New Era Technology Standard Data Sharing Agreement – General Data Protection Regulation (GDPR)
New Era Education Limited, 125 Queens Road, Brighton BN1 3WB (“New Era”) who are the Service Provider.
Customer stated on the Sales Order Form (“The School ”) who are the Data Controller.
The Agreement will commence on the date stated on the Sales Order Form and will continue for the duration of the period that New Era continue to be the Service Provider unless otherwise agreed in writing between the Parties.
Data Controller: has the meaning set out in the Data Protection Act Legislation.
Data Processor: has the meaning set out in the Data Protection Legislation.
Data Protection Legislation: (i) unless and until the GDPR is no longer directly applicable in the UK, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998.
Data Subject: an individual who is the subject of Personal Data.
Personal Data: has the meaning set out in the Data Protection Legislation and, in this
Agreement, relates only to personal data, or any part of such personal data, of which the school is the Data Controller and in relation to which the Service Provider is providing services under this Agreement, being unique username for the service provided, title (where appropriate), first name, surname, school, year group, class, email, mobile telephone number, family relationship (where appropriate) and unique identifiers depending upon the services to which The School has subscribed.
Processing and process: have the meaning set out in the Data Protection Act Legislation.
Purpose: the provision by the Service Provider of online services including, but not restricted to,
DB Primary, The Life Cloud, School Ping and Able+ for education, training and learning and communication, cooperation and collaboration through access to relevant online materials, tools and applications.
1. Obligations of the Service Provider
1.1 The School and New Era acknowledge that, for the purposes of the Data Protection Legislation, The School is the Data Controller and New Era is the Service Provider and the Data Processor of any Personal Data.
1.2 The Service Provider shall comply with all applicable requirements of the Data Protection Legislation and, in particular, shall process the Personal Data only to the extent, and in such a manner, as is necessary for the Purpose and shall not process the Personal Data for any other purpose, unless the Service Provider is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Service Provider to process Personal Data (Applicable Laws). Where the Service Provider is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, the Service Provider shall promptly notify The School of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Service Provider from so notifying The School.
1.3 The School will control and be responsible for amending, transferring or deleting the Personal Data; the Service Provider will only amend, transfer or delete data at the written request of The School.
1.4 The School may transfer data to the Service Provider via secure integration through the Groupcall Xporter on demand Software, via email using secure password protected files or any other means that complies with The School’s obligations under the Data Protection Legislation.
1.5 The Service Provider will ensure that it has in place appropriate technical and organisational measures, reviewed and approved by The School if The School so requires, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.
1.6 If the Service Provider receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with Data Protection Legislation, or becomes aware of any breach of Data Protection Legislation, it shall as soon as reasonably practicable notify The School and it shall provide The School with all due co-operation and assistance in relation to any such complaint, notice or communication.
1.7 At The School ‘s request, the Service Provider shall provide to The School a copy of all Personal Data held by it in the format and on the media reasonably specified by The School.
1.8 The Service Provider shall only hold the Personal Data on its servers and will not transfer the Personal Data without the prior written consent of The School.
1.9 The Service Provider will hold the Personal Data only in secure public accredited cloudbased data centres hosted within the UK and EU.
1.10 The School agrees that limited Personal Data, comprising contact details, of officially appointed Customer contacts, for example head teacher, Emergency Contact, IT Lead, Bursar, may be processed in secure data centres outside of the UK and European Union within the Service Provider’s global CRM facility. The Service Provider will comply with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is so transferred and processed and ensure that relevant Data Subjects have enforceable rights and effective legal remedies. The Service Provider will comply with reasonable instructions notified to it in advance by The School with respect to such processing of the Personal Data.
1.11 The Service Provider will ensure Data is securely backed-up to ensure disaster recovery
1.12 The Service Provider shall promptly and within at least 72 hours inform The School if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable and, if this is caused by the negligence or breach of obligations of the Service Provider, will restore such Personal Data at its own expense.
2. Obligations of the Customer
2.1 The Customer will comply with all applicable requirements of the Data Protection Legislation and, in particular, will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Service Provider for the duration of this Agreement and the Purpose.
Service Provider’s Employees
The Service Provider shall ensure that access to the Personal Data is limited to:
those employees who need access to the Personal Data to meet the Service
Provider’s obligations under this Agreement; and
in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee’s duties.
The Service Provider shall take reasonable steps to ensure the reliability of any of the Service Provider ‘s employees who have access to the Personal Data and shall ensure that all employees who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
4. Rights of Data Subjects and compliance by The School
4.1 The Service Provider shall notify The School within three working days if it receives a request from a Data Subject for access to that person’s Personal Data.
4.2 The School (as Data Controller) will handle all such requests and notify the Data Subject accordingly. The Service Provider will assist The School, at The School’s cost, in responding to any such request from a Data Subject and, generally, in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
4.3 The Service Provider shall not disclose the Personal Data to any Data Subject or to a third party other than at the written request of The School or as provided for in this Agreement.
5. Rights of The school
5.1 The School is entitled, on giving at least three working days’ notice to the Service Provider, to inspect or appoint representatives to inspect documents and electronic data relating to the processing of Personal Data by the Service Provider.
5.2 The requirement under clause 5.1 to give notice will not apply if The School reasonably believes that the Service Provider is in breach of any of its obligations under this Agreement.
5.3 At the written direction of The School, the Service Provider will delete or return Personal Data and copies thereof to The School on termination of this Agreement unless required by Applicable Law to store the Personal Data.
6.1 The Service Provider agrees to indemnify and keep indemnified The School against all costs, claims, damages or expenses incurred by The School or for which The School may become liable due to any failure by the Service Provider or its employees or agents to comply with any of its obligations under this Agreement.
6.2 The School agrees to indemnify and keep indemnified the Service Provider against all costs, claims, damages or expenses incurred by the Service Provider or for which the Service Provider may become liable due to any failure by The School or its employees or agents to comply with any of its obligations under this Agreement.
7. Appointment of sub-contractors
7.1 The Service Provider may only authorise a third party (sub-contractor) to process the Personal Data:
- subject to The School’s prior written consent where the Service Provider has supplied The School with full details of such sub-contractor;
- provided that the sub-contractor’s contract is on terms which are substantially the same as those set out in this Agreement;
- provided that the sub-contractor’s contract terminates automatically on termination of this Agreement for any reason; and
- provided that, as between The School and the Service Provider, the Service Provider shall remain fully liable for all acts or omissions of any sub-contractor appointed by it pursuant to this clause.
8. Limits of liability
8.1 Neither party’s liability arising out of this Agreement shall exceed the amount paid to the Service Provider under this Agreement.
8.2 Nothing in this Agreement shall exclude either party’s liability for death or personal injury to the extent it results from the negligence of itself, its employees or its agents, or for fraud or for any other matter in respect of which law prescribes that liability may not be limited or excluded.
Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other party.
Any notice served under this Agreement shall be delivered to the appropriate party either by recorded delivery post or by facsimile transmission at its principal place of business, or to such other address as may from time to time be notified in writing by the party concerned, or by electronic mail to the email address as may from time to time be notified in writing by the party concerned. Any notice shall be deemed to be duly served:
10.1 if sent by recorded delivery post, three (3) calendar days after date of posting;
10.2 if sent by facsimile transmission, on receipt of successful facsimile transmission;
10.3 if sent by electronic mail, on the day it is sent provided that a return receipt is received and where the party sending the notice has a contemporaneous record of such return receipt and followed up such notice by recorded delivery post in the event that the electronic mail has not been acknowledged by the other party within twenty-four hours of sending the electronic mail, (unless any such date is a Saturday, Sunday or bank holiday in which case it shall be deemed served on the next working day).
11. No waiver
No failure or delay on the part of either party to this Agreement relating to the exercise of any right, power, privilege or remedy provided under this Agreement shall operate as a waiver of such right, power, privilege or remedy or as a waiver of any proceedings or succeeding breach by the other party to this Agreement.
12. Entire agreement
This Agreement contains the full and complete understanding between the parties relating to its subject matter and supersedes all prior arrangements and understandings whether written or oral relating to such subject matter and may not be varied except by written agreement signed by both parties.
13. Jurisdiction and Governing Law
13.1 This Agreement will be governed by, and will be construed in accordance with, the laws of England and Wales. The parties submit to the exclusive jurisdiction of the English courts.