Data Processing Addendum in accordance with Art. 28 para. 3 GDPR

Last Updated July 5, 2018

This Data Processing Addendum (DPA) shall govern the transfer, collection, destruction, and processing of Personal Data between SMART Technologies ULC (SMART),‬ and:

  • Any customer (Customer) installing or using SMART hardware, software, or services (Services)
  • A party subject to SMARTs End User License Agreement (EULA)
  • A party subject to an agreement other than the EULA for the provision of SMART products or services (collectively referred to as “Agreement”) to Customer and Customer's Users, (each SMART and Customer shall be referred to as a “Party” and collectively as “Parties”).

The Parties hereby agree to the following terms and conditions, which will be in effect upon the earlier of:

(i) The Effective Date of the Agreement between the Parties,


(ii) The date of first transfer or disclosure of Personal Data by Customer or Customer's Users to SMART (“Effective Date”).

Any capitalized terms not defined herein shall have the meaning ascribed to such terms in the Agreement.


1.1. Customer's Users are any natural persons using or accessing the Services on behalf of, or under authorization of, the Customer, including but not limited to: employees, clients, end-users, contractors, students, and teachers.

1.2. Data refers to Personal Data and Non-Personal Data.

1.3. Data Controller shall have the same meaning as defined in the GDPR, and in this context, is the Customer.

1.4. Data Processor shall have the same meaning as defined in the GDPR, and in this context, is SMART.

1.5. GDPR refers to the Regulation (EU) 2016/679, of the European Parliament and of the Council of 27 April 2016, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.6. Non-Personal Data is any data or information of any kind relating to a Customer or Customer’s Users that is not Personal Data.

1.7. Personal Data, Processing and Special Categories of Personal Data, shall have the same meaning as defined the GDPR’s terms.

1.8. Services refers to the provision of products and services provided by SMART to a Customer under an Agreement.

1.9. Sub-Processors refers to any Processor SMART has engaged in connection with the Processing of Personal Data on behalf of Customer.

1.10. EU refers to the European Union, EEA refers to European Economic Area.


This DPA applies to Customer Data processed by SMART. In this context, SMART acts as Data Processor to the Customer who is the Data Controller with respect to the Customer and Customers’ User Data.

2.1. The Parties agree and represent that Personal Data is required to be Processed in a manner which is lawful, fair and transparent, and that Personal Data must be:

  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which the Personal Data is Processed
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification for no longer than is necessary for the purposes for which the Personal Data is Processed

2.2. In rendering Services to a Customer, the Customer may from time to time disclose Personal Data to SMART, concerning the Customer or the Customer's Users.

2.3. The Customer shall only upload, transfer, Process, or disclose Personal Data pursuant to the terms and conditions specified herein and as permitted under applicable law. In the event the Customer considers any upload, Processing, transfer, or disclosure of Personal Data to be inconsistent with the provisions herein, the Customer shall notify SMART.

2.4. SMART will process the personal data of the Customer’s Users. Who these are depends on the type of organization the Customer is. If the Customer is a company, for instance, the data subjects will be the company’s employees.

2.5. SMART will process the following categories of personal data:

  • User data for software including assessment scores, user generated content, class membership, crash data, district ID and district name, IP address (if not anonymized by the user), school name, self-chosen class or meeting name, username, student device type and operating system, student email, student name, teacher/admin email address, teacher name;
  • User data for hardware including model number, OS and OS version, App build details, Brand (SMART), browser used, information based on IP address (City, Country, Region, Screen DPI, Screen height and width, time stamp.

2.6. SMART will Process Personal Data for the following purposes:

  • The Provision of Services as described in the Agreement to the Customer's Users' including updates and maintenance services
  • To contact the Customer's Users' in connection with the Services
  • To authenticate Customer's Users'
  • To protect the security or integrity of Services and to take precautions against legal liability
  • For the fulfilment of the Agreement and exercising SMART rights and obligations thereunder, provided such Processing is permitted under applicable laws

2.7. The Customer shall not upload, Process, transfer, disclose, or otherwise make available to SMART any Personal Data included in Special Categories of Personal Data.

2.8. Subject to legal and tax requirements, SMART and its Sub-Processors will delete or return all Personal Data which is Processed on behalf of the Customer upon request or within a commercially reasonably timeframe after the termination or expiration of the Agreement or Services.

2.9. SMART retains Personal Data for the duration necessary to:

  1. Fulfill the purposes of Processing described herein, and
  2. As otherwise permitted under applicable law.

2.10. The Customer hereby instructs SMART to Process, on behalf of the Customer Personal Data transferred or disclosed to SMART by the Customer or the Customer’s Users in connection with the Services.

2.11. SMART uses cookies or similar technologies to gather Data. The Customer hereby explicitly authorizes SMART to use cookies and similar technologies in connection with the provision of the Services.

2.12. The Customer may instruct SMART to cease Processing its Personal Data at any time. No refunds for Services will be given if the Services can no longer be provided as a result of ceasing to Process the Data.

2.13. SMART shall process Personal Data only on documented instructions from the Customer. The provisions set forth in this DPA, the Terms, the Agreement, and as otherwise agreed to between the Parties, shall constitute the Customer's documented instructions to SMART under the meaning of Article 28 of the GDPR.


3.1. Provided Sub-Processors comply with the GDPR, the Customer hereby grants SMART express authorization to engage Sub-Processors for the provision of Services. SMART will inform the Customer in due time before authorizing a new Sub-Processor, and the Customer may object to authorization upon reasonable grounds. A list of sub-processors that are currently engaged by SMART to carry out specific processing activities are listed in Exhibit 1. The Customer gives his express authorization to the engagement of sub-processors listed in Exhibit 1.

3.2. Where SMART authorizes any Sub-Processor:

  • SMART will restrict the Sub-Processor’s access to Customer Data only to what is necessary to maintain the Service offerings or to provide the Services to the Customer and any of the Customer’s Users. SMART will prohibit the Sub-Processor from accessing Customer Data for any other purpose.
  • SMART will enter into a written agreement with the Sub-Processor and, impose on the Sub-Processor the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
  • SMART will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause SMART to breach any of SMART’s obligations under this DPA.


4.1. The Customer acknowledges that SMART is an international corporation, and that Personal Data will be stored in the Customer’s home jurisdiction as well as transferred to Canada and the United States. The European Commission has recognized Canada as providing adequate protection. Organizations within the United States of America certified under the EU-US-Privacy Shield are also recognized to provide an adequate level of data protection and may therefore receive Personal Data without further safeguards.

4.2. In the event SMART transfers Personal Data to any other third countries outside the EU/EEA, SMART will use appropriate safeguards to ensure a level of security appropriate to the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transferred and matching the level of security within the EU/EEA. These include the conclusion of Standard Contractual Clauses issued by the EU Commission.

4.3. The Customer shall have sole responsibility to obtain and document all necessary consents from the Customer’s Users to the transfer of their Personal Data.


5.1. SMART assists the Customer in complying with Data Subject’s requests according to chapter III of the GDPR: Upon the Customer's request to SMART, by calling +1 (888) 427-6278, SMART will provide the Customer with the required assistance. This will enable Customer to verify and correct (if required), delete, receive and block the Customer’s Personal Data on file with SMART, not less than thirty (30) days of receipt of such request. In the event any Personal Data is incorrect or outdated, the Customer may update and correct such data by providing SMART with the appropriate information.

5.2. To the extent applicable to the Customer and the Services, the Customer may request the portability of its Personal Data.

5.3. Customer shall have sole liability to comply with obligations in connection with the rights and freedoms of Customer’s Users pursuant to chapter III of the GDPR or other applicable laws. SMART assists the Customer as described in 5.1.

5.4. The Parties agree that SMART shall not be required to respond and process requests and instructions provided by the Customer’s Users. In the event SMART receives a direct request from the Customer’s Users or any other data subject, SMART’s sole responsibility shall be to communicate such requests or instructions to the Customer, who may then formally make a request to SMART, as described in 5.1.

5.5. SMART shall make reasonable commercial efforts to assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Customer's obligations to respond to requests for exercising Customer’s Users’ rights pursuant to applicable laws.


6.1. SMART only collects Personal Data regarding its Customer's Users which the Customer has provided SMART by engaging with SMART for the provision of Services.

6.2. In respect of Non-Personal Data and anonymized Data, the Customer agrees that SMART has unlimited rights to such information and that SMART may use such information without limitation.

6.3. Non-Personal Data is collected and processed mainly for marketing analysis and to constantly improve and maintain the Services, which includes but is not limited to ,ensuring the technical functioning of SMART Services, to help prevent fraudulent use of the Services and for developing new services and products.


7.1. If SMART becomes aware of a Personal Data breach, it shall without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of it, notify the affected Customer, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. SMART shall also take reasonable steps to mitigate the effects and to minimize any damage resulting from a Personal Data breach.

7.2. SMART’s communication of a breach shall be in clear and plain language and contain a minimum of:

  • The contact details of the Data Protection Officer or other contact person
  • A description of the nature of the breach
  • The likely consequences of the breach
  • Advice on steps data subjects can take to protect themselves
  • The measures SMART has taken or proposes to take to address the breach.

7.3. SMART may disclose Data to law enforcement, regulatory or other government agencies, or third parties, if SMART reasonably believes that such a disclosure is necessary to comply with a judicial proceeding, court order, or a legal process, provided, however, that SMART shall notify the Customer in writing regarding any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.


8.1. In connection with the transfer, Processing or disclosure of Personal Data by the Customer and the Customer's Users, and any Processing of such Personal Data by SMART, the Parties hereby agree and represent, that, as between the Parties:

  • The Customer shall be regarded as the Controller of all such Personal Data, and shall solely and fully assume all responsibilities, obligations, and liabilities imposed on the Customer as a Controller of Personal Data under the GDPR.
  • SMART shall be regarded as the Processor of such Personal Data, and shall solely and fully assume all responsibilities, obligations, and liabilities imposed on SMART as a Processor of Personal Data under the GDPR.

8.2. In its capacity as Controller, the Customer agrees that it is responsible to inform the Customer's Users, clearly and explicitly, of the Processing of their Personal Data, including processing by SMART, pursuant to, and in accordance with, the Customer's engagement with SMART. The Customer further represents that the Customer has all required authorizations to disclose Personal Data to SMART pursuant to this DPA and the Agreement.

8.3. The Parties shall each implement appropriate technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

8.4. SMART makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer at Customer’s expense. Information necessary to demonstrate compliance may be provided in form of certifications of independent third parties. SMART may, at its own discretion, provide the necessary information to demonstrate compliance, instead by way of an inspection, by providing appropriate documents and certifications issued by independent bodies (e.g. chartered accountants, data protection auditors, IT security auditors). If the Customer wishes to carry out an inspection by itself or by an auditor,

  1. the Customer and SMART must agree on a specific date for the inspection,
  2. the Customer must carry all costs and expenditures which may arise on SMART’s side due to the inspection, and
  3. the Customer or his auditor are strictly bound to confidentiality regarding all information relevant for SMART’s business interests.

8.5. SMART will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to:

  1. Satisfy the GDPR requirements
  2. Identify reasonably foreseeable and internal risks to security and unauthorized access to SMART’s network
  3. Minimize security risks, including through risk assessment and regular testing.

SMART has designated one or more employees to coordinate and be accountable for SMART’s information security. SMART conducts periodic reviews of the security of its network and adequacy of its information security program as measured against industry security standards and its policies and procedures. SMART continually evaluates the security of its network and Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by reviews.

8.6. SMART represents and warrants that SMART employees, contractors, agents, or Sub-Processors authorized by SMART to Process Personal Data on behalf of Customer, are bound by adequate contractual obligations.

8.7. SMART ensures that its employees and other persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.8. SMART assists the Customer in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account its role as a Data Processor.

8.9. SMART shall only Process Personal Data on behalf of Customer and pursuant to the instructions as set forth herein, pursuant to the Agreement, or otherwise agreed to between the Parties. SMART shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other EU or EU Member State data protection provision.

8.10. The Parties shall Process Personal Data only as lawful and compliant with applicable law, including the GDPR.

8.11. The Customer's use of the Services shall comply with all applicable laws.


9.1. The term of this DPA shall start on the Effective Date and continue until termination or expiration of the applicable Agreement.


10.1. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail regarding the Parties' data protection and privacy protection obligations.

10.2. SMART agrees to deposit a copy of this DPA with the supervisory authority if it so requests or, if such deposit is required under the applicable data protection law.

10.3. The Parties acknowledge that responsible supervisory authorities have the right to conduct an audit of the Parties.

10.4. If any provision of this DPA shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited to the minimum extent necessary so that this DPA shall otherwise remain in effect.

10.5. This DPA shall be governed by and construed in accordance with the same laws as the Agreement. Any claim under this DPA may be solely brought to the competent courts as specified in the Agreement.