LutinX.com Data Processing Addendum
Last Update: July 26, 2024
This Data Processing Addendum (“DPA”) incorporates by reference the terms of the agreement between Lutin Technologies Ltd. (“LutinX”) and Client, or any other agreement between Client and LutinX, governing the transfer of Personal Data between LutinX and Client (the “Agreement”). This DPA is an agreement between Client and LutinX. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA have the meanings given to them in the Agreement or in this DPA. In the event of a conflict of terms, this DPA shall prevail.
1. Definitions.
a. “Applicable Data Protection Laws” means all data protection, privacy, and data security laws applicable to the processing of personal data, including but not limited to the GDPR; the United Kingdom Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100-.199 (“CCPA”); and the Family Educational Rights and Privacy Act (“FERPA”).
b. “Client Data” means the data, including Personal Data, that is uploaded to the LutinX Services by Client. Client Data does not include Earner Data.
c. “Connected Earner” means an Earner that has consented to share their Connected Earner Data with the Client.
d. “Connected Earner Data” means the information, including but not limited to Personal Data, from a Connected Earner’s LutinX account that the Connected Earner consents to share with the Client.
e. “Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
f. “LutinX Information Security Standards” means the security standards attached to the Agreement or, if none are attached to the Agreement, attached to this DPA as Annex II.
g. “Earner Data” means the data of an Earner that is processed by LutinX under an agreement between LutinX and that Earner.
h. “EEA” means the European Economic Area.
i. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
j. “Processing” has the meaning given to it in the GDPR, and “process”, “processes” and “processed” will be interpreted accordingly.
k. “Processor” means the entity which processes Personal Data on behalf of the Controller.
l. “Security Incident” means a failure of LutinX’s adherence to the security measures in Annex II leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Client Data.
m. “Standard Contractual Clauses” or “SCC” means the Annex to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
n. “UK Addendum” means the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament under s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
2. Data Processing.
a. Scope and Roles. This DPA applies when Personal Data is transferred between LutinX and Client.
b. Family Educational Rights and Privacy Act (“FERPA”). To the extent FERPA is applicable, LutinX agrees to comply with all applicable federal and state laws related to the protection and privacy of student records, including, but not limited to, FERPA. LutinX will implement safeguards that: (a) ensure the security and confidentiality of Client Data; (b) protect against any anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to any students. If LutinX subcontracts with a third party for any of the services that it is required to undertake in furtherance of this Agreement, LutinX will take reasonable steps to verify that such third parties implement practices that protect Client Data.
c. Details of Data Processing.
i. Subject matter: The subject matter of the data processing under this DPA is personally identifiable Client Data or Earner Data.
ii. Duration: As between LutinX and Client, the duration of the data processing under this DPA is for the Term of the Agreement.
iii. Purpose: The purpose of the data processing under this DPA is the provision of the Services.
iv. Nature of the processing: LutinX will provide a platform for the Client to create, manage, issue, and use Credentials.
v. Categories of Personal Data: Client Data uploaded to the Services under Client accounts on LutinX or Earner Data made available to Client according to the consent of the applicable Earner.
vi. Categories of data subjects: The data subjects may include Earners, and Client’s customers, employees, end-users, and other individuals that are issued Credentials by Client.
vii. Location: LutinX shall store data in Europe.
d. Storage in the United States. Notwithstanding anything to the contrary in this Agreement, the Parties acknowledge that LutinX can store Personal Data, including Client Data, in the United States, and the storage by LutinX of Personal Data in the United States shall not be deemed a violation of this Section or create a right of action under this Agreement.
e. Storage in Europe. LutinX stores the Personal Data of European citizens in Germany and elsewhere in the European Union.
f. Compliance with Applicable Data Protection Laws. The Parties represent that (a) Connected Earner Data shall be lawfully collected and transferred in accordance with Applicable Data Protection Laws (as defined in this DPA); and (b) the Parties have, and shall maintain, the systems and processes in place to ensure compliance with the terms of the Agreement.
g. Cooperation between the Parties. The Parties will assist each other in complying with requests or complaints of data subjects or supervisory authorities concerning Connected Earner Data under Applicable Data Protection Laws. The Parties will notify each other of any requests, inquiries, monitoring activities, and similar measures undertaken by supervisory authorities regarding the handling of Personal Data under this DPA.
3. Client Instructions. The parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding LutinX’s processing of Client Data (“Documented Instructions”). LutinX will process Client Data only in accordance with the Documented Instructions. Client shall obtain all consents required by any Applicable Data Protection Law from Earners for LutinX to lawfully store, transfer, and process Personal Data provided by Client to LutinX under the Agreement. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between LutinX and Client, including agreement on any additional fees payable by Client to LutinX for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if LutinX declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
4. Confidentiality of Client Data. LutinX will not access or use, or disclose to any third party, any Client Data, except, in each case, as necessary to maintain the Services under the Agreement, or to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends LutinX a demand for Client Data, LutinX will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, LutinX may provide Client’s basic contact information to the governmental body. If compelled to disclose Client Data to a governmental body, LutinX will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy, unless LutinX is legally prohibited from doing so.
5. Confidentiality Obligations of LutinX Personnel. LutinX restricts its personnel from processing Client Data without authorization by LutinX. LutinX shall impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection, and data security.
6. Security of Data Processing. LutinX has implemented and will maintain the technical and organizational measures for the Services described in the LutinX Information Security Standards, attached hereto as Annex II.
7. Sub-processing.
a. Authorized Sub-processors. Client agrees that LutinX may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. The LutinX website lists sub-processors that are currently engaged by LutinX to carry out processing activities on Client Data on behalf of the Client. At least 30 days before LutinX engages any new sub-processor to carry out processing activities on Client Data on behalf of Client, LutinX will email notice to the notice email set forth on the Order Form. If Client reasonably objects to a new sub-processor and such objection cannot be satisfactorily resolved within a reasonable time, Client may terminate this Agreement without penalty upon 30 days written notice to LutinX.
b. Sub-processor Obligations. Where LutinX authorizes any sub-processor as described in Section 7(a):
i. LutinX will restrict the sub-processor’s access to Client Data only to what is necessary to maintain the Services or as necessary under the Agreement. LutinX will prohibit the sub-processor from accessing Client Data for any other purpose; and
ii. LutinX will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by LutinX under this DPA, LutinX will impose on the sub-processor the appropriate contractual obligations that LutinX has under this DPA; and
iii. LutinX will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that violate the obligations under this DPA as if caused by LutinX itself.
8. Data Subject Requests. Should a data subject contact LutinX concerning the correction or deletion of Client Data, LutinX will use commercially reasonable efforts to direct such data subject to Client.
9. Security Breach Notification.
a. Security Incident. LutinX will (a) notify Client of a Security Incident without undue delay after becoming aware of it; (b) investigate the Security Incident; (c) provide Client with a summary of the Security Incident; and (d) take reasonable steps to mitigate the effects of the Security Incident and implement procedures to prevent its recurrence.
b. LutinX Assistance. To assist Client with any personal data breach notifications Client is required to make under Applicable Data Protection Laws, LutinX will include in the notification under Section 9(a) such information about the Security Incident as LutinX is reasonably able to disclose to Client, taking into account the nature of the Services, the information available to LutinX, and any restrictions on disclosing the information, such as confidentiality. LutinX’s obligation to report or respond to a Security Incident under this Section 9 is not, and will not be construed as, an acknowledgement by LutinX of any fault or liability with respect to the Security Incident.
c. Client Obligations. Where a controller-to-controller relationship exists between LutinX and Client, Client shall notify LutinX without undue delay in the event a personal data breach, as defined in the GDPR, occurs that requires Client to notify the competent supervisory authority or other regulator and/or the impacted data subjects.
10. LutinX Certifications and Audit Right.
a. LutinX Audits. LutinX uses external auditors to verify the technical, organizational, and security measures, including the security of the physical data centers from which LutinX provides the LutinX Services. This audit will result in the generation of an audit report (the “Report”), which will be LutinX’s Confidential Information.
b. Audit Reports. At Clientโs written request, LutinX will provide Client with a copy of the Report so that Client can reasonably verify LutinXโs compliance with its obligations under this DPA.
c. Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to LutinX, LutinX will assist Client in complying with Clientโs obligations in respect of data protection impact assessments and prior consultation according to Articles 35 and 36 of the GDPR, by providing the information LutinX makes available under this Section.
11. Limitation of Liability. Each party’s liability, taken together in the aggregate, arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set out in the Agreement. In no event shall either party limit its liability concerning any individual’s data protection rights under this DPA or otherwise.
12. Application of Standard Contractual Clauses.
a. The Standard Contractual Clauses will apply to Client Data that is transferred outside the EEA, the UK, or Switzerland (collectively, the “EEA”), either directly or via onward transfer, to any country not recognized by the European Commission, the UK Information Commissioner’s Office, or the Swiss FDPIC as providing an adequate level of protection for personal data (as described in the GDPR or the Swiss FADP). The Standard Contractual Clauses will not apply to Client Data that is not transferred, either directly or via onward transfer, outside the EEA.
b. Where the transfers contemplated under this Section 12 result in transfers of UK Personal Data to LutinX for processing by LutinX in a jurisdiction other than the UK or a country approved by the UK Information Commissioner’s Office as providing “adequate” data protection, each party agrees that (a) the UK Addendum for transfers of UK Personal Data shall apply; (b) the UK Addendum will be deemed executed by and between Client and LutinX; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
c. Where the transfers contemplated under this Section 12 result in transfers of Swiss Personal Data to LutinX for processing by LutinX in a jurisdiction other than the EEA, each party agrees that (a) references in the SCC to a “member state” or to the “EU” shall be deemed to include Switzerland; and (b) the SCC between the parties shall be deemed amended so that the Swiss FDPIC is the exclusive Supervisory Authority for the transfers of Swiss Personal Data under this Agreement.
d. If the Standard Contractual Clauses are amended, replaced, or repealed by the European Commission or otherwise under Data Protection Laws, the Parties shall work together in good faith to enter into any updated version or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Laws. Either Party may terminate the Agreement on 30 days’ written notice if the Parties are incapable of implementing, or fail to implement, another appropriate safeguard to ensure an adequate level of data protection within 90 days.
13. Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
14. Return or Deletion of Client Data. Up to the Termination Date, Client will continue to have the ability to retrieve or delete Client Data under this Section. For 90 days following the Termination Date, Client may delete or retrieve for export or download any Client Data from the Services, subject to the terms and conditions set out in the Agreement, unless prohibited by law or by the order of a governmental or regulatory body, or where doing so could subject LutinX or its Affiliates to liability. No later than the end of this 90-day period, Client will close all LutinX accounts. LutinX will delete Client Data when requested by Client. After that 90-day period, LutinX will have no obligation to maintain Client Data, and may thereafter delete or destroy all copies of Client Data maintained by LutinX.
15. Duties to Inform. Where Client Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties, while being processed by LutinX, LutinX will inform Client without undue delay. LutinX will, without undue delay, notify all relevant parties in such action (e.g., creditors, bankruptcy trustee) that any Client Data subjected to those proceedings is Client’s property and area of responsibility and that Client Data is at Client’s sole disposition.
16. Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between the Standard Contractual Clauses and this DPA, the terms of the Standard Contractual Clauses, as applicable, shall prevail.
APPENDIX
Standard Contractual Clauses (Controller-to-Controller) Module 1, as applicable
Standard Contractual Clauses (Controller-to-Processor) Module 2, as applicable
Where applicable under the DPA, the parties hereby enter into Module 1 or 2 of the Standard Contractual Clauses, as applicable, and where the SCCs require the parties to choose between optional clauses and to input information, the parties have done so as set out below:
1. The Optional Clause 7 “Docking clause” shall not be adopted.
2. For Clause 9 “Use of sub-processors”, the parties elect the following option:
“Option 2 General written authorization: The data importer has the controller’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 calendar days in advance, thereby giving the controller sufficient time to be able to object to such changes before the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).”
3. For Clause 11 (a) “Redress”, the parties do not adopt the Option.
4. For Clause 17 “Governing law”, the parties elect the following option:
“Option 1. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland.”
5. For Clause 18 (b) “Choice of Forum and Jurisdiction”:
“The Parties agree that those shall be the courts of Switzerland.”
ANNEX I (applicable to Module 2 only)
1. LIST OF PARTIES
a) Data exporter: The data exporter is the entity identified as โClientโ in the DPA
b) Data importer: The data importer is Lutin Technologies Ltd, a provider of web services.
2. DESCRIPTION OF TRANSFER
a) Data subjects: Data subjects are defined in Section 2(c)(vi) of the DPA.
b) Categories of data: The personal data is defined in Section 2(c)(v) of the DPA.
c) Processing operations: The processing operations are defined in Section 2(c)(iv) of the DPA.
d) Frequency: Continuous
3. COMPETENT SUPERVISORY AUTHORITY
Data Protection Commission
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (provided as a separate linked document)