Data Processing Agreement
This Data Processing Agreement (“DPA”) is an addendum to the legal Agreement between you and SkillsPlay for your use of the SkillsPlay Services.
1. Definitions
For the purposes of the DPA the following definitions apply:
“Customer Personal Data” means all Personal Data which SkillsPlay processes on behalf of the Customer.
“Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, the “GDPR”), (ii) in respect of the United Kingdom (“UK”), any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union, and (iii) the Norwegian legislation implementing the GDPR.
“New Sub-Processor” means any Sub-Processors engaged by SkillsPlay after the effective date of the Agreement.
“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Sub-Processor” means an entity to which SkillsPlay subcontracts its processing of the Customer Personal Data.
“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processor” and “Supervisory Authority” shall have the meaning provided to such terms pursuant to Data Protection Law.
All capitalised terms not defined in this DPA shall have the meaning set forth in the Terms. For the avoidance of doubt, all references to the Agreement shall include this DPA (including the SCCs (where applicable), as defined herein).
2. Roles and responsibilities
The parties acknowledge and agree that with regards to the processing of Customer Personal Data, Customer is the controller and SkillsPlay is a processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).
SkillsPlay shall process Customer Personal Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”).
The Customer shall (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions issued to SkillsPlay; (ii) provide all notices and obtain all consents and rights necessary under Data Protection Laws for SkillsPlay to process Customer Personal Data for the purposes described in the Agreement and this DPA does not relieve the Customer’s obligations under Data Protection Law.
Customers will not provide (or cause to be provided) any Sensitive Data to SkillsPlay for processing under the Agreement, and SkillsPlay will have no liability for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
If, in SkillsPlay’s opinion, an instruction from the Customer is in violation of Data Protection Law or other mandatory national or EU/EEA law, SkillsPlay shall immediately notify the Customer thereof.
The above limitation does not apply in so far as SkillsPlay is obligated to process Customer Personal Data pursuant to national law or EU/EEA law. In the event of any such obligation, SkillsPlay shall immediately notify the Customer, unless mandatory law prevents SkillsPlay from disclosing this information.
3. Security
SkillsPlay will implement and maintain appropriate technical and organisational security measures to protect Customer Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other breach of security in accordance with Article 32 (1) of the GDPR. The security measures shall at all times be designed to preserve the security and confidentiality of Customer Personal Data in accordance with SkillsPlay’s security standards set out in Annex B to this DPA.
SkillsPlay shall ensure that Customer Personal Data is solely processed by SkillsPlay’s personnel who are authorised by SkillsPlay to process Customer Personal Data. This entails that relevant SkillsPlay personnel who process Customer Personal Data are (i) granted access to the Customer Personal Data on a need-to-know basis, (ii) familiar with the provisions under Data Protection Law and the obligations imposed on SkillsPlay under this DPA, (iii) regularly trained in the care, protection and handling of Personal Data, (iv) authorised to process the Customer Personal Data, and (v) subject to a duty of confidentiality (whether a contractual or statutory duty).
Customer is responsible for reviewing relevant information pertaining to data security as is made available by SkillsPlay. Based on such information, the Customer shall make an independent assessment on whether the SkillsPlay Service complies with the Customer’s obligations pursuant to applicable laws, including Data Protection Laws. Customer understands that the SkillsPlay security measures may be updated or modified as needed, provided that such updates and/or modifications do not negatively degrade the overall level of security for the SkillsPlay Services provided to Customer.
4. Security incidents and notification
Upon becoming aware of any Personal Data Breach, SkillsPlay shall (i) without undue delay notify the Customer, and where feasible, in any event no later than 24 hours from becoming aware of the Personal Data Breach, (ii) promptly take reasonable steps to contain and investigate any Personal Data Breach and (iii) provide all reasonable information and cooperation necessary for the Customer to fulfil its Personal Data Breach requirements under Data Protection Law. Notwithstanding the foregoing, the Customer is responsible for notifying the Personal Data Breach to the competent Supervisory Authority. SkillsPlay’s notification of or response to a Personal Data Breach under this Section 4 shall not be construed as an acknowledgment by SkillsPlay of any fault or liability with respect to the Personal Data Breach.
5. Cooperation with the Customer
Taking into account the nature of the processing, SkillsPlay shall by appropriate technical and organisational measures, insofar as this is possible, assist the Customer to respond to a Data Subject’s request for exercising the Data Subject’s rights under Chapter 3 of the GDPR.
Furthermore, taking into account the nature of the processing and the information available to SkillsPlay, SkillsPlay shall assist the Customer with the Customer’s obligations to:
- Implement appropriate technical and organisational measures for the purpose of complying with Data Protection Law;
- Carry out data protection impact assessments; and
- Conduct prior consultations with Supervisory Authorities.
For the avoidance of doubt, SkillsPlay shall be entitled to receive remuneration for any documented costs SkillsPlay incurs in connection with its assistance under this section 5.
6. Audit and compliance review
SkillsPlay shall, in relation to its processing of Customer Personal Data, maintain documentation of its compliance with this DPA and Data Protection Law, including written records of all Customer Personal Data processed on behalf of the Customer. SkillsPlay shall provide access to the aforementioned documentation upon the Customer’s reasonable notice.
SkillsPlay shall allow for and contribute to audits, including inspections, conducted by the Customer of SkillsPlay’s premises and security systems specific for Customer, as Customer may reasonably require to ascertain compliance with Data Protection Law. The Parties shall agree on the timing of such audits, including the scope and methods for the audits. Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the performance of such audits is necessary for the Customer’s compliance with Data Protection Law. The Customer shall give SkillsPlay reasonable notice of the audit. The audit shall be conducted in a manner that causes the least possible disruption to SkillsPlay’s ordinary operations.
The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense. The relevant third party may not be a competitor of SkillsPlay.
Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the Controller. Notwithstanding the foregoing, if audits pursuant to this Section 6 identify that SkillsPlay is in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be borne by SkillsPlay.
7. Use of Sub-Processors
SkillsPlay may subcontract its processing of the Customer Personal Data to a Sub-Processor.
SkillsPlay shall enter into a written agreement with each Sub-Processor, requiring the Sub-Processor to comply with data protection obligations equivalent in all material respects to those imposed on Customer under this DPA. SkillsPlay shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA and for any acts or omissions of such Sub-Processors that cause SkillsPlay to breach any of its obligations under this DPA.
SkillsPlay will notify the Customer if SkillsPlay intends to appoint or use a New Sub-Processor to the extent applicable to the nature of the service provided by such New Sub-Processor. If the Customer has reasonable grounds to object to SkillsPlay’s use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under Data Protection Law, the Customer shall notify SkillsPlay thereof in writing within fifteen (15) calendar days after receipt of SkillsPlay’s notice. The list of SkillsPlay’s current Sub-Processors is available here.
Following such an objection from the Customer, SkillsPlay shall be entitled to terminate the Agreement for convenience without being obligated to refund any amounts that You have already paid, to the fullest extent permitted under applicable law.
8. International Transfers
Customer agrees that SkillsPlay shall be entitled to transfer and process Customer Personal Data within the EU/EEA.
Subject to section 7, Customer acknowledges that SkillsPlay may transfer and process Customer Personal Data to areas outside the EU/EEA because of the geographical location of the data centers of some of our Sub-Processors. SkillsPlay shall ensure that such transfers are made in compliance with the requirements of the Agreement, this DPA and Data Protection Law.
To the extent that SkillsPlay transfers Customer Personal Data protected by EU Data Protection Laws to a country outside of EU/EEA that is not recognised as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), SkillsPlay shall ensure that the transfer is based on SCCs in the form currently approved by the European Commission. SkillsPlay shall enter into a written agreement including SCCs with all of SkillsPlay’s sub-processors that might process Customer Data outside the EU/EEA, and shall require that its sub-processors abide by and process EU Data in compliance with SCCs. For the purposes of the descriptions in the SCCs, SkillsPlay agrees that it is the “data importer”, and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside the EU/EEA).
9. Return or Deletion of Data
Upon termination of the Agreement, SkillsPlay shall delete or return to Customer, at Customer’s choice, all Customer Personal Data in SkillsPlay’s possession or control. This requirement shall not apply to the extent SkillsPlay is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in back-up systems, which SkillsPlay shall securely isolate, protect from any further processing and eventually delete in accordance with SkillsPlay’s deletion policies, except to the extent required by applicable law.
Annex A – Details of Data Processing
Processor
SkillsPlay is the Processor of Customer Personal Data.
Controller
The Customer is the Controller of Customer Personal Data.
Subject matter:
The subject matter of the data processing under this DPA is Customer’s Personal Data.
Duration of processing:
SkillsPlay will process Customer Personal Data as outlined in Section 9 (Return or Deletion of Data) of this DPA.
Purposes of processing:
SkillsPlay shall only process Customer Personal Data for the following purposes: (i) processing as necessary to provide the SkillsPlay Services in accordance with the Agreement; (ii) processing initiated by Customer in its use of the SkillsPlay Services; and (iii) processing to comply with any other reasonable instructions by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.
Nature of the processing:
SkillsPlay provides a learning platform, and related services, that allows our users to create and upload content, play and host games and invite others to join a game, as more particularly described in the Agreement.
Data Subjects
Data Subjects include the individuals about whom data is provided to SkillsPlay via SkillsPlay Services under the Agreement, for example participants in a BrightGames, Customer’s employees or students, and other third parties that Customer includes in the use of the SkillsPlay Services.
Categories of Personal Data
The Customer may upload, submit or otherwise provide certain Personal Information to or for the use of the SkillsPlay Services, the extent of which is typically determined and controlled by the Customer in its sole discretion, and may include email addresses (required for login), Organisation (required), username, name, location, picture, game reports (including scores and in-game activities), and profile bio.
Sensitive Data
SkillsPlay does not want to, nor does it intentionally, collect or process any Sensitive Data as part of the provision of the Services.
Annex B – Security Measures
See our Security Measures applicable to the Service (as updated from time to time in accordance with Section 3 of this DPA).