DATA PROCESSING AGREEMENT
(1) LOCKER TECHNOLOGY LIMITED incorporated and registered in England and Wales with company number 12037756 whose registered office is at Unit 434 Birch Park, Thorp Arch Estate, Wetherby, West Yorkshire, LS23 7FG (‘the Processor’)
(A) The Customer and the Processor have entered into an agreement (‘the Services Agreement’) for the Customer to use the Processor’s ‘Connect’ System (‘the System’). In providing that System, the Processor is required to process personal data on behalf of the Customer.
(B) For the purposes of that processing, the parties acknowledge that the Customer is the Data Controller and the Processor is the Data Processor within the meaning of the Data Protection Legislation.
(C) The parties have agreed to enter into this data processing agreement to govern the processing of the Customer’s data by the Processor.
Law: means any law, regulation, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, byelaw, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which the Processor is bound to comply
Processor Personnel: means all directors, officers, employees, agents, consultants and contractors of the Processor and/or of any Sub-Processor engaged in the performance of its obligations under this Agreement
Data Protection Legislation: (i) the GDPR, the LED and any applicable national implementing Laws as amended from time to time; (ii) the DPA 2018; and (iii) all applicable Laws about the processing of personal data and privacy;
Data Protection Impact Assessment: an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Data Protection Officer take the meaning given in the GDPR.
Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by the Processor under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach.
Data Subject Access Request: a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.
DPA 2018: Data Protection Act 2018
GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679)
LED: Law Enforcement Directive (Directive (EU) 2016/680)
Protective Measures: appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it.
Sub-processor: any third Party appointed to process Personal Data on behalf of the Processor related to this Agreement.
2. COMMENCEMENT AND DURATION
2.1 This Agreement will commence on the Service Agreement date and continue until terminated in accordance with the provisions of this Agreement.
2.2 The Processor will process the Personal Data in accordance with this Agreement for the duration of this Agreement.
2.3 Any provision of this agreement that expressly or by implication is intended to come into or continue in force on or after termination of this agreement shall remain in full force and effect.
3. DATA PROTECTION
3.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Processor is the Processor. The only processing that the Processor is authorised to do by the Customer is listed in Schedule One and may not be determined by the Processor.
3.2 The Processor shall notify the Customer immediately if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.
3.3 The Processor shall provide all reasonable assistance to the Customer in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Customer, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
3.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
(a) process that Personal Data only in accordance with Schedule One unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Customer before processing the Personal Data unless prohibited by Law;
(b) ensure that it has in place Protective Measures, which have been reviewed and approved by the Customer as appropriate to protect against a Data Loss Event having taken account of the:
i. nature of the data to be protected;
ii. harm that might result from a Data Loss Event;
iii. state of technological development; and
iv. cost of implementing any measures.
(c) ensure that the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular Schedule One);
(d) take all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
i. are aware of and comply with the Processor’s duties under this clause;
ii. are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor;
iii. are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Customer or as otherwise permitted by this Agreement; and
iv. have undergone adequate training in the use, care, protection and handling of Personal Data; and
(e) not transfer Personal Data outside of the EU unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
i. the Customer or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Customer;
ii. the Data Subject has enforceable rights and effective legal remedies;
iii. the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations); and
iv. the Processor complies with any reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(f) at the written direction of the Customer, delete or return Personal Data (and any copies of it) to the Customer on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.
3.5 The Processor shall notify the Customer immediately if it:
(a) receives a Data Subject Access Request (or purported Data Subject Access Request);
(b) receives a request to rectify, block or erase any Personal Data;
(c) receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
3.6 The Processor’s obligation to notify under clause 3.5 shall include the provision of further information to the Customer in phases, as details become available.
3.7 Taking into account the nature of the processing, the Processor shall provide the Customer with full assistance in relation to either Party’s obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.5 (and insofar as possible within the timescales reasonably required by the Customer) including by promptly providing:
(a) the Customer with full details and copies of the complaint, communication or request;
(b) such assistance as is reasonably requested by the Customer to enable the Customer to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Customer, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Customer following any Data Loss Event;
(e) assistance as requested by the Customer with respect to any request from the Information Commissioner’s Office, or any consultation by the Customer with the Information Commissioner’s Office.
3.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless:
(a) the Customer determines that the processing is not occasional;
(b) the Customer determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; and
(c) the Customer determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
3.9 The Processor shall allow for audits of its Data Processing activity by the Customer or the Customer’s designated auditor.
3.10 The Processor shall designate a data protection officer if required by the Data Protection Legislation.
3.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must:
(a) notify the Customer in writing of the intended Sub-processor and processing;
(b) obtain the written consent of the Customer;
(c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Agreement such that they apply to the Sub-processor; and
(d) provide the Customer with such information regarding the Sub-processor as the Customer may reasonably require.
3.12 The Processor shall remain fully liable for all acts or omissions of any Sub-processor.
3.13 The Customer may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
3.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Customer may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
4. FREEDOM OF INFORMATION
4.1 The Processor acknowledges that the Customer is subject to the requirements of the FOIA and the EIRs.
4.2 The Processor acknowledges that the Customer may be required under the FOIA and EIRs to disclose Information (including Commercially Sensitive Information) provided to the Customer by the Processor in accordance with this Agreement without consulting or obtaining consent from the Processor. The Customer shall take reasonable steps to notify the Processor of a Request For Information to the extent that it is permissible and reasonably practical for it to do so but the Customer shall be responsible for determining in its absolute discretion whether any Commercially Sensitive Information and/or any other information is exempt from disclosure in accordance with the FOIA and/or the EIRs.
4.3 Notwithstanding any other term of this agreement, the Processor consents to the publication of this agreement in its entirety (including variations), subject only to the redaction of information that is exempt from disclosure in accordance with the provisions of the FOIA and EIRs.
4.4 The Customer shall, prior to publication, consult with the Processor on the manner and format of publication and to inform its decision regarding any redactions, but shall have the final decision in its absolute discretion. The Processor shall assist and co-operate with the Customer to enable the Customer to comply with any FOIA and EIR obligations and to publish this agreement.
5.1 The Customer may terminate this agreement by providing one month’s written notice to the Processor.
5.2 If the Processor breaches any provision of this agreement, or any of the Processor’s data protection obligations under the Data Protection Legislation, the Customer may terminate this agreement with immediate effect.
5.3 If, in accordance with clause 3.4(f), the Customer elects for destruction rather than return of the Personal Data, the Processor shall as soon as reasonably practicable ensure that all Personal Data is permanently deleted from the Processor’s System and will provide the Customer with a certificate confirming the deletion of the data.
5.4 If the Customer elects for return rather than destruction of the Personal Data, the Processor shall fulfil such request within 7 days of termination of this agreement.
6.1 No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
6.2 No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
6.3 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
6.4 This agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement.
6.5 This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
6.6 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation.
6.7 This agreement and the documents referred to in it constitute the entire agreement between the parties in relation to the matters dealt with by this Agreement.
Schedule of Processing, Personal Data and Data Subjects
1. The Processor shall comply with any further written instructions with respect to processing by the Customer.
2. Any such further instructions shall be incorporated into this Schedule.
Subject matter of the processing: The Customer’s Management Information System “MIS” holds the master data set for students and staff and the Customer is using Connect to automate the processing of user related data items for staff and students to facilitate the automation of Office 365, Google and Active Directory. The automated process includes the creation and management of users, email distribution lists, pushing timetables into the cloud-based calendars and the maintenance of users and classes in Microsoft Teams and Google Classroom.
Duration of the processing: Duration is defined by the user, but it is typically daily.
Nature and purposes of the processing: The processing is carried out in performance of the Processor’s contractual obligations to the Customer under the Services Agreement.
The nature of processing: includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means) etc.
Type of Personal Data: Full name, email address, year (students), classes, start date, finish date, AD user name.
Categories of Data Subject: Students and Staff
Plan for the destruction of the data once the processing is complete: The data will be retained for 1 month and then permanently deleted.
1. This Annex lists the sub-processors that the Customer has authorised the processor to use in accordance with clause 3.11 of this Agreement.
2. The Customer may, at any time and upon such notice as is reasonable in the circumstances, withdraw its approval in relation to any or all sub-processors listed within this Schedule and upon such withdrawal the Processor must immediately cease using that sub-processor.
3. If the Processor wishes to propose a new sub-processor for approval, it must provide written notice to the Customer detailing the identity of the proposed sub-processor, the nature of the sub-processing and confirmation that a written contract in relation to the sub-processing is in place between the Processor and the sub-processor. The Customer must not unreasonably refuse or delay approval.
4. The Customer may at any time and upon reasonable notice request copies of the contracts between the Processor and its approved sub-processors in relation to the sub-processing.
Sub-contractor details: N/A