Data Processing Agreement

GDPR in Schools knows the importance of regular reviews of its Policies and Data Processing Agreement to ensure that our documents match what we are really doing. This is particularly so when new systems are taken on or there is a completely different way of working.

Our Data Security team will be reviewing this against our new features and processes and will be updating this policy as and when it is required.

We thank you for your patience and please visit this page regularly.

1.  Introduction

  • This data processing agreement (“Data Processing Agreement“) applies to the existing terms and conditions (“the Agreement”) for services between GDPR in Schools Ltd (“GDPRiS”) and you.
  • By this Data Processing Agreement the terms of the Agreement are amended to address

GDPRiS’ and your respective rights, duties and obligations arising as a result of the implementation of Data Protection Legislation, where GDPRiS is acting in its capacity as a Processor and you acting in your capacity as a Controller under Data Protection Legislation.

2.  Amendment of Agreement

  • This Data Processing Agreement amends all existing provisions relating to the rights, duties and obligations under applicable Data Protection Legislation between GDPRiS and
  • It is agreed that rights, duties and obligations under Data Protection Law shall be amended by the terms of this Data Processing
  • In the event of any conflict between the provisions contained in the Agreement and this Data Processing Agreement, the provisions of this Data Processing Agreement shall

3.  Definitions

In this Data Processing Agreement, unless the context indicates otherwise: “Controller” has the meaning given to it in the Data Protection

Data Protection Legislation” means national laws implementing the Directive on Privacy and Electronic Communications (2002/58/EC), the General Data Protection Regulation (2016/679), the Data Protection Act 2018 and any other applicable laws or regulations relating to data protection, data privacy or similar matters.

Data Subject” has the meaning given to it in the Data Protection Legislation.

Personal Data” means any personal data (as such term is defined in Data Protection Legislation) relating to individuals obtaining or accessing GDPRiS’ services from or through you, Processed under or in connection with the Agreement.

Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. “Processing” has the meaning given to it in the Data Protection Legislation.

Processor” has the meaning given to it in the Data Protection Legislation.

Restricted International Transfer of Personal Data” means a transfer of Personal Data by a person:

(a) from a country which has Data Protection Legislation that imposes restrictions on extra-territorial transfers of Personal Data; (b) to a country which does not provide an adequate level of protection for Personal Data as required by the Data Protection Legislation of the country of export.

Standard Contract Clauses (SCCs)” means the standard contractual clauses for the transfer of personal data to processors established in third countries in the form approved from time to time by the EU Commission or other relevant government, regulatory, or supervisory authority.

4.  Details of Processing of Personal Data

  • The scope and purpose of the Processing carried out by GDPRiS under the Agreement is as follows:
  • GDPRiS provides software and support to aid the Controller in its compliance effort, particularly with UK GDPR and the Data Protection Act 2018.
  • The Data Subjects are any individual persons who obtain access to GDPRiS’ services from or through The individuals will typically be working at or for the Controller. Through open format inputs and data exchanges, the service may – at the sole discretion of the Controller – also involve data about data subjects, who are not directly given access to GDPRiS’ services.
  • The Personal Data processed includes but is not limited to names, contact information, location information (e.g. IP addresses) and other activity information, personal expressions or preferences, training achievements and other data that the data subjects divulge in the course of their use of the service.

5.  Obligations of GDPRiS

In relation to the Processing of Personal Data, GDPRiS shall:
    • Only Process Personal Data on your documented, unless required to Process that Personal Data for other purposes in UK Law. Where such a requirement is placed on GDPRiS, it shall provide prior notice to you unless the relevant law prohibits the giving of notice on important grounds of public
    • Promptly inform you if, in its opinion, your instructions would be in breach of Data Protection Legislation.
    • Promptly notify you of any requests from Data Subjects exercising their rights under Data Protection Legislation in relation to Personal Data, and assist you within such reasonable timescales as may be specified by you with all requests received by you or GDPRiS from Data Subjects exercising such
    • Unless prohibited from doing so by applicable law provide reasonable assistance to you within such timescale as may be specified by you so as to enable you to comply with your obligations under Data Protection Legislation including, without limitation, in respect of the duties to ensure that Personal Data is kept secure, notify a breach of Personal Data, conduct privacy impact assessments (and any related consultations), and maintain all documentation of processing
    • At all times have organisational and technical measures in place to ensure confidentiality, integrity and availability of the Personal Data. The measures taken will be commensurate with the risk.

6.  Breach Notification

In the event GDPRiS becomes aware of or suspects that there has been a Personal Data Breach, it shall promptly, and in any event no later than 48 hours after so becoming aware or so suspecting, notify you of the known or suspected.

7.  Restricted International Transfer of Personal Data to GDPRiS

In the event of any Restricted International Transfer of Personal Data arising in relation to GDPRiS, GDPRiS shall take such measures as you may reasonably specify to ensure that such transfer complies with Data Protection Legislation, including without limitation entering into (or procuring that such other persons or entities as you may reasonably specify enter into) SCCs.

8.  Restricted International Transfer of Personal Data by or on behalf of           GDPRiS

GDPRiS shall not carry out any Restricted International Transfer of Personal Data itself or procure that such a transfer is carried out on its behalf unless it has:
    • Obtained your prior written
    • Taken such measures as you may reasonably specify to ensure that such transfer complies with Data Protection Legislation, including without limitation entering into (or procuring that such other persons or entities as you may reasonably specify enter into) SCCs.

9.  Subcontractors

  • You will provide a general authorisation for GDPRiS to engage Subcontractors, GDPRiS shall maintain an up-to-date list of all Subcontractors it engages to Process Personal Data and make it available in its Privacy Notice. GDPRiS shall provide such list to you on
  • The subcontract between GDPRiS and any Subcontractor Processing Personal Data will impose obligations on the Subcontractor that are equivalent to those set out in this Data Processing Agreement.

10.  Indemnity

GDPRiS shall indemnify you up to the amount paid by you to GDPRiS over the preceding 12 (twelve) months prior to any claim by you for direct liabilities, fines and damages incurred, including as a result of a third party claim made against you (including any claim, proceedings, suit or action by any governmental, regulatory, supervisory or administrative body or Data Subject), directly arising as a result of any breach by GDPRiS of its obligations under this Data Processing.

11.  Audit

At your request GDPRiS shall provide evidence of its compliance with this Data Processing Agreement, and allow you to audit at your cost that compliance (either itself or by using an auditor agreed with you).

12.  Return of Personal Data on Termination of Agreement

Upon termination of the Agreement with you for any reason, GDPRiS shall promptly delete all related Personal Data in GDPRiS’ possession and provide confirmation of such deletion save that GDPRiS may retain a copy of any Personal Data to the extent it is obliged to do so by UK Law or Data Protection.

13.  Your Obligations

You are a Controller in respect of Personal Data Processed by GDPRiS, and shall comply with your obligations under Data Protection Legislation in relation to Processing Personal

14.  General Provisions

  • To the extent that GDPRiS acts as Controller in respect of Personal Data, GDPRiS shall comply with Data Protection Legislation and shall ensure that it provides Data Subjects with a notice describing its Processing in accordance with Data Protection
  • GDPRiS shall inform you without undue delay if GDPRiS suspects that Personal Data which is in GDPRiS’ possession or under its control is threatened with seizure or confiscation (including without limitation through bankruptcy or settlement proceedings or other actions of a third party). GDPRiS shall initiate all reasonable measures to protect your rights and position by, in particular, informing all relevant third parties that ownership and control over the Personal Data lies with
  • GDPRiS ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

15. Measures and Safeguards

Neither party can – on its own – change this agreement. Any required change has to be communicated and accepted.