This Data Processing Addendum (“Addendum”) forms part of SessionLab’s Terms of Service available at sessionlab.com/terms (“Agreement”) and is entered into between TrainedOn OÜ (“Processor”) and the entity identified as Controller in Annex I (“Controller”). By accessing or using the Service, the Controller agrees to be bound by the terms of this Addendum without requiring a separate signature. Where Controller wishes to obtain a countersigned copy for its own compliance records, it may request one by contacting privacy@sessionlab.com.
(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(b) The data controllers and data processors listed in Annex I (The Parties) have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29 (3) and (4) Regulation (EU) 2018/1725.
(c) These Clauses apply with respect to the processing of personal data as specified in Annex II.
(d) Annexes I to IV are an integral part of the Clauses.
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
(b) This does not prevent the Parties to include the standard contractual clauses laid down in these Clauses in a wider contract, and to add other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses or prejudice the fundamental rights or freedoms of data subjects.
(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 respectively.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 respectively or prejudices the fundamental rights or freedoms of the data subjects.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a data controller or a data processor by completing the Annexes and accepting the Agreement.
(b) Once the Annexes in (a) are completed and accepted, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a data controller or a data processor, in accordance with its designation in Annex I.
(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the data controller, are specified in Annex II.
(a) The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the data processor is subject. In this case, the data processor shall inform the data controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the data controller throughout the duration of the processing of personal data. Such instructions shall always be documented.
(b) The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable Union or Member State data protection provisions.
The data processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the data controller.
Processing by the data processor shall only take place for the duration specified in Annex II.
Upon termination of the provision of personal data processing services or termination pursuant to Section III Clause 11, the data processor shall delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so, and delete existing copies unless Union or Member State law requires storage of the personal data.
(a) The data processor shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks involved for the data subjects.
(b) The data processor shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. The data processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The data processor shall assist the data controller if it inquires about the processing of data in accordance with these Clauses.
(c) The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. The data controller has the right, after consultation with the data processor, to carry out audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the data controller may take into account relevant certifications held by the data processor.
(d) The data controller may choose to conduct the audit by itself, to mandate, at its own cost, an independent auditor or to rely on an independent audit mandated by the data processor. Where the data processor mandates an audit, it has to bear the costs of the independent auditor.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority on request.
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“special categories of data”), the data processor shall apply specific restrictions and/or the additional safeguards.
(a) The data processor has the data controller’s general authorization for the engagement of sub-processors. The list of sub-processors the data processor intends to engage is to be found in Annex IV. The data processor shall inform the data controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties shall keep Annex IV up to date.
(b) Where the data processor engages a sub-processor for carrying out specific processing activities (on behalf of the data controller), it shall do so by way of a contract which imposes on the sub-processor the same obligations as the ones imposed on the data processor under these Clauses. The data processor shall ensure that the sub-processor complies with the obligations to which the data processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 / Regulation (EU) 2018/1725.
(c) The data processor shall provide, at the data controller’s request, a copy of such a sub-processor agreement and subsequent amendments to the data controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the data processor may redact the text of the agreement prior to sharing the copy.
(d) The data processor shall remain fully responsible to the data controller for the performance of the sub-processor’s obligations under its contract with the data processor. The data processor shall notify the data controller of any failure by the sub-processor to fulfil its contractual obligations.
(a) Any transfer of data to a third country or an international organization by the data processor shall be done only on the basis of documented instructions from the data controller or in order to fulfill a specific requirement under Union or Member State law to which the data processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.
(b) The data controller agrees that where the data processor engages a sub-processor in accordance with Clause 7.6. for carrying out specific processing activities (on behalf of the data controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the data processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.
(a) The data processor shall promptly notify the data controller about any request received directly from the data subject. It shall not respond to that request itself, unless and until it has been authorized to do so by the data controller.
(b) The data processor shall assist the data controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the data processor shall comply with the controller’s instructions.
(c) In addition to the data processor’s obligation to assist the data controller pursuant to Clause 8(b), the data processor shall furthermore assist the data controller in ensuring compliance with the following obligations, taking into account the nature of the processing and the information available to the data processor:
(d) The Parties shall set out in Annex III the appropriate technical and organizational measures by which the data processor is required to assist the data controller in the application of this Clause as well as the scope and the extent of the assistance required.
In the event of a personal data breach, the data processor shall notify the data controller without undue delay and, in any event, within the deadlines set forth under the GDPR, and shall cooperate in good faith with and assist the data controller to comply with its obligations under Articles 33 and 34 Regulation (EU) 2016/679 or under Articles 34 and 35 Regulation (EU) 2018/1725, taking into account the nature of processing and the information available to the data processor.
(a) In the event of a personal data breach, the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority/ies, where relevant. The data processor shall be required to assist in obtaining in particular the following information which, pursuant to Article 33(3) Regulation (EU) 2016/679 or under Articles 34(3) Regulation (EU) 2018/1725, shall be stated in the data controller’s notification:
(b) The Parties shall set out in Annex III all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority/ies.
Each Party’s liability arising out of or related to these Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability contained in the Agreement between the Parties.
For the avoidance of doubt, each reference to “these Clauses” or “this Addendum” means these Standard Contractual Clauses including all Annexes.
(a) Without prejudice to any provisions of Regulation (EU) 2016/679 / Regulation (EU) 2018/1725, in the event that the data processor is in breach of its obligations under these Clauses, the data controller may instruct the data processor to temporarily suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The data processor shall promptly inform the data controller in case it is unable to comply with these Clauses, for whatever reason.
(b) The data controller shall be entitled to terminate these Clauses where:
This Addendum is incorporated into and forms part of the Agreement between the parties. The parties’ execution of, or electronic acceptance of, the Agreement shall constitute their agreement to this Addendum and the Standard Contractual Clauses contained herein, without requiring additional signatures.
The legal entity that has accepted the Terms of Service, as identified by the account details provided at the time of acceptance.
Name: TrainedOn OÜ
Address: Voolu tn 20a, Tallinn, 10918, Estonia
Contact person’s name, position and contact details:
Robert Cserti
Managing Director
privacy@sessionlab.com
Categories of data subjects whose personal data is processed:
You may submit Personal Data to the Service, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Categories of personal data processed:
You may submit Personal Data to the Services, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to the following categories of Personal Data:
Processor does not intentionally collect or process any special categories of data, including racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, data concerning health, sexual orientation or activity, or genetic and biometric data for identifying the person.
However, the Controller may submit special categories of data to the Service, the extent of which is determined and controlled by the Controller in its sole discretion.
The parties do not anticipate the transfer of special categories of data under the Addendum.
Nature and Purpose of processing:
The processor will process Personal Data to provide a workshop agenda planning software as a service for the Controller.
Duration of the processing
The processing of Personal Data lasts until the Agreement is terminated or cancelled by either party, at which point this Addendum shall also terminate. Upon termination, the Processor shall delete all Personal Data promptly, unless applicable law requires longer retention.
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
(a) Pseudonymization and encryption of personal data in transit and at rest;
(b) The ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(c) The ability to restore availability and access to personal data in a timely manner in the event of a technical incident;
(d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures. Such measures include encryption in transit using TLS 1.2 or higher, encryption at rest using AES-256 or equivalent, data stored within the European Union, access restricted to authorized personnel, and continuous and daily backups with customer data retained for 35 days. Current technical implementation details, audit results, and security certifications are available through SessionLab’s Trust Center.
Sub-processors in accordance with the general authorization (Clause 7.6(a)) are listed in the Processor’s website:
https://www.sessionlab.com/support/third-party-service-providers