Keystone Data Processing Addendum
This Keystone Services Data Processing Addendum ("Addendum") is hereby made and entered into by and between the customer, as identified and with the address and organizational number specified in the corresponding order confirmation ("Customer"), and the relevant Keystone entity, similarly specified in the order confirmation ("Keystone").
For the purpose of this Addendum, the term "party" refers to either the Customer or Keystone individually, and the term "parties" refers to the Customer and Keystone jointly.
1 SCOPE
1.1 Keystone and the Customer agree that this Addendum sets forth their obligations with respect to the processing and security of personal data in connection with the relevant service purchased by the Customer, as set out in the order confirmation or as otherwise agreed between the parties ("Order Confirmation"), including any additional or subsequent purchases or updates of the service (the "Keystone Service"). This Addendum is incorporated by reference into the relevant provision agreement for the Keystone Service executed between Keystone and the Customer (hereinafter referred to as the "Main Agreement").
1.2 Each respective Keystone Service may entail distinct processors and controllers roles and responsibilities under applicable data protection laws. Keystone and the Customer agree on the processor and controller roles and responsibilities as set out in Section 2 of this Addendum.
1.3 When Keystone processes personal data in the function as a processor on behalf of the Customer acting as a controller, as specified in Section 2 of this Addendum, the "Data Processing Agreement" (or "DPA") shall apply. The DPA forms an integral part of this Addendum.
1.4 When Keystone processes personal data in the function as a joint controller together with the Customer, as specified in Section 2 of this Addendum, the "Joint Controller Agreement" (or "JCA") shall apply. The JCA forms an integral part of this Addendum.
2 ROLES AND RESPONSIBILITIES
2.1 Listing services
2.1.1 Keystone hosts websites where visitors can access information about domestic and international study programmes, courses and leisure activities (“activities”). On these websites, Keystone sets up profiles for its customers, allowing them to promote their activities locally and globally to generate inquiries from prospective students and participants (“leads").
2.1.2 Within the customers’ profiles, Keystone makes available an information request form that website visitors can fill out if they want to receive more information about the customer or its activities (the “lead form”). The lead form can also be embedded directly on customer websites.
2.1.3 The primary purpose of the lead form is to connect leads with customers, and facilitate communication between the leads and the customers. Upon submission of the lead form, the information collected through the lead form is directly provided to the customer by Keystone.
2.1.4 If the Customer has purchased listing services from Keystone, as specified in the Order Confirmation or agreed upon subsequent to entering into the Main Agreement, the Customer and Keystone agree that they will act as separate controllers for the processing of personal data collected via the lead form. The Customer serves as the controller for the personal data requested and received from each lead through the lead form, as well as for any subsequent processing of that data for the purpose of connecting and communicating with the leads. Conversely, Keystone functions as an independent controller for the processing of any personal data collected through the lead form, specifically for the purpose of creating a user account for the lead on the Keystone student platform.
2.1.5 Should the customer be located outside of the EU/EEA, the parties agree that personal data contained in the lead form shall only be transferred to the Customer if the lead has provided explicit consent for this transfer, in accordance with Article 49 (1) (a) of the GDPR.
2.1.6 The Parties each assume no liability for the other's processing of personal data, in their roles as separate controllers for the personal data collected and processed via the lead form. Consequently, both Keystone and the Customer are required to demonstrate a lawful basis for their respective processing of the relevant personal data and otherwise ensure compliance with all applicable data protection laws.
2.2 Digital marketing, advertisement and promotions services
2.2.1 Keystone offers professional digital marketing services to certain customers. These services include the distribution of direct email marketing, social media marketing, joint and separate newsletters, hosting virtual exhibitions and student fairs, and employing other promotional methods to highlight the customers’ educational programs or services. The aim is to generate leads for customers and to promote enrollment of prospective students and others at the customers’ institutions as full-time students.
2.2.2 If the Customer has purchased marketing services from Keystone, as outlined in the Order Confirmation or subsequently agreed between the parties after entering into the Main Agreement, Keystone and the Customer will act as joint controllers for the processing of personal data related to such marketing and/or advertising service. This processing is governed by the JCA.
2.2.3 Details regarding the joint processing activity referred to and governed by the JCA, are specified below (the "Joint Processing Activity"):
The subject-matter and the nature of the processing:
The processing of personal data that Keystone carries out as a joint controller with the Customer involves offering professional digital marketing services to the Customer. These services include the distribution of joint or separate newsletters, virtual exhibitions, and student fairs, as well as other promotional methods to generate leads from prospective students and others, and to encourage the enrollment of full-time students.
Keystone and the Customer jointly determine the means and purposes of the processing, for example, by deciding which categories of prospective students to target, what information should be included in the advertisements, and the methods of interaction. After Keystone and the Customer has determined the means and purposes of each marketing service, Keystone typically delivers the marketing on behalf of the parties through its own channels or social media, such as via email or digital platforms.
The purpose of the processing:
The purpose of the processing under the JCA is for Keystone to provide the Customer with the agreed-upon professional digital marketing services outlined in the Main Agreement, including the examples provided above. The joint processing of personal data is necessary to deliver the relevant Keystone Service.
The duration of the processing/criteria to determine the duration:
The processing is not limited in duration and will continue until the Main Agreement is terminated or until the Joint Processing Activity related to each individual marketing service concludes.
Categories of data subjects:
Prospective students, other registered users on the Keystone platform, students of the Customer's institution, and any other category of data subject's included in the relevant marketing (e.g., contact person at the Customer's institution).
Types of personal data:
Contact details for prospective students or others with a user account on the Keystone platform, information on each prospective student's academic interest as provided in the user account on the Keystone platform, contact details for students of the Customer's institution, and any other personal data included in the relevant marketing (e.g., contact details for a contact person at the Customer's institution).
2.2.4 No special categories of personal data are being processed.
2.3 CRM and marketing automation software platform services
2.3.1 Keystone provides certain customers with access to a web-based marketing automation software platform which facilitates for the customers’ collecting, storing and managing lead data collected via lead forms or imported into the system by the customers (the “Platform”). The Platform includes various statistics, communication, customization and management tools.
2.3.2 If the Customer has purchased marketing automation software platform services from Keystone, the parties agree that Keystone is a processor for the processing of personal data within the Platform and the Customer is a controller. The processing of personal data for this service is subject to the DPA and the following additional data processing details:
The subject-matter and the nature of the processing:
The processing of personal data that the processor carries out on behalf of the controller consists of making available the Platform which includes basic processing activities such as hosting lead information, and other applicable services as described in the Main Agreement.
The purpose of the processing:
The purpose of the processing under the agreement is to be able to provide to the Customer Platform in accordance with the Main Agreement.
The duration of the processing/criteria to determine the duration:
The processing is not limited in time and will last until the Main Agreement is terminated or as long as the processor processes personal data on behalf of the controller.
Categories of data subjects:
Employees of the controller, leads and enrolled students or course participants.
Types of personal data:
The type of personal data processed are: User account information about the employees of the controller, leads’ and enrolled students’/course participants’ contact information, academic interests and other personal data submitted to the Platform in free text fields and/or in communication with the Customer.
2.3.3 No special categories of personal data are being processed, unless such personal data has been provided to the Platform by way of communication between the Customer and prospective student.
3 ACKNOWLEDGMENTS
3.1.1 The Customer acknowledges and agrees that all processing of personal data associated with providing the Keystone Services may involve processing of personal data across the entities within the Keystone Group. Such processing will always be governed by an intra-group data processing agreement. An overview of the entities in the Keystone Group may be found here: Keystone Education Group Legal Structure.
3.2 For the avoidance of doubt, both parties assume the role as sole data controller for personal data that is independently processed in the interest and for the purposes of such party (such as student enquiries, communication, marketing and third party services) for whom personal data is processed in connection with the Keystone Service and under this Addendum, or as otherwise arranged.
3.3 Keystone will comply with laws and regulations applicable to the Keystone Service, including applicable security and data processing laws. However, Keystone is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to Keystone or other service providers for similar services. Keystone does not determine whether Customer’s data includes information subject to any specific law or regulation.
3.4 The Customer must comply with all laws and regulations applicable to its use of the Keystone Services, including laws related to confidentiality of communications, security and data protection. Customer is responsible for determining whether the Keystone Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Keystone Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of the Keystone Services.
4 LEGAL VENUE AND GOVERNING LAW
Unless otherwise agreed in the Main Agreement, this Addendum shall be governed by the laws of Norway, with Oslo District Court as the legal venue.