Data Protection Addendum and General Data Protection Regulation Compliance
Please note: If you require a signed copy of the agreement, please request one via email to firstname.lastname@example.org.
When a User adds Nurture to their Microsoft Teams account, the current Data Processing Agreement on Nurture’s website applies. If a new feature is introduced to Nurture, the Data Processing Agreement may be updated and will apply to the User’s use of those new features.
Unless otherwise defined herein, capitalized terms and expressions used in this agreement shall have the following meaning:
“Agreement” means this Data Processing Agreement and Appendices A and B.
“EEA” means the European Economic Area.
“Data Protection Laws” means EU/EEA Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
“GDPR” means EU General Data Protection Regulation 2016/679.
“Sub-processor” means other processors used by Nurture to process the Controller’s personal data in connection with the Service, for example to store the personal data.
“Data transfer” means a transfer of Controller Personal Data to the Processor or a transfer of the Controller’s Personal Data to a Sub-processor.
The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their related terms shall be interpreted accordingly.
The Processor shall process the Controller’s personal data only on documented instructions from the Controller, unless required to do so by national law to which the Processor is subject. The instructions shall be specified in Appendix A.
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or any Sub-processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Personal Data, as strictly necessary for the purposes of the Processor service, and to comply with applicable laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) (a-d) of the GDPR. Depending on their relevance, the measures may include the following:
In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Use of Sub-processor
The Processor has the Controller’s general authorisation for the engagement of Sub-processors. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub-processors at least 21 days in advance, thereby giving the Controller the opportunity to object to such changes. A list of Sub-processors already authorised by the Controller can be found in Appendix B.
Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the agreement shall be imposed on that Sub-processor by way of an agreement.
6. Assistance to the Controller
Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under GDPR and other Data Protection Laws.
The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments (DPIA) and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Controller’s Personal Data by, and taking into account the nature of, the processing and information available to the Processor.
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller Personal Data. Such notification shall meet the Controller’s obligation to notify the competent Supervisory Authority and the Data Subject if applicable, and include that information a Processor must provide to a Controller under Art. 33 (3) of the GDPR to the extent such information is reasonably available to the Processor.
The Controller shall immediately notify the Processor if he becomes aware of a Personal Data Breach or has any suspicion of a breach in connection with the use of Nurture.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and the Agreement, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
For Controllers covered by the GDPR, the Processor may not transfer or authorize a transfer of Personal Data to countries outside the European Economic Area (EEA) without the prior written consent of the Controller. If Personal Data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (Art. 24), the applicable national Data Protection Laws and this Agreement.
The Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.
The Controller shall be responsible for ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
All notices and communications given by the Processor under this Agreement must either be in writing, published on the website or sent by email.
The Processor shall be notified by email sent to the address: email@example.com
This agreement is governed by Irish laws and EU/EEA Data Protection Laws.
This agreement becomes effective when Controller adds Nurture in Microsoft Teams.
The Agreement shall apply for the duration of the Personal Data processing by Nurture (jumpAgrade Technology Ltd.) on behalf of the Controller.
Nature of processing: The data processing performed by Nurture add-in to Microsoft Teams on behalf of the Controller relates to the service of Nurture (jumpAgrade Technology Ltd.). Nurture is an add-in dedicated to extending the functionality of Microsoft Teams for teachers and educators. Nurture provides functionality inside of Teams for teachers to store digital lesson resources, organise their daily work and share content with other teachers and students.
Purpose of processing: Enable Nurture Users to create, store and share with fellow teachers and pupils for example lessons plans, class lists and notes regarding students’ behaviour, learning progress and more.
Type of personal data:
Categories of Data Subjects:
Students, Teachers and other staff.