Data Processing Addendum:
Processor to Sub-Processor

Version Control / History

| Version No. | Description / Summary of Changes | Date Effective |
| --- | --- | --- |
| 1.0 | Released | 15/05/2024 |


This Data Processing Addendum, including its Annexes ("DPA"), forms part of the Agreement between Skillcast and the Customer to reflect the Parties' agreement concerning the Processing of Personal Data and shall apply to arrangements governed by the multi-tiered service provisions of the Agreement.

This DPA sets out the additional terms, requirements, and conditions on which Skillcast shall process Customer Personal Data when providing Services under the Agreement in circumstances where the multi-tiered service provisions of the Agreement apply and where consequently the Customer is a processor of the End Client and where Skillcast is a sub-processor of the Customer. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

1. Definitions & Interpretation

The following definitions and rules of interpretation apply in this DPA.

  1. 1.1. Definitions:
    1. Business Purposes: the Services to be provided by Skillcast to the Customer as described in the Agreement and any other purpose specifically identified in Annex A.
    2. Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
    3. Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: each have the meanings given to them in the Data Protection Legislation.
    4. Data Protection Legislation: to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data and to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Skillcast is subject which relates to the protection of Personal Data.
    5. EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
    6. End Client: the client of the Customer (in accordance with the multi-tiered service provisions of the Agreement) acting as Controller of the Personal Data.
    7. End Client Personal Data: means the Personal Data of the End Client where the parties operate in accordance with the multi-tiered service provisions of the Agreement.
    8. Records: has the meaning given to it in Clause 12.
    9. Sub-processor: for the purposes of this DPA the sub-processor shall be Skillcast.
    10. Sub-sub-processor: means any entity (including Skillcast's Affiliates) which is engaged by Skillcast to process the End Client Personal Data for the Business Purposes. For the avoidance of doubt, Sub-sub-processors do not include individual consultants which may be engaged by Skillcast to perform any of Skillcast's obligations under the Agreement. Such consultants shall be treated like Skillcast's employees and Skillcast shall be liable for their acts and omissions to the same extent as if the acts or omissions were performed by Skillcast.
    11. Term: this DPA's term as defined in Clause 10.
    12. UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
  2. 1.2. This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.

The Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

2. Personal Data Types & Processing Purposes

  1. 2.1. The Customer and Skillcast agree and acknowledge that for the purpose of the Data Protection Legislation:
    1. The End Client is the Controller, the Customer is the Processor of the End Client Personal Data and Skillcast is the sub-processor of the End Client Personal Data.
    2. The End Client retains control of the End Client Personal Data and remains responsible for compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents and for the written processing instructions it gives to Customer.

Annex A describes the subject matter, duration, nature and purpose of the processing and the End Client Personal Data categories and Data Subject types in respect of which Skillcast may process End Client Personal Data to fulfil the Business Purposes.

3. Skillcast's Obligations in Respect of End Client's Personal Data

  1. 3.1. Skillcast shall only process the End Client Personal Data as Sub-Processor to the Customer to the extent and in such a manner as is necessary for the Business Purposes in accordance with the Customer's written instructions as established in the Agreement. Skillcast shall not process the End Client Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. Notwithstanding the foregoing, Skillcast may process End Client Personal Data as required under the Data Protection Legislation. In this situation, Skillcast will take reasonable steps to inform the Customer as processor of the End Client of such a requirement before Skillcast processes the data, unless the law prohibits this. Skillcast must promptly notify the Customer as processor of the End Client if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
  2. 3.2. Skillcast shall maintain the confidentiality of the End Client Personal Data and shall not disclose the Customer Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure or as required by domestic law, court or regulator, including the Commissioner. If a domestic law, court or regulator, including the Commissioner, requires Skillcast to process or disclose the Customer Personal Data to a third party, Skillcast must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless domestic law prohibits the giving of such notice.
  3. 3.3. Skillcast shall, upon Customer's request:
    1. taking into account the nature of processing, assist the Customer as Processor and End Client as Controller by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's and / or End Client’s obligation to respond to requests from Data Subjects of their Personal Data seeking to exercise their rights under applicable Data Protection Legislation (to the extent that the End Client Personal Data is not otherwise accessible to the Customer through the Services);
    2. taking into account the nature of processing and the information available to Skillcast, assist the Customer and / or End Client with its obligations under Articles 32 to 36 of the UK GDPR and EU GDPR as they relate to Customer Personal Data.
  4. 3.4. Skillcast shall promptly notify the Customer in writing if it receives:
    1. any complaint, notice or communication that relates directly or indirectly to the processing of the End Client Personal Data or to either Party's compliance with the Data Protection Legislation.
    2. (in respect of the End Client Personal Data) a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

4. Skillcast's Employees

  1. 4.1. Skillcast shall ensure that all of its employees:
    1. are informed of the confidential nature of the End Client Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data;
    2. are aware of Skillcast's duties and their own personal duties and obligations under the Data Protection Legislation and this DPA.

5. Security

  1. 5.1. Skillcast shall implement and maintain appropriate technical and organisational measures as set out in Annex C to protect against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the End Client Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data. The Customer acknowledges that Skillcast may change the technical and organisational measures set out in Annex C provided that they do not materially diminish the level of protection. Skillcast's most up-to-date security measures are detailed online.

6. Personal Data Breach

  1. 6.1. Skillcast shall, without undue delay, notify the Customer as Processor for the End Client if it becomes aware of any Personal Data Breach in respect of End Client Personal Data. Such notice will, where possible, provide the Customer and End Client with sufficient information to allow them to meet any obligations under applicable Data Protection Legislation to report or inform Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others of the Personal Data Breach.
  2. 6.2. Skillcast will, in line with its incident response plans and policies, take reasonable steps to identify, prevent and mitigate the effects of the Personal Data Breach and to remedy the Personal Data Breach to the extent such remediation is within Skillcast's reasonable control. Skillcast shall also, at the Customer's reasonable request, take such other steps as Customer may reasonably require in respect of the Personal Data Breach including the provision of additional information over and above that described in Clause 6.1.

7. Cross-border Transfers of Personal Data

  1. 7.1. Skillcast must not transfer or otherwise process the End Client Personal Data outside of the UK and/or European Economic Area without obtaining the Customer's prior written consent (not to be unreasonably withheld or delayed).

8. Sub-sub-processor(s)

  1. 8.1. The Customer consents to Skillcast engaging Sub-sub-processors provided that:
    1. Skillcast remains responsible for its Sub-sub-processors' compliance with the obligations of this DPA; and
    2. Skillcast enters into written agreements with such Sub-sub-processors imposing data protection terms which are no less protective in any material respect than the obligations provided under this DPA.
  2. 8.2. A current list of Sub-sub-processors approved as at the date of this DPA is set out in Annex B. Skillcast may add additional Sub-sub-processors or make changes to the Sub-processor list at Annex B provided that the Customer is given twenty (20) days' prior notice and the Customer does not legitimately object, in writing, to such changes within that timeframe.

9. The Customer's Obligations in Respect of End Client's Personal Data

  1. 9.1. Neither the End Client nor the Customer shall disclose (and shall not permit any Data Subject to disclose) any sensitive data (special categories) of Personal Data or Personal Data that imposes specific data security or data protection obligations on Skillcast in addition to, or different from, those specified in the Agreement (including this DPA) to Skillcast for processing except where and to the extent expressly disclosed in Annex A.
  2. 9.2. The Customer and the End Client shall comply with all necessary transparency and lawful requirements under the Data Protection Legislation in order to disclose the End Client Personal Data to Skillcast for the Business Purposes.

10. Term & Termination

  1. 10.1. This DPA will remain in full force and effect so long as the Agreement remains in effect.
  2. 10.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after the termination of the Agreement in order to protect the End Client Personal Data will remain in full force and effect.

11. Data Return & Destruction

  1. 11.1. Unless otherwise notified by the Customer, 30 days after termination of the Agreement or 30 days after the expiry of its term, Skillcast shall securely delete or destroy and not retain all or any of the End Client Personal Data related to this DPA in its possession or control unless any law, regulation, or government or regulatory body requires Skillcast to retain any documents or materials or Customer Personal Data that Skillcast would otherwise be required to return or destroy. During this period, the Customer shall have access to download the End Client Personal Data. The End Client Personal Data shall exist in an archived format on Skillcast's backup systems for a further 30 days, and Skillcast shall protect any such Personal Data from any further processing except to the extent required by applicable laws until deletion is possible.

12. Records

  1. 12.1. Skillcast shall keep detailed, accurate and up-to-date written records regarding any processing of the End Client Personal Data, including, but not limited to, the access, control and security of the End Client Personal Data, approved Sub-processors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).
  2. 12.2. Skillcast shall ensure that the Records are sufficient to enable the Customer to verify Skillcast's compliance with its obligations under this DPA and provide the Customer with copies of the Records upon request.

13. Audit

  1. 13.1. Subject to clauses 13.3 and 13.4, and to the extent permitted by applicable Data Protection Legislation, Skillcast will, at the expense of the Customer, make available to the Customer such information in relation to the End Client Personal Data as the Customer reasonably requests and Skillcast is reasonably able to provide.
  2. 13.2. Skillcast will further, subject to any relevant and applicable confidentiality obligation, and at the expense of the Customer, provide the Customer with access to any End Client Personal Data relating to the performance of the Services and assist with such audits, including inspections, reasonably requested by (or on behalf of) the Customer (and its internal or external auditors (the Auditor)) to undertake the verification that Skillcast complies with its obligations under this DPA.
  3. 13.3. The Customer is entitled to conduct a visit or audit under clauses 13.1 and 13.2 at the Customer's expense. In such a case, Skillcast may request a prior written notice of at least seven (7) Business Days from the Customer before conducting such audit. Further, the Customer will be required to use (and ensure that its Auditors use) its best endeavours to avoid (or minimise) causing any damage, injury or disruption to Skillcast's premises, equipment, personnel and business while the personnel of the Customer, or its Auditors are on Skillcast's premises in the course of such an audit or inspection. Skillcast has no obligation to give access to its premises for the purposes of an audit or inspection:
    1. to any individual unless he or she produces reasonable evidence of identity and authority; or
    2. for the purpose of more than one audit or inspection in any calendar year except in case of suspected fraud; or
    3. if by doing so, Skillcast breaches its statutory, regulatory or contractual duties, or an order of a competent court or other authority that is applicable to Skillcast.
  4. 13.4. For the avoidance of doubt, clauses 13.1 and 13.2 will not require, nor be deemed to require, Skillcast to disclose to the Customer and/or its Auditors information of any kind previously disclosed to, or otherwise held in confidence by Skillcast on behalf of any of its other clients or other persons in any capacity whatsoever (the Protected Information). Skillcast may, in its sole discretion, refuse access to the Customer and/or its Auditors to any systems (including databases or servers) and files belonging to, or used by, Skillcast and containing such Protected Information, documents or any other data, if and to the extent that it is impossible or impracticable for Skillcast to grant access to such systems without compromising the protection, confidentiality or security of the Protected Information.

14. Warranties

  1. 14.1. Each party warrants that in relation to this DPA, it is compliant with and will remain compliant with the Data Protection Legislation.

15. Indemnity

  1. 15.1. Skillcast will indemnify only the Customer as Processor for the End Client and hold it harmless against any liabilities, claims, damages and expenses (including reasonable legal expenses) suffered or incurred by it, in each case arising out of, or in connection with, any breach by Skillcast of any of its obligations under clauses 3 (Skillcast's obligations in respect of End Client Personal Data) and 6 (Personal Data Breach) (including any failure or delay in performing, or negligent performance or non-performance of, any of those obligations), including for the avoidance of doubt any breach by Skillcast that arises out of the actions or omissions of any of the Sub-sub-processors.
  2. 15.2. In the event that the Customer becomes aware of a claim against itself or the End Client that is the subject of an indemnity under clause 15.1, the Customer shall, as soon as reasonably practicable, notify Skillcast in writing, provide all such details of the claim as are reasonably requested by Skillcast, and allow Skillcast to participate in and/or conduct negotiations and proceedings in relation to the claim.

16. Limitation of Liability

  1. 16.1. The total combined liability of either party towards the other party, whether in contract, tort or under any other theory of liability, shall be limited to the amounts set forth in the Agreement as well as any disclaimers, exclusions or limitations contained therein. Any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.
  2. 16.2. Nothing in this DPA shall exclude or limit either party's liability which cannot be excluded or limited by applicable laws.

Annex A: Personal Data Processing Purposes & Details

| Type | Description |
| --- | --- |
| Data Subject Types | The Data Subject types anticipated by Skillcast are: employees and contractors of the End Client and other individuals who the End Client gives access to the Services. If additional or alternative Data Subjects are relevant for the Services the End Client and / or Customer should identify those to Skillcast within the Order Form (which makes up part of the Agreement). |
| Subject matter of processing | Personal data of the Customer's employees for the purpose of providing the Services. |
| Nature of Processing | The processing required to deliver the Services to the Customer as described in the Agreement. |
| Personal Data Categories | The Personal Data Categories anticipated by Skillcast are: Names, Emails, Unique IDs, training records, answers to surveys, employee disclosures and other personal information provided by Data Subjects in the course of accessing the Services. If additional or alternative End Client Personal Data categories are relevant for the Services the Customer should identify those to Skillcast within the Order Form (which makes up part of the Agreement). |
| Duration of Processing | The duration of the Agreement. |

Annex B: Sub-processor(s) List

| Name | Purpose | Registered Office |
| --- | --- | --- |
| Inmarkets Limited (to the extent they are not a direct party to the Agreement) | Provide Customer Service | 80 Leadenhall Street, London, England, EC3A 3DH |
| Inmarkets International Limited (to the extent they are not a direct party to the Agreement) | Provide Customer Service | 1 Sqaq il Ghadam, Mriehel BKR3000, Malta |

Annex C: Description of Security Measures

Security Measures may be updated from time to time by Skillcast in accordance with clause 5.1 of this DPA.