Data Processing Addendum

Updated 24 November 2021

24 November 2021: update has been made to list Lumina Learning's sub-processors in Appendix 1

 

This Data Processing Addendum (“DPA”) forms part of the General Terms and Conditions of Business (the “Conditions” located at https://www.luminalearning.com/luminaterms) and the Agreement between “Lumina Learning“ (Lumina Learning Limited, registered in England and Wales, Company Number 07021544) and the individual or organisation that is party to the Agreement (“You, Your”).

 

1.               Overview

1.1.           This DPA sets out how the parties shall use Personal Data and Lumina Learning’s obligations where acting as Data Processor.

1.2.           This DPA shall be interpreted in accordance with the Conditions, save that in the case of a conflict between the DPA and the Conditions, the DPA shall prevail.

 

2.               Definitions

2.1.           In this DPA the following words or phrases have the meaning set out alongside them, save to the extent that the context clearly indicates otherwise. Other capitalised terms in this DPA shall have the specific meaning as defined in this DPA or, where this DPA contains no definition, as defined in the Conditions.

2.1.1.      Data Controller - means the individual or legal entity who determines the purposes and means of the processing of Personal Data;

2.1.2.      Data Processor - means the natural or legal person that processes Personal Data on behalf of the Data Controller;

2.1.3.      Data Subject - means any natural person about whom Personal Data is gathered;

2.1.4.      Data Protection Law - means the relevant legal framework concerning data protection, including the United Kingdom Data Protection Act 2018 and the European Union Regulation (EU) 2016/679 (the General Data Protection Regulation);

2.1.5.      Participant - means a Data Subject with whom You interact when providing the Practitioner Services;

2.1.6.      Participant Data - means Personal Data about Participants that You collect and store in Lumina Learning's online system, including Participant name, email address, gender or pronoun preferences, responses to tasks and resulting Portraits and informational reports. You are the Data Controller of this Personal Data and Lumina Learning is the Data Processor;

2.1.7.      Personal Data - means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2.1.8.      Practitioner Data - means Personal Data gathered by Lumina Learning and the Partner about You and anyone acting on Your behalf for the purpose of the fulfilment of the Agreement, including individuals acting as Practitioners and administrative personnel. Lumina Learning and the Partner are the Data Controllers of this Personal Data;

2.1.9.      User Data - means Personal Data gathered by Lumina Learning about any Data Subject that uses Lumina Learning’s online system, including personal details and technical information necessary to register a user account. Lumina Learning is the Data Controller of this Personal Data.

 

3.               Roles and Subject Matter

3.1.           In relation to Participant Data, details of this processing are as follows:

3.1.1.      Subject matter of processing: the provision of Services to You by Lumina Learning under the Agreement through Lumina Learning’s processing of Participant Data.

3.1.2.      Duration of processing: for the duration of the Agreement, or until personal data is deleted or returned in accordance with this DPA.

3.1.3.      Nature and purpose of processing: the provision of Services by Lumina Learning to You and to facilitate Your provision of the Practitioner Services to Participants

3.1.4.      Type of personal data: Participant Data.

3.1.5.      Categories of data subjects: Participants.

3.2.           You shall share with Lumina Learning a copy of Participant Data and this copy shall be controlled by Lumina Learning and form part of User Data. You warrant that you have a lawful basis for sharing this data.

 

4.               Your Obligations

4.1.           Where You are Data Controller You shall:

4.1.1.      Comply with all relevant Data Protection Law; and

4.1.2.      Provide such assistance as Lumina Learning may reasonably require where necessary to permit Lumina learning to fulfil its obligations under the Agreement.

 

5.               Lumina Learning’s Obligations

5.1.           Where Lumina Learning is Data Controller or Data Processor it shall:

5.1.1.      Comply with all relevant Data Protection Law;

5.1.2.      Implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data, including by implementing reasonable measures to keep Personal Data safe from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access;

5.1.3.      Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and

5.1.4.      Ensure that persons authorised to process Personal Data have committed themselves to implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data.

5.2.           Where Lumina Learning is Data Processor it shall:

5.2.1.      Process Personal Data only on documented instructions from You. Lumina Learning may also handle data in accordance with applicable law to which it is subject, provided that it undertakes to inform You of that legal requirement before processing takes place, unless that law prohibits such information on important grounds of public interest;

5.2.2.      Where Personal Data is subject to EU Data Protection Law, transfer that Personal Data outside the EEA only with Your instruction and only where satisfied that adequate safeguards are in place, or if the transfer is required by law;

5.2.3.      Where Personal Data subject to UK Data Protection Law, transfer that Personal Data outside the UK only with Your instruction and only where satisfied that adequate safeguards are in place, or if the transfer is required by law;

5.2.4.      At Your choice, delete or return all Personal Data to You after the purposes for processing are complete and delete existing copies, unless applicable law requires storage of the Personal Data;

5.2.5.      Notify You as soon as possible once becoming aware of a Personal Data breach and cooperate in implementing appropriate remedial action; and

5.2.6.      Notify You as soon as possible once becoming aware of a complaint relating to the processing.

5.3.           Where Lumina Learning is Data Processor it shall assist You, where reasonably possible in relation to the processing, to comply with Your obligations established by Data Protection Law to:

5.3.1.      Implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data;

5.3.2.      Report a Personal Data breach to a supervisory authority;

5.3.3.      Communicate a Personal Data breach to the Data Subject, where required by law;

5.3.4.      Conduct data protection impact assessments; and

5.3.5.      Respond to Data Subjects to exercise their Data Subject access rights, including their right to access, rectify, port and in some circumstances erase their Personal Data.

5.4.           Lumina Learning shall not carry out Your instructions that it believes are incompatible with Data Protection Laws and shall notify You immediately if it believes such is the case.

 

6.               Processing, Sub-processing and International Transfers

6.1.           In relation to Participant Data You hereby give Lumina Learning general written instruction to:

6.1.1.      Process Participant Data in any manner reasonably required to achieve the purposes of processing;

6.1.2.      Engage sub-processors to conduct its obligations including processing under the Agreement; and

6.1.3.      Transfer Participant Data to any geographic location or international body where reasonably necessary to achieve the purposes of processing.

6.2.           You agree to Lumina Learning's use of the sub-processors listed in Appendix 1 of this DPA.

6.3.           The parties agree that this DPA serves as documentation of Your full instructions regarding Lumina Learning’s processing of Participant Data and is the only basis on which Lumina Learning shall act. Any further instructions must be agreed between the parties.

6.4.           Lumina Learning shall be liable for all acts and omissions of its sub-processors to the same extent as it would be liable had it performed the processing activities directly.

6.5.           Lumina Learning shall inform You at least 1 month in advance of the appointment of any sub-processors (including by email notification or by publication on the Website which it is Your responsibility to check regularly). Where You object to the appointment, You shall notify Lumina Learning before expiry of the 1-month period detailing the reasons for Your objection. In such a scenario, the parties shall use their reasonable endeavours to find a mutually satisfactory alternative sub-processor. If it is not possible to reach agreement within a further period of 1 month, either party may terminate the Agreement immediately without liability by providing notice to the other party. Where you do not object you shall be deemed to have consented to the appointment.

 

7.               Audit

7.1.           7.1. Where Lumina Learning is Data Processor it shall make available to You information necessary to demonstrate compliance with the Agreement and its obligations laid down by Data Protection Law.

7.2.           Lumina Learning shall permit You at Your sole cost and at a mutually agreed time to audit Lumina Learning's compliance with the Agreement and its obligations laid down by Data Protection Law. You shall conduct any audit during Lumina Learning's normal business hours and shall take all reasonable measures to prevent unnecessary disruption to Lumina Learning's operations. You shall be entitled to exercise Your audit rights not more than once in any twelve calendar month period.

7.3.           Where Lumina Learning is Data Processor it shall make available to You a copy of Personal Data held under this agreement upon request.

7.4.           Any information disclosed by Lumina Learning or any information generated in connection with an audit shall be Confidential Information.

 

8.               Term and Termination

8.1.           This DPA shall remain in force for the duration of the Agreement or where Personal Data is held beyond the termination of the Agreement until it is returned to You or deleted.

 

 

Appendix 1 - Sub-processors

Name: Amazon Web Services EMEA SARL
Location: Luxembourg

Name: Microsoft Ireland Operations Limited
Location: Ireland

Name: Steamhaus Limited
Location: UK

Name: Alchemer LLC
Location: USA