Last modified: 19 April 2022
1. Data Processing Agreement
1.1. This Data Processing Agreement (“DPA”) sets forth the data processing rights and obligations for the Platform. This SLA is entered into by and between Customer and Ecolab Inc. (“Ecolab”). Ecolab’s obligations may be carried out by Lobster Ink, a division of Ecolab.
In this DPA the following terms have the following meanings:
2.1 “Applicable Laws” means (to the extent they apply to Ecolab) the laws of the European Union, the law of any member state of the European Union and/or any domestic laws applicable to Ecolab.
2.2 “Data Protection Legislation” means the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), any other directly applicable European Union regulation relating to privacy, and any domestic data protection legislation directly applicable to Ecolab or Customer (including the UK Data Protection Act 2018).
2.3 "Personal Data" means any information relating to an identified or identifiable individual which information is subject to the Data Protection Legislation and exchanged between the Parties as a part of the Services provided in the Agreement.
2.4 “Controller”, “Data Subject”, “Processor” and “Processing” have the meanings as defined in the GDPR.
3. Data Protection
3.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This DPA is in addition to, and does not relieve, remove or replace a Party's obligations under the Data Protection Legislation.
3.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, Customer is the Controller and Ecolab is the Processor. Schedule 1 below sets out the scope, nature and purpose of processing by Ecolab, the duration of the Processing, the types of Personal Data, and categories of Data Subject.
3.3 Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Ecolab for the duration and purposes of the Agreement.
3.4 Ecolab will, with respect to any Personal Data processed in connection with the performance of its obligations under the Agreement:
(a) process that Personal Data only on the reasonable written instructions of Customer unless Ecolab is required by Applicable Laws to otherwise process that Personal Data (in which case Ecolab will notify Customer, unless the law prohibits providing such notice). Customer hereby instructs Ecolab to process Personal Data to the extent necessary to perform its obligations under the Agreement. Ecolab shall immediately inform Customer if, in its reasonable opinion, an instruction from Customer infringes Data Protection Legislation or other Applicable Laws;
(b) taking into account industry standard, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, ensure that it has in place appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk as identified in Article 32 of the GDPR, considering, in particular, the risks associated with unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data;
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
(d) notify Customer without undue delay on becoming aware of a Personal Data breach;
(e) taking into account the nature of the processing and information available to Ecolab, make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow and contribute to audit, including inspections, conducted by Customer or another auditor mandated by Customer, as may be required by Data Protection Legislation, such audits to be held as far as reasonably possible at times, mutually agreed by both Parties, that are convenient to Ecolab and do not disrupt the day to day business activities of Ecolab;
(f) taking into account the nature of the processing and information available to Ecolab, reasonably assist Customer in responding to a Data Subject request and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, impact assessments and consultations with supervisory authorities or regulators;
(g) reasonably cooperate with Customer and take such reasonable commercial steps as are requested in writing by Customer to assist it in the investigation, mitigation and remediation of a Personal Data breach; and
(h) at the written direction of Customer, delete or return Personal Data and copies thereof to Customer on termination or expiration of the Agreement unless required by Applicable Law to store the Personal Data. If Customer fails to provide direction with regard to such Personal Data within a reasonable time, not to exceed sixty (60) days following such termination or expiration, then Ecolab may retain or destroy such Personal Data without liability with respect thereto.
3.5 Customer shall reimburse Ecolab for the cost of any assistance offered to Customer as described in this DPA (e.g. in Section 3.4) beyond what is reasonable taking into account the nature of the Processing.
3.6 Customer consents to Ecolab appointing subprocessors of Personal Data under the Agreement in order for Ecolab to perform its obligations under the Agreement as described in the List of Sub-Processors (which is available at https://lobsterink.com/terms/sub-processors/). Ecolab confirms that it has entered (or will enter) into written agreements with the sub-processors listed imposing the relevant obligations required by the Data Protection Legislation.
3.7 Customer acknowledges that from time to time during the term of the Agreement, Personal Data will be transferred to third countries. To facilitate transfer of Personal Data to third countries, the Parties agree to enter into the EU Standard Contractual Clauses:
(a) Customer, as "data exporter", and Ecolab, as "data importer", hereby enter into, as of the Effective Date, the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries, Regulation (EU) 2016/679 (the "SCCs") (the text of which is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en) which are incorporated by this reference and constitute an integral part of this DPA. The Parties are deemed to have accepted and executed the SCCs in their entirety, including the appendices.
(b) In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall apply.
(c) The information contained in this DPA including its Schedule 1 shall fulfil the requirements of the SCCs Annex 1 (Description of Processing) and Annex 3 (List of Sub-Processors).
(d) The terms of the Security Annex, available from Ecolab upon request, shall fulfil the requirements of the SCCs Annex 2 (Technical and Organizational Measures).
4. Customer Obligations
Customer agrees that:
4.1 It will comply with its obligations under the Data Protection Legislation;
4.2 All of the Personal Data provided by it (or on its behalf) to Ecolab will be collected and provided in accordance with the Data Protection Legislation;
4.3 Ecolab’s processing of such Personal Data in accordance with this Agreement will not put Ecolab in breach of the Data Protection Legislation;
4.4 If in its reasonable opinion Ecolab needs to revise this DPA in order to comply with the Data Protection Legislation, Customer agrees to enter into a written variation to make the amendments which in Ecolab’s reasonable opinion are required.
SCHEDULE 1: PROCESSING, PERSONAL DATA AND DATA SUBJECTS
1. Processing by Ecolab
Processing of Data Subjects’ Personal Data for the purpose of providing online training services and associated reporting and support as described in the Agreement or other applicable documentation.
For the purpose of providing the Services.
1.3 Purpose of processing
Hosting, reporting, customer support or as otherwise described in the Agreement or other applicable documentation.
1.4 Duration of the processing
For the duration required in order to provide the Services unless required by Applicable Law to store the Personal Data for longer.
2. Types of personal data
Names, email addresses, job roles, employee numbers, telephone numbers.
3. Categories of data subject
Any individual accessing and/or using the Services through Customer's subscription (Users).