This Agreement (“Agreement”) is entered into by and between Coursera, Inc., a Delaware corporation, with a principal place of business at 381 E. Evelyn Ave., Mountain View, California 94041 (“Coursera”), and the entity agreeing to these terms (“Organization”). This Agreement is effective as of the date you accept the terms (the “Effective Date”). If you are accepting on behalf of your employer or another entity, you represent and warrant that: (a) you have full legal authority to bind your employer, or the applicable entity, to these terms and conditions; (b) you have read and understand this Agreement; and (c) you agree, on behalf of the party that you represent, to this Agreement. If you don’t have the legal authority to bind your employer or the applicable entity, please do not accept the terms below. This Agreement governs Organization’s access to and use of Coursera. To the extent that Organization and Coursera have already entered into data privacy terms that apply to this or a similar transaction, the privacy terms listed here shall be superseded by currently-in-effect agreements binding between you and Coursera.
In consideration of the mutual promises set forth herein, the sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
- Organization agrees to implement and maintain technical and organizational measures and procedures to ensure an appropriate level of security for participants’ personal information, including protecting such personal information against the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access.
- This Agreement shall be construed, interpreted, and governed by the laws of the State of California without regard to its conflict of laws principles. The parties hereby submit to the exclusive jurisdiction of the federal courts or state courts located in Santa Clara County.
EU Data Protection: This section shall only apply to the extent that Personal Data (as defined below) of Data Subjects (as defined below) in the EU is processed by Coursera.
- In this section, the following terms shall have the following meanings:
  - “Data Protection Laws” means any laws and regulations in any relevant jurisdiction, relating to privacy or the use or processing of data relating to natural persons, including: (a) EU Directives 95/46/EC and 2002/58/EC (as amended by 2009/139/EC) and any legislation implementing or made pursuant to such directives; and (b) from 25 May 2018, EU Regulation 2016/679 (“GDPR”); and (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR; in each case, to the extent in force, and as such are updated, amended or replaced from time to time.
  - “DP Regulator” means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
  - “Data Subject”, “Data Controller”, “Personal Data” and “processing” shall have the meanings set out in EU Directive 95/46/EC until 25 May 2018, and thereafter the meaning set out in GDPR.
  - “EU Privacy Shield” means the EU-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce.
- This section (titled ‘Data Protection’) shall only apply in respect of Personal Data of Data Subjects in the European Economic Area. To the extent that the parties do not transfer or otherwise process Personal Data of Data Subjects in the European Union, the provisions of this section shall not apply.
- The parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement.
- Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
- To the extent that a party (the “Receiving Party”) receives any Personal Data from the other party (the “Providing Party”), the Receiving Party, acting as a new Data Controller of such Personal Data, shall:
  - comply with the provisions and obligations imposed on it as a Data Controller by Data Protection Laws at all times;
  - take reasonable steps to ensure the reliability of all its personnel who have access to such Personal Data, and ensure that any such personnel are committed to binding obligations of confidentiality when processing such Personal Data;
  - implement and maintain technical and organizational measures and procedures to ensure an appropriate level of security for such Personal Data, including protecting such Personal Data against the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access;
  - not transfer such Personal Data outside the European Economic Area unless in accordance with applicable Data Protection Laws and, if applicable, in accordance with clause 5(j) of this Section below;
  - inform the Providing Party within 24 hours of becoming aware that any such Personal Data is (while within the Receiving Party or its subcontractors’ or affiliates’ possession or control) subject to a personal data breach (as defined in Article 4 of GDPR) or is lost or destroyed or becomes damaged, corrupted or unusable;
  - provide to the Providing Party and any DP Regulator all information and assistance necessary or desirable to demonstrate or ensure compliance with the obligations in this clause and/or Data Protection Laws;
  - from 25 May 2018, take such steps as are reasonably required to assist the Providing Party in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of GDPR;
  - notify the Providing Party within two (2) business days if it receives a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that Data Subject’s Personal Data;
  - provide the Providing Party with its full co-operation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that Data Subject’s Personal Data; and
  - to the extent that Personal Data is processed outside the European Economic Area, either:
    - be certified under and comply with the EU Privacy Shield, and maintain its self-certification to and compliance with such framework; or
    - comply with the protection requirements and principles of the EU Privacy Shield, including providing at least the same level of data security and privacy protection as required by the principles set out in the EU Privacy Shield and in such case shall provide without any charge or delay such information and assistance as required by the Providing Party to assess whether the Receiving Party is processing Personal Data in a manner consistent with the obligations under the principles set out in the EU Privacy Shield,
  - and the Receiving Party hereby represents, warrants and covenants that this is and shall remain the case.
- To the extent that a Receiving Party receives any Personal Data from the Providing Party, the Providing Party warrants and represents that it has the right under applicable Data Protection Laws to transfer such Personal Data to the Receiving Party and that, where applicable, it has obtained all necessary consents to do so.
- If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data by the other party or to either party’s compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with reasonable cooperation and assistance in relation to any such complaint, notice or communication.