THIS PRIVACY SHIELD SUPPLEMENT (this “Supplement”) is effective as of August 1, 2017 (the “Supplement Effective Date”). All capitalized terms used in this Supplement, other than those capitalized only for grammatical purposes, shall have, in both their singular and plural forms, the meaning given to them in the Section of this Supplement in which they first appear.
1. Background and Purpose.
1.1. Background. Supplier has previously entered into one or more separate contracts for the delivery of goods, services, software or other technology (each, an “Underlying Contract”) with an entity or business unit owned or controlled by SchoolKeep, Ink. (“SKI”). In the operation of its business, from time-to- time SKI comes into possession
of certain personal information regarding citizens of Switzerland and/or European Union member nations (the “Covered Data”). SKI receives, possesses, stores and processes such Covered Data lawfully via self-certification under the EU-US Privacy Shield and the Swiss-US Privacy Shield Principles (collectively, the “Privacy Shield”).
1.2. Purpose. Supplier’s performance of the Underlying Contracts involves, or in the future may reasonably be expected to involve access to, or the processing, storage, maintenance, transmission or other use or disclosure of Covered Data. As such, the Privacy Shield requires that SKI obtain, and Supplier agrees to provide, certain
additional assurances regarding the handling of Covered Data. The purpose of this Supplement is, therefore, to set forth certain additional, confidentiality, data security and privacy obligations of Supplier with respect to the Covered Data. All such additional obligations shall be performed at no additional charge to Customer.
1.3. Scope. The terms of this Supplement are intended to complement Supplier’s existing confidentiality, data security and privacy obligations contained in the Underlying Contract and amend or expand those obligations only to the extent necessary to further SKI’s compliance with Privacy Shield. The terms of this Supplement apply to Supplier and any subcontractor and all references to “Supplier” herein refer to such subcontractors.
1.4. Manifestation of Assent; Adequate Consideration. By continuing to perform the Underlying Contract following the Supplement Effective Date and Supplier’s viewing of this Supplement, Supplier will have affirmatively manifested
its intent to be bound hereby and expressly agrees to the terms and conditions of this Supplement. Supplier acknowledges and agrees that the exchange of promises herein and in the Underlying Contract (which continues in effect solely because Supplier has agreed to this Supplement) is good and valuable consideration the adequacy of which Supplier acknowledges.
2. Performance per Privacy Shield. Supplier’s Underlying Contract obligations shall, where they involve access to, or the processing, storage, maintenance, transmission or other use or disclosure of Covered Data, be performed in accordance with the applicable principles of the Privacy Shield including:
(a) processing all Covered Data received from or made available by SKI for the limited and specified purposes consistent with the consent provided by the data subject;
(b) promptly notifying SKI if Supplier makes the determination it can no longer meet its obligations herein;
(c) assisting SKI, at no additional charge, in making the Covered Data available to each applicable data subject, and where necessary, modifying such Covered Data as required under the Privacy Shield.
3. Requirement to Cease Processing Covered Data. Supplier shall, if it makes the determination it can no longer meet the obligations above, immediately cease processing all Covered Data received from or made available by SKI, and take all reasonable and appropriate steps to stop and remediate any unauthorized processing of such Covered Data.
4. DPA Inquiries. If Supplier receives a DPA Inquiry (defined below), Supplier shall immediately notify SKI thereof and may not independently respond thereto except as expressly instructed in writing by SKI. As between SKI and Supplier, SKI is the only party who shall respond to DPA Inquiries unless expressly authorized by SKI. Supplier
shall, at SKI’s expense, assist SKI in asserting and protecting the SKI Data including by preventing and/or limiting disclosure. If such disclosure cannot be prevented, SKI, and not Supplier, shall disclose the required portion of SKI Data directly to the applicable authority. “DPA Inquiry” means non-subpoena requests for access to, or information about SKI Data from the Data Protection Authorities in the various EU member nations and the Swiss Federal Data Protection and Information Commissioner.
END OF SUPPLEMENT