COPPA. If the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §6501-6506 (“COPPA”) applies to the Services, you are responsible for obtaining all student and/or parental consent as required by COPPA and must provide verifiable evidence of such consent upon our written request, provided that Impero will provide you with any reasonably requested information necessary to fulfill your obligations in obtaining consent. Where COPPA applies to Impero as part of its provision of the Services to Customer, Impero’s information management practices are attached as Exhibit C.
19.1. If we collect “Personal Data” as defined by the Data Protection Legislation as part of delivering the Services to you, then the Impero Data Protection Policy (attached as Exhibit D) and the Impero Data Retention Policy (attached as Exhibit E) apply and are incorporated herein by reference. In so far as required, both you and we agree that we will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
19.2. You acknowledge that for the purposes of the Data Protection Legislation, you are the data controller and Impero is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). The Impero Data Protection Policy and Impero Data Retention Policy set out the scope, nature and purpose of processing by Impero, the duration of the processing and the types of Personal Data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject.
19.3. As the Processor for the Personal Data, Impero will only process Personal Data provided by you or any user (i) in accordance with your written instructions (including this ISA) or (ii) where required to do so by applicable law.
19.4. Without prejudice to the generality of clause 20.3, you will ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of any required Personal Data to Impero for the duration and purposes of this agreement.
19.5. Without prejudice to the generality of clause 20.3, Impero warrants and undertakes that it shall, in relation to any Personal Data processed in connection with the performance by Impero of its obligations under this ISA:
(a) process that Personal Data only on your written instructions unless we are required by the laws of any member of the European Union or by the laws of the European Union applicable to Impero to process Personal Data (Applicable Laws). Where Impero is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, we shall promptly notify you of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit us from so notifying you;
(b) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
(d) not transfer any Personal Data outside of the European Economic Area unless the prior written consent of Customer has been obtained (and the following conditions are fulfilled:
(i) Impero has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) Impero complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
(iv) Impero complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(e) assist you, at your cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(f) notify you without undue delay on becoming aware of a Personal Data breach;
(g) Personal Data will be processed for the duration of this Contract. Upon termination of the Contract, you shall be given the option to have all Personal Data securely deleted or, upon your request, returned to you (in a format specified by Impero), unless applicable law prevents us from returning or destroying all or part of the Personal Data. If you choose not to request the deletion of this Personal Data, the Personal Data will be archived and retained for a maximum period of 7 years, after which the Personal Data is deleted.
19.6. You shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.
19.7. Impero shall, in providing the Services, comply with its IT Security measures relating to the privacy and security of the Customer Data.
Appears in 1 contract
Sources: Impero Services Agreement