This Data Processing Commitment Statement (the "Commitment") is provided by Inmarkets International Limited ("Skillcast") to clients that have not signed a Data Protection Agreement with us (the "Client") to establish our obligations concerning the processing of Personal Data subject to the General Data Protection Regulation ("GDPR"). Any client of Skillcast that has signed a Data Protection Agreement ("DPA") should refer to the terms of that DPA.
In this Commitment, the following words and expressions will have the following meanings:
This Commitment applies to all relevant Services Agreement/s as long as they remain in force. It does not apply to clients of Skillcast who have signed a DPA, or to individuals for whose data Skillcast is the Data Controller.
Skillcast is the Processor of this Personal Data and the Client is the Controller. As the Data Processor, Skillcast will:
(i) Process the Personal Data only in accordance with the Applicable Law/s;
(ii) Process the Personal Data only on behalf of the Client and in accordance with the Client's written instructions (for which email is sufficient and oral form may be acceptable if the urgency of the situation warrants) and the Services Agreement/s;
(iii) assist the Client, in so far as this is technically or legally possible, for the fulfilment of the Client's obligations to respond to requests from Data Subjects for exercising their rights;
(iv) give the Client such assistance as it reasonably requests, and Skillcast is reasonably able to provide, aimed at ensuring compliance with the Client’s own security, Personal Data Breach notification, impact assessment, Supervisory Authority consultation obligations under the Applicable Law/s, and any other obligations under the Applicable Law/s, taking into account the information and means available to Skillcast; and
(v) ensure that persons authorised to Process the Personal Data on behalf of the Client, in particular employees of Skillcast and any Sub-processors, including their employees, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality relating to the Personal Data.
Upon termination of relevant Services Agreement/s, Skillcast will promptly notify the Client that it is out of contract and hence obliged to delete the Personal Data Processed as agreed in this Commitment, which is in Skillcast’s possession or under its control, within thirty (30) days from the notification. Skillcast will simultaneously provide access to the Client to download this Personal Data.
Skillcast will not be required to destroy or return the Personal Data Processed as agreed in this Commitment that Skillcast is required to retain in accordance with any laws, regulations and regulatory guidance applicable to Skillcast or any of its affiliates, orders imposed on Skillcast or an affiliate of Skillcast by a competent judicial, governmental, regulatory or similar body, or that Skillcast may have determined (to the extent permitted by law) to be necessary to protect and enforce its rights under the Services Agreement/s.
Skillcast will implement and maintain all necessary technical and/or organisational measures as required by the Applicable Law/s (such as, for instance, the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a Personal Data Breach, a Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing) to ensure the protection of the Personal Data Processed from any accidental or unlawful destruction, loss, deterioration, unauthorised disclosure or access, and any other unlawful form of Processing or Personal Data Breach.
Skillcast will notify the Client of any Personal Data Breach as defined herein or by Applicable Law/s without undue delay (and in any event no later than 24 hours) after becoming aware of the Personal Data Breach.
Skillcast will investigate the Personal Data Breach and provide the Client with detailed information about the Personal Data Breach (the “Data Breach Report”) and take reasonable steps to mitigate the effects and minimise any damage resulting from the Personal Data Breach.
Skillcast will assist the Client with the Client's obligation under
Applicable Law/s to inform the Data Subjects and the Supervisory Authorities, as applicable, by providing relevant information taking into account the nature of the processing and the information available to Skillcast.
The Client hereby authorises Skillcast to delegate the Processing of Personal Data as agreed in this Commitment to the Sub-Processors listed in Annex.
With regards to any Sub-Processor not listed in Annex, Skillcast will not sub-contract and/or outsource any of its Processing of Personal Data under this Commitment to any other person or entity without prior written consent from the Client, which will not be unreasonably withheld, and which will be provided by Client no later than thirty (30) days from receiving notice of it. The Client will give detailed reasons for its objection to any Sub-Processor proposed by Skillcast.
Skillcast will enter into a written sub-processing agreement with the Sub-Processor and will ensure that the Sub-Processor will accept the data protection obligations that are substantially the same as those undertaken by Skillcast under this Commitment.
Skillcast will assist the Client, insofar as this is possible, with the fulfilment of the Client's obligation to respond to requests for exercising the Data Subject's rights; it being understood that Skillcast has no obligation to respond directly to any such Data Subject
The Client is obliged to determine whether or not a Data Subject has a right to exercise any such data subject rights and to give instructions to Skillcast as to what extent the assistance is required.
Skillcast will provide to the Client the contact details of one employee who will act as the Service Manager (the "SM") for the Client and who will be authorised to receive notifications required under this Commitment from Skillcast. Skillcast will notify any change in SMs to the Client without undue delay.
Skillcast will seek the contact details of two individuals appointed by the Client to act as its Data Protection Contacts (the "DPC") who are authorised to receive the notifications required under this Commitment from Skillcast.
Skillcast will provide notices to the Client in writing, for which email is sufficient, and which may be made orally if the urgency of the situation warrants.
We may update this Commitment from time to time. If there are any significant changes we will notify our Clients. Clients are welcome to review this Commitment at any time.
This Commitment was last updated on 21/05/2018
Registered Office: 1 Sqaq il-Ghadam, Mriehel, BKR 3000, Malta
Incorporated and registered in Malta with the company number 39269
Description of Data Subjects whose data is being Processed: Individuals
Description of types of Personal Data being Processed: Names, Emails, Unique IDs, training records and other personal information provided by Data Subjects in responses to surveys compliance apps
Purpose of the Processing: Staff training, attestations and information gathering to enable the Client to fulfil its compliance and training obligations
Description of the types of Processing involved: Assignment of e-learning and/or surveys, email communication with data subjects, retention of training records and survey results, preparation of management information reports, case management of survey information
A summary of technical and organisational security measures applied by Skillcast to the data (including encryption/access controls/training/ screening of personnel/security reviews etc.) is given below. These are subject to change from time to time. The complete description of measures is included in Skillcast’s ISMS, which the Client can review upon signing an NDA.
Registered Office: Salisbury House, Finsbury Circus, London, England, EC2M
Incorporated and registered in England and Wales with the company number 04267842