Learn Tourism Data Processing Agreement

Last Updated: [Month Day, Year]

This Data Processing Agreement, including its schedules and any applicable Standard Contractual Clauses, forms part of the Agreement between Learn Tourism and Customer.

This DPA applies when Learn Tourism processes Personal Data on behalf of Customer in connection with the Services.

1. Introduction

This DPA is entered into by and between Learn Tourism, Inc. (“Learn Tourism,” “we,” “us,” or “our”) and the customer identified in the applicable Order Form, Quote, Proposal, Scope of Work, or other written agreement (“Customer,” “you,” or “your”).

This DPA supplements the Master Customer Terms, Product-Specific Terms, Privacy Policy, and applicable Order Form.

If there is a conflict between this DPA and the Master Customer Terms regarding the processing of Personal Data, this DPA will control. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will control for the applicable transfer.

2. Definitions

“Agreement” means the Master Customer Terms, applicable Order Form, Product-Specific Terms, this DPA, the Acceptable Use & Community Standards, and any other document incorporated by reference.

“Authorized User” means any learner, administrator, employee, contractor, representative, stakeholder, partner, participant, or other person Customer authorizes to access or use the Services.

“Customer Content” means content, materials, files, documents, images, videos, logos, text, course materials, or other information Customer provides to Learn Tourism or uploads to the Services.

“Customer Data” means data, records, files, content, and information submitted to or collected through the Services by or on behalf of Customer, including Learner Data and Customer Content.

“Data Protection Laws” means all privacy, data protection, and data security laws and regulations applicable to the processing of Personal Data under the Agreement.

“Data Subject” means an identified or identifiable individual to whom Personal Data relates.

“Learner Data” means Personal Data relating to individuals who enroll in, access, participate in, complete, or otherwise interact with courses, learning environments, events, or training programs provided through the Services.

“Personal Data” means information relating to an identified or identifiable individual that is included in Customer Data and protected as personal data, personal information, personally identifiable information, or similar terms under applicable Data Protection Laws.

“Personal Data Breach” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Learn Tourism under this DPA.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.

“Restricted Transfer” means a transfer of Personal Data subject to GDPR, UK GDPR, Swiss data protection law, or similar law to a country or recipient that does not provide an adequate level of protection without appropriate safeguards.

“Security Measures” means the technical and organizational measures described in Schedule B.

“Sensitive Information” means Social Security numbers, government identification numbers, financial account numbers, protected health information, biometric information, precise geolocation, children’s personal information, special categories of Personal Data under GDPR, account passwords, or other highly sensitive data.

“Services” means the products, subscriptions, learning environments, courses, consulting, instructional design, course development, speaking, sponsorship, promotion, training, technology, support, integrations, or other services provided by Learn Tourism under the Agreement.

“Standard Contractual Clauses” or “SCCs” means the then-current standard contractual clauses approved by the European Commission or other applicable authority for Restricted Transfers, as incorporated into this DPA where applicable.

“Subprocessor” means any third party engaged by Learn Tourism to process Personal Data on behalf of Customer in connection with the Services.

The terms “controller,” “processor,” “business,” “service provider,” “contractor,” “personal information,” “sell,” “share,” and similar privacy-law terms have the meanings given to them under applicable Data Protection Laws.

3. Roles of the Parties

3.1 Customer as Controller

Customer is the controller of Customer Data and Personal Data it provides to Learn Tourism or causes to be processed through the Services, except where Learn Tourism independently determines the purposes and means of processing.

Customer determines the purposes and means of processing Personal Data in connection with Customer’s use of the Services, including which individuals may access the Services, what Customer Content is provided, what learning programs are offered, and how Customer uses learner reports and records.

3.2 Learn Tourism as Processor

Learn Tourism acts as a processor when it processes Personal Data on behalf of Customer to provide the Services.

Learn Tourism will process Personal Data only:

  • To provide, maintain, support, secure, and improve the Services.
  • In accordance with Customer’s documented instructions.
  • As required by the Agreement.
  • As required by applicable law.
  • As otherwise agreed in writing by the parties.

The Agreement, including this DPA and the applicable Order Form, constitutes Customer’s documented instructions to Learn Tourism.

3.3 Independent Controller Activities

Learn Tourism may act as an independent controller for certain limited activities, such as:

  • Managing its own business contacts.
  • Processing billing and payment information.
  • Administering its website and general marketing.
  • Responding to direct inquiries.
  • Managing legal, tax, accounting, compliance, and security obligations.
  • Processing information from individuals who interact directly with Learn Tourism outside Customer-controlled services.

These activities are governed by Learn Tourism’s Privacy Policy and applicable law.

3.4 No Joint Controller Relationship

Unless expressly agreed in writing, the parties do not intend to act as joint controllers.

4. Customer Obligations

Customer will:

  • Comply with applicable Data Protection Laws.
  • Provide all required notices to Data Subjects.
  • Obtain all required consents, permissions, and legal bases for processing Personal Data.
  • Ensure Customer has the right to provide Personal Data to Learn Tourism.
  • Ensure Customer’s instructions do not violate Data Protection Laws.
  • Use the Services only for lawful purposes.
  • Avoid submitting Sensitive Information unless Learn Tourism has expressly agreed in writing.
  • Maintain appropriate controls over administrator access and Authorized Users.
  • Respond to Data Subject requests for Personal Data for which Customer is the controller.
  • Keep Customer contact information current for privacy, security, and breach notifications.

Customer is responsible for the accuracy, quality, legality, and completeness of Customer Data and the means by which Customer acquires Customer Data.

5. Learn Tourism Obligations

Learn Tourism will:

  • Process Personal Data only according to Customer’s documented instructions.
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Maintain appropriate Security Measures.
  • Assist Customer with Data Subject requests as described in this DPA.
  • Assist Customer with security and data protection obligations as reasonably required by applicable Data Protection Laws.
  • Notify Customer of Personal Data Breaches as described in this DPA.
  • Use Subprocessors according to this DPA.
  • Delete or return Personal Data as described in this DPA.
  • Make available information reasonably necessary to demonstrate compliance with this DPA.

Learn Tourism will notify Customer if, in Learn Tourism’s opinion, an instruction violates applicable Data Protection Laws.

6. Details of Processing

The details of processing are described in Schedule A.

Customer acknowledges that the scope of Personal Data processed may vary depending on the Services purchased, Customer’s configuration, Customer Content, and Customer’s use of the Services.

7. Sensitive Information

The Services are not designed to process Sensitive Information unless expressly stated in the Order Form or otherwise agreed in writing.

Customer will not submit Sensitive Information to the Services unless Learn Tourism has expressly agreed in writing.

If Customer submits Sensitive Information without written approval, Customer is responsible for resulting compliance obligations, risks, and consequences, except to the extent caused by Learn Tourism’s violation of this DPA.

8. Security Measures

Learn Tourism will maintain reasonable technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

The Security Measures are described in Schedule B.

Customer acknowledges that security measures may evolve over time. Learn Tourism may update Security Measures, provided such updates do not materially reduce the overall level of protection for Personal Data during the applicable term.

9. Personal Data Breach

9.1 Notice

If Learn Tourism becomes aware of a Personal Data Breach affecting Personal Data processed under this DPA, Learn Tourism will notify Customer without undue delay.

Notice may be provided to the primary customer contact, administrator contact, privacy contact, security contact, or other contact listed in the applicable Order Form or customer account.

9.2 Contents of Notice

To the extent available, Learn Tourism’s notice will include:

  • A description of the nature of the Personal Data Breach.
  • Categories of Personal Data affected.
  • Approximate number of affected Data Subjects, if known.
  • Likely consequences, if known.
  • Measures taken or proposed to address the breach.
  • Measures Customer may consider taking to mitigate possible adverse effects.
  • A contact point for follow-up.

Learn Tourism may provide information in phases as it becomes available.

9.3 Cooperation

Learn Tourism will reasonably cooperate with Customer’s investigation, mitigation, and notification obligations related to a Personal Data Breach.

Customer is responsible for determining whether notice to regulators, Data Subjects, customers, employees, or other parties is required, unless applicable law requires Learn Tourism to provide notice directly.

9.4 No Admission

Notice of a Personal Data Breach is not an admission of fault or liability by Learn Tourism.

10. Subprocessors

10.1 Authorization

Customer provides general authorization for Learn Tourism to use Subprocessors to provide the Services.

10.2 Subprocessor Obligations

Learn Tourism will enter into written agreements with Subprocessors that impose data protection obligations substantially similar to those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.

10.3 Subprocessor List

Learn Tourism will maintain a list of Subprocessors used to process Personal Data in connection with the Services.

The list may be made available on a legal, privacy, or security page, by request, or through another reasonable method.

10.4 Changes to Subprocessors

Learn Tourism may add or replace Subprocessors from time to time.

Where required by Data Protection Laws, Learn Tourism will provide notice of new or replacement Subprocessors through a posted list, email notice, customer notice, or other reasonable method.

Customer may object to a new Subprocessor on reasonable data protection grounds by providing written notice within thirty (30) days after notice of the change.

If Customer objects, the parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate only the affected Services, and termination rights, refunds, or credits will be handled according to the Agreement.

11. Data Subject Requests

11.1 Customer Responsibility

Customer is responsible for responding to Data Subject requests where Customer is the controller.

Data Subject requests may include requests to access, correct, delete, restrict, object, withdraw consent, or port Personal Data.

11.2 Learn Tourism Assistance

Learn Tourism will provide reasonable assistance to Customer in responding to Data Subject requests, taking into account the nature of the Services and the information available to Learn Tourism.

Assistance may include:

  • Providing self-service tools where available.
  • Exporting available learner records.
  • Correcting or deleting records upon verified instruction.
  • Restricting access where technically feasible.
  • Providing information reasonably necessary for Customer to respond.

11.3 Direct Requests to Learn Tourism

If Learn Tourism receives a Data Subject request relating to Personal Data processed on behalf of Customer, Learn Tourism may:

  • Direct the Data Subject to Customer.
  • Notify Customer of the request.
  • Respond where required by law.
  • Take reasonable steps according to Customer’s instructions.

Learn Tourism will not independently fulfill a request for Customer-controlled Personal Data unless authorized by Customer or required by law.

12. Deletion, Return, and Export

12.1 During the Term

During the applicable term, Customer may request reasonable exports of Customer Data available through the Services, subject to platform capabilities, privacy restrictions, and applicable law.

12.2 End of Services

After expiration or termination of the applicable Services, Learn Tourism will delete or return Personal Data according to the Agreement, applicable Order Form, Customer’s written instructions, and applicable law.

Where technically feasible and commercially reasonable, Learn Tourism will provide Customer an opportunity to export Customer Data before deletion or deactivation.

12.3 Retention Exceptions

Learn Tourism may retain Personal Data where required or permitted by law, including for:

  • Legal, tax, accounting, audit, or regulatory obligations.
  • Dispute resolution.
  • Security, fraud prevention, or abuse prevention.
  • Backup and archival systems.
  • Enforcement of agreements.
  • Legitimate business records.

Retained Personal Data will remain subject to the confidentiality and security obligations of this DPA for as long as it is retained.

13. Audits and Compliance Information

13.1 Compliance Information

Upon reasonable written request, Learn Tourism will provide information reasonably necessary to demonstrate compliance with this DPA.

This may include security summaries, subprocessors, privacy documentation, certifications, policies, questionnaires, or other information appropriate to the nature of the Services.

13.2 Audits

If required by applicable Data Protection Laws, Customer may request an audit of Learn Tourism’s compliance with this DPA.

Any audit must:

  • Be limited to Learn Tourism’s processing of Personal Data under this DPA.
  • Occur no more than once per year unless required due to a confirmed Personal Data Breach.
  • Be conducted during normal business hours.
  • Require reasonable advance written notice.
  • Be subject to confidentiality obligations.
  • Avoid unreasonable disruption to Learn Tourism’s operations.
  • Be conducted by an independent qualified auditor mutually agreed by the parties.
  • Exclude access to other customers’ data, internal systems not relevant to the audit, privileged materials, trade secrets, and highly sensitive security information.

Customer is responsible for audit costs unless otherwise required by law.

13.3 Security Questionnaires

Learn Tourism may respond to reasonable security and privacy questionnaires. Extensive questionnaires, custom assessments, or procurement reviews outside ordinary scope may require additional fees if agreed by the parties.

14. International Transfers

14.1 Transfers

Customer acknowledges that Learn Tourism and its Subprocessors may process Personal Data in the United States and other countries where Learn Tourism or its Subprocessors operate.

14.2 Transfer Safeguards

Where Personal Data is subject to Data Protection Laws that restrict international transfers, Learn Tourism will use an appropriate transfer mechanism where required, such as:

  • An adequacy decision.
  • The applicable Standard Contractual Clauses.
  • The UK International Data Transfer Addendum or UK-approved transfer mechanism.
  • Swiss transfer requirements.
  • Another lawful transfer mechanism recognized under applicable Data Protection Laws.

14.3 SCCs

Where the SCCs apply, the parties agree that the SCCs are incorporated into this DPA by reference.

For purposes of the SCCs:

  • Customer is the data exporter.
  • Learn Tourism is the data importer.
  • Module Two, controller-to-processor, applies where Customer is a controller and Learn Tourism is a processor.
  • Module Three, processor-to-processor, applies where Customer is a processor and Learn Tourism is a subprocessor.
  • The details of processing are set out in Schedule A.
  • The technical and organizational measures are set out in Schedule B.
  • Subprocessor terms are addressed in Section 10 and Schedule C, where applicable.
  • Governing law and forum will be selected as required by the SCCs.

14.4 Transfer Impact Assessments

Where required by applicable Data Protection Laws, Learn Tourism will provide reasonable assistance and information to support Customer’s transfer impact assessment, taking into account the nature of the processing and information available to Learn Tourism.

15. U.S. State Privacy Laws

To the extent Learn Tourism processes Personal Data subject to U.S. state privacy laws on behalf of Customer, Learn Tourism will process such Personal Data as a service provider, processor, contractor, or similar role as defined by applicable law.

Learn Tourism will not:

  • Sell Personal Data.
  • Share Personal Data for cross-context behavioral advertising except as instructed by Customer or permitted by law.
  • Retain, use, or disclose Personal Data outside the business purposes described in the Agreement.
  • Retain, use, or disclose Personal Data for a commercial purpose other than providing the Services, unless permitted by applicable law.
  • Combine Personal Data with personal information from other sources except as permitted by applicable law.

Learn Tourism may process Personal Data to:

  • Provide the Services.
  • Maintain and improve the Services.
  • Detect, prevent, and respond to security incidents.
  • Protect against fraud, abuse, or unlawful activity.
  • Debug and repair functionality.
  • Comply with law.
  • Perform internal operations permitted by applicable law.

16. Assistance With Privacy Impact Obligations

Taking into account the nature of processing and the information available to Learn Tourism, Learn Tourism will provide reasonable assistance to Customer with:

  • Data protection impact assessments.
  • Prior consultations with supervisory authorities.
  • Security assessments.
  • Records of processing.
  • Privacy inquiries related to the Services.

Such assistance may be subject to reasonable fees if it requires substantial effort outside the ordinary operation of the Services.

17. Confidentiality

Learn Tourism will ensure that personnel who process Personal Data are subject to confidentiality obligations.

Customer will treat security, privacy, and compliance information provided by Learn Tourism as Confidential Information unless it is publicly available.

18. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless otherwise required by applicable Data Protection Laws.

19. Term

This DPA remains in effect for as long as Learn Tourism processes Personal Data on behalf of Customer.

20. Updates

Learn Tourism may update this DPA from time to time.

Updates will apply to new Order Forms and renewals after the updated DPA is posted or otherwise provided.

For active Order Forms, material changes will not reduce the overall protection of Personal Data during the then-current term unless required by law, third-party platform changes, security needs, or mutual agreement.

21. Contact

Privacy questions or requests related to this DPA may be sent to:

Learn Tourism, Inc.
Attn: Privacy
8433 Enterprise Circ – 100338; Lakewood Ranch, FL 34202

privacy@learntourism.org

Security questions may be sent to:

security@learntourism.org

Schedule A: Details of Processing

A.1 Subject Matter

Learn Tourism’s processing of Personal Data in connection with the Services provided to Customer.

A.2 Duration

The duration of processing is the term of the Agreement and any period during which Learn Tourism retains Personal Data according to the Agreement, this DPA, applicable law, backup practices, or Customer’s instructions.

A.3 Nature and Purpose of Processing

Learn Tourism processes Personal Data to provide, maintain, support, secure, improve, and administer the Services, including:

  • Creating and managing learning environments.
  • Enrolling learners.
  • Providing course access.
  • Tracking course progress and completion.
  • Issuing or recording certificates, badges, or completion records.
  • Providing customer administration and reporting.
  • Providing support.
  • Delivering custom course development and consulting services.
  • Managing events, webinars, and training programs.
  • Processing payments or invoices where applicable.
  • Communicating about the Services.
  • Maintaining security and preventing abuse.
  • Performing analytics and service improvement.
  • Complying with legal obligations.

A.4 Categories of Data Subjects

Data Subjects may include:

  • Customer employees.
  • Customer contractors.
  • Customer administrators.
  • Learners.
  • Training participants.
  • Event attendees.
  • Destination stakeholders.
  • Community members.
  • Travel professionals.
  • Speakers.
  • Sponsors.
  • Partners.
  • Customer contacts.
  • Prospects or referral contacts submitted by Customer.
  • Other Authorized Users.

A.5 Categories of Personal Data

Personal Data may include:

  • Name.
  • Email address.
  • Phone number.
  • Organization.
  • Job title or role.
  • Mailing address.
  • Account credentials or identifiers.
  • Course enrollments.
  • Course progress.
  • Completion status.
  • Quiz, assessment, or activity results.
  • Certificate or badge records.
  • Attendance or participation records.
  • Messages, comments, assignments, or course interactions.
  • Survey responses.
  • Support requests.
  • Billing or payment-related information.
  • IP address.
  • Device and browser information.
  • Usage data.
  • Customer-provided profile information.
  • Images, video, audio, or testimonials if provided for the Services.
  • Any other Personal Data submitted by Customer or Authorized Users through the Services.

A.6 Sensitive Information

The Services are not intended to process Sensitive Information unless expressly agreed in writing.

A.7 Frequency of Processing

Continuous or as needed to provide the Services.

A.8 Processing Operations

Processing operations may include collection, recording, organization, storage, hosting, access, retrieval, use, disclosure, transmission, analysis, modification, deletion, return, export, and other operations necessary to provide the Services.

Schedule B: Security Measures

Learn Tourism will maintain reasonable technical and organizational measures appropriate to the nature of the Services and Personal Data processed.

Security Measures may include:

B.1 Access Controls

  • Role-based access to systems where appropriate.
  • Limited access to Personal Data based on business need.
  • Administrative access restrictions.
  • Password-protected systems.
  • Deactivation or adjustment of access when no longer needed.

B.2 Confidentiality

  • Confidentiality obligations for personnel with access to Personal Data.
  • Internal privacy and security expectations.
  • Limited disclosure of Personal Data to authorized personnel and Subprocessors.

B.3 Data Protection

  • Use of secure hosting and reputable service providers.
  • Encryption in transit where reasonably available.
  • Encryption at rest where supported by applicable systems.
  • Backups or recovery procedures where appropriate.
  • Segregation or logical separation of customer data where supported by systems.

B.4 System Security

  • Reasonable efforts to maintain system integrity.
  • Malware, abuse, and unauthorized-access prevention practices.
  • Monitoring or logging where appropriate.
  • Security updates and patching practices where reasonably available.

B.5 Incident Response

  • Procedures for identifying, investigating, and responding to suspected security incidents.
  • Escalation procedures for potential Personal Data Breaches.
  • Customer notification according to this DPA.

B.6 Vendor and Subprocessor Management

  • Use of reputable vendors and service providers.
  • Contractual data protection obligations for Subprocessors.
  • Review of Subprocessors appropriate to the nature of services provided.

B.7 Business Continuity

  • Reasonable backup, recovery, and continuity practices.
  • Reliance on third-party platform and hosting resilience where applicable.

B.8 Customer Responsibilities

Customer is responsible for:

  • Managing Authorized Users.
  • Protecting login credentials.
  • Assigning appropriate administrator permissions.
  • Reviewing exported reports.
  • Ensuring Customer Content is lawful and accurate.
  • Avoiding submission of Sensitive Information unless approved.
  • Maintaining security of Customer-owned systems and integrations.

Schedule C: Subprocessors

Learn Tourism uses Subprocessors to provide, host, support, secure, analyze, communicate, and improve the Services.

Schedule D: Jurisdiction-Specific Terms

D.1 European Economic Area, United Kingdom, and Switzerland

Where Personal Data is subject to GDPR, UK GDPR, or Swiss data protection law:

  • Customer is the controller and Learn Tourism is the processor unless otherwise stated.
  • Learn Tourism will process Personal Data only on documented instructions.
  • Learn Tourism will maintain appropriate technical and organizational measures.
  • Learn Tourism will assist Customer with Data Subject rights, security obligations, breach response, and data protection impact assessments as required by law.
  • Restricted Transfers will be governed by applicable transfer mechanisms, including SCCs where required.
  • Subprocessor terms in Section 10 apply.

D.2 California and Other U.S. State Privacy Laws

Where Personal Data is subject to California or other U.S. state privacy laws:

  • Learn Tourism acts as a service provider, processor, contractor, or similar role as applicable.
  • Learn Tourism will process Personal Data only for business purposes described in the Agreement.
  • Learn Tourism will not sell Personal Data.
  • Learn Tourism will not share Personal Data for cross-context behavioral advertising except as instructed by Customer or permitted by law.
  • Learn Tourism will not retain, use, or disclose Personal Data outside the Agreement except as permitted by applicable law.