2.1.5 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
2.3 prevent unauthorised access to the Personal Data;
2.4 protect the Personal Data using pseudonymisation, where it is practical to do so;
2.5 ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
2.6 have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using industry-accepted encryption standards);
2.7 password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
2.8 not allow the storage of the Personal Data on any mobile devices such as laptops or tablets unless such devices are kept on its premises at all times;
2.9 take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
2.10.1 the ability to identify which individuals have worked with specific Personal Data;
2.10.2 having a proper procedure in place for investigating and remedying breaches of the GDPR; and
2.10.3 notifying the Data Controller as soon as any such security breach occurs.
2.11 have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
2.13 take appropriate measures to ensure separate processing of data collected for different purposes.