Data Processing Agreement (DPA)

This Data Processing Agreement (the “DPA”) is entered into by DreamApply OÜ (“Processor”), the Student Admissions Platform “DreamApply” provider whose registered address is Pärnu mnt 102b, Tallinn, Estonia and A university or other educational institution (“Controller”), who accepts applications from prospective students using Student Admissions Platform “DreamApply” or any other platform or service provided by the Processor and has concluded an Agreement with the Processor. This DPA governs the processing of personal data that the Processor processes on behalf of the Controller.

  1. Definitions
    1.1.Controller’s Personal Data means Personal Data that Processor processes on behalf of Controller in connection with its use of Processor’s services.
    1.2. Data Protection Requirements means the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation.
    1.3.EU Personal Data means Personal Data of which the sharing pursuant to this DPA is regulated by the General Data Protection Regulation and Local Data Protection Laws.
    1.4. General Data Protection Regulation means the European Union Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
    1.5. Local Data Protection Laws means any subordinate legislation and regulation implementing the General Data Protection Regulation which may apply to this DPA.
    1.6. Personal Data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It includes data that Controller chooses to provide to Processor.
    1.7. Personal Data Breach means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller’s Personal Data.
    1.8. Privacy Laws means all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
    1.9. Process and its cognates mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
    transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    1.10. Controller – means the institution who have obtained the services from the Processor.
    1.11.Supervisory Authority means Estonian Data Protection Inspectorate. 
  1. Nature of data processing

2.1. Processor is a data processor, who processes data on behalf of the Controller. Processor agrees to process Personal Data received under the DPA only for the purposes set forth in this DPA. For the avoidance of doubt, the categories of Personal Data processed are described in Annex A and B to this

  1. Compliance with laws

3.1. The parties shall each comply with their respective obligations under all applicable Data Protection Requirements. 

  1. Controller’s obligations

4.1.  Controller agrees to: 

4.1.1. Provide instructions to Processor and determine the purposes and general means of Processor’s processing of Controller’s Personal Data in accordance with this DPA;
4.1.2. Comply with its data protection, security and other obligations with respect to Controller’s Personal Data prescribed by Data Protection Requirements for data Processors by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring
compliance with the provisions of this DPA by its personnel or by any third-party accessing or using
Controller’s Personal Data on its behalf. 

4.1.3. Controller is responsible for obtaining consent from data subjects, where applicable.  Consent is an indication from the data subject to allow their Personal Data to be processed by Controller. Consent needs to be in a written or electronic form. 

4.1.4. Controller is responsible of using DreamApply integrations with third-party service providers Such third-party service providers are separate data processors that DreamApply has no control over. Although DreamApply chooses the integration providers based on overall level of compliance, Controller should read the terms and privacy documentation of the third-party service provider before integrating it to its processes and systems.   

  1. Processor’s obligations

5.1. Processor will:
5.1.1. Process Controller’s Personal Data (i) only for the purpose of providing, supporting and improving Processor’s services, using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Controller. Processor will not use or process the
Controller’s Personal Data for any other purpose. Processor will promptly inform Controller if it cannot comply with the requirements under Sections 5-8 of this DPA, in which case Controller may terminate this DPA or take any other reasonable action, including suspending data processing operations;
5.1.2. Inform Controller promptly if, in Processor’s opinion, an instruction from Controller violates applicable Data Protection Requirements;
5.1.3. Take commercially reasonable steps to ensure that persons employed by it and other persons engaged to perform on Processor’s behalf comply with the terms of this DPA;
5.1.4. Ensure that its employees, authorized agents and any sub-processors are required to comply
with and acknowledge and respect the confidentiality of the Controller’s Personal Data, including after the end of their respective employment, contract or assignment. The Processor and any person acting under its authority who has access to Controller’s Personal Data, shall not process that data unless upon instructions by the Controller, including the powers granted under this DPA, unless they are required to do so by law;
5.1.5. Upon request, provide Controller with a summary of Processor’s privacy and security policies or other documented evidence that the Processor has implemented necessary technical and organizational measures;
5.1.6. Inform Controller if Processor undertakes an independent security review;
5.1.7. Maintain appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Controller’s Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Controller’s Personal Data;
5.1.8. Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Processor personnel with respect to Controller’s Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
5.1.9. Take reasonable steps to confirm that all Processor personnel are protecting the security, privacy and confidentiality of Controller’s Personal Data consistent with the requirements of this DPA, and
5.1.10. Notify Controller of any Personal Data Breach by Processor, its sub-processors, or any other third parties acting on Processor’s behalf without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach.
5.2. Processor will inform Controller if Processor becomes aware of:
5.2.1. Any non-compliance by Processor or its employees with Sections 5-8 of this DPA or the Data Protection Requirements relating to the protection of Controller’s Personal Data processed under this DPA;
5.2.2. Any legally binding request for disclosure of Controller’s Personal Data by a law enforcement authority, unless Processor is otherwise forbidden by law to inform Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
5.2.3. Any notice, inquiry or investigation by a Supervisory Authority with respect to Controller’s Personal Data or
5.2.4. Any complaint or request (in particular, requests for access to, rectification or blocking of Controller’s Personal Data) received directly from Controller’s data subjects. Processor will not respond to any such request without Controller’s prior written authorization.
5.3. Processor will provide reasonable assistance to Controller regarding:
5.3.1. Any requests from Controller’s data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Controller’s Personal Data that Processor processes for Controller. If a data subject sends such a request directly to Processor, Processor will promptly send such request to Controller. Such requests shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.
5.3.2. The investigation of Personal Data Breaches and the notification to the Supervisory Authority and Controller ‘s data subjects regarding such Personal Data Breaches
5.3.3. Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
5.4. Processor may claim a reasonable fee for support services which are not included in the description of the services, and which are not attributable to failures on the part of the Processor.
5.5. If Processor is required by Data Protection Requirements to process any Controller’s Personal Data for a reason other than providing the services described in the DPA, Processor will inform Controller of this requirement in advance of any processing, unless Processor is legally prohibited from
informing Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
5.6. If Processor intends to engage sub-processors to help it satisfy its obligations in accordance with this DPA or to delegate all or part of the processing activities to such sub-processors, Processor must
(i) keep an exclusive of the list of sub-processors which Processor maintains online; (ii) remain liable to Controller for the sub-processors’ acts and omissions with regard to data protection where such sub-processors act on Processor’s instructions; and (iii)enter into contractual arrangements with such sub-processors binding them to provide the same level of data protection and information security to that provided for in this DPA. Current sub-processors are listed in the Annex A. Hereby Controller provides
Processor with general written authorization for engaging sub-processors, Processor shall inform Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving Controller the opportunity to object to such changes. 

  1. Liability and audits
    6.1. Any person who has suffered material or non-material damage as a result of an infringement of Data Protection Requirements, has the right to receive compensation from Controller or Processor for the damage suffered. The party responsible for the event giving rise to the damage must compensate the damage to the data subject.

6.2. Controller shall be liable for the damage caused by processing which infringes the Data Protection Requirements. Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the Data Protection Requirements specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
6.3. Controller or Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
6.4. If a Supervisory Authority requires an audit of the data processing facilities from which Controller processes Controller’s Personal Data to ascertain or monitor Controller ‘s compliance with Data Protection Requirements, Processor will cooperate with such audit.
6.5. Upon consultation with the Processor, the Controller has the right to carry out inspections or to have them carried out by an auditor to be designated on a case-by-case basis. The auditor shall have the right to assess the Processor’s compliance with this DPA in his business operations by means of
random checks, which are ordinarily to be announced in advance.
6.6. Processor shall allow the Controller to verify compliance with its obligations as provided by the General Data Protection Regulation. Processor undertakes to give the Controller the necessary information on request and, in particular, to demonstrate the implementation of the technical and organizational measures.

  1. Data return and deletion
    7.1. Processor shall not create copies or duplicates of Controller’s Personal Data without the Controller’s knowledge and consent except for backup copies and as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
    7.2. The parties agree that on the termination of the data processing services or upon Controller’s reasonable request, Processor shall, and shall cause any sub-processors to, at the choice of Controller, return all the Controller’s Personal Data and copies of such data to Controller or securely destroy them
    and demonstrate to the satisfaction of Controller that it has taken such measures, unless Data Protection Requirements prevent Processor from returning or destroying all or part of the Controller’s Personal Data disclosed. In such case, Processor agrees to preserve the confidentiality of the Controller’s Personal Data retained by it and that it will only actively process such Controller’s Personal Data after such date in order to comply with applicable laws. The Processor is exempt from this obligation when required to retain the data by law.
  2. Third-party data processors
    8.1. Processor acknowledges that in the provision of some services, Processor on receipt of instructions from Controller, may transfer Controller’s Personal Data to and otherwise interact with third-party data processors. Processor agrees that if and to the extent such transfers occur, Processor is responsible
    for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with Data Protection Requirements. For avoidance of doubt, such third-party data processors are not sub-processors.
  3. Term
    9.1. This DPA shall remain in effect for as long as Processor carries out Personal Data processing operations on behalf of the Controller or until the termination of the Agreement. All Personal Data must be returned or deleted in accordance with Section 7 above.
  4. Miscellaneous
    This DPA shall be governed by the laws of Estonia and any action or proceedings related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Harju County Court, Tallinn, Estonia.

ANNEX A to the DPA
Student Admissions Platform “DreamApply” 

1. Data Subjects.
The personal data processed concerns (i) the applicants (a natural person)applying to study at Controller institution (submitted and not submitted applications), (ii)advisors(a natural person who sends applicants to the Controller and who is given access and rights by the Controller), (iii) contact persons (a natural person, information shall be provided by the respective applicant),(iv) referees (a natural person, information shall be provided by the respective applicant) and administrators registered on
DreamApply platform by and/or on behalf of the Controller (Administrators), (v)persons who’s data is collected through functional add-ons. 

2. Purposes of the processing.
The processing is intended to enable to allow the Controller to manage applications through Student Admissions Platform “DreamApply” and to perform marketing through functional add-ons. The Processor has to provide support where necessary. The Controller determines the purposes of the
processing of personal data and via platform provided by Processor, authorizes and oversees any such data processing. The Controller is collecting and reviewing the information that is submitted by the applicants through the DreamApply platform. 

3. Categories of Data.
The personal data transferred concerns the following categories of data:
3.1. User Data (personal data) of the applicants: personal information necessary for submitting application(s) to the Controller — contact information, information about prior education and experiences on the field, identification information, information about language skills and other relevant info necessary for applying (the full list is available in the Platform). The Controller decides the information necessary for applying based on national law, Controller’s practice and specific program where the applicant is applying.
3.2. User Data (sensitive data) of the applicants: sensitive data may not be collected by the Controller, except data about health (disabilities). Health information may be collected by the Controller only on voluntary basis for the purpose of acknowledging special requirements to the facilities or if it is required by the law. In case the Controller will collect sensitive data via DreamApply platform it has the obligation to notify the applicant.
3.3. Data (personal data) of the Advisors: name, territory, tracker, e-mail, postal address, login code, contract validity (and date of signing), group, notes, attachments, access rights (ability to manage and/or view applications made).
3.4. Data (personal data) of the contact persons (emergency contact for the applicant): name, e-mail, phone number, postal address, relationship with the respective applicant (i.e., mother, father).
3.5. Data (personal data) of the referee (if inserted by the applicant): name, e-mail, work position.
3.6. Data about the administrators registered on DreamApply by Controller: name, e-mail, position, access rights and actions on the platform. 

4. Processing activities
The personal data transferred will be subject to the following basic processing activities:
4.1. application filing and processing;
4.2. statistical reports gathering;
4.3. automatic requirements analysis;
4.4. offer and document generation;
4.5. support (towards Controller and use of “DreamApply”) related processing activities;
4.6. advisors and their contract management;
4.8. lead (potential applicant) management;
4.9. during marketing activities through functional add-ons collection of contacts, study interests and data about information channels
The Controller grants the right and is aware that the Processor uses non-personalized data about the applicants for research purposes (including for non-personalized statistics) to improve efficiency and quality of the system, predict information and data flows in order to better respond to Controller’s
(including the applicants) needs and improve awareness of services offered to potential partners. The Controller grants the Processor the exclusive and irrevocable right to generate anonymous statistics concerning the use of the DreamApply platform and to analyze and share such statistics for business
development, marketing and promotional purposes in any media formats and through any websites, social media networks or media channels now known or hereafter discovered or developed. Such anonymous statistics will only be shared when generalized (including but not limited to generalized on
university, city, country level). The amount and type of data collected depends on the Controller and the requirements of applying. The Controller has the possibility upon request of the data subject to rectify, remove or block incorrect data about data subjects. The Controller is required to ensure that a data subject gives valid consent to the processing of his or her personal data for one or more specific purposes and Is notified about his/her rights. 

5. Duration of processing
The Controller decides the duration of the processing based on the national laws as well as the study term. The Controller decides the duration of storing the data. The Controller has the technical possibility and shall delete the personal data according to its regulations when it is no longer necessary to process for the purposes it was collected and is not required to be processed by the law. After deletion, the data will be automatically deleted also from back-ups within 15-45 days. 

6. Infrastructure providers and sub-processors
The Processor’s infrastructure providers and sub-processors are brought out here Bear in mind this is a list which is kept up to date at all times. 

7. Additional Useful Information
7.1. The Controller operating under European Union Data Protection Regulations shall inform the applicants about data processing activities, including the legal ground, retention period, security measures, asses, rectification, deletion, recipients, complaint procedures etc. Controller shall submit the Privacy Notice and Cookie Notice on Student Admissions Platform “DreamApply”. Each Party shall be responsible for setting up a cookie banner relating the cookies the respective party uses (as a data controller) being liable for its existence and content. Processor, upon a request received from a
Controller may provide a training on how to set up the cookie banner.
7.2. The Administrators, depending on what rights Controller has given them (directly and/or indirectly via other Administrators), can delete applications of the applicants – either case-by-case, or by bulk (for example choosing all the applicants of last semester). If an applicant deletes his/her application to the
study program of the controller, then the Administrator has to confirm the deletion before the deletion takes place from DreamApply side.
7.3. Client happiness department (support provided to the Controller in regard with the use of “DreamApply” by the Processor) has access to the Controller’s Personal Data. All the accesses are logged – from the client happiness department as well as from the Controller(administrator) side, the
logs only show when the access started but not when it ended. Configuration team of the Processor shall have access to the Controller’s Personal Data within the first year of professional relationship in order to provide support, after a year their access is revoked. Access from the Processor side is only
via internal network and/or via VPN, 2nd factor identification if required for every user. Reason for access needs to be provided and saved in the system. 

ANNEX B to the DPA
Learning Agreements Platform 

1. Data Subjects.
The personal data processed concerns Controller’s (Sending or Receiving Institution) exchange students and employees (Coordinator or Contact person) using the Learning Agreements platform. 

2. Purposes of the processing.
The processing is intended to enable to allow the Controller to manage learning agreements. The Processor provides the platform for agreements exchange and signing. The Controller may act as Sending or Receiving Institution. Sending Institution is the HEI which sends the student to exchange program and Receiving Institution is the HEI which accepts the student to their
institution as exchange student. Data processing is carried out by all parties (Student, Sending Institution, Receiving Institution, Dream Apply as data Processor). All parties will undertake to follow the data protection laws and principles while using the platform. The detailed information and roles can be read on the platform website. Section 7 of this Annex B is also relevant in this respect. 

3. Categories of Data.
Controller’s employee identification data as the platform user as well as the students’ and/or exchange students’ identification and education data when managing the exchange agreements on the platform. 

4. Processing activities
Management of student exchange programs and admissions, signing of learning agreements. 

5. Duration of processing
The Controller decides the duration of the processing based on the national laws as well as the study term. The Controller decides the duration of storing the data. The Controller has the technical possibility and shall delete the personal data according to its regulations when it is no longer necessary to process for the purposes it was collected and is not required to be processed by the law. After deletion, the data will be automatically deleted also from back-ups within 15-45 days. 

6. Infrastructure providers and sub-processors
The Processor’s infrastructure providers and sub-processors are brought out here This is a list which is kept up to date at all times. The Learning Agreement website also uses third-party service provider Google for functional web-cookies. 

7. Additional Useful Information
The website and the Learning Agreement platform provided by Dream Apply OÜ (the Processor) is free of charge service that is regulated by the Processor’s general Terms of Service and this Data Processing Agreement. Please also read the specific information and terms regarding Learning Agreement platform on the website after logging in. Related personal data processing is allocated to the same privacy safeguards and policies as the Processor’s main service DreamApply Platform. 

Similarity Check Services (provided by sub-processor Turnitin LCC) 

1. Data Subjects.
The personal data processed concerns the applicants (a natural person) applying to study at academic institutions. 

2. Purposes of the processing.
The processing is intended to enable the Controller to detect potential plagiarism in the academic sectors. Collection, storage, retrieval, use (in the context of text matching functions). 

3. Categories of Data.
First name, family name, email address, student ID number, content, academic papers or proposed published texts. 

4. Recipients 

The personal data processed may be disclosed only to institution which the applicant has submitted application to. 

5. Additional Useful Information
Controller´s Personal data is encrypted and stored separately from any other data stored and processed by Turnitin LCC and will be decrypted only in the event Processor has made a request to Turnitin LCC to verify the details of personal data. The Controller´s Personal data provided by Processor cannot be used for indexing or providing matches for Turnitin LCC other customers, or for training of machine learning algorithm, unless the Personal Data is fully anonymized and anonymization method is approved by Processor. 

6. DreamID product (provided by DreamApply OÜ as Data Controller)

6.1. Controller – Processor roles
DreamID product is provided by DreamApply OÜ as securely authenticated applicant account manager for universities and/or other higher education institutions (HEI). To enable for applicants to register/log-in to different higher education institutions’ applications with one DreamID account DreamApply needs to collect applicant’s Name and E-mail address as minimum set of data to enable secure authentication of the respective applicant. DreamApply acts as Data Controller regarding the DreamID product on the basis of the activities of creating DreamID accounts for the applicants regardless of the specific HEI the applicant is applying to and uses the same account for applying to any other higher education institution. As DreamApply is Data Controller regarding the DreamID product DreamApply also carries the responsibility of data subjects’ rights (i.e., access and deletion) and security of the Personal Data. DreamApply as Data Controller also decides the purposes and means of data processing regarding DreamID.
6.2. Data Subjects.
The personal data processed concerns the applicants (a natural person) applying to study at HEI.
6.3. Purposes of the processing.
The processing is intended to enable DreamID account and secure login service.
6.4. Categories of Data.
Full name, Email address, Password, Security history (login history).  

Optional: Multi-factor authentication details, such as a Backup code, Authentication app (TOTP), phone number or Security keys (Ex: YubiKey)
6.5. Recipients.
The personal data processed may be disclosed only to HEI which the applicant has submitted application to.
6.6. Additional Useful Information
DreamID product functionalities are described in DreamID Privacy Notice available here: