Data Protection
Published 23rd November 2023
DATA PROCESSING ADDENDUM
BACKGROUND:
Purpose:
1.1. The purpose of this DPA is to ensure that the processing of personal data carried out by the Service Provider on behalf of the School complies with the General Data Protection Regulation (GDPR), the Data Protection Act (DPA), and any applicable data protection laws.
Data Subjects:
2.1. The personal data processed under this DPA pertains to individuals, including but not limited to students, parents, guardians, staff, and other individuals associated with the School.
TERMS AND CONDITIONS:
Scope of Processing:
3.1. The Service Provider shall process personal data only on behalf of the customer and for the purposes set forth in the main Agreement.
3.2. The customer instructs the Service Provider to process personal data for the duration of the Agreement.
Data Protection Compliance:
4.1. The Service Provider shall comply with all applicable data protection laws, including but not limited to the GDPR and the DPA.
4.2. The Service Provider shall promptly inform the customer if it believes that any instruction received from the customer infringes data protection laws.
Confidentiality:
5.1. The Service Provider shall ensure that any person it authorises to process personal data on behalf of the customer is subject to a duty of confidentiality.
5.2. The Service Provider shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
Security Incidents:
6.1. The Service Provider shall promptly notify the customer of any security incidents affecting personal data.
6.2. The Service Provider shall cooperate with the customer and take reasonable steps to mitigate the effects of any security incident.
Sub-Processors:
7.1. The customer provides general authorisation for the Service Provider to engage sub-processors. The Service Provider shall inform the customer of any changes in sub-processors, giving the customer the opportunity to object.
7.2. The Service Provider shall ensure that any sub-processor engaged complies with the data protection obligations set forth in this DPA.
Data Subject Rights:
8.1. The Service Provider shall assist the customer in fulfilling its obligations to respond to requests from data subjects.
8.2. The Service Provider shall promptly notify the customer if it receives a request from a data subject relating to the customer’s personal data.
Data Transfers:
9.1. The Service Provider shall not transfer personal data outside of the European Economic Area without the prior written consent of the customer.
9.2. In the event of a data transfer, the Service Provider shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses.
Data Deletion or Return:
10.1. Upon termination of the Agreement, or upon the customer’s request, the Service Provider shall delete or return all personal data processed on behalf of the customer, other than where we are legally required to retain the information for a minimum period.
10.2. The Service Provider shall provide written confirmation of the deletion or return of personal data.
Audit and Compliance:
11.1. The Service Provider shall make available to the customer all information necessary to demonstrate compliance with its obligations under this DPA.
11.2. The customer may, at its own expense, conduct audits or inspections to ensure compliance with this DPA, subject to reasonable advance notice.
GOVERNING LAW:
This DPA shall be governed by and construed in accordance with the laws of England and Wales.