“Data Protection Laws” means all data protection laws and regulations applicable to the processing of Creator Data and Student Data, including, without limitation, the EU Data Protection Law.
“EU Data Protection Law” means all data protection laws and regulations applicable to the European Union, the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK“), including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR“); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national legislation implementing the GDPR and Directive 2002/58/EC; and (iii) with respect of the UK, any applicable national legislation that replaces the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, consumer personal data transmitted, stored or otherwise processed.
“Standard Contractual Clauses” means the controller-to-processor contractual clauses issued by the European Commission in Decision 2010/87/EU, as may be amended from time to time by the European Commission.
“Sensitive Data” means (i) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (v) account passwords; or (vi) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Sub-Processor” means any entity engaged by Tourism Academy, Inc. to provide processing services in furtherance of The Tourism Academy’s processing of Creator Data.
The terms “personal data“, “controller“, “data subject“, “processor” and “processing” shall have the meaning given to them under Data Protection Laws, or if not defined thereunder, the GDPR, and “process“, “processes” and “processed” shall be interpreted accordingly.
1. Relationship between the Parties.
1.1. The parties acknowledge and agree that Creator is the controller and Tourism Academy, Inc. is a processor acting on behalf of Creator with respect to Creator Data, as further described in Schedule A of this Agreement.
1.2. The parties acknowledge and agree that Tourism Academy, Inc. and Creator each act as an independent controller with respect to their particular processing of Student Data. For the avoidance of doubt, Tourism Academy, Inc. and Creator are at all times independent controllers, not joint controllers, of Student Data.
2. Creator Obligations.
3. The Tourism Academy’s Obligations as Processor of Creator Data.
3.2. Tourism Academy, Inc. shall notify the Creator if it becomes aware of, or reasonably believes that, a documented instruction from the Creator infringes upon Data Protection Laws.
3.3. Confidentiality. Tourism Academy, Inc. shall ensure that its employees, authorized agents, and any Sub-Processors authorized to process Creator Data have agreed to comply with confidentiality obligations with respect to Creator Data.
3.4. Assistance to Creator. Tourism Academy, Inc. shall, taking into account the nature of the processing and the information available to The Tourism Academy, provide reasonable assistance to Creator to enable Creator to comply with its obligations under applicable Data Protection Laws. Notwithstanding the foregoing, Creator agrees that it will not cause Tourism Academy, Inc. to process any personal data that presents a high risk to the rights and freedoms of data subjects.
3.5.2. Prior to the relevant Sub-Processor carrying out any processing activities in respect of Creator Data, Tourism Academy, Inc. shall enter into an agreement with the Sub-Processor containing data protection obligations that provide at least the same level of protection for Creator Data as those under this Agreement.
3.6 Deletion on Termination. Upon termination or expiration of this Agreement, Tourism Academy, Inc. shall (at the Creator’s election) return or delete all Creator Data in its possession or control, except that this requirement shall not apply to the extent Tourism Academy, Inc. is required to retain some or all of the Creator Data to comply with its legal obligations, or to Creator Data it has archived on backup systems, which Tourism Academy, Inc. shall protect from any further processing and eventually delete in accordance with The Tourism Academy’s data retention policies, except to the extent required by applicable law.
3.6.1. Creator acknowledges and agrees that Tourism Academy, Inc. will fulfill its obligations to return Creator Data under this section by providing Creator the opportunity to download and export Creator Content out of the Tourism Academy, Inc. Platform.
4. Data Subject Requests.
4.1. Creator Data. As part of Tourism Academy, Inc. Services, Tourism Academy, Inc. provides the Creator with a number of self-service features, including the ability to modify, delete, and restrict access to Creator Content, that Creator may use to assist in complying with its obligations under Data Protection Laws with respect to responding to requests from data subjects regarding Creator Data.
4.2. Student Data. Each party shall respond to data subject requests received by it concerning the processing of covered Student Data promptly and within the timeframes required by Data Protection Laws. In the event that Creator receives any data subject requests regarding Student Data, Creator will promptly (and in any event within three business days) notify Tourism Academy, Inc. and provide Tourism Academy, Inc. with a copy of the request.
4.3. Tourism Academy, Inc. shall, taking into account the nature of the processing, provide reasonable assistance to Creator to enable Creator to comply with its data protection obligations with respect to data subject requests.
5. Security and Compliance Rights
5.1. Security Measures. Taking into account the state of technical developments and the nature of processing, Tourism Academy, Inc. undertakes to establish and maintain appropriate technical and organizational measures in order to protect Creator Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure, or access, in accordance with The Tourism Academy’s security standards described in Schedule B (“Security Measures”).
5.2. Personal Data Breaches. In the event that Tourism Academy, Inc. becomes aware of a Personal Data Breach that affects Creator Data or Student Data, Tourism Academy, Inc. shall notify Creator without undue delay of the Personal Data Breach via the email address associated with the Creator’s primary owner account.
5.3. Compliance Obligations. In order to ensure compliance with the applicable Data Protection Laws, Tourism Academy, Inc. shall make available to the Creator information necessary to demonstrate compliance with the legal obligations related to the processing of Creator Data by Tourism Academy, Inc. on behalf of the Creator.
5.3.1. Tourism Academy, Inc. shall respond to all reasonable requests for information made by Creator to confirm The Tourism Academy’s compliance with this Agreement upon Creator’s written request to firstname.lastname@example.org.
5.3.2. Upon written request, Tourism Academy, Inc. shall supply (subject to confidentiality protections) a summary copy of its most current audit report(s) (“Audit Report”) to Creator, so that Creator can verify The Tourism Academy’s compliance with the audit standards against which it has been assessed.
5.3.3.Should an audit be requested under applicable Data Privacy Laws to assess The Tourism Academy’s compliance with the terms of this Agreement, the parties shall select an accredited independent third-party audit firm that is mutually agreeable to both parties. Creator shall be responsible for all costs, fees, and expenses related to such audit. The scope of the audit shall be limited to The Tourism Academy’s compliance with Data Privacy Laws as applied under this Agreement. Notwithstanding the foregoing, the audit shall occur during regular business hours, with reasonable advance notice to The Tourism Academy, and subject to confidentiality protections. Creator may not audit Tourism Academy, Inc. more than once annually.
6. International Transfers
6.1. The Creator acknowledges and agrees that Tourism Academy, Inc. may transfer and process personal data in and to servers and databases located in the United States and anywhere else in the world where The Tourism Academy, its affiliates, or its Sub-Processors maintain their servers, provided that Tourism Academy, Inc. shall comply with the provisions of applicable Data Protection Laws relating to the transfer.
6.2. To the extent that Tourism Academy, Inc. transfers Creator Data protected by the European Data Protection Law, Tourism Academy, Inc. and Creator agree to abide by and process Creator Data in compliance with the Standard Contractual Clauses, which are incorporated in full by reference and form an integral part of this Agreement. For purpose of the Standard Contractual Clauses, Tourism Academy, Inc. agrees that (i) it is the “data importer” and Creator is the “data exporter” under the Standard Contractual Clauses (notwithstanding that Creator may itself be an entity located outside the EU); and (ii) Schedule A of this Agreement shall replace Appendixes 1 and 2 of the Standard Contractual Clauses, respectively. The parties further agree that the Standard Contractual Clauses will solely apply to Creator Data that is transferred via Tourism Academy, Inc. Services from the EEA, the UK, and/or Switzerland to outside the EEA, the UK, and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the European Data Protection Law).
6.3. The Creator acknowledges and agrees that Tourism Academy, Inc. shall be entitled to enter into Standard Contractual Clauses with any Sub-processor on behalf of the Creator.
7. Limitation of Liability
8. Jurisdiction Specific Terms
8.1. To the extent Tourism Academy, Inc. processes Creator Data originating from and protected by applicable Data Protection Laws in one of the jurisdictions listed in Schedule C, then the terms specified in Schedule C with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Agreement. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Agreement, the applicable Jurisdiction Specific Terms will take precedence.
9.1. Superseding Agreement. Unless otherwise agreed to between the parties, Creator acknowledges and agrees this Agreement shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with Tourism Academy, Inc. Services.
9.2. Severability. If any one or more of the provisions contained in this Agreement is, for any reason, held to be invalid, illegal, or unenforceable in any respect, that invalidity, illegality, or unenforceability will not affect any other provisions of this Agreement, but this Agreement will be construed as if those invalid, illegal, or unenforceable provisions had never been contained in it, unless the deletion of those provisions would result in such a material change so as to cause completion of the transactions contemplated by this Agreement to be unreasonable.
9.5. Updates. Tourism Academy, Inc. may update the terms of this Agreement from time to time, at its sole discretion, provided Tourism Academy, Inc. gives Creator reasonable advance notice of the update. Any additional amendments, change or alteration of this Agreement must be made in writing and duly signed by both Parties in order to become valid and effective.
9.6. Notices. Unless otherwise specified in this Agreement, each party giving notice or other communication required or permitted under this Agreement shall use one of the following methods of delivery: personal delivery, mail (registered or certified mail, postage prepaid, return-receipt requested), nationally recognized overnight courier (fees prepaid), or email.
9.7. Headings. The descriptive headings of the sections and subsections of this Agreement are for convenience only, and do not affect this Agreement, construction or interpretation.
9.8. Gender/Plural. Whenever such wording may appear in this Agreement, words in the singular shall mean and include the plural and vice versa and words in the feminine shall mean and include the masculine and vice versa.
10. Governing law and Jurisdiction; Disputes and Arbitration dispute
10.1. Unless otherwise required by applicable Data Protection Laws, this Agreement shall be governed in accordance with the laws of the State of Florida without regard to its conflicts of laws principles. Any action arising out of or relating to this Agreement shall be filed only in the state or federal courts located in the County of Broward in the State of Florida. You consent and submit to the exclusive personal jurisdiction of such courts for the purpose of litigating any such action.
10.2. Any dispute, controversy, proceeding, or claim arising out of or in connection with or relating to this Agreement shall be resolved by binding confidential arbitration by JAMS pursuant to its Optional Expedited Arbitration Procedures then in effect for JAMS. The arbitration will be conducted in Broward County, Florida, unless Creator and Tourism Academy, Inc. agree otherwise. Any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction.
Schedule A: Details of Processing
The Tourism Academy’s Processing of Creator Data under this Agreement shall be in accordance with this Schedule A.
1.Subject matter of Processing: Creator Data, as defined in this Agreement.
2.Duration of the Processing: Tourism Academy, Inc. will store Creator Data in accordance with Section 3.6 of this Agreement (Term and Termination)
3.Nature and Purpose of the Processing: Tourism Academy, Inc. provides an open online content creation platform and additional services and tools to allow Creators to offer courses and other services to their Students. Creators may upload, submit, or otherwise provide Creator Content to the Tourism Academy, Inc. Platform in connection with their use of Tourism Academy, Inc. Services.
4.Data Subjects and Categories of Personal Data
A Creator may upload, submit, or otherwise provide certain personal data to the Platform, the extent of which is typically determined and controlled by the Creator, in its sole discretion. The type of data subjects and categories of personal data included will depend on the nature of the Creator Content, and may include personal data about the Creator and/or third parties, such as biographical and contact information.
Schedule B: Security Measures
The Security Measures applicable to the Tourism Academy, Inc. Platform are described here (as updated from time to time in accordance with Section 5.1 of this Agreement).
Schedule C: Jurisdiction-Specific Terms
The definitions of: “controller” includes “Business”; “Sub-Processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the California Consumer Privacy Act (“CCPA“).
The Tourism Academy’s obligations regarding data subject requests, as described in Section 4 of this Agreement, apply to Consumers’ rights under the CCPA.
For this “California” section of Schedule C only, Creator’s documented instructions shall include, in addition to the purposes set out in Section 2.2, processing of Creator Data as may be permitted for “service providers” under CCPA.