Last updated: 7 January 2023
This is the Data Processing Agreement ("DPA") which forms part of an Agreement with regard to the use of the online learning platform Ans (the “Service”). The Agreement is or will be concluded between Ans Exam B.V. ("Processor") and the customer ("Controller") each separately referred to as “party” or jointly referred to as (the) “parties”. For the purpose of the fulfillment of its obligations under the Agreement, Processor shall process personal data on behalf of the Controller.
In accordance with article 28 GDPR, the parties wish to describe the subject and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties in this DPA. Definitions that are used in this Processing Agreement, such as processing, personal data, controller and processor shall have the meaning as determined in the EU Regulation 2016/679 of 27 April 2016 (the “GDPR”);
In order to comply with the GDPR, with respect to the Processing of Personal Data, parties agree upon the conditions as set forth in this DPA. The Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. This DPA is not applicable if the parties have negotiated a different DPA as part of the Agreement. Any capitalised terms not defined in this DPA shall have the meanings set forth in the Agreement.
lightbulb_outline This DPA is not applicable if the parties have negotiated a different DPA as part of the Agreement.
Article 1 General provisions
- The Processor processes personal data on behalf of the Controller during the term of the Agreement. An overview of the categories of personal data and the purposes for which the personal data are processed is included in Schedule 1 to this Processing Agreement.
- Processor shall process personal data on documented instructions from and under the express responsibility of the Controller. The Controller has determined the purposes and means of the processing of personal data falling within the scope of this Processing Agreement.
- The Processor has no control over the purpose and means of the processing and therefore takes no decisions on for example the use of personal data, transfer of personal data to third countries and the duration of storage of personal data.
- If Processor is required to process personal data in a manner that it derogates from what is agreed in this Processing Agreement by Union or Member State law, Processor will notify the Controller in advance, unless Union or Member State law prohibits such notification.
- Controller guarantees to Processor that the content, use and/or processing of the personal data that it instructs under this Processing Agreement are not unlawful and do not infringe any right of a third party.
- Controller shall notify the Processor of any changes in laws and regulations that may change Processor’s rights and obligation with regard to processing personal data on behalf of the Controller.
Article 2 Security
- Parties will take appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing.
- Processor’s security measures will ensure an appropriate level of security taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks associated with the processing and the nature of personal data. However, the Processor cannot ensure that the security measures will be effective under all circumstances.
- If Controller is of the opinion that a change in Processor’s security measures is necessary to ensure a level of security appropriate to the risk, parties will enter into consultation on the security measures requested by the Controller.
Article 3 Audits
- The Controller is entitled to have an external and independent auditor review the performance of this Processing Agreement annually.
- The Controller will timely notify the Processor about its intention to carry out an audit.
- Processor shall cooperate with such an audit and will enter into consultation with the Controller about any recommendations for improvement given by the external, independent auditor. The obligation to cooperate does not automatically imply the obligation to implement the recommendations.
Article 4 Personal data breach
- Taking into account the nature of the processing and the information available to Processor, Processor will assist the Controller in ensuring compliance with the obligations pursuant to article 33 and 34 GDPR on the notification of a personal data breach to the supervisory authority and data subjects.
- The Processor will inform the Controller without undue delay after becoming aware of a personal data breach.
- The obligation to notify a supervisory authority or data subject of a personal data breach shall remain the responsibility of the Controller. The Processor will not notify a supervisory authority or data subject itself.
Article 5 Obligation to cooperate
Processor shall assist the Controller, in so far as possible and reasonable given the nature of processing personal data under this Processing Agreement, in:
- fulfilling Controller’s obligations with respect to the rights of data subjects by means of appropriate technical and organisational measures. The aforementioned obligations of the Controller are set out in article 12 up to and including article 23 GDPR and relate to for example a request for deletion or correction of personal data by a data subject;
- complying with Controller’s obligations set out in article 32 up to and including article 36 GDPR. The aforementioned Controller’s obligations relate to ensuring appropriate security measures, a data protection impact assessment (DPIA) and the prior consultation of a supervisory authority.
Article 6 Engaging other processors
- Controller authorises Processor to engage other processors to fulfill (parts of) the obligations under the Agreement. Processor shall notify Controller of any intended change concerning the addition or replacement of other processors. Controller may object to any intended change within 5 working days after being notified. If Processor does not accept Controller’s objections, Processor may terminate the Agreement without observing any notification period.
- If Processor instructs another processor for carrying out specific processing activities on behalf of the Controller, Processor shall ensure that the same data protection obligations as set out under this Processing Agreement are imposed on the other processor. Processor shall lay down these obligations in a written contract. If the other processor fails to comply with its obligations regarding data protection, Processor shall remain liable to Controller for the performance of that other processor’s obligations.
Article 7 Confidentiality
- Parties shall ensure that the persons they authorise to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Paragraph 1 of this article does not apply if a provision of personal data to a third party is necessary pursuant to a court decision, a statutory provision or a competent order issued by a governmental authority. Processor shall notify Controller in such a case unless this is not permitted by law.
Article 8 Liability
- The Controller shall indemnify Processor for claims of a supervisory authority and/or data subjects whose personal data are processed by Processor on behalf of the Controller unless Controller proves that the facts underlying the claim are attributable to Processor.
- The liability provisions of the Agreement shall also apply to the rights and obligations of the parties under this Processing Agreement unless the law expressly provided otherwise.
Article 9 Term and termination
- This Processing Agreement will enter into force on the date of the last signing of the Agreement by the parties and is concluded for an indefinite period of time.
- This Processing Agreement will end once the Agreement is terminated (for whatever reason) but only after Processor has returned or deleted all the personal data that it processes on behalf of the Controller.
- At the end of the Agreement, Processor will return or delete all personal data is processed on behalf of the Controller.
- Paragraph 3 of Article 9 does not apply if and in as far as Union or Member State law applicable to the Processor prevent the full or partial return or destruction of the personal data.
Article 10 Costs
- Processor may charge the Controller for the costs (actually incurred costs and hours spent by Processor) associated with: “Audits”, “Obligations to cooperate”, “Returning Personal data at end of Agreement”, “Personal Data Breach” (but only for the costs associated with a notification to the supervisory authority and to data subjects) unless and insofar as the facts underlying these costs are caused by an attributable failure by Processor to comply with this Processing Agreement.
Article 11 Miscellaneous
- This Processing Agreement forms an integral part of the Agreement. Therefore all rights and obligations under the Agreement, including any (limitation of) liability clauses, will also apply to this Processing Agreement. In the event of any contradictions, this Processing Agreement shall prevail.
The processing of personal data under the Agreement relates to ‘Software as a Service Agreement Ans Exam’. Personal data of users of the Service are processed. This concerns in particular:
- User name
- Email address
- Student number
- School name
- Language preferences
- IP address
- Department (faculty)
- Assignment results
The Processor will not process personal data as referred to in article 9 and article 10 of the GDPR and will not process Civil Service Numbers (Dutch: BSN), or any personal data of children under the age of 16. Controller guarantees that it shall not have the aforementioned type of personal data processed in the Service.
Nature and purpose
The Processor performs the following personal data processing operations:
- collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The purpose for processing personal data under the Agreement is to help professors to review written exams, digital exams and all kind of assignments. It enables professors to review more efficient and gives them the opportunity to provide better feedback to the students.
Categories of data subjects
The category of data subjects whose personal data is processed by Processor are:
- Student of the Controller
- Employees of the Controller
The Controller may determine the duration of personal data being processed by Processor. The Processor will store personal data no longer than necessary to provide the services requested by the Controller.
The Processor has engaged the following sub-processors with regards to processing Personal Data:
|Location of processing
|Type of data
|Worldwide (nearest datacenter to user)
The Processor uses other applications for the processing of data, such as NewRelic. These applications do not process any Personal Data and are therefore not included in the overview.
Technical and organisational security measures
The Controller must take at least the following technical and organisational measures to protect personal data against unlawful processing:
- Two-factor authentication to minimise the risk.
- No account sharing.
- Use of a unique password.
- Never leave your devices without logging out or locking the device.
The Processor will take the following technical and organisational security measures to protect the personal data it processes on behalf of the Controller:
- Privacy by design and by default
- ISO27001 and ISO9001 certificate
- Data is encrypted in transport and stored
- Internal and external security controls
- Access logging
- Two-factor authentication
Notification data breach
The Processor will notify the Controller about a personal data breach in the following manner:
- Processor will report personal data breaches to the contact person of the Controller. If Controller’s contact person is not reachable, Processor shall try the general or info contact details as shown on Controller’s website.
Processor shall provide the Controller with the following information (if reasonably available):
- contact details of Processor’s data breach coordinator;
- the (suspected) cause of the data breach;
- the consequences of the data breach;
- location data of the data breach;
- any unauthorized recipients of the personal data and all information available about them;
- proposed measures to mitigate the damage;
- other data that a notification of a data breach to a supervisory authority and to a data subject must include according to relevant laws and regulations.