Data Protection Agreement

Version 3.2
Updated December 2023

This Data Processing Agreement (“DPA”) is incorporated into the Workforce Skills Agreement between the entity set forth on the applicable Order Form (“Pearson”) and Client, or other agreement between Client and Pearson governing use of the Services (the “Agreement”) when Personal Data is transferred between Pearson and Client. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in the Agreement.  In the event of conflict of terms then this DPA shall prevail.  

 
1.    Definitions.

a.    “Applicable Data Protection Laws” means all state and national data protection, privacy and data security laws applicable to the processing of personal data, including but not limited to, GDPR; the United Kingdom Data Protection Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection Act (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100-.199 (“CCPA”); or Family Educational Rights and Privacy Act (“FERPA”).
b.    "Connected User" means an User that has consented to share their Connected User Data with Client. 
c.    "Connected User Data" means the information, including but not limited to Personal Data, from a Connected User's Pearson account that the Connected User consents to share with Client.
d.    “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
e.    “Information Security Standards” means the security standards attached to the Agreement, or if none are attached to the Agreement, attached to this DPA as Annex II.
f.    “User Data” means the data of a User that is processed by Pearson pursuant to an agreement between Pearson and that User. 
g.    “EEA” means the European Economic Area.
h.    “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
i.    “processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
j.    “Processor” means the entity which processes Personal Data on behalf of the Controller.
k.    “Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
l.    “Standard Contractual Clauses” or “SCC” means the Appendix to the European Commission Implementing Decision ((EU) 2021/914 of 4 June 2021) on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
m.    “UK Addendum” means the ‘Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses’.

2.    Data Processing

a.    Scope and Roles. This DPA applies when Personal Data is transferred between Pearson and Client. The Parties agree that the status of each Party as a Controller, or Processor, is a question of fact determined under Applicable Data Protection Laws.
b.    Compliance with Applicable Data Protections Laws. The Parties represent that (a) the Connected User Data shall be lawfully collected and transferred in accordance with Applicable Data Protection Laws (as defined in the DPA); and (b) the Parties have, and shall maintain, the systems and processes in place to ensure compliance with the terms of the Agreement.
c.    Cooperation between the Parties. The Parties will assist each other to comply with requests or complaints of data subjects or supervisory authorities regarding compliance with Applicable Data Protection Laws with regard to Connected User Data. The Parties will notify each other of any requests, enquiries, monitoring activities and similar measures undertaken by supervisory authorities regarding the handling of Personal Data under this DPA.
d.    California Consumer Privacy Act (“CCPA”). To the extent that the CCPA is applicable, the parties acknowledge and agree that where Pearson is a processor, Pearson shall also be considered a service provider for the purposes of the CCPA. Pearson certifies that it understands the rules, restrictions, requirements and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Pearson to qualify as a sale of Personal Data under the CCPA. Pearson acknowledges and confirms that it does not receive any Personal Data from Client as consideration for any services or other items provided to Client. Pearson shall not sell any Client Data. Pearson shall not retain, use or disclose any Client Data except as necessary for the specific purpose of performing the services for Client pursuant to the Agreement or otherwise as set forth in the Agreement or as permitted by the CCPA. For purposes of this Section 1.3, the terms “Personal Data,” “service provider,” “sale,” and “sell” are as defined in Section 1798.140 of the CCPA. 
e.    Family Educational Rights and Privacy Act (“FERPA”). To the extent FERPA is applicable, Pearson will implement safeguards that: (a) ensure the security and confidentiality of Client Data; (b) protect against any anticipated threats or hazards to the security or integrity of such information; and (c) protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to any students. If Pearson subcontracts with a third party for any of the services that it is required to undertake in furtherance of this Agreement, Pearson will take reasonable steps to verify that such third parties implement practices which protect Client Data.
f.    Details of Data Processing.

i.    Subject matter: The subject matter of the data processing under this DPA is personally identifiable Client Data or Connected User Data.
ii.    Duration: As between Pearson and Client, the duration of the data processing under this DPA is for the Term of the Agreement.
iii.    Purpose: The purpose of the data processing under this DPA is the provision of the Services.
iv.    Nature of the processing: Pearson will provide a platform for Client to use the Services. 
v.    Categories of Personal Data: Client Data  or Connected User Data .
vi.    Categories of data subjects: The data subjects may include Users or Client’s customers, employees, and end-users. 
vii.    Location:  Client agrees that Pearson shall be entitled to transfer and process Client Data within the European Economic Area and the UK. Client also consents to the transfer and/or processing of Client Data within or outside the European Economic Area and UK (“Approved Data Storage Geographies”) provided that the transfer is in accordance with one of the allowed mechanisms prescribed by the Data Protection Law, unless otherwise specified in an applicable Order Form.

g.    Storage and Pseudonymizastion. Notwithstanding anything to the contrary in this Agreement, the Parties acknowledge that Pearson stores Personal Data, including Client Data, in the Approved Data Storage Geographies, and the storage by Pearson of Personal Data in the United States shall not be deemed a violation of this Section or create a right of action under this Agreement.  Some Services require processing and analysis of Personal Data by Pearson Affiliates. Such data will be pseudonymized and encrypted in transit and at rest during any such processing.

3.    Client Instructions. The parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Pearson’s processing of Client Data (“Documented Instructions”). Pearson will process Client Data only in accordance with Documented Instructions. Client shall obtain all consents required by any Applicable Data Protection Law from Users for Pearson to lawfully store, transfer, and process Personal Data provided by Client to Pearson pursuant to the Agreement.  Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Pearson and Client, including agreement on any additional fees payable by Client to Pearson for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if Pearson declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.
4.    Government Request for Client Data. If a governmental body sends Pearson a demand for Client Data, Pearson will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Pearson may provide Client’s basic contact information to the government body. If compelled to disclose Client Data to a government body, then Pearson will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Pearson is legally prohibited from doing so.
5.    Confidentiality Obligations of Pearson Personnel. Pearson restricts its personnel from processing Client Data without authorization by Pearson. Pearson shall impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
6.    Security of Data Processing. Pearson has implemented and will maintain the technical and organizational measures for the Services as described in the Information Security Standards. 
7.    Sub-processing

a.    Authorized Sub-processors. Client agrees that Pearson may use sub-processors or other Pearson group companies to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. The Pearson website (currently posted at https://info.credly.com/credly-platform-subprocessors) lists sub-processors that are currently engaged by Pearson to carry out processing activities on Client Data on behalf of Client. At least 30 days before Pearson engages any new sub-processor to carry out processing activities on Client Data on behalf of Client, Pearson will email notice to the notice email set forth on the Order Form or otherwise provided to Pearson in writing from time to time.  If Client reasonably objects to a new sub-processor and such objection cannot be satisfactorily resolved within a reasonable time, Client may terminate this Agreement without penalty upon 30 days’ written notice to Pearson.  
b.    Sub-processor Obligations. Where Pearson authorizes any sub-processor as described in Section 7(a):

i.    Pearson will restrict the sub-processor’s access to Client Data only to what is necessary to maintain the Services or as necessary under the Agreement; and
ii.    Pearson will enter into a written agreement with the sub-processor and, to the extent that the sub-processor is performing the same data processing services that are being provided by Pearson under this DPA, Pearson will impose on the sub-processor the material contractual obligations that Pearson has under this DPA; and
iii.    Pearson will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the sub-processors that violate the obligations under this DPA as if caused by Pearson itself.  

8.    Data Subject Requests.  Should a data subject contact Pearson with regard to correction or deletion of Client Data, Pearson will direct such data subject to Client. 
9.    Security Breach Notification.

a.    Security Incident. Pearson will (i) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, (ii) investigate the Security Incident; (iii) provide Client with a summary about the Security Incident, and (iv) take reasonable steps to mitigate the effects resulting from the Security Incident and enact procedures to prevent a recurrence of the Security Incident.
b.    Pearson Assistance. To assist Client in relation to any personal data breach notifications Client is required to make under the Applicable Data Protection Laws, Pearson will include in the notification under section 9.1(a) such information about the Security Incident as Pearson is reasonably able to disclose to Client, taking into account the nature of the Services, the information available to Pearson, and any restrictions on disclosing the information, such as confidentiality. Pearson’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Pearson of any fault or liability of Pearson with respect to the Security Incident.
c.    Client Obligations. Where a controller-to-controller relationship exists between Pearson and Client, Client shall notify Pearson without undue delay in the event a personal data breach, as defined in the GDPR, occurs that requires Client to notify the competent supervisory authority or other regulator and/or the impacted data subjects.

10.    Pearson Certifications and Audit Right.

a.    Pearson Audits. Pearson uses external auditors to verify the technical, organizational and security measures, including the security of the physical data centers from which Pearson provides the Pearson Services. This audit: (a) will be performed at least annually; (b) will be performed according to the ISO27001 standard or such other alternative standards that are substantially equivalent to ISO27001; (c) will be performed by independent third-party security professionals at Pearson’s selection and expense; and (d) will result in the generation of an audit report (the “Report”), which will be Pearson’s Confidential Information.
b.    Audit Reports. At Client’s written request, Pearson will provide Client with a copy of the Report so that Client can reasonably verify Pearson’s compliance with its obligations under this DPA.
c.    Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the Services and the information available to Pearson, Pearson will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the information Pearson makes available under this Section.
d.    Client Audit. After Client has exercised its rights under paragraph (a) above, if Client requires further information Client will have the right to, at its own cost and subject to Client’s payment of Pearson’s fees in relation to such audit at its standard professional services rates prevailing at the time, require that Pearson (or its independent third-party auditors) carry out a bespoke audit in relation to Pearson’s compliance with this DPA. Upon receipt of such request, Pearson will carry out (or arrange) such audit within such reasonable period as Client and Pearson may agree and will provide a copy of the audit report to Client promptly following conclusion of the audit.

11.    Limitation of Liability.  Each party’s liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement. In no event shall either party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
12.    Application of Standard Contractual Clauses.

a.    EU GDPR. The Standard Contractual Clauses will apply to Client Data that is transferred outside the EEA, UK, or Switzerland, either directly or via onward transfer, to any country not recognized by the European Commission, UK Information Commissioner’s Office, or the Swiss FDPIC as providing an adequate level of protection for personal data (as described in the GDPR or Swiss FADP). The Standard Contractual Clauses will not apply to Client Data that is not transferred, either directly or via onward transfer, outside the EEA. 
b.    UK GDPR. Where the transfers contemplated under this Section 12 result in transfers of UK Personal Data to Pearson for processing by Pearson in a jurisdiction other than in the UK or UK Information Commissioner’s Office-approved countries providing ‘adequate’ data protection, then each party agrees that (a) the UK Addendum for transfers of UK Personal Data shall apply; and (b) the UK Addendum will be deemed executed by and between Client and Pearson; and (c) the SCCs between the parties shall be deemed amended as specified in the UK Addendum in respect of the transfer of such UK Personal Data. The UK Information Commissioner is the exclusive Supervisory Authority for the transfers of UK Personal Data under this Agreement.
c.    Swiss FDPIC. Where the transfers contemplated under this Section 12 result in transfers of Swiss Personal Data to Pearson for processing by Pearson in a jurisdiction other than in the EAA, then each party agrees that (a) references in the SCC to a “member state” or to the “EU” shall be deemed to include Switzerland; and (b) the SCC between the parties shall be deemed amended as the Swiss FDPIC is the exclusive Supervisory Authority for the transfers of Swiss Personal Data under this Agreement.
d.    Future Amendments. In the event that the Standard Contractual Clauses are amended, replaced or repealed by the European Commission or otherwise under Data Protection Laws, the Parties shall work together in good faith to enter into any updated version or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with Data Protection Laws. Either Party may terminate the Agreement on 30 days’ written notice, if the Parties are incapable of implementing or fail to implement another appropriate safeguard to ensure an adequate level of data protection within a period of 90 days.

13.    Termination of the DPA. This DPA shall continue in force until the termination of the Agreement (the “Termination Date”).
14.    Return or Deletion of Client Data. Up to the Termination Date, Client will continue to have the ability to retrieve or delete Client Data in accordance with this Section. Pearson will delete Client Data when requested by Client and promptly following the Termination Date. Pearson will have no obligation to maintain Customer Data after the Termination Date, and may thereafter delete or destroy all copies of Client Data maintained by Pearson. 
15.    Duties to Inform. Where Client Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Pearson, Pearson will inform Client without undue delay. Pearson will, without undue delay, notify all relevant parties in such action (e.g., creditors, bankruptcy trustee) that any Client Data subjected to those proceedings is Client’s property and area of responsibility and that Client Data is at Client’s sole disposition.
16.    Entire Agreement; Conflict. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between the Standard Contractual Clauses and this DPA, the terms of the Standard Contractual Clauses, as applicable, shall prevail.
 

APPENDIX

Standard Contractual Clauses (Controller-to-Controller) Module 1, as applicable
Standard Contractual Clauses (Controller-to-Processor) Module 2, as applicable

Where applicable pursuant to the DPA or Addenda, the parties hereby enter into Module 1 or 2 of the Standard Contractual Clauses, as applicable, and where the SCCs require the parties to choose between optional clauses and to input information, the parties have done so as set out below: 

1.    The Optional Clause 7 “Docking clause” shall not be adopted. 
2.    For Clause 9 “Use of sub-processors”, the parties elect the following option:
“Option 2 General written authorisation: The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 calendar days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).”
3.    For Clause 11 (a) “Redress”, the parties do not adopt the Option. 
4.    For Clause 17 “Governing law”, the parties elect the following option:
“Option 1.  These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.” 
5.    For Clause 18 (b) “Choice of Forum and Jurisdiction”:
“The Parties agree that those shall be the courts of Ireland”.

ANNEX I (applicable to Module 2 only)

1. LIST OF PARTIES
     a) Data exporter: The data exporter is the entity identified as “Client” in the DPA

b) Data importer: The data importer is Pearson, Inc., a provider of web services.

2. DESCRIPTION OF TRANSFER

a)     Data subjects: Data subjects are defined in Section 2(f)(vi)of the DPA.

b)    Categories of data: The personal data is defined in Section 2(f)(v) of the DPA.

c)     Processing operations:The processing operations are defined in Section 2(f)(iv)of the DPA.

d)    Frequency: Continuous

1. COMPETENT SUPERVISORY AUTHORITY
   Data Protection Commission (of Ireland)

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

https://info.credly.com/infosec-exhibit

ANNEX III – LIST OF SUB-PROCESSORS (Applicable to Module 2 only)

To support delivery of the Services, Pearson may engage and use data processors with access to certain personally identifiable data of Users (each, a "Subprocessor"). This link below provides important information about the identity, location and role of each Subprocessor. Pearson undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Subprocessors that will or may have access to or process personally identifiable data.

https://info.credly.com/credly-platform-subprocessors