DATA PROTECTION AGREEMENT 

THIS DATA PROTECTION AGREEMENT ("DPA") is effective on the same date it is signed. 

BACKGROUND 

  1. Busuu Limited (“Busuu”) is a private limited company incorporated in England and Wales with company registration number 08172044, whose registered office is located at Broadwalk House, 5 Appold Street, London EC2A 2AG.
  2. This Busuu DPA shall apply to the order by the Customer named in the Order Form (the “Customer”) and the supply by Busuu of the services described in the Order Form.    
  3. The Parties have signed an Order Form incorporating the business services agreement for Busuu to provide online language learning platform services to Employees of Customer and which also incorporates this DPA (the "Agreement"). 
  4. The Agreement will require Busuu to process personal data on behalf of Customer up to the point at which the Employees enter into an arrangement directly with Busuu.
  5. This DPA sets out the additional terms, requirements and conditions on which Busuu will process personal data of Employees on behalf of Customer when providing services under the Agreement.
 

AGREED TERMS 

  1. Definitions
 
  1. Terms defined in the Agreement shall have the same meaning when used in this DPA, unless defined below. In addition, the definitions below apply in this DPA.
 

"Busuu Purposes" means the delivery of online language learning to individuals in accordance with Busuu's Terms of Service available at https://www.busuu.com/en/terms 

"Customer Data" means the personal data described in Schedule 1 to this DPA. 

"Data Protection Law" means all applicable legislation and regulations relating to the protection of personal data as may be amended or superseded from time to time (including without limitation EU Data Protection Law and UK Data Protection Law, as applicable);  

"Effective Date" means the date indicated on the first page of this DPA. 

"Employee" means any employee, director, officer, independent contractor or temporary member of staff of Customer; 

"EU Data Protection Law" means:  

  1. all EU regulations or other legislation applicable (in whole or in part) to the processing of personal data (such as Regulation (EU) 2016/679 (the "GDPR")); 
  2. the national laws of each EEA member state implementing any EU directive applicable (in whole or in part) to the processing of personal data (such as Directive 2002/58/EC (the "e-Privacy Directive")); and 
  3. any  other national laws of each EEA member state applicable (in whole or in part) to the processing of personal data,  

as amended or superseded from time to time;  

"Order Form" means the Busuu Order Form agreed between the parties and referencing this DPA. 

"Permitted Purpose" means administration purposes in anticipation of being contacted by Employees (or as otherwise agreed in writing between the Parties); 

"Point of Contact" means the point in time at which Busuu is contacted by an Employee for the purposes of setting up a Busuu language learning account; 

"Security Incident" means (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Customer Data; 

"UK Data Protection Law" means:  

  1. the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); 
  2. the Data Protection Act 2018 (the "DPA 2018");  
  3. the Privacy and Electronic Communications (EC Directive) Regulations 2003 as they continue to have effect by virtue of section 2 of the European Union (Withdrawal) Act 2018 ("PECR"); and
  4. any other laws in force in the UK from time to time applicable (in whole or in part) to the processing of personal data,

as amended or superseded from time to time.  

  2. In this DPA, the terms "controller", "processor", "data subject", "personal data", "processing" (and "process" and "processed") and "special categories of personal data" shall have the meanings given in Data Protection Law. 

2. Busuu acting as a Processor up to the Point of Contact 
  1. The Parties agree that, with respect to the processing of Customer Data up to the Point of Contact:  
    1. Customer (the controller) appoints Busuu as a processor to process Customer Data for the Permitted Purpose. The subject matter, duration, nature and purpose of the processing of Customer Data up to the Point of Contact are as set out in Schedule 1 and shall constitute Customer’s documented instructions for processing.  Each party shall comply with the obligations that apply to it under Data Protection Law including, in the case of Customer, for the purposes of facilitating the delivery of the Business Services with Busuu.  If Busuu becomes aware that processing for the Permitted Purpose infringes Data Protection Law, it shall promptly inform Customer. 
    2. Busuu shall ensure that any person that it authorises to process the Customer Data (including its staff, agents and subcontractors) shall be subject to a strict duty of confidentiality and that they shall only process the Customer Data for the Permitted Purpose. 
    3. Busuu shall implement appropriate technical and organisational measures as set out in Schedule 2 to protect the Customer Data from a Security Incident.  If it becomes aware of a Security Incident, Busuu shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer in order for Customer to fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Data Protection Law. Busuu shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident. 
    4. Customer consents to Busuu engaging third party subprocessors to process the Customer Data for the Permitted Purpose provided that: (i) Busuu maintains an up-to-date list of its subprocessors at https://docs.google.com/document/d/1UtM0fSUIypTjHlRnfZNWzBFSoAVUadC-a6-VUbuw37Y/, which it shall update with details of any change in subprocessors at least 10 days' prior to any such change; (ii) Busuu imposes data protection terms on any subprocessor it appoints that require it to protect the Customer Data to the standard required by Data Protection Law; and (iii) Busuu remains liable for any breach of this Clause 2.1 that is caused by an act, error or omission of its subprocessor.  Customer may object to Busuu's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection.  In such event, Busuu will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).  
    5. Busuu shall provide reasonable cooperation to Customer in connection with any data protection impact assessment that Customer may be required to conduct under Data Protection Law in respect of processing of the Customer Data for the Permitted Purpose. 
    6. If an Employee(s) to whom Customer Data relates does not contact Busuu within a period of  30 (thirty) days from the date of receipt by Busuu of Customer Data relating to such Employee(s), then Busuu shall (at Customer's option) destroy or return to Customer the Customer Data relating to such Employee(s) in its possession or control at the end of such 30 (thirty) day period (or upon termination or expiry of this Agreement, if earlier).  For Employees that set up a Busuu language learning account within thirty (30) days of the Customer Data being made available by Customer to Busuu, Busuu shall continue to process the personal data of such Employees as a separate and independent controller as from the Point of Contact in accordance with Clause 3.  The requirements for destruction or return of Customer Data set out in this Clause 2.1(f) shall not apply to the extent that Busuu is required by applicable law to retain some or all of the Customer Data relating to such Employee(s), or to Customer Data relating to such Employee(s) that it has archived on back-up systems, in which event Busuu shall securely isolate and protect it from any further processing except to the extent required by such law until deletion is possible. 
    7. Upon request, Busuu shall supply a summary copy of any audit report(s) to Customer which are relevant to its compliance with this Clause 2.1, which shall be subject to the confidentiality clauses of the Agreement.  Busuu shall also respond to any written audit questions submitted to it by Customer provided that Customer shall not exercise this right more than once per year. 
    8. Busuu shall not transfer the Customer Data outside of the European Economic Area ("EEA") or the UK, as applicable, unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Law.  Such measures may include (without limitation) transferring the Customer Data to a recipient in a country that the European Commission (or, for transfers from the UK, the Secretary of State) has decided provides adequate protection for personal data, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission (or, for transfers from the UK, the Secretary of State). 
3. Busuu and Customer acting as independent controllers as from the Point of Contact 
  1. The Parties acknowledge that Customer does not provide any Customer Data to Busuu other than on a controller-to-processor basis as outlined in Clause 2.1 and that, from the Point of Contact:
  2. Busuu shall obtain personal data directly from Employees and process it as a separate and independent controller for the Busuu Purposes and in accordance with its then posted privacy policy, which may be updated from time to time; 
  3. Customer shall continue to process personal data relating to its Employees as a separate and independent controller in accordance with its own privacy practices.
4. Cooperation 
  1. In the event that either Party receives any correspondence, enquiry or complaint from an Employee, regulator or other third party  ("Correspondence") related to: (a) the disclosure of Customer Data by Customer to Busuu; or (b) processing of Customer Data by Busuu on behalf of Customer up to the Point of Contact (including in relation to the exercise by an Employee of his or her data protection rights), it shall promptly inform the other Party giving full details of the same, and the Parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Data Protection Law. 

Schedule 1 

Data Processing by Busuu up to Point of Contact 

This Schedule describes the processing that Busuu will perform in relation to the Customer Data up to the Point of Contact. 

Categories of data subjects: Employees of Customer who have been offered the opportunity by Customer to take part in Busuu's online language learning. 

Categories of personal data: Contact Information (i.e. Email address, First Name, Last Name) 

Special categories of data: None 

Subject matter of processing: Online language learning services for Employees of Customer  

Duration of processing: As set out in clause 2.1(f) of the DPA 

Nature and purpose of the processing: The Permitted Purpose as defined in the DPA 

 

Schedule 2 

Security Measures 

Busuu maintains organizational, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Customer Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Busuu will not materially decrease the overall security of the Business Services during the term of the Agreement. 

 

Such safeguards may include, without limitation: 

  1. the encryption and/or hashing of Customer Personal Data in transit and at rest; 
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 
  3. the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident through a formal Business Continuity and Disaster Recovery program; 
  4. a formal internal and external audit process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 

Additionally, Busuu is certified as compliant with the ISO/IEC 27001:2013 Information Security and Privacy Standard. 

Schedule 3 

Subprocessors engaged by the Processor 

| Sub-processor engaged by the Processor for the Processing of Personal Data | Categories of Personal data processed by Sub-processor | Type of Processing | Country of Processing | Country of establishment of the Sub-processor |
| --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) | User data | Hosting | Ireland | Ireland |
| Braze | User data | CRM | US | US |

 

Version 1.1 – April 2023