Changes to the Unicorn Subscription Services Terms and Conditions (all products and Services)
Why the change?
GDPR, the new General Data Protection Regulation: There is a new European General Data Protection Regulation (known as the GDPR) which will come into force in the UK from 25 May 2018. The new legislation represents a significant change to the legal requirements to protect personal data and how ‘data controllers’ and ‘data processors’ deal with one another.
Information on the GDPR and what this may mean for your business can be found on the UK Information Commissioner’s website here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
We have updated the Data Protection clause of our terms and conditions to help us and you comply with the legal requirements of the GDPR.
What next?
The following Data Protection provision shall take effect from 00:01 on 25 May 2018 and shall supersede the relevant clauses of your current Agreement. All other terms and conditions remain unchanged.
We strongly recommend that you read and save a copy of the new clause for future reference.
New Definitions
GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016 and any and all national legislation implementing the same into UK law from time to time. |
DPA | The Data Protection Act 1998 |
Data Protection Legislation | Any law, statute, regulation, rule or other binding restriction regarding the protection of individuals with regards to the Processing of their Personal Data to which a party is subject, including the DPA (until 00:01 on the 25 May 2018) and the GDPR (from 00:01 on 25 May 2018) and any code of practice or guidance published by the Information Commissioner’s Office from time to time. |
Data Protection clause amendment
1.0 Obligations
1.1 The terms “process”, “personal data”, “data processor”, “data controller”, “data subject” shall have the terms given to them in the Data Protection Legislation.
1.2 Both parties will comply with all applicable requirements of the Data Protection Legislation.
1.3 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the data controller and Unicorn is the data processor.
1.4 Appendix 1 sets out the scope, nature and purpose of processing by Unicorn, the duration of the processing and the types of personal data and categories of data subject.
1.5 Without prejudice to the generality of clause 1.2, the Customer will:
1.5.1 ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to Unicorn for the duration and purposes of this Agreement;
1.5.2 notify Unicorn without undue delay on becoming aware of a personal data breach which has or may have an impact on the processing carried out by Unicorn or the written instructions for processing including the details of processing Customer Data, Appendix 1.
1.6 Without prejudice to the generality of clause 1.2, Unicorn shall, in relation to any personal data processed in connection with the performance by Unicorn of its obligations under this Agreement:
1.6.1 process that personal data as agreed with the Customer (including the information in Appendix 1) unless Unicorn is required by the laws of any member of the European Union or by the laws of the European Union applicable to Unicorn to process personal data (Applicable Laws). Where Unicorn is relying on laws of a member of the European Union or European Union law as the basis for processing personal data, Unicorn shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Unicorn from so notifying the Customer;
1.6.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and Services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
1.6.3 ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential; and
1.6.4 not transfer any personal data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
1.6.4.1 the Customer or Unicorn has provided appropriate safeguards in relation to the transfer;
1.6.4.2 the data subject has enforceable rights and effective legal remedies;
1.6.4.3 Unicorn complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
1.6.4.4 Unicorn complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data;
1.6.5 assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
1.6.6 notify the Customer without undue delay on becoming aware of a personal data breach;
1.6.7 at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Law to store the personal data;
1.6.8 maintain complete and accurate records and information to demonstrate its compliance with this Clause 1; and
1.7 Unicorn is audited annually by independent external auditors as part of its continuing ISO27001 accreditation to validate that Unicorn has appropriate technical and organisational measures (TOMs) in place. At the Customer’s cost and at reasonable notice, Unicorn will allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller in accordance with the following procedures:
1.7.1 At the Customer’s written request Unicorn will provide the Customer with the most recent confidential ISO 27001 audit report and certificate.
1.7.2 Unicorn will cooperate with the Customer by providing additional information necessary to demonstrate compliance with the obligations as described in this section of the terms and conditions.
1.8 The Customer consents to Unicorn appointing the following suppliers as sub-processors of personal data under this Agreement. Unicorn confirms that it has entered with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and Unicorn, Unicorn shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this Clause 1.
1.9 Unicorn maintains a list of current sub-processors. The current list of sub-processors is available at: https://help.unicornlms.com/hc/en-us/articles/360000233609-Unicorn-s-Sub-Processors-
1.10 Any changes made or additions to the requirements of the Customer in respect of its data processing requirements shall be dealt with via a written agreement between the two parties. Changes made under this clause 1.8 shall entitle Unicorn to modify the Services as it sees fit or, if such changes cannot be agreed, Unicorn shall be entitled to terminate the Services.
Appendix 1
Details of processing Customer Data
1. Processing by Unicorn
1.1 Subject matter
This Appendix applies to the processing of Personal Data that is reasonably necessary for the provision of the agreed Services.
1.2 Nature
Unicorn provides Software as a Service (SaaS) and Content as a Service (CaaS). Any processing is to support the provision of learning resources (eLearning, courseware, assessments, video and audio files, text documents and such other learning) hosted, launched and tracked within the Unicorn LMS.
1.3 Purpose of processing
To provide the Customer with End User data for management information, reporting and CPD, to support the provision of the Services.
1.4 Duration of the processing
For the duration of the Initial Subscription Period, Extended Subscription Period and any subsequent Subscription Renewal Periods. The data controller can delete Personal Data on its own initiative at any time during the Subscription Period.
2. Types of personal data
The Unicorn LMS has been designed to process the following types of personal data: name, company provided email address, photograph, about/bio, employment start/end, job title, employee ID, line manager, job role and performance reviews. Additionally, login times, system actions, content usage, assessment results, and continued professional development (CPD) are also recorded for each user account. We also process data that the Customer and End Users upload as part of the provision of the Services and choose to include ("incidentally-collected Personal Information"). The Unicorn LMS has not been designed to store sensitive personal data and there is no requirement or reason for the Customer or End User to upload any data of this type.
3. Categories of data subject
The categories of data subjects are Customer’s Administrators and End Users, such as employees, contractors, collaborators, and consumers.
4. Sub-processors
The Customer consents to Unicorn appointing the following suppliers as sub-processors of Personal Data under this Agreement. Unicorn confirms that it has entered with the third-party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and Unicorn, Unicorn shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to the amended clause.