These Special Terms for the Educator Tools (“ET Special Terms”) are part of the Institutional License Agreement (“Agreement) between AMBOSS SE, Torstraße 19, 10119 Berlin (“AMBOSS”) and the Institutional Partner, as specified in the Agreement (AMBOSS and the Institutional Partner together “Parties”) with an Effective Date corresponding to the Effective Date of the Agreement. They apply for the duration of the Agreement in addition to the Terms and Conditions that are attached to or linked in the Agreement. Where terms are used in capital letters in these ET Special Terms without being expressly defined herein, such terms shall have the meanings assigned to them in the Agreement.
1. Scope of the Educator Tools and control
1.1 AMBOSS offers Institutional Partners that are licensing the AMBOSS Program continuous access to dashboards containing the following personalized performance and usage data (“Insights Data”) of users who use the AMBOSS Program via the institutional license (“Insights Dashboards”) via so-called Educator Tools or comparable technical solutions (e.g. spreadsheet exports):
- First and last name;
- Email address;
- Year of study, cohort and learning object;
- Performance data (e.g. quota of correct answers, number of articles read or questions answered, course completion, learning recommendations).
1.2 For the purposes of such joint processing, AMBOSS provides the access infrastructure while the Institutional Partner enables the collection of Insights Data within its sphere of responsibility.
1.3 AMBOSS and the Institutional Partner act as joint controllers pursuant to Art. 26 of the EU General Data Protection Regulation (“GDPR”) with respect to the Insights Data that is strictly necessary for the following purposes:
- Supporting the learning performance of Authorized Users;
- Content management/assignment to accompany the learning performance of Authorized Users; and
- Compliance (e.g. completion of mandatory courses), quality and cost control.
1.4 Within the scope of joint controllership, the Institutional Partner may only process Insights Data for the purposes specified above; AMBOSS may additionally process Insights Data in order to fulfill its contractual obligations under the Agreement and these ET Special Terms, i.e., to register relevant users with the AMBOSS Program, to engage in transactional communication with such users in relation to their AMBOSS account, and to support relevant users in their learning process with the AMBOSS Program, e.g., through personalized learning recommendations in relation to content and tools, technical user support, etc. If one of the Parties uses Insights Data outside of joint controllership for its own purposes, that Party acts as an independent controller for this processing.
1.5 The Parties may process the Insights Data for the duration of the Agreement and shall delete it thereafter.
1.6 The Institutional Partner ensures that no restrictions on processing arise from any legal or contractual regulations applicable to the legal relationship between the Institutional Partner and the respective user.
2. Responsibility under data protection law
2.1 Allocation of responsibilities: The responsibilities for fulfilling the obligations with regard to joint data processing are defined as follows:
a) Legal basis: The Parties base the joint data processing of the Insights Data on the necessity to fulfill the contract with the user; the Educator Tools including the Insights Dashboards are part of the services for which the user accepts the terms of use (Art. 6 para. 1 lit. b GDPR).
b) Provision of information and data subject rights: AMBOSS will provide the required data protection information to users in relation to the Insights Dashboards and serves as the primary point of contact for data subject rights. The Institutional Partner may additionally inform its users in the context of its studies and shall forward any user request it receives to AMBOSS without undue delay. AMBOSS ensures that the essence of this arrangement is made available to the users in an appropriate form, including but not limited to privacy notices or websites. AMBOSS is designated as the central contact point for supervisory authorities in accordance with Art. 26 GDPR, without prejudice to the obligation of the Institutional Partner to immediately forward any request it receives to AMBOSS.
c) Data security: Each Party remains independently responsible for ensuring data security and in particular for the implementation of appropriate technical and organizational measures to ensure an adequate level of data protection within its own sphere of responsibility.
d) Data breaches/supervisory authorities: The Parties shall inform each other without undue delay of personal data breaches or inquiries from supervisory authorities relating to their joint processing and shall cooperate within their respective responsibilities in handling such matters, including coordination before responding to supervisory authorities. Each Party shall take immediate measures within its own organization that are necessary to secure the data and to mitigate possible adverse consequences.
e) Data protection impact assessments and accountability: Where a data protection impact assessment is required, AMBOSS shall conduct such assessment in consultation with the Institutional Partner. Each Party shall document the allocation of responsibilities set out in these ET Special Terms.
2.2 Liability: The Parties are liable to data subjects in accordance with Art. 82 GDPR. Internally, each Party shall be responsible only for breaches of obligations falling within its own sphere of responsibility.
2.3 International data transfers:
a) Insofar as personal data is transferred to an Institution located in a country outside the European Union/European Economic Area (EU/EEA) for which the EU Commission has not issued an adequacy decision, the Parties agree that such transfers will be safeguarded by the EU Standard Contractual Clauses (“SCC” - Commission Implementing Decision (EU) 2021/914).
b) By signing the Agreement, the Parties legally conclude the SCC Module 1 (Controller-to-Controller), and the following shall apply. A separate execution of the SCC shall not be required:
- Clause 7: The optional docking clause is included.
- Clause 11: The optional wording is excluded.
- Clause 13(a): The competent supervisory authority is the authority of the EU Member State in which the data exporter is established.
c) The Parties agree that the applicable Annexes of the SCC are specified and completed by the corresponding sections of these ET Special Terms. In particular, Annex I SCC corresponds to the information set out in these ET Special Terms, where AMBOSS is the data exporter and the Institutional Partner – as identified in the Agreement – is the data importer and the Berlin Commissioner for Data Protection and Freedom of Information (Alt-Moabit 59-61, 10555 Berlin, Germany) is the competent supervisory authority. The information for Annex II SCC corresponds to the information the Parties agreed upon in Sec. 2.1 c) of these ET Special Terms.