Double First Ltd Data Processing Provisions

1 Processing of personal data

Definitions
1.1 In this clause 1:
1.1.1 Applicable Law means as applicable and binding on the Customer, the Company and/or the Goods:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgement or decree; or
(d) any applicable direction, policy rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
1.1.2 Controller, Data Subject, Personal Data, Processor and processing shall have the respective meanings given to them in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly) and international organisation and Personal Data Breach shall have the respective meanings given to them in the GDPR;
1.1.3 Data Protection Laws means, as applicable and binding on either party or the Services:
(a) the Directive 95/46/EC (Data Protection Directive) and/or Data Protection Act 1998 or the GDPR;
(b) any laws which implement any such laws;
(c) any laws that replace, extend, re-enact, consolidate or amend any of the foregoing from time to time; and
(d) any Applicable Law which may be in force from time to time relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by any supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction.
1.1.4 GDPR means the General Data Protection Regulation (EU) 2016/679;
1.1.5 Protected Data means Personal Data received from or on behalf of the Customer in connection with the performance of the Company’s obligations under the Contract; and
1.1.6 Sub-Processor means any agent, subcontractor or other third party (excluding its employees) engaged by the Company for carrying out any processing activities on behalf of the Customer in respect of the Protected Data.

Compliance with Data Protection Laws

1.2 The parties agree that the Customer is a Controller and that the Company is a Processor for the purposes of processing Protected Data pursuant to the Contract, provided that:
(a) where the Customer has chosen to use an Alternative Hosting Solution, the Customer is the Controller and the Alternative Hosting Solution provider is the Processor for the purposes of processing Personal Data in connection with that part of the support services and any internet or hosting services; and in such cases it is the responsibility of the Customer and the Alternative Hosting Solution provider to comply with their respective Controller and Processor obligations under the Data Protection Laws; and
(b) where the Customer has chosen to use an Alternative SMS Solution, the Customer is the Controller and the Alternative SMS Solution provider is the Processor for the purposes of processing Personal Data in connection with that part of the support services and any SMS services; and in such cases it is the responsibility of the Customer and the Alternative SMS Solution provider to comply with their respective Controller and Processor obligations under the Data Protection Laws.
1.3 The Customer shall at all times comply with all Data Protection Laws in connection with the processing of Protected Data. The Customer shall ensure all instructions given by it to the Company in respect of Protected Data (including the terms of the Contract) shall at all times be in accordance with Data Protection Laws. The Customer shall immediately inform the Company if the Customer believes that any instruction given by it to the Company is likely to infringe the Data Protection Laws.
1.4 The Customer warrants, represents and undertakes, that:
1.4.1 all data sourced by the Customer for use in connection with the Goods shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects and/or in the cases of children’s Personal Data consent from whoever holds parental responsibility for the child), with Data Protection Laws;
1.4.2 all instructions given by the Customer to the Company in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
1.4.3 the Customer is satisfied that:
(a) the Company’s processing operations are suitable for the purposes for which the Customer proposes to use the Goods and engage the Company to process the Protected Data; and
(b) the Company has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
1.5 You shall not unreasonably withhold, delay or condition your agreement to any change requested by us so as to ensure the Company (and each Sub-Processor) can comply with Data Protection Laws.
1.6 The Company shall process Protected Data in compliance with (i) the obligations of Data Processors placed on it under Data Protection Laws in respect of the performance of its obligations under the Contract and (ii) the terms of the Contract.
1.7 The Customer shall indemnify and keep indemnified the Company against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by the Customer (and by any Processors engaged by the Customer, including but not limited to any Alternative SMS Solution providers and Alternative Hosting Solution providers) of its obligations under these Data Processing Provisions.

Instructions

1.8 The Company shall:
1.8.1 only process (and shall ensure Company Personnel only process) the Protected Data in accordance with the Customer’s documented instructions as set out in these Data Processing Provisions and the Software Terms and Conditions (and not otherwise unless alternative processing instructions are agreed between the parties in writing) except where otherwise required by Applicable Law (and shall inform the Customer of that legal requirement before processing, unless Applicable Law prevents it doing so on important grounds of public interest);
1.8.2 without prejudice to clause 1.2, if the Company believes that any instruction received by it from the Customer is likely to infringe the Data Protection Laws it shall promptly inform the Customer and be entitled to cease to provide the relevant Goods until the parties have agreed appropriate amended instructions which are not infringing.

Security

1.9 Taking into account the state of technical development and the nature of processing, the Company shall implement and maintain the technical and organisational measures set out in Part B of these Data Processing Provisions to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.

Sub-processing and personnel

1.10 The Company shall ensure that all persons authorised by the Company (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case we shall, where practicable and not prohibited by Applicable Law, notify you of any such requirement before such disclosure).
1.11 The Company shall not permit any processing of Protected Data by any agent, sub-contractor or other third party (except our or our Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the Customer’s prior written authorisation (such authorisation not to be unreasonably withheld, conditioned or delayed) and ensure in each case that processing is strictly limited to individuals who need to know/access the Protected Data as strictly necessary for the purpose of providing the Services.
1.12 The Company shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data without the Customer’s written authorisation of that specific Sub-Processor (such authorisation not to be unreasonably withheld, conditioned or delayed) provided that the Customer authorises the Company to use the Sub-Processors already engaged by the Company as at the date of the Contract, including but not limited to the current providers for the Preferred Hosting Option and Preferred SMS Option. The Company shall make available to the Customer a list of all Sub-Processors authorised to process the Protected Data (Sub-Processor List). At least ten (10) business days prior to authorising any new Sub-Processor to process Protected Data, the Company shall provide notice to the Customer of the update to the Sub-Processor List.
1.13 If the Customer notifies the Company in writing of any objections (on reasonable grounds) to a Sub-Processor being added to the Sub-Processor List within ten (10) business days after the date of the applicable Sub-Processor notice to the Customer:
1.13.1 the Company shall work with the Customer in good faith to make available a commercially reasonable change in the provision of the Goods which avoids the use of that proposed Sub-Processor; and
1.13.2 where such a change cannot be made and the Company chooses to retain the Sub-Processor, the Company shall notify the Customer at least ten (10) business days prior to the authorisation of the Sub-Processor to process Personal Data and the Customer may discontinue using the relevant Goods and terminate the relevant portion of the Goods which require the use of the proposed Sub-Processor immediately upon written notice to us, such notice to be given by the Customer within thirty (30) business days of having been so notified by the Company.
1.14 The Company shall:
1.14.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under clauses 1.2 to 1.20 (inclusive) that is enforceable by the Company;
1.14.2 ensure each such Sub-Processor complies with all such obligations; and
1.14.3 remain fully liable to the Customer under the Contract for all the acts and omissions of each Sub-Processor as if they were the Company’s.

Assistance

1.15 The Company shall (at the Customer’s cost):
1.15.1 assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the processing and the information available to the Company; and
1.15.2 taking into account the nature of the processing, assist the Customer (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.

International transfers

1.16 The Company will not transfer or otherwise process Protected Data outside the European Economic Area (EEA) without obtaining the Customer’s prior written consent. The Customer agrees that the Company may transfer Protected Data that includes the types of Personal Data set out in Part A of these Data Processing Provisions for the purpose of providing the Goods to countries outside the European Economic Area (EEA) or to any International Organisation(s) (an International Recipient), provided all transfers by the Company of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of these Data Processing Provisions shall constitute the Customer’s instructions with respect to transfers in accordance with clause 1.6 of this Appendix 1.
1.17 Sub-Processors will not transfer or otherwise process Protected Data outside the European Economic Area (EEA) without obtaining the Customer’s prior written consent. The Customer agrees that the Sub-Processors on the Sub-Processors List may transfer Protected Data that includes the types of Personal Data set out in Part A of these Data Processing Provisions for the purpose of providing the Goods to countries outside the European Economic Area (EEA) or to any International Organisation(s) (an “International Recipient”), provided all transfers by the Sub-Processors of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of these Data Processing Provisions shall constitute the Customer’s instructions with respect to transfers in accordance with clause 1.8 of this Appendix 1.

Audits and processing

1.18 The Company shall, in accordance with Data Protection Laws, make available to the Customer such information that is in its possession or control as is necessary to demonstrate the Company’s compliance with the obligations placed on it under these Data Processing Provisions and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to a maximum of one audit request in any 12 month period under this clause 1.18).

Breach

1.19 The Company shall notify the Customer without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.

Deletion/return

1.20 On the end of the provision of the Goods relating to the processing of Protected Data, at the Customer’s cost and the Customer’s option, the Company shall either return all of the Protected Data to the Customer or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires the Company to store such Protected Data. This clause 1.20 shall survive termination or expiry of this Agreement.

Part A

Data processing details

Processing of the Protected Data by the Company under the Contract shall be for the subject-matter, duration, nature and purposes and involve the types of personal data and categories of Data Subjects set out in this Part A.
1 Subject Matter, Nature, Purpose and Duration of processing:
The Company will process Protected Data to provide the Goods to you. The processing of Protected Data shall be for the term of the Contract or until the Company’s legal obligations in relation to the processing of the Protected Data have ceased.
2 Type of Personal Data:
2.1 The software provided by the Company for pupil, student, parent and teacher information management generally includes portals for teachers, pupils and students and parents, an iOS and Android school application for parents, information on fees, assessment reports, examinations, attendance, curriculum, timetable, special educational needs, performance tracking, extra-curricular and co-curricular activity and accounts.
2.2 The types of Personal Data that the Company processes to provide the Goods depend on factors such as:
(i) the features selected by the Customer as part of the software system,
(ii) the data fields and types of detail added to the system and used by the Customer as part of the selected system features; and
(iii) the types of data input directly into the system by the Customer and teachers, pupils and students and parents of the school operated by the Customer.
2.2 In accordance with the Contract to provide the Goods to the Customer the Company may process (but not limited to) the following types of Personal Data as part of the system packages selected by the Customer:
2.2.1 In relation to the Engage School package, information through pupil and student, staff and parent databases, website admissions module, online parent portal, report creator tools, document management system, alert notification system, recording of medical data and incidents, school SMS services where the following types of Personal Data (but not limited to) may be provided:
(i) In relation to pupils and students, and parents: name of child, date of birth, place of birth, private address, private telephone number, email address, parents’ name and contact details, date of birth, emergency contact, days of absence, bank account details of parents, references, performance reports, recording of medical data and incidents, tuition and extra curricular accounts.
(ii) In relation to staff of the Customer’s school: name, job title, date of birth, place of birth, private address, private telephone number, email address, contractual details and contract history, emergency contact, employee number, supervisor, name of supervisor, work location, days of absence and cause and holiday entitlement, National Insurance Number, bank account details, court orders, trade union membership, pension details, tax code, grade, Occupational Health Services, redundancy, TUPE documentation, disciplinary and grievance, accident reports, right to work checks (passport details), referees, CRB disclosures, insurance documents, references, exit interviews, accident reports, time sheets / reports, qualifications, beneficiaries and absence management.
2.2.2 In relation to the Engage Teaching package, information regarding curriculum planning and management, attendance register and monitoring, online teacher portal, timetabling and behaviour tracking, assessment and performance tracking, timetable system, special educational needs module, extra-curricular activities module, learning management system, analytics dashboard and exams and exam seating where the following types of Personal Data (but not limited to) may be provided:
(i) In relation to pupils and students: name of child, date of birth, place of birth, private address, private telephone number, email address, parents’ name and contact details, emergency contact, days of absence, references, performance and educational needs reports, incident reports involving pupils or students, attendance and non-attendance records, exam details and results, curricular activities, special educational needs records, medical data and incidents records.
2.2.1 In relation to the Engage Finance package, information regarding pupil and student charges, invoicing, collections and debtors where the following types of Personal Data (but not limited to) may be provided:
(i) for pupils, students and parents: contact details, bank details of parents, tuition and extra curricular activities and fees, information about ad-hoc payments and billing.
(ii) for staff payroll services: name, job title, date of birth, contact details, contractual details and contract history, employee number, work location, days of absence and cause and holiday entitlement, National Insurance Number, bank account details, pension details, tax code, grade, Occupational Health Services, redundancy, TUPE documentation, disciplinary and grievance, insurance documents, accident reports, time sheets / reports, qualifications, beneficiaries and absence management.
(iii) for non-academic billing for rentals or the sale of goods and services: personal data regarding any supplier’s staff and sub-contractors.
(iv) relevant types of Personal Data obtained from the Engage School and Engage Teaching package mentioned above for pupils and students, parents and staff of the school, which is required to provide the financial and accounting services to the Customer.
3 Categories of Data Subjects:
The Company may process (but not limited to) Protected Data in relation to the following data subjects:
(i) the Customer’s current and former employees;
(ii) the Customer’s contractors and sub-contractors;
(iii) the Customer’s job applicants;
(iv) the Customer’s employees’ emergency contacts;
(v) pupils, students and parents of the school operated by the Customer using the Goods under the Contract; and
(vi) other categories of subjects which may be required for the Company to provide the Goods to the Customer.
4 Specific processing instructions:
The Company shall process Protected Data as reasonably necessary for the provision of the Goods arising from the Contract and in accordance with the Customer’s written instructions. Please refer to clause 1.8 of these Data Processing Provisions for further details. If the Customer has any specific processing instructions, the Customer is required to notify the Company in writing so that the Company may process the Protected Data in accordance with those specific instructions.

Part B

Technical and organisational security measures

1 The Company shall implement and maintain the following technical and organisational security measures to protect the Protected Data:
1.1 In accordance with the Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with the Contract, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, the Company shall implement appropriate technical and organisational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(a) to 32(d) (inclusive) of the GDPR.
1.2 The Company is committed to protecting restricted, confidential or Sensitive Data from loss to avoid reputation damage and to avoid adversely impacting its customers.
1.3 The following principles are applied by the Company in relation to data security:
1.3.1 Users of the Company’s systems, services and website are required to adhere to and comply with the principles and restrictions in the Company’s Acceptable Use Policy which can be viewed here: http://www.doublefirst.com/acceptable-use
1.3.2 The Company issues to the Customer the Company’s Product Systems Requirements with the Company’s recommendations based upon testing and experience of the Company’s software products running on different hardware platforms. Every effort is made to provide as much information as possible to guide the Customer and ensure the correct environment is deployed to get the safest and fastest possible experience from the Company’s software products.
1.3.3 The Customer is, however, responsible for:
(ii) maintaining the security of its data;
(iii) ensuring that its data is adequately backed-up including, in particular, but without limitation, in the event that it chooses to use an Alternative Hosting Solution;
(iv) keeping full security copies of the Customer’s programs, databases and computer records in accordance with best computer practice;
(v) ensuring the correct environment is deployed to get the safest and fastest possible experience from the Company’s software products; and
(vi) protecting its systems from any bugs in any third party software or other software, viruses, corrupt data and back-up failures.
1.3.4 Where the Goods to be supplied pursuant to the Contract include Software the Customer is required to adhere to and comply with Company’s Software Licence Terms and Conditions, and where the Company has contracted to supply support services the SLA. The Company’s Software Licence Terms and Conditions and SLA are both subject to change from time to time, the current versions of which are available from the Company’s Support Centre website.
1.3.5 All directors and employees of the Company, together with anyone contracted to work on behalf of the Company and anyone who is offered work placement roles under the Company’s work experience agreement are required to adhere to and comply with the Company’s data security policy.

© Double First Ltd May 2018