This article is also available in:
We have made some alterations to the Data Processing Agreement (DPA), in summary, apart from some textual amendments:

We have renamed the agreement; instead of Data Processor Agreement, it is now named Data Processing Agreement.
The name of our company was changed from Quizworks B.V. to EasyLMS B.V., so we have updated this in the DPA.
We have clarified in the definition of the “Service Agreement” (article 1.7), on the basis of which the personal data are processed, that this agreement can consist of our terms and conditions or another type of agreement.
We have removed from article 2.2 the wording that states that you, as the controller, must warrant and guarantee that you will apply with the applicable personal data legislation. It now only states that this is your responsibility.
In the same article, we have added that a part of the GDPR-compliance obligations on the part of the controller is also to inform the data subjects (the participants) about the processing.
We have removed article 2.3, which states that we have appointed a person to act as the contact person for the controller and that we will share the contact details with the controller. We do of course have a contact person for data protection questions (whom you can contact using our general email address) and issues, but we will not actively share the relevant person’s details.
In article 3.3, which concerns the situation where we would receive an order to disclose personal data. If we are not prohibited from notifying you of such an order, we will notify you thereof and we will disclose only the personal data you advise us to disclose in a notice you send us. We have added to this clause that the notice must be given timely and if the notice is not timely given, we will disclose such personal data as we deem is required pursuant to the legal requirement.
We have added article 3.4, which states that if, in our opinion, an instruction given by the controller infringes on the GDPR, we will notify the controller thereof and we will not have to comply with such an instruction.
In article 5.2, we have changed the wording that our employees will only have access to the personal data if they are required to do so on the basis of the DPA to: for the purpose of providing the Services. We feel this explains the access purposes more clearly.
In article 5.3, we have added that the information about our security measures is made available on our website. In addition, we have clarified that a requested overview of security measures is about security measures in place at the time of the request.
We have clarified in article 7.1 that if the controller does not agree with a change of sub-processors, in addition to being allowed to terminate the Services, the controller is also entitled to terminate the Service Agreement.
In article 8.2 (data export), in light of the European Court of Justice judgment in the Max Schrems II case, we gave added that if we transfer personal data to outside the EEA, if this is required, supplementary measures will be taken to safeguard the personal data. Please note however that at present, we do not transfer or store personal data outside the EEA.
We have added a sentence to article 11.2 that, if we are obliged to retain personal data pursuant to a legal obligation, we will delete the data after the legal retention term has expired.
From a practical perspective, we have changed article 12.3. This article provides that changes to the DPA can be notified by us to the controller and the controller can object to such changes (unless the change is dictated by applicable law) and end the Services Agreement.
We have updated Schedule 2 to update the information about our sub-processors and where they are located. Please note they are located in the EEA.

If you have any questions about these changes, feel free to ask us in the chat or by mailing
Was this article helpful?
Thank you!