Generally speaking, the Data Processing Agreement (DPA) states that you will only use personal data of the employee for the purpose of providing the services and for no other reason. You will be responsible for ensuring that this data is kept securely and is not shared with anyone without our specific approval.
If there is any kind of breach and anyone external gains access to personal data of the employee, please notify us within 24 hours and provide us with full details about the breach.
Since the personal data may only be used for the purpose of providing the services, once your services with respect to this employee have ended, you should delete any record related to the coaching process.
Please note that the description above is not a summary of the DPA nor legal advice. You are solely responsible for reading and understanding the DPA and determining that you can comply before you sign it.
Data Processing Agreement
This Data Processing Agreement ("DPA") forms an integral part of and is subject to the Terms of Service for Experts, entered into by and between Growth Space Ltd. ("Growth Space") and you ("Expert" and the "Terms of Service" respectively) as of the date it is accepted by the Expert. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Service.
Whereas, Growth Space Processes Personal Data ("Customer Personal Data") on behalf of certain its customers ("Customer") and at their direction; and
Whereas, Growth Space is subject to certain contractual and regulatory restrictions with respect to its Processing of such Customer Personal Data; and
Whereas, in connection with the performance of its obligations under the Terms of Service, Expert may Process Customer Personal Data on behalf of Growth Space; and
Whereas, the parties wish to set forth the mutual obligations with respect to the processing of Customer Personal Data by Expert;
Now therefore, intending to be legally bound, the parties hereby agree as follows:
1. Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:
1.1. "Applicable Law" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), laws implementing or supplementing the GDPR; (ii) the California Consumer Privacy Act of 2018, Cal. Civil Code Title 1.81.5 and the regulations thereunder, as may be amended from time to time ("CCPA"), and/or (iii) any laws applicable to Growth Space's Processing of Customer Personal Data.
1.2. "EU Laws" means any laws of the European Union or any Member State.
1.3. "Personal Data" shall mean both Personal Data as defined under the GDPR and Personal Information as defined under the CCPA.
1.4. The terms "Controller", "Data Subject", "Member State", "Personal Data Breach", "Processor", "Processing", and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.
1.5. "Business", "Collect", "Consumer", "Processing", "Request to Know", "Request to Delete", "Request to Opt-Out", "Sell", and "Verifiable Consumer Request" shall have the meanings ascribed to them in the CCPA.
2. Roles of the Parties.
2.1. When Growth Space Processes Customer Personal Data that is subject to the GDPR, the applicable Customer serves as a Controller of such Personal Data and Growth Space serves as a Processor on its behalf. Expert shall serve as a Sub Processor of such Customer Personal Data. This DPA should be interpreted accordingly.
2.2. When Growth Space Processes Personal Data of Customers that is subject to the CCPA, the applicable Customer serves as a Business with respect to such Personal Data and Growth Space serves as a Service Provider (as defined in the CCPA) on its behalf.
3. Processing of Customer Personal Data.
3.1. Expert shall Process Customer Personal Data on Growth Space's behalf and at Growth Space’s instructions as specified in the Terms of Service and/or in this DPA, including without limitation with regard to transfers of Customer Personal Data to a third country or international organization. Any other Processing shall be permitted only in the event that such Processing is required by EU Laws to which Expert is subject. In such event, Expert shall, unless prohibited by such EU Laws on important grounds of public interest, inform Growth Space of that requirement before engaging in such Processing.
3.2. Growth Space instructs Expert (i) to Process Customer Personal Data in accordance with Growth Space's written instructions, for the sole purpose of provision of the Services as detailed in the Terms of Service, as set forth in this DPA, and/or as otherwise directed by Growth Space; and (ii) to transfer Customer Personal Data to a country or territory as strictly necessary for the provision of the Services, subject to Applicable Law and Growth Space's prior written consent.
3.3. Expert will not solicit Personal Data from Growth Space's or its customers' Data Subjects except as expressly directly by Growth Space in writing. Expert is expressly prohibited from collecting and/or using Personal Data obtained from any source not specifically detailed in the Terms of Service and/or this DPA, including illegal sources. Expert will not disclose any Customer Personal Data to any person or entity without the prior written approval of Growth Space.
3.4. In addition, and without derogating from the foregoing, with respect to Personal Data subject to the CCPA, Expert hereby undertakes that it shall not: (i) sell any of the Customer Personal Data; (ii) retain, use or disclose any of the Customer Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA; (iii) retain, use, or disclose any Customer Personal Data for a commercial purpose other than providing the Services; or (iv) collect, sell, retain, use, or disclose the Customer Personal Data except as necessary for the provision of the Services in accordance with the Terms of Service.
3.5. Expert shall document its activities and decision-making processes regarding the implementation of this DPA. Expert shall provide Growth Space with reports as requested by Growth Space regarding the management, processing and securing of Customer Personal Data. In addition, Expert shall disclose unusual events promptly following occurrence.
3.6. Growth Space sets forth the details of the Processing of Customer Personal Data, as required by Article 28(3) of the GDPR in Schedule A (Details of Processing of Customer Personal Data), attached hereto.
4. Expert Employees. To the extent that Expert engages any employees or service providers, it may not give them access to any Customer Personal Data, without Growth Space's prior written consent in each instance.
5. Security.
5.1. Expert shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security of the Customer Personal Data, including, as appropriate and applicable, structural segregation of the Customer Personal Data and other security measures commensurate with the type of Customer Personal Data and the risk of a data security breach and any other measure referred to in Article 32(1) of the GDPR. The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Expert will therefore evaluate the measures implemented in accordance with this Section 4 on an ongoing basis and will, at its own cost, tighten, supplement and improve these measures in order to maintain compliance with the requirements set out herein.
5.2. Without limitation of the foregoing, Expert represents and warrants to Growth Space that it will comply with its obligations under Applicable Law and will maintain and process the Customer Personal Data separately from data processed for third parties including, without limitation, Expert's other clients.
6. Personal Data Breach.
6.1. Expert shall notify Growth Space immediately, and in any event within twenty four (24) hours, by written notice upon Expert becoming aware of a Personal Data Breach.
6.2. In such event, Expert shall provide Growth Space with all available information relating to (i) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned; (ii) the likely consequences of the Personal Data Breach; and (iii) a description of the measures taken or proposed to be taken by Expert to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
6.3. Expert shall cooperate with Growth Space in connection with the investigation, mitigation, and remediation of any Personal Data Breach and shall take all necessary and appropriate corrective action.
7. Sub Processing. Expert may not engage any additional parties to Process Customer Personal Data on its behalf, without obtaining Growth Space's express prior written consent.
8. Data Subject Rights.
8.1. Expert shall assist Growth Space in complying with any of Growth Space's statutory obligations concerning requests to exercise Data Subject rights under Applicable Law (e.g., for access, rectification, deletion of Customer Personal Data, etc.) or any of Growth Space's statutory obligations concerning Verifiable Consumer Requests or other requests to exercise any Consumer rights under the CCPA in connection with any Customer Personal Data (e.g., Request to Know, Request to Delete, Request to Opt-Out.).
8.2. When a Data Subject whose Personal Data is being Processed by Expert submits a written request to Expert to inspect his or her Personal Data, Expert:
8.2.1. shall provide Growth Space with written notice of the inquiry together with all relevant details within two (2) days of being approached by the Data Subject; and
8.2.2. shall not respond to that request except on the written instructions of Growth Space or as required by Applicable Law to which the Expert is subject, in which case Expert shall, to the extent permitted by Applicable Law, inform Growth Space of that legal requirement prior to responding to the request.
9. Data Protection Impact Assessment and Prior Consultation. At Growth Space's request, Expert shall provide assistance to Growth Space for any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Applicable Law.
10. Retention, Deletion or Return of Customer Personal Data.
10.1. Expert will retain Customer Personal Data only for as long as necessary to satisfy the purposes for which it was provided to Expert by Growth Space.
10.2. Expert shall promptly delete, return, or destroy all copies of any Customer Personal Data or any portion thereof, including without limitation, deletion from its hard drives, backup devices, and any magnetic or optic media, once such data is no longer necessary to be retained in accordance with Section 9.1 or upon the request of Growth Space.
10.3. Notwithstanding the foregoing, Expert may retain Customer Personal Data to the extent required by EU Law, provided that such Customer Personal Data shall continue to be retained in accordance with the terms of this DPA.
10.4. Upon Growth Space’s written request, Expert shall provide written certification to Growth Space that it has complied with this Section 9.
11. Inspection and Audit Rights.
11.1. Expert shall make available to Growth Space or the Customer or to any auditor mandated by Growth Space, upon Growth Space's request, all material and information necessary to enable Growth Space to confirm compliance with this DPA, and shall allow for audits, including inspections, by Growth Space, the Customer, or an auditor on behalf of either in relation to the Processing of the Customer Personal Data by Expert
11.2. Growth Space shall give Expert reasonable prior notice of any audit or inspection to be conducted under Section 10.1, provided however that Growth Space, the Customer, or an auditor on behalf of either may conduct unannounced inspections to the extent advisable in the Customer's or Growth Space's reasonable estimation to comply with Applicable Law. Expert hereby grants Customer, Growth Space, any auditor on its behalf, and/or any of their authorized personnel and representatives, permission to access any of Expert's computers and/or any other required materials, documents and devices for the purpose of inspection.
12. Notice of Infringement. Expert shall immediately inform Growth Space if, in its opinion, an instruction received under this DPA infringes the GDPR or other applicable Data Protection Laws.
13. Indemnity. Expert shall indemnify and hold Growth Space harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Growth Space and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Applicable Law by Expert.
14. General Terms.
14.1. Termination. This DPA shall terminate automatically upon the termination of the Terms of Service, provided however, that Expert’s obligations under this DPA will apply for as long as Expert has access to Customer Personal Data.
14.2. Governing Law and Jurisdiction.
14.2.1. The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms of Service with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
14.2.2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms of Service.
14.3. Order of Precedence.
14.3.1. Nothing in this DPA shall detract from Expert’s obligations under the Terms of Service in relation to the protection of Personal Data or permit Expert to Process (or permit the Processing of) Personal Data in a manner that is prohibited by the Terms of Service.
14.3.2. In the event of any conflict or inconsistency between this DPA and Growth Space's Privacy Notice, this DPA shall prevail with regard to the processing of Personal Data subject to Applicable Law.
14.3.3. Subject to this Section 13, in the event of inconsistency between the provisions of this DPA and any other agreements between the parties, including the Terms of Service and (except where explicitly agreed otherwise in writing) agreements entered into or purported to be entered into after the date of this DPA, with regard to the subject matter of this DPA, the provisions of this DPA shall prevail.
14.4. Changes in Applicable Law.
14.4.1. Growth Space may, by prior written notice to Expert, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any Applicable Law in order to allow Customer Personal Data to be Processed (or continue to be Processed) without breach of that Applicable Law.
14.4.2. If Growth Space gives notice with respect to its request to modify this DPA under Section 13.4.1, Expert shall make best efforts to accommodate such modification request.
14.4.3. In the event that Expert is unable to accommodate such request within 30 days, Growth Space may, with immediate effect and without any penalty, terminate the Terms of Service to the extent that it relates to the Services that are affected by the proposed variations. In the event of termination in accordance with this Section 13.4.3, Expert shall refund Growth Space for any prepaid and unused amounts following such termination.
14.5. Severance. Should any provision of this DPA be held invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.
Schedule A: Details of Processing
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Personal Data.
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Terms of Service.
The nature and purpose of the Processing of Personal Data:
Rendering Services as an Expert on behalf of Growth Space to employees of Growth Space's customers, all as detailed in the Terms of Service.
The types of Personal Data to be Processed are as follows:
Personal Data relating to employees or other personnel of Growth Space's customers, such as name, email address, phone number, level of seniority, age range, identify of manager, background, assessments of strengths and weaknesses, field of business, experience, any additional information provided by Employee.
The categories of Data Subject to whom the Personal Data relates to are as follows:
Data subjects who are employees of Growth Space's customers.
The obligations and rights of Growth Space.
The obligations and rights of Growth Space are set out in the Terms of Service and this DPA.