Edy365 Personal data processing agreement
for Education institutions
Version: 1.0
Effective as of: April 1st, 2026
This Personal Data Processing Agreement sets out the procedures for the processing of personal data applicable where an educational institution (hereinafter – the Controller) uses the digital internship platform Edy365.com provided by SIA “Edy365.com” (hereinafter – the Processor).
The Controller and the Processor, within the meaning of the General Data Protection Regulation, undertake to comply with the requirements for the processing of personal data of natural persons set out in this Agreement.
This Agreement is concluded in electronic form
using a click-wrap mechanism on the Edy365.com platform.
1. DEFINITIONS.
2. SUBJECT MATTER OF PROCESSING.
3. PURPOSE AND DURATION OF PERSONAL DATA PROCESSING.
4. CATEGORIES OF DATA SUBJECTS.
5. TYPES OF PERSONAL DATA.
6. NATURE OF PERSONAL DATA PROCESSING.
7. TECHNICAL AND ORGANISATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA.
8. OBLIGATIONS AND RIGHTS OF THE PROCESSOR.
9. OBLIGATIONS AND RIGHTS OF THE CONTROLLER.
10. HANDLING OF PERSONAL DATA BREACHES.
11. ENGAGEMENT OF OTHER PROCESSORS (SUB-PROCESSORS).
12. LIABILITY.
13. RECTIFICATION AND RESTRICTION OF PERSONAL DATA PROCESSING.
14. TERMINATION OF PERSONAL DATA PROCESSING.
15. FINAL PROVISIONS.
The following terms used in this Personal Data Processing Agreement shall have the meanings set out below:
1.1. Personal Data – any information relating to an identified or identifiable natural person within the meaning of the General Data Protection Regulation.
1.2. Data Subject – an identified or identifiable natural person to whom the Personal Data relates.
1.3. Processing of Personal Data – any operation or set of operations performed on Personal Data, including collection, recording, structuring, storage, alteration, use, disclosure, transfer, blocking, or deletion, whether carried out by automated or non-automated means.
1.4. Personal Data Breach – a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
1.5. Controller – the educational institution which alone or jointly with others determines the purposes and means of the processing of Personal Data within the framework of using the Platform.
1.6. Processor – SIA “Edy365.com”, which processes Personal Data on behalf of the Controller within the framework of providing the digital internship platform Edy365.com.
1.7. Supervisory Authority – the Data State Inspectorate of the Republic of Latvia.
The subject matter of personal data processing is the processing of personal data carried out in connection with the use of the digital internship platform Edy365.com for the organisation, supervision, and administration of internships.
3.1. The purpose of the transfer and processing of Personal Data is to ensure the operation of the digital internship platform Edy365.com and the use of the functionalities available therein within the educational process, including internship planning, execution, supervision, documentation, and related communication.
3.2. Personal Data is processed from the moment the Controller electronically approves this Agreement on the Platform until the moment the Educational Institution discontinues use of the Platform or contractual relations are terminated in accordance with the Platform Terms of Use.
4.1. Within the framework of using the Platform, Personal Data of the following categories of data subjects is processed:
4.1.1. students of the Educational Institution;
4.1.2. employees of the Educational Institution;
4.1.3. representatives of internship providers (companies) participating in the internship organisation process on the Platform;
4.1.4. contact persons of the Controller and the Processor;
4.1.5. other natural persons whose Personal Data is processed on the Platform in accordance with the Controller’s instructions and the Platform’s functionality.
5.1. Within the operation of the Platform, the following types of Personal Data may be processed:
5.1.1. first name, last name;
5.1.2. personal identification number (The Platform provides a dedicated field intended for personal identification, in which the Educational Institution, at its sole discretion and responsibility, may enter a personal identification number, student card number, or any other unique identifier. The Educational Institution ensures that the selected identifier is unique within the respective Educational Institution and that no two persons are assigned the same identifier. The Service Provider does not determine or control the type or content of the identifier and shall not be responsible for the legal basis or compliance of the entered identifier with applicable legal requirements.);
5.1.3. contact details (email address, phone number);
5.1.4. information about the educational institution, internship provider, or workplace;
5.1.5. position or role on the Platform;
5.1.6. other data entered on the Platform by the data subject or the Controller within the framework of internship organisation.
6.1. Personal data processing on the Platform includes the following activities:
6.1.1. The Controller performs:
6.1.1.1. data entry, viewing, correction, structuring, and deletion on the Platform;
6.1.1.2. linking and unlinking of users;
6.1.1.3. administration of the internship process.
6.1.2. The Processor performs:
6.1.2.1. storage of Personal Data;
6.1.2.2. technical maintenance and backup provision;
6.1.2.3. restoration of Personal Data in the event of technical incidents;
6.1.2.4. other technical processing of Personal Data to the extent necessary to ensure the operation of the Platform or carried out pursuant to the Controller’s documented instructions.
6.2. Within the scope of the Platform’s core functionality, Personal Data is not used for automated individual decision-making or profiling within the meaning of the General Data Protection Regulation.
6.3. Personal Data processing is carried out within the territory of the European Union and the European Economic Area.
7.1. The Processor processes Personal Data only in accordance with the provisions of this Agreement, the Controller’s documented instructions, and the requirements of the General Data Protection Regulation.
7.2. Personal Data is processed on behalf of the Processor only by the Processor’s authorised employees or cooperation partners who have undertaken confidentiality obligations and have received appropriate training in the field of personal data protection.
7.3. The Processor ensures that access to Personal Data is granted only to those authorised employees of the Processor for whom such access is necessary to ensure Platform maintenance, security, or technical support.
7.4. Personal Data processing is carried out in information systems that are accessible remotely and maintained in accordance with applicable security standards, without being tied to a specific physical location.
7.5. Taking into account the nature of the Platform’s operation, Personal Data processing may take place on a continuous basis for the purpose of ensuring Platform availability.
7.6. The Processor ensures that persons involved in the processing of Personal Data are legally bound by confidentiality obligations that remain in force even after termination of employment or other contractual relationships.
7.7. The Processor implements appropriate technical measures, including, where proportionate and technically feasible, pseudonymisation and encryption of Personal Data.
7.8. The Processor implements technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of Personal Data processing systems.
7.9. The Processor takes measures to protect Personal Data against accidental or unlawful destruction, loss, damage, or unauthorised access, including as a result of physical or technical interference.
7.10. The Processor ensures the ability to restore the availability of and access to Personal Data in a timely manner in the event of technical incidents or emergencies.
7.11. The Processor regularly evaluates and, where necessary, improves the effectiveness of the implemented technical and organisational measures to ensure the security of Personal Data processing.
8.1. The Processor provides the Controller with initial access to the digital internship platform Edy365.com by creating the initial administrator user profile or by granting access to the Platform in another technically appropriate manner.
8.2. The Processor makes available to the Controller information that is reasonably necessary to demonstrate the Processor’s compliance with its obligations under this Agreement and Article 28 of the General Data Protection Regulation.
8.3. The Processor enables the Controller to carry out inspections or audits regarding the processing of Personal Data, to the extent that this is proportionate, agreed in advance with the Processor, and does not jeopardise the security of the Platform, the interests of other clients, or the Processor’s trade secrets.
8.4. The Processor ensures that its technical means allow timely performance of actions necessary to fulfil the obligations set out in this Agreement regarding notification of Personal Data Breaches and facilitation of data subject rights.
8.5. The Processor ensures the availability of audit and activity logging mechanisms within the Platform, to the extent technically possible, and retains the relevant records for a reasonable period after termination of Platform use, in compliance with applicable laws and regulations.
8.6. Taking into account the nature of Personal Data processing, the Processor assists the Controller in fulfilling data subject rights in accordance with Chapter III of the General Data Protection Regulation, to the extent possible using the Platform’s technical means.
8.7. The Processor ensures that persons involved in the processing of Personal Data on behalf of the Processor are trained in personal data protection matters and are bound by confidentiality obligations.
9.1. The Controller ensures that only such Personal Data for which there is a lawful basis for processing in accordance with applicable laws and regulations, including the General Data Protection Regulation, is transferred to the Processor within the Platform.
9.2. The Controller is responsible for the security of access credentials on the Platform and ensures that, after initial access is granted, necessary measures are taken to ensure the security of user accounts, including renewal or replacement of access credentials where applicable.
10.1. If the Processor becomes aware of a Personal Data Breach, the Processor shall notify the Controller without undue delay and no later than 48 (forty-eight) hours after becoming aware of the breach, using the contact information indicated on the Platform or other communication channels specified by the Controller.
10.2. The Processor’s notification to the Controller shall include, to the extent the information is available to the Processor at the relevant time:
10.2.1. the nature of the Personal Data Breach;
10.2.2. the categories of Personal Data and categories of data subjects potentially affected;
10.2.3. the possible impact on the confidentiality, integrity, or availability of Personal Data;
10.2.4. the measures taken or planned to address or mitigate the effects of the breach.
10.3. The Processor cooperates with the Controller and provides reasonably necessary information and support to enable the Controller to comply with the obligations set out in Articles 33 and 34 of the General Data Protection Regulation.
10.4. The Controller is responsible for notifying the Supervisory Authority of the Personal Data Breach within 72 (seventy-two) hours from the moment it becomes aware of the breach, unless otherwise provided by applicable law.
10.5. Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of data subjects, the Controller is responsible for informing the data subjects in accordance with the requirements of the General Data Protection Regulation.
11.1. The Processor is entitled to engage other processors (sub-processors) for the processing of Personal Data, ensuring that such sub-processors are subject to data protection obligations no less stringent than those set out in this Agreement.
11.2. The Processor remains fully liable for the processing of Personal Data carried out by sub-processors on behalf of the Controller.
11.3. The Processor informs the Controller of material changes in the engagement of sub-processors by publishing up-to-date information on the Platform or providing notice in another reasonable manner.
12.1. The Processor is liable for damage caused by the processing of Personal Data where it has failed to comply with the obligations set out in the General Data Protection Regulation or this Agreement that directly apply to the Processor.
12.2. A Party shall not be liable for damage if it proves that it is in no way responsible for the event giving rise to the damage.
12.3. The Processor is not responsible for the existence or selection of the lawful basis for the processing of Personal Data, nor for the compliance of the content of Personal Data with the requirements of applicable laws and regulations, where such data is provided to the Processor by the Controller.
12.4. The Processor processes Personal Data on behalf of the Controller on the basis of the Controller’s instructions, the Platform Terms of Use, and this Agreement.
13.1. Where the Controller receives a request from a data subject for rectification, erasure, or restriction of processing of Personal Data, the Controller assesses the request’s compliance with applicable laws and regulations and performs the necessary actions on the Platform.
13.2. The Processor provides the Controller with reasonable technical assistance in fulfilling such requests, to the extent possible using the Platform’s technical means.
14.1. After discontinuation of use of the Platform, the Processor processes Personal Data only to the extent necessary to comply with legal requirements or for the technical shutdown of the Platform.
14.2. Upon the Controller’s request and where permitted by applicable law, the Processor shall, within a reasonable period, delete or anonymise the Controller’s Personal Data, except where retention of Personal Data is necessary to fulfil legal obligations.
15.1. This Agreement enters into force at the moment the Educational Institution electronically agrees to it on the Platform and remains in force for as long as the Educational Institution uses the Platform.
15.2. This Agreement forms an integral part of the Platform Terms of Use.
15.3. This Agreement is publicly available on the Platform and is applied without signature or indication of formal details.