Data Processing Commitment Statement

This Data Processing Commitment Statement (the "Commitment") is provided by Skillcast Group plc ("Skillcast") to clients that have not signed a Data Protection Agreement with us (the "Client") to establish our obligations concerning the processing of Personal Data subject to the General Data Protection Regulation ("GDPR"). Any client of Skillcast that has signed a Data Protection Agreement ("DPA") should refer to the terms of that DPA..

Table of Contents

Definitions

In this Commitment, the following words and expressions will have the following meanings:

  • “Applicable Law/s” means all applicable laws (including decisions) and guidance by relevant supervisory authorities relating to data protection, the Processing of Personal Data and privacy, including the General Data Protection Regulation (EU) 2016/679;
  • and references to “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing”, “Data Protection Officer”, “Data Processor” and “Personal Data Breach” have the meanings set out in, and will be interpreted in accordance with, such Applicable Law/s.
  • “Services Agreement” means any valid unexpired Subscription Order, Work Order, Master Services Agreement, Statement of Work or other written or electronic agreement for the purchase of online services that has been entered into by Skillcast and Client, including the schedules and documents attached to or referred to in the same.
  • “Personal Data” means the Personal Data (as defined under the Applicable Law/s) of the Client being Processed from time to time pursuant to the terms of this Commitment, including as is more particularly described in Annex to this Commitment
  • “Sub-Processor” means any third party appointed by Skillcast in accordance with this Commitment, with the prior written consent of the Client, to Process Personal Data.
  • “Supervisory Authority” means the relevant supervisory authority with jurisdiction over the Processing of the Personal Data and which is responsible for enforcing compliance with the Applicable Law/s.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed that affects the Personal Data of the Controller covered by this Commitment.

Scope

This Commitment applies to all relevant Services Agreement/s as long as they remain in force. It does not apply to clients of Skillcast who have signed a DPA, or to individuals for whose data Skillcast is the Data Controller.

Obligations of Data Processor

Skillcast is the Processor of this Personal Data and the Client is the Controller. As the Data Processor, Skillcast will:

  1. Process the Personal Data only in accordance with the Applicable Law/s;
  2. Process the Personal Data only on behalf of the Client and in accordance with the Client's written instructions (for which email is sufficient and oral form may be acceptable if the urgency of the situation warrants) and the Services Agreement/s;
  3. assist the Client, in so far as this is technically or legally possible, for the fulfilment of the Client's obligations to respond to requests from Data Subjects for exercising their rights;
  4. give the Client such assistance as it reasonably requests, and Skillcast is reasonably able to provide, aimed at ensuring compliance with the Client’s own security, Personal Data Breach notification, impact assessment, Supervisory Authority consultation obligations under the Applicable Law/s, and any other obligations under the Applicable Law/s, taking into account the information and means available to Skillcast; and
  5. ensure that persons authorised to Process the Personal Data on behalf of the Client, in particular employees of Skillcast and any Sub-processors, including their employees, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality relating to the Personal Data.

Termination of Service Agreement/s

Upon termination of relevant Services Agreement/s, Skillcast will promptly notify the Client that it is out of contract and hence obliged to delete the Personal Data Processed as agreed in this Commitment, which is in Skillcast’s possession or under its control, within thirty (30) days from the notification. Skillcast will simultaneously provide access to the Client to download this Personal Data. If, within the thirty-day period, the Client does not submit a written request to Skillcast to retain the Personal Data, Skillcast will destroy the Personal Data without any further notice.

Skillcast will not be required to destroy or return the Personal Data Processed as agreed in this Commitment that Skillcast is required to retain in accordance with any laws, regulations and regulatory guidance applicable to Skillcast or any of its affiliates, orders imposed on Skillcast or an affiliate of Skillcast by a competent judicial, governmental, regulatory or similar body, or that Skillcast may have determined (to the extent permitted by law) to be necessary to protect and enforce its rights under the Services Agreement/s.

Technical & Organisational Measures

Skillcast will implement and maintain all necessary technical and/or organisational measures as required by the Applicable Law/s (such as, for instance, the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a Personal Data Breach, a Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing) to ensure the protection of the Personal Data Processed from any accidental or unlawful destruction, loss, deterioration, unauthorised disclosure or access, and any other unlawful form of Processing or Personal Data Breach.

Personal Data Breaches and Notification

Skillcast will notify the Client of any Personal Data Breach as defined herein or by Applicable Law/s without undue delay (and in any event no later than 24 hours) after becoming aware of the Personal Data Breach.

Skillcast will investigate the Personal Data Breach and provide the Client with detailed information about the Personal Data Breach (the “Data Breach Report”) and take reasonable steps to mitigate the effects and minimise any damage resulting from the Personal Data Breach.

Skillcast will assist the Client with the Client's obligation under

Applicable Law/s to inform the Data Subjects and the Supervisory Authorities, as applicable, by providing relevant information taking into account the nature of the processing and the information available to Skillcast.

Sub-processors

The Client hereby authorises Skillcast to delegate the Processing of Personal Data as agreed in this Commitment to the Sub-Processors listed in Annex.

With regards to any Sub-Processor not listed in Annex, Skillcast will not sub-contract and/or outsource any of its Processing of Personal Data under this Commitment to any other person or entity without prior written consent from the Client, which will not be unreasonably withheld, and which will be provided by Client no later than thirty (30) days from receiving notice of it. The Client will give detailed reasons for its objection to any Sub-Processor proposed by Skillcast.

Skillcast will enter into a written sub-processing agreement with the Sub-Processor and will ensure that the Sub-Processor will accept the data protection obligations that are substantially the same as those undertaken by Skillcast under this Commitment.

Response to Data Subject Requests

Skillcast will assist the Client, insofar as this is possible, with the fulfilment of the Client's obligation to respond to requests for exercising the Data Subject's rights; it being understood that Skillcast has no obligation to respond directly to any such Data Subject requests unless expressly required by law.

The Client is obliged to determine whether or not a Data Subject has a right to exercise any such data subject rights and to give instructions to Skillcast as to what extent the assistance is required.

Notices

Skillcast will provide to the Client the contact details of one employee who will act as the Service Manager (the "SM") for the Client and who will be authorised to receive notifications required under this Commitment from Skillcast. Skillcast will notify any change in SMs to the Client without undue delay.

Skillcast will seek the contact details of two individuals appointed by the Client to act as its Data Protection Contacts (the "DPC") who are authorised to receive the notifications required under this Commitment from Skillcast.

Skillcast will provide notices to the Client in writing, for which email is sufficient, and which may be made orally if the urgency of the situation warrants.

Updates

We may update this Commitment from time to time. If there are any significant changes we will notify our Clients. Clients are welcome to review this Commitment at any time.

Annex

Data Processor

Skillcast Group plc trading as Skillcast

Registered Office: 1 Sqaq il-Ghadam, Mriehel, BKR 3000, Malta

Incorporated and registered in Malta with the company number 39269

Details of Processing of Personal Data

Description of Data Subjects whose data is being Processed: Individuals given or approved for access to the Services by the Client

Description of types of Personal Data being Processed: Names, Emails, Unique IDs, training records and other personal information provided by Data Subjects in responses to surveys compliance apps

Purpose of the Processing: Staff training, attestations and information gathering to enable the Client to fulfil its compliance and training obligations

Description of the types of Processing involved: Assignment of e-learning and/or surveys, email communication with data subjects, retention of training records and survey results, preparation of management information reports, case management of survey information

Description of Security Measures

A summary of technical and organisational security measures applied by Skillcast to the data (including encryption/access controls/training/ screening of personnel/security reviews etc.) is given below. These are subject to change from time to time. The complete description of measures is included in Skillcast’s ISMS, which the Client can review upon signing an NDA.

  • Access to Personal Data is restricted to the Service Managers in the Global Client Services team. Other employees are barred from access to Personal Data without a "need to know".
  • Regular training for all employees and extra training for Service Managers in Global Client Services
  • Automatic logging of all activity on client portals
  • Tight control over the servers and storage devices where the Personal Data is stored and processed
  • High physical security in the data centres where the servers and storage devices are located - eg biometric security systems, video surveillance and photo IDs, as well as fire detection and suppression systems, HVAC systems, air handling units, UPSs and earthquake preparedness
  • High cyber-security protection for servers, including Intrusion Prevention System, network traffic monitoring, firewalls set up in the tightest manner, encryption requirement and tight security policies for portable devices such as laptops, and centrally managed antivirus protection for all servers and user machines
  • Annual Penetration Testing conducted by an expert firm to harden the IT infrastructure
  • Redundancy and high availability of the critical parts on the infrastructure with a robust 3-2-1 backup solution
  • Communications with data centres encrypted with a secure IPSEC VPN connection
  • Dual authentication required for accessing client portals where Personal Data is stored and processed Advanced Encryption Standard (AES) 256-bit key encryption for data at rest; HTTPS and SFTP protection for data transfer
  • Segregation of each Client's data

Pre-authorised Sub-processors

Skillcast Group plc trading as Skillcast

Registered Office: Salisbury House, Finsbury Circus, London, England, EC2M

Incorporated and registered in England and Wales with the company number 04267842.