Scholastica Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service available at Terms of Service, entered into by and between the Customer and Scholastica, Inc. (“Scholastica”). The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.

In the course of providing the Site or Services to Customer, Scholastica may process personal data on behalf of Customer. Scholastica agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Site or collected and processed by or for Customer through the Site.

Data Processing Terms

In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.

“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;

The parties agree that the Customer is the data controller and that Scholastica is its data processor in relation to personal data the Customer enters and that is processed in the course of providing the Site and Services (e.g. a journal editor uploads in potential reviewer email addresses into Scholastica, or an institutional account administrator uploads email addresses of their faculty). Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Scholastica.

The parties agree that Scholastica is the data controller in relation to personal data entered by the data subject themselves (e.g. a user creating an account and uploading their name, email address, etc.). Scholastica may also act as a controller of Customer-entered data. For example, we may need to use certain customer data for the legitimate interests of billing, customer support, and in the context of detecting problems within the Site.

In respect of personal data processed in the course of providing the Application Services, Scholastica:

  1. shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Terms of Service) or via written instructions from the Customer (e.g. if the customer requests data be exported). If Scholastica is required to process the personal data for any other purpose provided by applicable law to which it is subject, Scholastica will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
  2. shall notify Customer without undue delay if, in Scholastica's opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
  3. shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
  4. may hire other companies to provide limited services on its behalf, provided that Scholastica complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Scholastica has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Scholastica remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Scholastica transfers personal data will have entered into written agreements with Scholastica requiring that the subcontractor abide by terms substantially similar to this DPA.
  5. shall ensure that all Scholastica personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause;
  6. shall implement appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data);
  7. when the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at the Customer’s request to assist Customer in meeting Customer’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA;
  8. may transfer personal data from the EEA to the US for the purposes of this DPA;
  9. If Scholastica becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Scholastica in the course of providing the Site or Services (an “Incident”) it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Scholastica shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
Last updated on May 24, 2018