Data Processing Addendum
PARTIES:
Behaviour Smart Ltd of 5 Cavendish Road, Sheffield, S11 9BH, a company registered under number 12846336 “the Provider”
and
The educational establishment entering into the primary Agreement with the Provider “the Customer”
DEFINITIONS:
Addendum:
means this Data Processing Addendum.
Agreement:
means the overarching Terms and Conditions for provision of services between the Provider and the Customer.
Appropriate Safeguards:
has the meaning given in the UK GDPR.
Controller:
has the meaning given in the UK GDPR.
Data Loss Event:
means any event that results or may result in unauthorised access to, loss of, or destruction of the Personal Data, including any Personal Data Breach.
Data Processing Schedule:
means Schedule 1 to this Addendum which identifies the Personal Data and Data Subjects and sets out the scope, nature, purpose and duration of the Processing by the Provider.
Data Protection Impact Assessment:
means a risk assessment by the Controller of the impact of the envisaged processing on the protection and confidentiality of the Personal Data.
Data Protection Legislation:
means all applicable laws in the UK relating to data protection, processing of personal data and privacy, including the UK GDPR and Data Protection Act 2018 as amended from time to time.
Data Protection Officer:
has the meaning given in the UK GDPR.
Data Subject:
has the meaning given in the UK GDPR.
Personal Data:
has the meaning given in the UK GDPR.
Provider Personnel:
means all directors, officers, employees, agents and consultants of the Provider engaged in the provision of services under the Agreement.
Personal Data Breach:
has the meaning given in the UK GDPR.
Processor:
has the meaning given in the UK GDPR.
Processing:
has the meaning given in the UK GDPR. The terms Process, Processes and Processed will be construed accordingly.
Security Measures:
means appropriate technical and organisational measures as detailed in Article 32 of the UK GDPR, to ensure the security of the Personal Data and prevention of a Data Loss Event.
Subject Access Request:
means a request made by, or on behalf of, a Data Subject in accordance with rights granted under the Data Protection Legislation to access their Personal Data.
Sub-Processor:
means any third party appointed to Process the Personal Data on behalf of the Provider in relation to the provision of services under the Agreement.
Transfer Risk Assessment:
means an assessment of the privacy and security risks associated with transferring the Personal Data to a territory that is outside the UK and EU.
UK GDPR:
means the retained version of the General Data Protection Regulation (EU 2016/679) as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).
1. INTRODUCTION
1.1 This Addendum and its Data Processing Schedule reflects the arrangements between the Parties for Processing of the Personal Data by the Provider on behalf of the Customer, in connection with the provision of services under the Agreement.
1.2 This Addendum forms an integral part of the Agreement and is incorporated into the Agreement by reference.
1.3 Both Parties shall comply with all applicable requirements of the Data Protection Legislation. This Addendum does not relieve, remove, or replace either Party’s obligations under the Data Protection Legislation.
1.4 Each Party shall bear its own costs in relation to compliance with this Addendum and the Data Protection Legislation.
1.5 The Parties acknowledge that for the purposes of the Data Protection Legislation and this Addendum, the Customer is the Controller and the Provider is the Processor.
2. PROCESSOR OBLIGATIONS
2.1 The Processor will process Personal Data only in accordance with the Controller’s written instructions unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law.
2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation.
2.3 Information Security
2.3.1 The Processor shall ensure appropriate technical and organisational measures are implemented to ensure the security of Personal Data held on behalf of the Controller.
2.3.2 The Processor shall ensure that the Provider Personnel are subject to a contractual duty of confidentiality and do not process Personal Data except in accordance with this Addendum.
2.3.3 In respect of any Data Loss Event the Processor shall:
2.3.3.1 notify the Controller without undue delay;
2.3.3.2 provide timely updates and information about the investigation of the Data Loss Event;
2.3.3.3. take reasonable steps to contain and mitigate the effects of the Data Loss Event; and
2.3.3.4 provide any reasonable assistance requested by the Controller.
2.4 Reasonable Assistance to the Controller
2.4.1 The Processor shall provide all reasonable assistance to the Controller in connection with:
2.4.1.1 compliance with Article 32; and
2.4.1.2 the preparation of any Data Protection Impact Assessment that may be required, prior to the commencement of the Processing under this Addendum.
2.4.2 In the event that the Processor receives a Subject Access Request or any other request from a Data Subject relating to their rights, the Processor shall:
2.4.2.1 notify the Controller immediately; and
2.4.2.2 provide any reasonable assistance requested by the Controller to comply with relevant Data Protection Legislation.
2.4.3 In the event that the Processor receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; or any communication from the Information Commissioner’s Office or any other regulatory authority in connection with Personal Data processed under this Addendum, the Processor shall:
2.4.3.1 notify the Controller immediately; and
2.4.3.2 provide any reasonable assistance requested by the Controller to comply with relevant Data Protection Legislation.
2.5 Sub-Processors
2.5.1 The Controller authorises the use of the Sub-Processors listed in Schedule 1.
2.5.2 The Processor shall enter into a written agreement with each Sub-Processor which shall contain terms equivalent to those set out in this Addendum such that they apply to the Sub-Processor.
2.5.3 The Processor shall remain fully liable for all acts or omissions of any Sub-Processor.
2.5.4 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, providing the Controller a minimum of 14 calendar days to object to such appointment on reasonable grounds relating to data protection.
2.5.5 In the event that the Controller objects to the appointment of a new Sub-Processor under clause 2.5.4 above, the Parties shall approach such concerns in good faith with a view to achieving resolution.
2.5.6 If the Parties are not able to achieve resolution under clause 2.5.5 above then the Controller may terminate the Agreement, including this Addendum.
2.6 International Transfers
2.6.1 The Processor shall only transfer Personal Data outside of the UK and EU if it has implemented Appropriate Safeguards to ensure the protection of the Personal Data in the destination territory, in accordance with the Data Protection Legislation.
2.6.2 In the event of any transfer of Personal Data outside of the UK and EU, the Processor shall carry out a Transfer Risk Assessment to determine that the Data Subject has sufficiently enforceable rights and effective legal remedies.
2.7 Audits
2.7.1 The Processor shall maintain and make available to the Data Controller upon request complete and accurate records and information to demonstrate its compliance with this Addendum and the Data Protection Legislation.
2.7.2 The Processor shall allow for audits and inspections by the Controller or the Controller’s designated auditor, to establish the Processor’s compliance with the terms of this Addendum.
2.8 Termination of the Agreement
2.8.1 Upon termination of the Agreement and at the written direction of the Controller, the Processor shall either delete or return the Personal Data to the Controller unless the Processor is required by Law to retain the Personal Data.
2.8.2 The Parties agree that the plan for return and destruction of the Personal Data once the Processing is complete is detailed in Schedule 1.
3. INDEMNITY
3.1 The Processor shall indemnify the Controller against any losses or damages incurred by the Controller as a direct or indirect result of third-party claims relating to the Processor’s failure to comply with the Data Protection Legislation and the obligations set out in this Addendum. This indemnity shall not apply to the extent that the act or omission was a direct result of an express instruction of the Controller.
SIGNED FOR AND ON BEHALF OF EACH PARTY
Name of signatory:
Signed on behalf of the Provider:
Position:
Date:
…………………………………………………………………………………………………………………………………………….
Name of signatory:
Signed on behalf of the Customer:
Position:
Date:
SCHEDULE 1: DATA PROCESSING SCHEDULE
Description
Details
Subject matter of the processing
Provision of services by the Provider to the Customer, under the Agreement.
Duration of the processing
The duration of the Agreement.
Nature and purposes of the processing
The Provider will Process the Personal Data for provision of services to the Customer in relation to behaviour management and incident recording within the educational setting.
Type of Personal Data
The Provider will Process the following Personal Data on behalf of the Customer:
· Pupil full name
· Unique pupil number (UPN)
· Year group
· Details relating to recorded behaviour incidents
· Pupil behaviour plans and risk assessments
The Provider will also Process the following:
· Staff full name
· Staff email address
· Details of staff incident reflection
Categories of Data Subject
· Staff (including volunteers and temporary workers)
· Students/pupils.
Plan for return and destruction of the data once the processing is complete UNLESS required to retain under UK law
Upon termination of the agreement, the Provider will delete or return all copies of Personal Data held on behalf of the Customer, unless required to retain the data under applicable law.
Authorised Sub-Processors
The following Sub-Processors are used:
Akamai
Cloudflare
Amazon Web Services (AWS)
Wonde
International Transfers
Some information may be Processed by Sub-Processors outside of the UK. Adequate safeguards have been implemented to ensure the protection of the Personal Data in the destination territory, in accordance with the Data Protection Legislation.