List of active policies
|Data Processing Agreemenet||Site policy||All users|
What are cookies
Cookies are small pieces of text sent by your web browser by a website you visit. A cookie file is stored in your web browser and allows the Site or a third-party to recognize you and make your next visit easier and the Site more useful to you. Essentially, cookies are a user’s identification card for the Moodle servers. Web beacons are small graphic files linked to our servers that allow us to track your use of our Site and related functionalities. Cookies and web beacons allow us to serve you better and more efficiently, and to personalize your experience on our Site.
Cookies can be "persistent" or "session" cookies.
When you use and access the Site, we may place a number of cookies files in your web browser.
We use both session and persistent cookies on the Site and we use different types of cookies to run the Site:
- Analytical/performance cookies. Allow us to recognize and count the number of visitors and see how visitors move around the Site when using it. This helps us improve the way the Site works.
- Functionality cookies. Used to recognise you when you return to the Site. This enables us to personalise our content for you, greet you by name, and remember your preferences (for example, your choice of language or region).
- Targeting cookies. Record your visit to the Site, the pages you have visited, and the links you have followed. We will use this information to make the Site more relevant to your interests. We may also share this information with third parties for this purpose.
- To view a list of Moodle cookies, please view our Cookies Table.
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Site and refine marketing efforts.
- Tracking cookies. Follow on-site behaviour and tie it to other metrics allowing better understanding of usage habits.
- Optimization cookies. Allow real-time tracking of user conversion from different marketing channels to evaluate their effectiveness.
- Partner cookies. Provide marketing conversion metrics to our partners so they can optimize their paid marketing efforts.
To view a list of third-party cookies that we use, please view our Cookies table
What are your choices regarding cookies?
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use some or all of the features we offer. You may not be able to log in, store your preferences, and some of our pages might not display properly.
The table below lists some of the internal and third-party cookies we use. As the names, numbers, and purposes of these cookies may change over time, this page may be updated to reflect those changes.
||MoodleSession||You must allow this cookie into your browser to provide continuity and maintain your login from page to page.||When you log out or close the browser this cookie is destroyed (in your browser and on the server).|
|resellers.moodle.com||MOODLEID||It remembers your username within the browser. This means when you return to this site the username field on the login page will be already filled out for you.
||It is safe to refuse this cookie - you will just have to retype your username every time you log in.|
This policy relates to the user accounts of organisations contracted to Moodle Pty Ltd under one of its partner agreements and to employees of Moodle Pty Ltd.
Privacy and personal data
We take your privacy very seriously. In order to provide access to the service we must collect and store personal information about you. This data is collected under contract with the organisation that you work for.
What is collected?
Basic profile information is collected from your employer when we create your account including your full name, email address and role in the organisation/company.
As you use the site on behalf of your organisation/company, information about the users, partner course area, activities and resources you interact with will also be stored and linked to your account information. All of this information is provided under the Moodle Partner Agreement which includes a confidentiality agreement and is treated as work product from your organisation/company.
How is this information used?
This information is only used to provide access to the online courses on this site.
How long is my data stored?
Your personal data is stored as long as your account is active on this site. The business purpose of the partner course is an ongoing record of the partner network and their interactions and does not have an end. Profile information will be anonymised when an account is deleted once your employer requests it, or your employer is no longer a Moodle Partner and the accounts are all deleted.
Data Processing Agreement
DATA PROCESSING AGREEMENT
(1) You or your organization or entity as the Data Controller (the “Partner” or the “Data Controller”); and
(2) Moodle Pty Ltd being a company registered under the laws of Western Australia with ABN 55 116 513 636 (the “Data Processor").
This Agreement is to ensure the protection and security of data passed from the Partner to the Data Processor for processing or accessed by the Data Processor on the authority of the Partner for processing or otherwise received by the Data Processor for processing on behalf of the Partner.
The Data Processor provides to the Data Controller the Services described in Schedule 1.
The provision of such Services involves the processing of Personal Data by the Data Processor on behalf of the Data Controller.
The GDPR and the Data Protection Acts place certain obligations upon a Data Controller to ensure that any data processor it engages provides sufficient guarantees to ensure that the Processing of Personal data carried out on its behalf is secure.
This Agreement ensures sufficient security guarantees are in place and that any processing of Personal Data complies with obligations equivalent to those of the GDPR and Data Protection Acts.
The terms of this Agreement are to apply to all Processing of Personal Data carried out by the Data Processor and to all Personal Data held by the Data Processor on behalf of the Data Controller.
IT IS AGREED
1. DEFINITIONS AND INTERPRETATION
1.1 In this agreement:
“the Data Protection Acts” or "the Acts" means the Data Protection Acts 1988 and 2003 and the Data Protection Act 2018 (when enacted) and EU Directive 95/46/EC;
"Data" means any information of whatever nature that, by whatever means, is provided to the Data Processor by the Partner, is accessed by the Data Processor on the authority of the Partner, or is otherwise received by the Data Processor on behalf of the Partner, for the purposes of the Processing specified in clause 3.1(a), and shall include, without limitation, any Personal Data;
"Data Subject", "Personal Data" and "Processing" shall have the same meanings as are assigned to those terms in the Acts;
“GDPR” means the General Data Protection Regulation, being Regulation (EU) 2016/679;
“Schedule” means the schedule annexed to and forming part of this Agreement;
"Services" means processing of the Data by the Data Processor in connection with and for the purposes of the provision of the services to be provided by the Data Processor to the Partner under the Services Agreement;
“Services Agreement” means the agreement for the provision of services between the Partner and the Data Processor identified in the Schedule 1.
“Security Measures” means the security measures set out in the Schedule 2.
1.2 In this agreement any reference, express or implied, to any enactment (which includes any legislation in any jurisdiction) includes references to:
(a) that enactment as re-enacted, amended, extended or applied by or under any other enactment (before, on or after the date of this agreement);
(b) any enactment which that enactment re-enacts (with or without modification); and
(c) any subordinate legislation made (before, on or after the date of this agreement) under that enactment, as re-enacted, amended, extended or applied as described in clause 1.2(a), or under any enactment referred to in clause 1.2(b).
1.3 In this agreement:
(a) references to a person include an individual, a body corporate and an unincorporated association of persons;
(b) references to a party to this agreement include references to the successors or assignees (immediate or otherwise) of that party.
2. APPLICATION OF THIS AGREEMENT
2.1 The terms of this Agreement apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received thereafter. the terms of this Agreement supersede any other arrangement, understanding or agreement including any services agreement made between the parties at any time relating to protection of Personal Data.
3. DATA PROCESSING
3.1 The Partner acknowledges that it is deemed the Data Controller and Moodle Pty Ltd is deemed the Data Processor at all times and in respect of any Personal Data processed in the course of providing the Services.
3.2 The Data Processor acknowledges that it is the Data Processor in respect of any Personal Data that the Partner allows access to or provides to it for the purposes of providing Services to the Partner and that, in such a context, the Partner is the Data Controller.
3.3 The Data Processor takes sole responsibility for its compliance, as data processor, with the requirements of the GDPR and the Data Protection Acts and of the contract herein.
3.4 If the Data Processor processes Personal Data other than as instructed by the Partner, the Data Processor shall be considered to be a controller in respect of that processing and shall be subject to the rules and legal obligations on data controllers pursuant to the Acts.
3.5 In consideration of the undertakings provided by the Partner in clause 5 of this Agreement, the Data Processor agrees to Process the Data in accordance with this Agreement, and specifically the Data Processor agrees to:
- process the Data at all times in accordance with the GDPR and the Data Protection Acts and solely for the purposes (connected with provision by the Data Processor of the Services), to the extent and in such manner as is necessary for those purposes and in the manner specified from time to time by the Partner in writing and for no other purpose or in any manner except with the express prior written consent of the Partner;
in a manner consistent with the GDPR and the Data Protection Acts and with any guidance issued by the relevant Data protection authority, implement appropriate technical and organizational measures to safeguard the Personal Data from unauthorized or unlawful Processing or accidental loss, destruction or damage, and that having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and to the nature of the Data to be protected. the details of those security measures for the time being are set out in Schedule 2 hereto;
in particular, ensure that appropriate security measures shall be taken against unauthorized access to, or unauthorized alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. the details of those security measures for the time being are set out in Schedule 2 hereto;
comply, in processing of the data, with the Partner’s information security policies and procedures as defined or as may be communicated from time to time or specified in the context of a particular project or instance of processing;
ensure that each of its employees, agents and subcontractors are made aware of its obligations under this agreement with regard to the security and protection of the Data and shall require that they enter into and enforce binding obligations with the Data Processor in order to maintain the levels of security and protection provided for in this agreement, including the agreement Appended at Schedule 2;
not divulge the Data whether directly or indirectly to any person, firm or company or otherwise without the express prior written consent of the Partner except to those of its employees, who are engaged in the Processing of the Data and are subject to written terms substantially the same as the terms contained in this processor agreement or except as may be required by any law or regulation;
not divulge the Data, whether directly or indirectly to any person, firm or company or otherwise except with the express prior written consent of the Partner, and to agents or subcontractors who are subject to written terms substantially the same as the terms contained in this processor agreement, or except as may be required by any law or regulation;
provide the Partner on demand with the text of any such written terms to which its employees, sub-contractor or agents are subject with regard to their processing of Data;
upon the request of the Partner, promptly provide a written description of the technical and organizational measures employed by it and/or any of its permitted sub-contractors, detailed to such a level that the Partner can determine whether or not, in connection with Personal Data, the Supplier and its permitted subcontractors are complying with their obligations under this Agreement. If, as a result of an independent audit by the Partner, its Agents, or the Office of the Data Protection Commissioner, the measures employed by the Data Processor and/or its permitted subcontractors are not sufficient to ensure compliance with their obligations under this Agreement, the Data Processor shall take all steps (or procure that its permitted sub-contractors take all steps) which are reasonably required to ensure that such compliance is achieved;
afford to the Partner (and procure that its permitted sub-contractors afford to the Partner) access on at least 14 working days notice, and at reasonable intervals, to any premises where the relevant Personal Data is being processed to enable the Partner to ensure that the Data Processor is complying with its obligations under this Agreement and/or that the Data Processor’s permitted subcontractors are complying with the equivalent contractual obligations imposed on them;
notify the Data Controller (within 2 working days) if it receives
- a request from a data subject to have access to that person’s Personal Data
- or a complaint or request relating to the Data Controller obligations’ under the Act;
- provide the Data Controller with full cooperation and assistance in relation to any complaint or request made, including by:
- providing the Data Controller with full details of the complaint or request
- complying with a data access request within the relevant timescale set out in the Act and in accordance with the Data Controller’s instructions; providing the Data Controller with any Personal Data it holds in relation to a data subject (within the timescales required by the Data Controller)
- providing the Data Controller with any information requested by the Data Controller;
- notify the Data Controller immediately if it becomes aware of:
- any unauthorized or unlawful processing, loss of, damage to or destruction of any of the Personal Data
- or any advance in technology and methods of working which mean that the Data Controller should revise the security measures set out in Schedule 2;
- in the event of the exercise by Data Subjects of any of their rights under the Acts in relation to the Data directly to the Data Processor, inform the Partner as soon as possible, and the Data Processor further agrees to assist the Partner with all data subject information requests which may be received from any Data Subject in relation to any Data;
- in the event that the Data Processor receives a request for any information contained in the Data pursuant to the acts, not to respond to the person making such request but to notify the Partner within 2 working days, and the Data Processor further agrees to assist the Partner with all such requests for information which may be received from any person within such reasonable timescales as may be prescribed by the Partner;
- for the purposes of this Agreement, procure a right in favour of the Partner to enforce the obligations imposed on the Data Processor’s permitted subcontractors directly against such sub-contractors and shall also procure that the terms of any sub-contract shall be governed by the Laws of Ireland and be subject to the jurisdiction of the Irish courts;
- not Process or transfer the Data outside of the European Economic Area except for limited specified purpose and with the express consent of the Partner;
- to notify all incidents of loss of control of Personal Data in manual or electronic form to the Partner, as soon as it becomes aware of the incident, such that the Partner can notify the Data Protection Commissioner within 24 hours;
- in the event of any such breach, to take prompt action to remedy the cause of the breach and to share the costs of such remedy with the Data Controller equally;
- in the event of any such breach, to share the costs of investigation into said breach with the Data Controller equally;
- in the event of any such breach, to promptly, and at its own expense provide the Partner on request with all information required to fulfil its obligations, as Data Controller, under all applicable laws, regulations and codes of practice;
- to otherwise comply with all applicable laws and regulations and with the Personal Data Security Breach Code of Practice insofar as they apply to it;
- the Data Processor shall maintain the Personal Data processed by the Data Processor on behalf of the Data Controller in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. the Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller. the above obligations in this Clause 3.5 (z) shall continue for a period of five (5) years after the cessation of the provision of Services by the Data Processor to the Data Controller. Nothing in this Agreement shall prevent either party from complying with any legal obligation imposed by the Data Protection Commissioner or a court. Both parties shall however, where possible, discuss together the appropriate response to any request from the Data Protection Commissioner or court for disclosure of information;
- the Data Processor shall take appropriate measures to ensure that the people processing the data on its behalf are subject to a duty of confidence;
- the Data Processor shall not subcontract to any third party any of its rights or obligations under this Agreement without the prior written consent of the Data Controller. Where the Data Processor, with the written consent of the Data Controller, does subcontract, it shall do so only by way of a written sub-processing agreement with the subcontractor which imposes the same obligations on the subcontractor as are imposed on the Data Processor under this Agreement and which permits both the Data Processor and the Data Controller to enforce those obligations. For the avoidance of doubt, where the subcontractor does not meet its obligations under any sub-processing agreement, the Data Processor shall remain fully liable to the Data Controller for meeting its obligations under this Agreement;
- the Data Processor shall delete or return all Personal Data to the Partner, as requested, on the termination of this contract;
- the Data Processor shall submit to audits and inspections by or on behalf of the Partner, provide the Partner with whatever information it needs to ensure that they are both meeting their obligations under Article 28 of the GDPR, and will tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state;
- This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 3.5 (z).
4. OBLIGATIONS OF THE PARTNER
4.1 In consideration of the obligations undertaken by the Data Processor in clause 4, the Partner agrees that it shall ensure that it complies at all times with any applicable enactment, and in particular with its obligations as Data Controller under the GDPR and Data Protection Acts.
4.2 In particular, the Partner shall ensure that any disclosure of Personal Data made by it to the Data Processor is made with the data subject's consent, which consent shall have been obtained freely, fairly and after the data subject has been fully informed as to all processing to be applied or is otherwise lawful.
4.3 The Partner shall comply with its responsibilities under the Acts and all applicable laws, regulations and codes of practice.
5.1 Each party to this Data Processing Agreement commits to being responsible for its own acts of infringement of this Data Processing Agreement. A party shall not be liable for any claims, demands, actions, costs, expenses and liabilities, including reasonable legal fees resulting from the culpable infringement committed by the other party or its current and former trustees, directors, officers, employees, agents, and affiliates. Art. 82 of GDPR is in no way altered by this clause 5.1.
6.1 This Agreement shall terminate automatically upon termination or expiry of the Data Processor obligations’ in relation to the Services, and on termination of this agreement the Data Processor shall forthwith deliver to the Partner or destroy, at the Partner’s sole option, all Data in its possession or under its control which has been provided by Direct. Either party may terminate this contract on 30 days written notice to the other party, or without notice in the event of a breach of any of the terms of this agreement.
7.1 Failure by either party to exercise or enforce any rights available to that party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of that party's rights under this agreement.
8.1 If any term or provision of this Agreement shall be held to be illegal or unenforceable in whole or in part under any enactment or rule of law such term or provision or part shall to that extent be deemed not to form part of this agreement but the enforceability of the remainder of this agreement shall not be affected provided however that if any term or provision or part of this agreement is severed as illegal or unenforceable, the parties shall seek to agree to modify this agreement to the extent necessary to render it lawful and enforceable and as nearly as possible to reflect the intentions of the parties embodied in this agreement including without limitation the illegal or unenforceable term or provision or part.
9. ENTIRE AGREEMENT
9.1 This Agreement and the documents attached to or referred to in this Agreement shall constitute the entire understanding between the parties and shall supersede all prior agreements, negotiations and discussions between the parties. In particular the parties warrant and represent to each other that in entering into this agreement they have not relied upon any statement of fact or opinion made by the other, its officers, servants or agents which has not been included expressly in this agreement. Further, each party hereby irrevocably and unconditionally waives any right it may have:
to rescind this Agreement by virtue of any misrepresentation;
to claim damages for any misrepresentation whether or not contained in this agreement;
save in each case where such misrepresentation or warranty was made fraudulently.
10.1 Notices shall be in writing and shall be sent to the other party marked for the attention of the person at the address set out below. Notices may be sent by mail, email or facsimile transmission. Correctly-addressed notices sent by mail shall be deemed to have been delivered 72 hours after posting and correctly directed email or facsimile transmissions shall be deemed to have been delivered instantaneously on transmission providing that they are confirmed as set out as above.
If for the Partner: email address provided to the Data Processor
If for the Data Processor: firstname.lastname@example.org;_______________________________________________________________________________________________________________________________________________________________
THE SERVICES AGREEMENT
Description of all Personal Data accepted from the Data Controller:
Partner’s Personal Data
Partner’s customers’ Personal Data
To perform all the contractual obligations between the Data Processor and the Data Controller.
The following are the Security Measures referred to in Sub-Clause 1.1.:
1. the Data Processor will ensure that in respect of all Personal Data it receives from or processes on behalf of the Data Controller it maintains security measures to a standard appropriate to:
1.1 the harm that might result from unlawful or unauthorized processing or accidental loss, damage or destruction of the Personal Data; and
1.2 the nature of the Personal Data.
2. In particular the Data Processor shall:
2.1 ensure that it
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to a specific individual or members of a team;
2.1.3 that the required information is disseminated to all relevant staff; and
2.1.4 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
2.3 prevent unauthorized access to the Personal Data;
2.4 ensure the storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
2.5 have secure methods in place for the transfer of Personal Data whether in physical form (for instance, by using couriers rather than post) or electronic form (for instance, by using encryption);
2.6 put password protection on computer systems on which Personal Data is stored and ensure that only authorized personnel are given details of the password;
2.7 take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data;
2.8 ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement;
2.9 ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Data Controller;
2.10 have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including:
2.10.1 the ability to identify which individuals have worked with specific Personal Data;
2.10.2 having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Acts; and
2.10.3 notifying the Data Controller as soon as any such security breach occurs.
2.12 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print outs and redundant equipment.