Data Processing Agreement
This Data Processing Agreement (“DPA”) is an addendum to the legal Agreement between you and Kahoot! for your use of the Kahoot! Services.
For the purposes of the DPA the following definitions apply:
“Customer Personal Data” means all Personal Data which Kahoot! processes on behalf of the Customer.
“Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, the “GDPR”); (ii) in respect of the United Kingdom (“UK”), any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union; and (iii) the Norwegian legislation implementing the GDPR.
“New Sub-Processor” means any Sub-Processors engaged by Kahoot! after the effective date of the Agreement.
“SCC” means the European Commission’s standard contractual clauses for data transfers between EU and non-EU countries.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.
“Sub-Processor” means an entity to which Kahoot! subcontracts its processing of the Customer Personal Data.
“Data Subject”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processor” and “Supervisory Authority” shall have the meaning provided to such term pursuant to Data Protection Law.
All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA (including the SCCs (where applicable), as defined herein).
Roles and responsibilities
The parties acknowledge and agree that with regards to the processing of Customer Personal Data, Customer is the controller and Kahoot is a processor acting on behalf of Customer as further described in Annex A (Details of Data Processing).
Kahoot shall process Customer Personal Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”).
The Customer shall (i) comply with its obligations under applicable laws, including Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions issued to Kahoot; (ii) provide all notices and obtain all consents and rights necessary under Data Protection Laws for Kahoot to process Customer Personal Data for the purposes described in the Agreement. This DPA does not relieve the Customer of its obligations under Data Protection Law.
Customers will not provide (or cause to be provided) any Sensitive Data to Kahoot! for processing under the Agreement, and Kahoot will have no liability for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
If, in Kahoot!’s opinion, an instruction from the Customer is in violation of Data Protection Law or other mandatory national or EU/EEA law, Kahoot! shall immediately notify the Customer thereof.
The above limitation does not apply in so far as Kahoot! is obligated to process Customer Personal Data pursuant to national law or EU/EEA law. In the event of any such obligation, Kahoot! shall immediately notify the Customer, unless mandatory law prevents Kahoot! from disclosing this information.
Kahoot! will implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and any other breach of security in accordance with Article 32 (1) of the GDPR. The security measures shall at all times be designed to preserve the security and confidentiality of Customer Personal Data in accordance with Kahoot!’s security standards set out in Annex B to this DPA.
Kahoot! shall ensure that Customer Personal Data is solely processed by Kahoot!’s personnel who are authorized by Kahoot! to process Customer Personal Data. This entails that relevant Kahoot! personnel who process Customer Personal Data are (i) granted access to the Customer Personal Data on a need-to-know basis, (ii) familiar with the provisions under Data Protection Law and the obligations imposed on Kahoot! under this DPA, (iii) regularly trained in the care, protection and handling of Personal Data, (iv) authorized to Process the Customer Personal Data, and (v) subject to a duty of confidentiality (whether a contractual or statutory duty).
Customer is responsible for reviewing relevant information pertaining to data security as is made available by Kahoot!. Based on such information, the Customer shall make an independent assessment on whether the Kahoot! Service complies with the Customer’s obligations pursuant to applicable laws, including Data Protection Laws. Customer understands that the Kahoot! security measures may be updated or modified as needed, provided that such updates and/or modifications do not negatively degrade the overall level of security for the Kahoot! Services provided to Customer.
Security incidents and notification
Upon becoming aware of any Personal Data Breach, Kahoot! shall (i) without undue delay notify the Customer, and where feasible, in any event no later than 24 hours from becoming aware of the Personal Data Breach, (ii) promptly take reasonable steps to contain and investigate any Personal Data Breach and (iii) provide all reasonable information and cooperation necessary for the Customer to fulfil its Personal Data Breach requirements under Data Protection Law. Notwithstanding the foregoing, the Customer is responsible for notifying the Personal Data Breach to the competent Supervisory Authority. Kahoot!’s notification of or response to a Personal Data Breach under this Section 4 shall not be construed as an acknowledgment by Kahoot! of any fault or liability with respect to the Personal Data Breach.
Cooperation with the Customer
Taking into account the nature of the processing, Kahoot! shall by appropriate technical and organizational measures, insofar as this is possible, assist the Customer to respond to Data Subject’s request for exercising the Data Subject’s rights under Chapter 3 of the GDPR.
Furthermore, taking into account the nature of the processing and the information available to Kahoot!, Kahoot! shall assist the Customer with the Customer’s obligations to:
- Implement appropriate technical and organizational measures for the purpose of complying with Data Protection Law;
- Carry out data protection impact assessments; and
- Conduct prior consultations with Supervisory Authorities.
For the avoidance of doubt, Kahoot! shall be entitled to receive remuneration for any documented costs Kahoot! incurs in connection with its assistance under this section 5.
Audit and compliance review
Kahoot! shall, in relation to its processing of Customer Personal Data, maintain documentation of its compliance with this DPA and Data Protection Law, including written records of all Customer Personal Data processed on behalf of the Customer. Kahoot! shall provide access to the aforementioned documentation upon the Customer’s reasonable notice.
Kahoot! shall allow for and contribute to audits, including inspections, conducted by the Customer of Kahoot!’s premises and security systems specific for Customer, as Customer may reasonably require to ascertain compliance with Data Protection Law. The Parties shall agree on the timing of such audits, including the scope and methods for the audits. Unless otherwise agreed, a maximum of one (1) audit may be conducted each year. Notwithstanding the foregoing, the Customer shall be entitled to carry out additional audits to the extent that the performance of such audits is necessary for the Customer’s compliance with Data Protection Law. The Customer shall give Kahoot! reasonable notice of the audit. The audit shall be conducted in a manner that causes the least possible disruption to Kahoot!’s ordinary operations.
The Customer may appoint a third party to conduct audits on its behalf at Customer’s own expense. The relevant third party may not be a competitor of Kahoot!.
Costs for any audits initiated by the Customer pursuant to this Section 6 shall be borne by the Controller. Notwithstanding the foregoing, if audits pursuant to this Section 6 identify that Kahoot! is in material non-compliance with this DPA or Data Protection Laws, costs for such audits shall be borne by Kahoot!.
Use of Sub-Processors
Kahoot! may subcontract its processing of the Customer Personal Data to a Sub-Processor.
Kahoot! shall enter into a written agreement with each Sub-Processor, requiring the Sub-Processor to comply with data protection obligations equivalent in all material respects to those imposed on Customer under this DPA. Kahoot! shall be responsible for any acts or omissions of such Sub-Processor in breach of this DPA and for any acts or omissions of such Sub-Processors that cause Kahoot! to breach any of its obligations under this DPA.
Kahoot! will notify the Customer if Kahoot! intends to appoint or use a New Sub-Processor to the extent applicable to the nature of the service provided by such New Sub-Processor. If the Customer has reasonable grounds to object to Kahoot!’s use of a New Sub-Processor, and such objection directly relates to Customer’s obligations under Data Protection Law, the Customer shall notify Kahoot! thereof in writing within fifteen (15) calendar days after receipt of Kahoot!’s notice. The list of Kahoot!’s current Sub-Processors is available here.
Following such an objection from the Customer, Kahoot! shall be entitled to terminate the Agreement for convenience without being obligated to refund any amounts that You have already paid, to the fullest extent permitted under applicable law.
Customer agrees that Kahoot! shall be entitled to transfer and process Customer Personal Data within the EU/EEA.
Subject to section 7, Customer acknowledges that Kahoot! may transfer and process Customer Personal Data to areas outside the EU/EEA because of the geographical location of the data centers of some of our Sub-Processors. Kahoot! shall ensure that such transfers are made in compliance with the requirements of the Agreement, this DPA and Data Protection Law.
To the extent that Kahoot! transfers Customer Personal Data protected by EU Data Protection Laws to a country outside of EU/EEA that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), Kahoot! shall ensure that the transfer is based on SCCs in the form currently approved by the European Commission. Kahoot! shall enter into a written agreement including SCCs with all of Kahoot!’s sub-processors that might process Customer Data outside the EU/EEA, and shall require that its sub-processors abide by and process EU Data in compliance with SCCs. For the purposes of the descriptions in the SCCs, Kahoot! agrees that it is the “data importer”, and Customer is the “data exporter” (notwithstanding that Customer may itself be an entity located outside the EU/EEA).
Return or Deletion of Data
Upon termination of the Agreement, Kahoot! shall delete or return to Customer, at Customer’s choice, all Customer Personal Data in Kahoot!’s possession or control. This requirement shall not apply to the extent Kahoot! is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived in back-up systems, which Kahoot! shall securely isolate, protect from any further processing and eventually delete in accordance with Kahoot!’s deletion policies, except to the extent required by applicable law.
Annex A – Details of Data Processing
Kahoot! is the Processor of Customer Personal Data.
The Customer is the Controller of Customer Personal Data.
The subject matter of the data processing under this DPA is Customer’s Personal Data.
Duration of processing:
Kahoot will process Customer Personal Data as outlined in Section 9 (Return or Deletion of Data) of this DPA.
Purposes of processing:
Kahoot! shall only process Customer Personal Data for the following purposes: (i) processing as necessary to provide the Kahoot! Services in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Kahoot! Services; and (iii) processing to comply with any other reasonable instructions by Customer (e.g. via email or support tickets) that are consistent with the terms of the Agreement.
Nature of the processing:
Kahoot provides a learning platform, and related services, that allows our users to create and upload content, play and host games and invite others to join a game, as more particularly described in the Agreement.
Data Subjects include the individuals about whom data is provided to Kahoot! via the Kahoot! Service under the Agreement, for example participants in a Kahoot game, Customer’s employees or students, and other third parties that Customer includes in the use of the Kahoot! Services.
Categories of Personal Data
The Customer may upload, submit or otherwise provide certain Personal Information to or for the use of the Kahoot! Services, the extent of which is typically determined and controlled by the Customer in its sole discretion, and may include email addresses (required for login), organization (required), user name, name, location, picture, game reports (including scores and in-game activities), and profile bio.
Kahoot! does not want to, nor does it intentionally, collect or process any Sensitive Data as part of the provision of the Services.
Annex B – Security Measures
The Security Measures applicable to the Service are described here (as updated from time to time in accordance with Section 3 of this DPA).