Data Processing Agreement
Last update: March, 2023
This Data Processing Agreement (the “DPA”) forms part of the Master Service Agreement (the “Agreement”) between Lepaya and Client. Terms used in the DPA have the same meaning as those used in the Agreement, unless explicitly provided otherwise. If there are any conflicts or inconsistencies between the DPA and the Agreement, the provisions in the DPA prevail.
Lepaya provides Power Skill Trainings by offering more than 50 Soft and Hard Skill training modules to employers. Lepaya’s Power Skill Trainings upskill the workforce of employers and enable employees to be more effective in their work and enjoy more happiness in life. As described in our Privacy Policy (https://lepaya.com/privacy/), Lepaya does this from the role defined within the General Data Protection Regulation (the “GDPR”) as Data Processor (hereinafter referred to as “Lepaya”), where the role of Client is defined as the Data Controller (hereinafter referred to as “Controller”).
In this DPA, “processing operations” means any action or set of actions relating to personal data (“Personal Data”), including in any case the collection, recording, organizing, retention, updating, modification, retrieval, consultation, use, provision by transmission, dissemination or any other form of making available, bringing together, linking together, as well as the shielding, erasure or destruction of Personal Data in the context of the Controller’s assignment to Lepaya to make Lepaya’s applications and software (“App”) available for the benefit of the upskilling of the employees of the Controller. In this DPA, Personal Data means data such as: first name, last name, email address, job title, Device ID, test results and telephone number.
- Assignment
1.1 The Controller has contracted Lepaya to strengthen its learning and development offering. This leads to the performance of processing operations as described in the Agreement, as well as this DPA.
1.2 Lepaya is not entitled to perform acts with regard to the Personal Data other than on the basis of written instructions from the Controller. Lepaya will only process the Personal Data for the purposes stated in the Agreement and Lepaya guarantees that it will never exploit, use or otherwise process the Personal Data for its own (commercial) purposes. If a Union or Member State law applicable to Lepaya requires it to process Personal Data, Lepaya will notify the Controller of that legal provision prior to the processing, unless that legislation prohibits such notification for important reasons of public interest.
1.3 Lepaya may outsource the processing operations referred to in Article 1.1 to third parties, including affiliated companies or subcontractors. Examples of sub-processors are Auth0 for user authentication and Amazon Web Services as a sub-processor for the hosting of our platform. The full list of sub-processors can be found in our Data Policy (https://lepaya.com/en/data-policy/). Lepaya will ensure that these third parties are bound by all that is stipulated in this DPA. Lepaya remains responsible for any act and/or omission of third parties engaged with.
1.4 Lepaya will ensure that only those employees or other contractors of Lepaya who are required to process the Personal Data will have access to the Personal Data. Lepaya will adequately instruct these employees or other subordinates of Lepaya and ensure that they are familiar with the responsibilities and obligations under this DPA and under applicable laws and regulations.
1.5 Lepaya will, at the request of the Controller, make information available that is necessary to demonstrate compliance with this DPA as well as compliance with the applicable data protection laws and regulations.
1.6 At the request of the Controller, Lepaya will grant the Controller access to the Personal Data and respond to questions and requests from the Controller in relation to the processing of Personal Data. Lepaya will also, within 2 (two) weeks after request from the Controller:
(i) provide a copy to the Controller of all Personal Data or Personal Data concerning a specific person that is in its possession or control, as well as a copy of all documents in which this Personal Data is included and an overview of all systems in which this Personal Data is included and all other processing of this Personal Data that is carried out by Lepaya, in such a format as the Controller reasonably requests;
(ii) delete, block or correct certain Personal Data in accordance with the instructions of the Controller;
(iii) record non-compliance with specific requests for deletion, blocking or correction and the reasons for this. - Notifications of Disclosures
2.1 Lepaya will notify the Controller within 72 (seventy-two) hours if a competent authority has made a legally binding request for the provision of the Personal Data, unless Lepaya is not permitted to notify the Controller of this, such as in the event of a criminal injunction to maintain the confidentiality of any law enforcement investigation.
2.2 Lepaya will notify the Controller within 72 (seventy-two) hours if it receives a request from a data subject with regard to the Personal Data, including but not limited to a request for access, rectification, erasure or restriction of processing, data portability, and/or an objection to the processing. Lepaya will assist the Controller in fulfilling its duty to respond to requests to exercise the rights of data subjects by means of appropriate technical and organizational measures.
2.3 Lepaya will inform the Controller if at any time it is not (any longer) able to fulfill its obligations under this DPA or if it foresees that it is not (any longer) able to do so in the near future. The Controller can then decide to (i) with immediate effect stop providing Personal Data to Lepaya, (ii) to instruct Lepaya to suspend the processing activities until the moment Lepaya is again able to properly fulfill the obligations under this DPA, or (iii) to terminate this DPA with immediate effect.
2.4 Lepaya will maintain strict confidentiality with regard to the Personal Data and will guarantee that the persons authorized to process the Personal Data will maintain confidentiality or are bound by an appropriate legal obligation of confidentiality. Lepaya will also ensure that it has taken measures to ensure that no more persons have access to the Personal Data than necessary, and that every natural person acting under the authority of Lepaya, and has access to the Personal Data, only uses it to fulfill the agreed purpose, unless the natural person is bound by Union or Member State law to do otherwise.
2.5 Lepaya will notify the Controller if, in the opinion of Lepaya, an instruction from the Controller is in conflict with the applicable laws and/or regulations, including but not limited to the applicable data protection laws and regulations, or if an upcoming change in applicable laws and regulations are likely to have a negative effect on the way in which Lepaya will be able to fulfill obligations under this DPA. - Notifications of Data Breaches
3.1 Lepaya will notify the Controller in writing within 48 (forty-eight) hours of becoming aware of a suspected or actual breach in connection with Personal Data (a “Data Breach”), including but not limited to an actual or suspected unauthorized access, disclosure, use, loss, damage or destruction of the Personal Data by a current or former employee, contractor or agent of Lepaya or by any other person or third party. Lepaya will provide the Controller with full assistance in fulfilling the obligations of the Controller in this respect, such as assisting, if requested, with reporting to the supervisory authority and/or the data subject(s).
3.2 Lepaya will timely assist and support the Controller in the event of an investigation by a supervisory authority, if and insofar as that investigation is related to the processing of Personal Data as referred to in this DPA.
3.3 Lepaya will at all times provide the Controller in a timely manner with the fulfillment of its obligations under Article 32 to 36 of the GDPR, including but not limited to the obligations of the Controller with regard to the security of the processing and the performance of data protection impact assessments. - Applicable legislation and regulations
4.1 Lepaya will comply with its obligations under this DPA as well as from all applicable laws and regulations, including but not limited to the GDPR, and hereby accepts all (future) obligations that will ensue from this. - Technical and organizational measures
5.1 Lepaya will take adequate technical and organizational measures to secure the Personal Data and will apply a security level that guarantees the confidentiality of the Personal Data and guarantees that the Personal Data is protected against loss, alteration, destruction, disclosure or access, and furthermore against all other forms of unlawful processing of the Personal Data. Taking into account the state of art and costs of implementation of these measures, these measures will guarantee an appropriate level of security in view of the risks associated with the processing and the nature of the Personal Data to be protected.
- Processing outside the EEA
6.1 Without the prior written consent of the Controller, Lepaya will not process any Personal Data, or have it processed, outside the European Economic Area and/or the European Union.
- Term and termination
7.1 This DPA will enter into force on the same date as the Agreement between Lepaya and Controller, and will remain valid for 6 (six) months after termination of the Agreement.
7.2 Either Party can terminate this DPA prematurely by giving notice of termination of the DPA in writing with due observance of a notice period of 3 (three) months. The Party that terminates the DPA does not owe the other Party any compensation in connection with the termination, with the exception of the Fees as stipulated in the Agreement between Lepaya and Controller.
7.3 If one of the following cases occurs with regard to a Party, this DPA will be terminated with immediate effect and by operation of law without notice of default being required and without the Parties owing each other any compensation:
(i) the Party has ceased exist or has been dissolved;
(ii) the Party has been declared bankrupt or has been granted a moratorium on payments, whether or not temporarily;
(iii) the Party has applied for a suspension of payments or that Party is granted a suspension of payments;
(iv) the Party is placed under administration. - Return of Personal Data
8.1 If this DPA ends, or if the Controller requests the cessation of the processing activities, or if the retention period of the Personal Data of 2 (two) years has expired, Lepaya will cease the processing activities with regard to the Personal Data with immediate effect and it will, on its own accord, without delay, but no later than within 4 (four) weeks, return all documents and other information carriers, including copies thereof, containing Personal Data, to the Controller.
8.2 Insofar as Personal Data is stored in a computer system of Lepaya or is recorded in another form that cannot reasonably be given to Controller, Lepaya will destroy that Personal Data, subject to other instructions from the Controller, unless Lepaya is obliged to store the Personal Data on the basis of an EU or member state law. - Governing law and jurisdiction
9.1 This DPA is exclusively subject to Dutch law. Applicability of the Vienna Sales Convention is expressly excluded.
9.2 All disputes arising in connection with this DPA , including disputes about its existence and validity, will be settled by the competent court in Amsterdam. - Miscellaneous
10.1 This DPA is not transferable by either Party, except with the prior written consent of the other Party.
10.2 This DPA can only be amended or supplemented in writing and with consent of both Parties.
Questions?
If you have any questions about this DPA, you can always contact us via:
LTD NL BV (trading under the name “Lepaya”)
Stephensonstraat 19
1097BA Amsterdam
Chamber of Commerce (Chamber of Commerce) number: 69556318
VAT number: NL857917171B01
Email: info@lepaya.com