Data Processing terms, for Wordshark Online, for Schools/Tutors
DATA PROCESSING TERMS
Updated March 2023
Parties
(1) White Space Ltd a company incorporated and registered in England and Wales with company number 00908615 whose registered office is 45 St Dunstans Road, London, W6 8RE (“We” or “us”).
(2) You an educational provider who has signed up for the Wordshark Online platform (“You”).
Background
(A) Under the Terms and Conditions (as defined below), We are supplying the Wordshark Online platform and associated services to You.
(B) In relation to the processing of Personal Data that is necessary for the provision of the services as described in the Terms and Conditions, You will be a Data Controller and We will be a Data Processor, and this Agreement sets out our respective obligations in that regard.
Agreed terms
1. Definitions and interpretation
1.1. The definitions and rules of interpretation in this clause apply in this Agreement.
Controller: any person, agency or other body who falls under the definition of “Controller” or “controller” under Data Protection Law.
Data Breach: any breach of Data Protection Law, including any Personal Data Breach.
Data Protection Law:
(a) the Data Protection Act 2018, the EU GDPR, the UK GDPR, and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
(b) any law concerning data protection, privacy or confidentiality which is applicable and not mentioned in part (a) of this definition;
(c) any guidance, codes of practice or instruction issued by the ICO (or any other relevant supervisory authority) from time to time; and
(d) any other applicable laws concerning data protection, confidentiality or privacy which may come into force from time to time in any relevant jurisdiction.
Data Subject: an individual who falls under the definition of data subject under Data Protection Law.
EU GDPR: Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016, otherwise known as the General Data Protection Regulation.
Personal Data: any information which falls under the definition of “personal data” or “Personal Data” under any Data Protection Law.
Personal Data Breach: as described in the UK GDPR.
Privacy Notice Information: the information referred to in Articles 13 and 14 of the UK GDPR or other similar information required to be provided by Data Protection Law.
Processing, Processed and Process: as described under Data Protection Law.
Processor: any person, agency or other body who falls under the definition of “Processor” or “processor” under Data Protection Law.
Protected Data: means Personal Data received from or on behalf of You in connection with the performance of Our obligations under this Agreement.
Relevant Occurrence: any of the following that relates to, affects or is likely to affect, the Processing of Personal Data relating to this Agreement: (a) any communication from the Information Commissioner’s Office (or any other data protection supervisory authority); (b) any exercise, or purported exercise, by an individual (or someone acting on their behalf) of their rights in their Personal Data; (c) any complaint, enquiry or other communication from any person concerning the Processing of their Personal Data; and (d) any actual or suspected Data Breach.
Terms and Conditions: the Terms and Conditions relating to sale of the Wordshark Online product or platform.
Special Category Personal Data: as described in the Data Protection Law and/or including any personal data relating to criminal convictions (including offences and alleged offences and any court proceedings or sentence).
Staff: means all persons employed by a Party to perform its obligations under this Agreement together with that Party’s officers, staff, employees and volunteers engaged in the performance of its obligations under this Agreement.
Subcontractor: (a) each of the subcontractors, agents, representatives and consultants of a Party engaged in the performance of that Party’s obligations under this Agreement or who provides or is involved in the use by that Party of the Personal Data from time to time; and (b) each of the subcontractors, agents, representatives and consultants of a Party’s Subcontractor engaged in the performance of that Party’s obligations under this Agreement or who provides or is involved in the use by that Party of the Personal Data and Protected Data from time to time (and so on).
Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Technical and Organisational Measures: means the technical and organisational measures to protect the Personal Data and Protected Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected together with those set out in Schedule 1 to this Agreement.
UK GDPR: the UK GDPR as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
1.2. A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.3. Any phrase followed by the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.
2. Purpose and Scope
2.1. This Agreement sets out the framework for the sharing of Personal Data between the Parties, for the purposes of the provision of services as set out in the Terms and Conditions.
2.2. In consideration of the payment provided under the Terms and Conditions, We agree to comply with our obligations set out in this Agreement.
3. General Obligations
3.1. Each Party shall comply with Data Protection Law at all times and shall not do anything, or omit to do anything, to put the other Party in breach of Data Protection Law.
3.2. Each Party has such valid registrations in force and has paid such fees as are required by its national Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this Agreement, unless an exemption applies.
3.3. In respect of the processing set out in the Terms and Conditions, the Parties acknowledge that You are the Data Controller of any Personal Data to be shared in order to fulfil the services agreed, and We shall be acting as Data Processor.
4. Obligations on You
4.1. You shall be responsible for ensuring that the transfer of Protected Data to Us under this Agreement is done so lawfully and in accordance with the Data Protection Law.
4.2. You shall be responsible for ensuring the accuracy of Protected Data provided to Us under this Agreement, and, where required, keeping the Protected Data up to date.
4.3. You shall retain responsibility for ensuring that the relevant Privacy Notice Information is provided to relevant Data Subjects as necessary.
5. Obligations on Us
5.1. In so far as We process Protected Data on behalf of You, We shall only Process the Protected Data on documented instructions from You, as may be updated from time to time, including with regard to transfers of Protected Data to a country outside of the UK, unless required to do so by applicable law to which We are subject. In such a case, We shall inform You of that legal requirement before Processing, unless that law prohibits the provision of such information on important grounds of public interest.
5.2. The information in the Terms and Conditions shall serve as documented instructions to Us to process Protected Data for that purpose although You may amend, supplement or update these instructions from time to time.
5.3. We shall ensure that We process the minimum Protected Data necessary to provide the services described in the Terms and Conditions and that access to the Protected Data is strictly restricted to those Staff that are necessary to deliver those services.
5.4. When processing or managing Personal Data including the Protected Data, We shall implement the Technical and Organisational Measures, and other terms set out at Schedule 1 to this Agreement.
5.5. Schedule 2 contains a list of current sub-processors engaged by Us, and acceptance of this Agreement shall constitute prior specific consent to the use by Us of those sub-Processors for the operations set out in Schedule 2.
5.6. Acceptance of this Agreement shall also constitute general written authorisation for the use of sub-Processors by Us, provided that We shall not engage another Processor for carrying out any Processing activities in respect of the Protected Data without first informing You of any intended changes concerning the addition or replacement of other Processors, thereby giving You the opportunity to raise any reasonable objections to such changes.
5.7. Where We engage another Processor for carrying out specific Processing activities on behalf of You, We shall:
- 5.7.1. prior to the relevant Processor carrying out any Processing activities in respect of the Protected Data, enter into a written contract with the Processor that shall impose on the Processor contractual data protection obligations consistent with those to which We are subject under this Agreement. In particular:
- 5.7.1.1. requesting and ensuring that the Processor provides sufficient guarantees to implement appropriate Technical and Organisational Measures in such a manner that the Processing will meet the requirements of the Data Protection Law and paragraph 1 of Schedule 1; and
- 5.7.1.2. ensuring that any relevant transfer of Protected Data to countries outside the UK complies with clause 5.17 of this Agreement,
- 5.7.2. restrict the Processor’s access to Protected Data only to what is necessary to provide or maintain the services that are described in the Terms and Conditions.
5.8. Where We engage another Processor for carrying out specific Processing activities on behalf of You, where that other Processor fails to fulfil its data protection obligations, We shall remain fully liable to You for the performance of that other Processor’s obligations.
5.9. Taking into account the nature of the Processing, We shall assist You by appropriate Technical and Organisational Measures, insofar as this is possible, for the fulfilment of Your obligation to respond to requests for exercising the Data Subject’s rights laid down in Articles 12 to 23 of the UK GDPR.
5.10. We shall assist You in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR taking into account the nature of Processing and the information available to Us.
5.11. At the end of the provision of the Services, We will delete all the Protected Data after a period of 12 months unless applicable law requires storage of the Protected Data. On Your request We will return to You all the Protected Data prior to deleting it.
5.12. We shall maintain, in accordance with Data Protection Law binding on Us, written records of all Processing activities carried out on behalf of You.
5.13. We shall make available to You all information necessary to demonstrate compliance with the obligations laid down under Data Protection Law and allow for and contribute to audits, including inspections, conducted by You or another auditor mandated by You, at your cost.
5.14. With regard to clause 3, We shall immediately inform You if, in Our opinion, an instruction infringes relevant Data Protection Law.
Generally
5.15. If a Relevant Occurrence happens in respect of Protected Data for which We are acting as Processor, We shall notify You within three calendar days of becoming aware, and provide full co-operation in relation to any questions raised by You about the Relevant Occurrence, save that, if the Relevant Occurrence is any actual or suspected Personal Data Breach, Our obligation to notify You shall be reduced to six hours.
5.16. The Parties acknowledge that, under the UK GDPR, where a Party is acting as a Data Processor, there must be a contract in place which sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects and the obligations and rights of the Controller (these matters are referred to in this clause as the Data Processing Particulars). The Data Processing Particulars are set out in Schedule 3 of this Agreement, or shall be as notified by You to Us by way of written notice. When a notification of Data Protection Particulars occurs after the date of this Agreement, such particulars shall be appended to this Agreement within 30 days of the date of the written notice served on Us.
5.17. You agree that We may transfer Protected Data to countries outside the United Kingdom, provided that (to the extent required under Data Protection Law) We ensure that in respect of all such transfers, and any onward transfer:
- 5.17.1. the transfer is to a country approved as providing adequate protection in accordance with Data Protection Law; or
- 5.17.2. there are appropriate safeguards in place pursuant to Article 46 of the UK GDPR; or
- 5.17.3. one of the derogations for specific situations in Article 49 of the UK GDPR applies to the transfer. The provisions of this Agreement shall constitute Your instructions with respect to transfers in accordance with clause 5.1 to this Agreement.
6. General
6.1. No variation of this Agreement shall be effective unless made in writing.
6.2. If any provision of this Agreement is held to be illegal, void, invalid or unenforceable, the legality, validity and enforceability of the remainder of this Agreement shall not be affected.
6.3. No term of this Agreement shall be enforceable under the Contracts (Rights of Third Parties) Act 1999 by a third Party.
6.4. No failure to exercise, nor any delay in the exercise of, any right or remedy under this Agreement shall impair such right or remedy.
6.5. Nothing in this Agreement shall constitute a partnership between the Parties nor, except as expressly provided, shall it constitute any Party as the agent of any other Party.
6.6. Neither Party shall be in breach of this Agreement, nor liable for any failure or delay in performance of any obligations under this Agreement, arising from acts, events, omissions or accidents beyond its reasonable control.
6.7. This Agreement and any dispute or claim arising out of or in connection with its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, English law and the Parties irrevocably submit to the exclusive jurisdiction of the English courts.
This Agreement has been entered into on the date You agreed to be bound by its terms.
Schedule 1: Security of Processing and Staff Training
1. The Agreed Measure
1.1. Without limit to the generality of this Schedule 1, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, We shall implement appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- 1.1.1. the pseudonymisation and encryption of personal data;
- 1.1.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- 1.1.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- 1.1.4. a process for regularly testing, assessing and evaluating the effectiveness of Technical and Organisational Measures for ensuring the security of the Processing.
1.2. In assessing the appropriate level of security We shall in particular take account of the risks that are presented by Processing in the manner anticipated by this Agreement, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data and Protected Data transmitted, stored or otherwise Processed.
2. Access Management
2.1. We shall only permit access to the Personal Data received from You by such of its Staff as:
- 2.1.1. have been subject to appropriate documented checks including references and where relevant disclosure and barring service checks; and
- 2.1.2. have a need to know.
2.2. We shall take responsibility for the reliability of our Staff who may have access to the Protected Data.
2.3. We shall implement appropriate Technical and Organisational Measures to restrict access to the Protected Data such as appropriate authentication and authorisation systems.
2.4. We shall ensure that our Staff and anyone acting under our authority who has access to the Protected Data has committed themselves to relevant duty of confidentiality or are under an appropriate statutory duty of confidentiality.
3. Security Management
We shall ensure that all Protected Data and other data disclosed to Us by You, regardless of the system or device upon which it is held, is kept securely and in an encrypted form and shall deploy all reasonable security practices and systems applicable to the use of Personal Data so as to prevent, and take prompt and proper remedial action against, unauthorised access, copying, modification, storage, reproduction, display or distribution of the Protected Data and other data disclosed to Us by You.
Schedule 2: List of approved sub-Processors
Sub-Processor | Details of operations |
Amazon Web Services, inc. | Data hosting and storage is in the UK |
Zoho Corporation | Accounting software, subscription management software, customer relationship management and bulk email broadcasting system (for the distribution of email newsletters and promotions) – EU |
Infostretch UK Ltd | Website and software development services – UK company with team in India |
Buckhill | Server maintenance and IT related services – UK company with team in EU |
TechEdology | Product development services and marketing consultancy – UK |
Martin Newman | IT and software development related consultancy services – UK |
Try Catch Software | DevOps Consultancy services |
Schedule 3: Data Processing Particulars
Data Processing Particulars
The following tables set out the details, parameters and restrictions, in relation to the data processor arrangements agreed between the Parties under the Service Agreement and this Data Processing Agreement for Services.
Description of Service | The provision of the Wordshark Online platform |
Category of Data Subjects | Students who are pupils of the individual or organisation who holds the licence to use the platform |
Nature and agreed purpose of the Processing (i.e. the business purposes of processing which have been agreed by the Parties) | We shall store and process the information for the purpose of the provision of the platform, and the use of the functionality of the platform by the subscriber |
Category of personal data to be processed | Name, email address, year groups, scores and progress |
Retention period | Personal Data will be retained for as long as necessary to fulfil the agreed purposes of processing or until the end of the provision of services relating to the processing. |
Duration of processing | For as long as a licence to use the product is held and operated. |