This Data Processing Addendum (“Addendum”) supplements and amends the Master Agreement with regards to the processing of EU Personal Data. This Addendum applies to EAB’s processing of Personal Data provided by Organization to EAB. Except as expressly stated otherwise, in the event of any conflict between the terms of this Addendum, including any policies or appendices referenced herein, and the Master Agreement, the terms of this Addendum shall take precedence. Capitalized terms not otherwise defined herein will have the meanings given to them in the Master Agreement.

I. Definitions:

1. Data Protection Legislation: all applicable legislation relating to the protection and processing of Personal Data in any relevant jurisdiction, including (without limitation): the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018, the ePrivacy Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, or any other legislation which implements any other current or future legal act of the European Union concerning the protection and processing of personal data and any national implementing or successor legislation), and including any amendment or re-enactment of the foregoing;
2. Personal Data: has the meaning given to it in the Data Protection Legislation and relates only to personal data, or any part of such personal data, in respect of which EAB is a processor in connection with the performance of its obligations under the Master Agreement; and
3. “Data Subject”, “processing and process”, “Supervisory Authority”, “controller”, “processor” and “appropriate technical and organisational measures” shall have the meanings given to them in the Data Protection Legislation.

II. Instructions:

1. EAB will comply and will procure that its employees, agents and subcontractors comply with their respective obligations under the Data Protection Legislation and will not do or omit to do anything that would cause Organization to breach their obligations under the Data Protection Legislation.
2. The parties acknowledge and agree that for the purposes of the Data Protection Legislation, Organization is the controller and EAB is the processor of the Personal Data. Each Program Order Form sets out the scope, nature and purpose of processing by EAB, the duration of the processing and the types of personal data and categories of Data Subject. In no circumstances shall EAB be entitled to process the Personal Data for its own purposes.

III. Obligations on Organization

In relation to the processing of Personal Data, Organization confirms, represents and warrants that it acts as a controller and that it shall:

1. comply with Data Protection Legislation when processing Personal Data, and shall only give lawful instructions to EAB;
2. rely on a valid legal basis under Data Protection Legislation in order to process the Personal Data and share the Personal Data with EAB, including obtaining Data Subjects’ consent if required or appropriate under Data Protection Legislation;
3. obtain appropriate consents from Data Subjects for the purposes of direct marketing activities (whether conducted by the Company or the Customer) and provide the necessary opportunity for Data Subjects to opt-out of such processing, in accordance with applicable Data Protection Legislation;
4. provide appropriate notice to the Data Subjects regarding the processing of Personal Data, in a timely manner and in accordance with the requirements of the applicable Data Protection Legislation;
5. take reasonable steps to ensure that Personal Data is accurate, complete and up to date, is limited to what is necessary for the purposes of the processing and is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is processed, unless a longer retention period is required or permitted under applicable EU or Member State law;
6. implement appropriate technical and organisational measures to ensure, and to be able to demonstrate that the processing of Personal Data is performed in accordance with applicable Data Protection Legislation; and
7. cooperate with EAB to fulfil their respective data protection compliance obligations in accordance with Data Protection Legislation.

IV. Obligations on EAB

In processing Personal Data on behalf of Organization, EAB acting as processor shall:

1. only act on the instructions of Organization as set out in the Master Agreement or as otherwise documented by Organization, unless any EU or Member State law requires otherwise, in which case, EAB shall promptly notify Organization of such legislative requirement before processing Organization’s Personal Data (unless EAB is barred from notifying Organization under any EU or Member State law);
2. implement and maintain at all times during the term of the Master Agreement appropriate technical and organisational measures to protect Organization’s Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing, in each case, taking into account applicable requirements under the Data Protection Legislation, and shall continue to comply with them during the term of the Master Agreement;
3. grant access to the Personal Data to persons authorized to process the Personal Data, including but not limited to: (i) employees who require access to the Personal Data to enable EAB to perform its obligations under the Master Agreement; and (ii) subject to Clause IV(e), EAB contractors, agents, outsourcers, and approved subcontractors who require access to the Personal Data to enable EAB to perform its obligations under the Master Agreement (the “Authorized Persons”) and, shall in each case, ensure such Authorized Persons have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in respect of the Personal Data;
4. transfer the Personal Data to, or process the Personal Data in, any country outside the European Economic Area where necessary to perform its obligations under the Master Agreement, and shall do so in accordance with Data Protection Legislation. Organization hereby authorizes such cross-border transfer of Personal Data and confirms, represents and warrants that it shall comply with any applicable requirements under Data Protection Legislation in respect of such transfers;
5. not engage any sub-processor of the Personal Data without a general written authorization of Organization, attached hereto as Attachment A, and EAB shall inform Organization of any intended changes concerning the addition or replacement of other sub-processors, to give Organization the opportunity to object;
6. as requested by Organization, provide reasonable assistance to Organization (at Organization’s cost) with responding to any request from a Data Subject, and shall provide reasonable assistance to Organization in relation to Organization’s compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, data protection impact assessments and consultations with Supervisory Authorities;
7. at Organization’s written request, EAB shall, and shall instruct all Authorized Persons to, (at Organization’s election), delete or return, to the extent technically possible, all Personal Data to Organization (and delete all existing copies), unless it is necessary for EAB to retain one copy of the Personal Data to comply with any EU or Member State law; and
8. maintain and make available to Organization, on Organization’s request, all information necessary to demonstrate its compliance with this Addendum and allow for audits and inspections by Organization or Organization’s designated auditor on reasonable written notice.

ATTACHMENT A

GENERAL AUTHORIZATION OF SUB-PROCESSORS

Data Processor is authorized by Data Controller to engage the following types of sub-processors when it is processing personal data on behalf of Data Controller and such data is subject to GDPR:

For any EAB Enrollment Services Program:

• Data storage provider
• Data entry and verification providers
• Cloud communication provider to send and receive text messages
• Display advertising platform
• Marketing automation platform
• Business intelligence and reporting platform
• Payment processor for application and deposit fees
• Print and mail shops
• For adult learner recruitment programs only, data integration platform

For any EAB Technology Program

• Data storage and data lake providers
• Help center and service desk support providers
• User experience analysis
• Marketing automation platform
• Analytics dashboard provider
• Contracted developers

For any EAB Agency Program

• Data storage and data lake providers
• Business intelligence and reporting platform

Version 2 (Updated 8/21/2020)