SNSI DATA PROCESSOR AGREEMENT
1. Purpose and Scope
1.1. The Controller and the Processor have entered into an arrangement under which the Processor will provide services to the Controller that involve the processing of personal data (“Services”).
1.2. This Agreement sets out the terms and conditions under which the Processor shall process personal data on behalf of the Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
2. Definitions
2.1. “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4 of the GDPR.
2.2. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4 of the GDPR.
2.3. “Sub-processor” means any third party appointed by or on behalf of the Processor to process Personal Data under this Agreement.
3. Processing of Personal Data
3.1. Subject Matter: The Processor shall process Personal Data strictly for the provision of Services as described in the main service agreement between the Parties (“Service Agreement”).
3.2. Duration: The Processor will process Personal Data only for as long as necessary to fulfill the Services or until the termination of the Service Agreement, unless otherwise required by law.
3.3. Nature and Purpose: The Processor shall process Personal Data solely for the purposes specified by the Controller and not for any other purpose without the Controller’s prior written consent.
3.4. Categories of Data Subjects:
- Website visitors (e.g., individuals browsing scubasnsi.com)
- Registered users (e.g., students, instructors)
- Course participants
- Customers purchasing products or services
3.5. Types of Personal Data:
- Identification and Contact Data: Name, email address, phone number, mailing address
- Account Data: Username, password (or password hash), course enrollments, certification history
- Transactional Data: Payment information (with or without limited credit card details, depending on the system), purchase records, billing address
- Communication Data: Messages or correspondence sent via the website or email
- Technical Data: IP address, device information, browser type, cookie data, and usage logs
4. Obligations of the Processor
4.1. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
4.2. The Processor shall ensure that any individuals authorized to process Personal Data are bound by confidentiality obligations.
4.3. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including (but not limited to) encryption, pseudonymization, and access controls.
4.4. The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR.
4.5. The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach, providing sufficient detail to enable the Controller to comply with its legal obligations.
5. Obligations of the Controller
5.1. The Controller shall provide the Processor with the Personal Data that is required for the performance of the Services, ensuring that such provision and the intended processing are lawful.
5.2. The Controller shall document and communicate any special instructions or requirements regarding the processing of Personal Data to the Processor.
5.3. The Controller shall maintain its own records of processing activities where required by the GDPR.
6. Sub-processing
6.1. The Processor may engage Sub-processors only with the Controller’s prior written consent.
6.2. The Processor shall ensure that any Sub-processor is bound by contractual obligations no less protective than those set forth in this Agreement.
6.3. The Processor shall remain fully liable to the Controller for the performance of any Sub-processor.
7. International Data Transfers
7.1. If the Processor transfers Personal Data originating from the European Economic Area (“EEA”) or the UK to a country not recognized by the European Commission or the relevant authority as providing an adequate level of data protection, the Processor shall ensure that appropriate safeguards (e.g., Standard Contractual Clauses) are in place.
7.2. The Processor shall promptly inform the Controller of any inability to comply with the aforementioned safeguards and suspend processing if compliance is not possible.
8. Data Subject Rights
8.1. The Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling the Controller’s obligation to respond to requests by data subjects to exercise their rights under the GDPR (e.g., access, rectification, erasure, restriction of processing, data portability, and objection).
9. Data Return or Deletion
9.1. Upon expiration or termination of the Service Agreement, or at the Controller’s request, the Processor shall promptly return or securely delete all Personal Data, unless otherwise required by law to retain the data.
9.2. The Processor shall provide written certification confirming the secure deletion of Personal Data if requested by the Controller.
10. Audit and Compliance
10.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits conducted by the Controller or its appointed auditor.
10.2. Any audit must be conducted at reasonable intervals, with prior notice, and during normal business hours, without disrupting the Processor’s business operations.
11. Limitation of Liability
11.1. Each Party’s liability arising out of or related to this Agreement shall be subject to the limitations and exclusions of liability agreed in the Service Agreement, except to the extent prohibited by applicable law.
12. Governing Law and Jurisdiction
12.1. This Agreement is governed by and shall be construed in accordance with the laws of [Jurisdiction].
12.2. Any disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the competent courts of [Jurisdiction].
13. Miscellaneous
13.1. This Agreement forms part of the Service Agreement. In the event of a conflict between this Agreement and the Service Agreement regarding data protection, this Agreement shall prevail.
13.2. If any provision of this Agreement is held invalid, illegal, or unenforceable, it shall not affect the validity of the remaining provisions.
13.3. This Agreement may only be amended by a written instrument signed by both Parties.