Sub-data processing addendum for Clio Partners

1.1 This sub-data processing addendum including its appendixes (the “Addendum”) forms part of the Master Subscription and Services Agreement for Clio Partners entered between Clio ApS, Esplanaden 8A, 1.-2. sal, DK-1263 Copenhagen, company reg. no. 30583795, 1263 Copenhagen K (“Clio”) and the Customer (collectively the “Parties”) for the Customer’s purchase of online Services from Clio to reflect the parties’ agreement with regard to the processing of Personal Data.

1.2 This Addendum sets out the rights and obligations that apply when Clio processes Personal Data on behalf of the Customer in the capacity of Sub-data Processor to the Customer’s customers in connection with the Customer’s use of Services from Clio and as required by applicable Data Protection Laws and Regulations. The Customer’s customers are Data Controllers, the Customer is Data Processor and Clio is Sub-data Processor.

1.3 The Parties agree to comply with the following provisions with respect to the processing of the Personal Data.

 

โ€Personal Dataโ€Means any Customer Content processed in connection with the performance of Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals or as such information may be otherwise defined under applicable Data Protection Laws and Regulations.
โ€œData Protection Laws and Regulationsโ€
Means (i) the EU General Data Protection Regulation 2016/679 (โ€œGDPRโ€) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective that apply to the processing of Personal Data under this Addendum.
โ€œData Controllerโ€
Means one or all (as the case may be) of the Customerโ€™s customers and whose personal data Clio shall process under this Addendum in the capacity as Sub-data Processor.
โ€œData Processorโ€
Means the entity which processes Personal Data on behalf of the Data Controller.
โ€œSub-data Processorโ€
Means Clio to assist in fulfilling its obligations with respect to providing the Services pursuant to the Master Subscription and Services Agreement for Clio Partners or this Addendum.

3.1 Clio shall solely be permitted to process Personal Data on documented instructions from the Customer unless processing is required under EU or Member State law to which Clio is subject; in this case, Clio shall inform the Customer of this legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.

3.2 If, in Clio’s opinion, an instruction is in conflict with the Data Protection Laws and Regulations, Clio must inform the Customer accordingly.

3.3 This Addendum constitutes the Data Controllers’ complete instructions for the processing of Personal Data under this Addendum, with the exception of any written instructions that the Data Controllers are obliged to provide during the term of the Addendum in order to comply with applicable “Data Protection Laws and Regulations”. The Customer is responsible for ensuring that the Data Controllers’ complete instructions are set out in this Addendum and that the Data Controllers’ complete instructions are provided to Clio during the term of the Addendum. All other amendments to the instructions shall be agreed separately by the Parties. Clio shall be entitled to reasonable compensation from the Customer for abiding by the amended written instructions.

3.4 A specific description of the instructions concerning the processing activities, including purpose, types of personal information and categories of data subjects is described in Appendix A.

3.5 Clio shall assist the Customer in fulfilling the Data Controller’s obligations to respond to requests for the exercise of the data subjects’ rights, including access, correction, limitation, objection, data portability or deletion, if the relevant Personal Data is processed by Clio.

3.6 Further, Clio shall assist the Customer in ensuring the Data Controller’s compliance with the obligations pursuant to Articles 32 – 36 of the GDPR provided that the Customer is not capable of assisting the Data Controller in complying with the obligations without assistance from Clio and taking into account the nature of the processing and the information available to Clio.

3.7 If the Customer requests any assistance, cf. section 3.5 and 3.6, from Clio, Clio is entitled to payment for time spent, materials used and costs.

4.1 Clio undertakes to implement appropriate technical and organizational security measures according to Article 32 of the GDPR to prevent accidental or illegal destruction, loss or deterioration of Personal Data, and to prevent the Personal Data from being disclosed to unauthorized persons, misused or otherwise treated in contravention of applicable legislative requirements.

4.2 The Customer is responsible for ensuring that the security measures agreed in accordance with this section 4 comply with the Data Controllers’ data security obligations pursuant to Article 32 of the GDPR as regards the Personal Data processed. If the Customer, on a Data Controller’s behalf, requests an amendment of the security measures, the same provisions as apply for the Customer’s instructions according to section 3.3 shall apply to such a request.

4.3 Clio’s employees are subject to an obligation of confidentiality.

4.4 The technical and organizational security measures applicable upon entering into this Addendum are specified at https://www.clio.me/int/frontpage/security-standards-for-clio-partners/.

5.1 As a general authorisation Clio is entitled to engage sub-data processors for the processing of Personal Data under this Addendum.

5.2 Clio’s use of sub-data processors is based on written agreements that ensure continuation of at least the same level of protection as the level specified in the Addendum.

5.3 At the signing of the Addendum, the Customer is responsible for having received the Data Controllers’ authorization of Clio’s use of the sub-data processors which can be found at https://www.clio.me/int/frontpage/list-of-data-sub-processors-for-clio-partners/.

5.4 As a consequence of the general authorisation, cf. section 5.1, Clio shall inform the Customer of any intended changes concerning the addition or replacement of sub-data processors, thereby giving the Customer the opportunity to object to such changes.

6.1 Clio is entitled to process Personal Data outside the EU/EEA, provided that Clio ensures that the third country in question has an adequate level of protection or that Clio enters into an agreement on behalf of the Data Controller with sub-data processors using the standard contractual clauses (“SCC”) adopted by the European Commission for such transfers.

6.2 The Customer shall ensure that Clio is entitled to enter into the SCC for transfer of Personal Data to a third country or any provisions succeeding these, on the Data Controllers’ behalf.

7.1 Clio shall once a year make available all information necessary to demonstrate compliance with Article 28 of the GDPR and the obligations laid down in this Addendum and contribute to audits, including inspections, conducted by the Data Controllers or another auditor mandated by the Data Controllers.

7.2 In the event that a Data Controller wishes to conduct an inspection, such Data Controller shall provide Clio with reasonable prior notice and shall at the same time specify the content and scope of the inspection. Clio may charge the Customer for any reasonable costs incurred in conjunction with the audit.

7.3 An inspection may only be conducted if an audit cannot according to applicable Data Protection Laws and Regulations be met by Clio providing information.

7.4 A precondition for an audit, cf. this section 7, is that the Data Controllers or an auditor mandated by the Data Controllers, has entered into necessary confidentiality undertakings and complies with Clio’s security regulations at the location where the inspection is to be performed, including that the inspection will be performed without any risk of it hindering Clio’s business or the protection of other customers’ information. Information collected as part of the inspection shall be erased after the audit has been completed or when it is no longer needed for the purpose of the audit.

7.5 To the extent that the Customer also wants the audits, cf. section 7.1, to include the processing that takes place at sub-data processors, the Customer must inform Clio about this.

8.1 The Addendum shall enter into force upon the signing of a Master Subscription And Service Agreement by the Parties and shall terminate when the processing of Personal Data described in Appendix A ceases.

8.2 As long as Clio processes Personal Data on behalf of the Data Controller under this Addendum, Clio is obligated by the Addendum.

8.3 The Customer is responsible for immediately notifying Clio when the agreement between the Customer and a Data Controller has terminated and the Personal Data Clio is processing on such Data Controller’s behalf shall be deleted by Clio.

8.4 Upon termination of the Addendum, Clio shall, at the request of the Customer and after further discussions, return all Personal Data to the Customer or to the party nominated by the Customer, cease to process and delete all personal data that has been processed under the terminated Addendum. The Customer is responsible for ensuring that the Customer’s requests to Clio under this section 8.4 are made in accordance with the Data Controllers’ instructions. If a Data Controller should provide instructions under this section 8.4 directly to Clio regarding the processing of its Personal Data, Clio shall comply with such instructions.

Appendix A: Categories of Data Subjects and types of Personal Data etc.

APPENDIX A

Categories of data subjects and types of personal data etc.

The purpose of the processing

Clio will process the Personal Data to the extent necessary to provide the Services pursuant to the Master Subscription and Services Agreement for Clio Partners and as further specified in the Addendum, and as further instructed by the Customer in its use of the Services.

Categories of Data Subjects

The processing can include the following categories of Data Subjects:

  • Customer – Professional users/editors
  • Customer’s customers and users

Types of Personal Data

The processing can include the following types of Personal Data about Data Subjects:

 

Type of Customer data (Professional users/editors) 

Customer personnel and contractor data required for delivery of Clio Services: Name, Login Details, Company name and possibly other contact information as may be provided by Customer or such personnel or contractors to Clio.

No sensitive data is being processed

Type of data for Customer’s customers and users

Personnel and contractor data required for delivery of Clio Services to customers of Customer, which may include, but is not limited to, the following types of Personal Data: Name, Company name, Company address, Company country, Company zip code, Company city, School name, Company contact phone number, Company email address.

No sensitive data is being processed

 

Personnel and contractor data required for delivery of Clio Services to users of Customer, which may include, but is not limited to, the following types of Personal Data: User name, User login details, User email, User role (Teacher/Student), User class name, User date of birth.

No sensitive data is being processed

Last updated on 17 March 2021.