(A) MyEd and you/your organisation (the Contributor) entered into a PLATFORM CONTENT AND SUBCRIBER LICENCE AGREEMENT (Content Agreement) that requires MyEd to process Personal Data on behalf of the Contributor.
(B) This Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which MyEd will process Personal Data when performing its obligations under the Content Agreement. This Agreement contains the mandatory clauses required by Article 28 (3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this Agreement.
Authorised Persons: the persons or categories of persons that the Contributor authorises to give MyEd written personal data processing instructions as identified in this agreement (including any Annex(es)).
Business Purposes: the business purposes for which MyEd has been granted use of the Contributor’s ‘Content’, as defined and described in the Content Agreement and any other purpose specified.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
Controller: has the meaning given to it in section 6, DPA 2018.
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
EEA: the European Economic Area.
Personal Data: means any information relating to an identified or identifiable living individual that is contained or comprised in the ‘Content’ provided to MyEd by the Contributor pursuant to the Content Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.
Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Records: has the meaning given to it in Clause 12.
Standard Contractual Clauses (SCC): such Standard Contractual Clauses for the transfer of Personal Data from the UK to processors established in third countries (controller-to-processor transfers), as approved by the Commissioner from time to time.
Term: this Agreement's term as defined in Clause 10. UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This Agreement is subject to the terms of the Content Agreement and is incorporated into the Content Agreement. Interpretations and defined terms set forth in the Content Agreement apply to the interpretation of this Agreement.
1.3 The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
1.4 A reference to writing or written includes email.
1.5 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
(b) the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
(c) any of the provisions of this Agreement and the provisions of the Content Agreement, the provisions of this Agreement will prevail.
2. Personal data types and processing purposes
2.1 The Contributor and MyEd agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Contributor is the Controller and MyEd is the Processor.
(b) the Contributor retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to MyEd.
(c) The scope and purpose of the Processing carried out by MyEd under the Agreement is as follows:
i) the purpose of the Processing is to provide or support the provision of services under the Agreement to you and otherwise carry out obligations or exercise rights under the Agreement, for the term of the Agreement.
ii) the Data Subjects are any individual persons who obtain or access MyEd’s services from or through you.
iii) the Personal Data processed includes but is not limited to identifying numbers, contact information, location information, personal expressions or preferences, information relating to education, history, information relating to educational activities, personal records, correspondence, and, in limited circumstances, special categories of personal data and any other categories of Personal Data that are stated in the Agreement to be Processed by MyEd on your behalf.
2.2 The Contributor warrants and represents that its gathering and processing of all Personal Data has been carried out in full compliance with the Data Protection Legislation and that it has obtained all required Data Subject consents for the processing of the Personal Data and/or that the Contributor has an appropriate legal basis for providing the Personal Data to MyEd for processing in accordance with this Agreement.
3. MyEd's obligations
3.1 MyEd will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Contributor's written instructions. MyEd shall promptly notify the Contributor if, in its opinion, the Contributor's instructions do not comply with the Data Protection Legislation.
3.2 MyEd must comply promptly with any Contributor written instructions requiring MyEd to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 MyEd will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Contributor or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires MyEd to process or disclose the Personal Data to a third-party, MyEd must first inform the Contributor of such legal or regulatory requirement and give the Contributor an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
3.4 MyEd will reasonably assist the Contributor with meeting the Contributor's compliance obligations under the Data Protection Legislation, taking into account the nature of MyEd's processing and the information available to MyEd, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.
3.5 MyEd shall notify promptly the Contributor of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting MyEd's performance of the Content Agreement or this Agreement.
4. Provider's employees
4.1 MyEd will ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
(c) are aware of MyEd's duties and their own personal duties and obligations under the Data Protection Legislation and this Agreement.
5.1 MyEd must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
5.2 MyEd must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
6. Personal data breach
6.1 MyEd will promptly and without undue delay notify the Contributor in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where MyEd becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Contributor with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, MyEd will reasonably co-operate with the Contributor at no additional cost to the Contributor, in the Contributor's handling of the matter[, including but not limited to:
(a) assisting with any investigation;
(b) providing the Contributor with physical access to any facilities and operations affected;
(c) facilitating interviews with MyEd's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Contributor; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing].
6.4 MyEd will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Contributor's written consent, except when required to do so by domestic law.
6.5 MyEd agrees that the Contributor has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Contributor's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
7. Cross-border transfers of personal data
MyEd may transfer or otherwise process the Personal Data outside the UK without obtaining the Customer's prior written consent under the following conditions:
(a) the processing is carried out in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
(b) MyEd participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that MyEd (and, where appropriate, the Contributor) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals, the said mechanism to include (where appropriate) the execution of Standard Contractual Clauses.
8.1 MyEd may authorise third-party subcontractors to process the Personal Data, provided that:
(a) the Contributor is provided with an opportunity to object to the appointment of each subcontractor within 5 working days after MyEd supplies the Contributor with full details in writing regarding such subcontractor;
(b) MyEd enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Contributor's written request, provides the Contributor with copies of the relevant excerpts from such contracts;
(c) MyEd maintains control over all of the Personal Data it entrusts to the subcontractor; and
(d) the subcontractor's contract terminates automatically on termination of this Agreement for any reason.
8.2 You will provide a general authorisation for MyEd to engage Subcontractors, MyEd shall maintain an up-to-date list of all Subcontractors it engages to Process Personal Data. MyEd shall provide such list to you on request.
8.3 The subcontract between MyEd and any Subcontractor Processing Personal Data will impose obligations on the Subcontractor that are equivalent to those set out in this Data Processing Agreement.
8.4 Where the subcontractor fails to fulfil its obligations under the written agreement with MyEd which contains terms substantially the same as those set out in this Agreement, MyEd remains fully liable to the Contributor for the subcontractor's performance of its agreement obligations.
9. Complaints, data subject requests and third-party rights
9.1 MyEd shall, at no additional cost to the Contributor, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Contributor as the Contributor may reasonably require, to enable the Contributor to comply with:
(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
(b) information or assessment notices served on the Contributor by the Commissioner under the Data Protection Legislation.
9.2 MyEd shall notify the Contributor immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
9.3 MyEd shall notify the Contributor within 7 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4 MyEd will give the Contributor, at no additional cost to the Contributor, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5 MyEd must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Contributor's written instructions, or as required by domestic law.
10. Term and termination
10.1 This Agreement will remain in full force and effect so long as:
(a) the Content Agreement remains in effect; or
(b) MyEd retains any of the Personal Data related to the Content Agreement in its possession or control (Term).
10.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Content Agreement in order to protect the Personal Data will remain in full force and effect.
10.3 MyEd's failure to comply with the terms of this Agreement is a material breach of the Content Agreement.
11. Data return and destruction
11.1 At the Contributor's request, MyEd will give the Contributor, or a third-party nominated in writing by the Contributor, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Contributor.
11.2 On termination of the Content Agreement for any reason or expiry of its term, MyEd will securely delete or destroy or, if directed in writing by the Contributor, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control, except for one copy that it may retain and use for regulatory, compliance or taxation purposes.
11.3 MyEd will certify in writing to the Contributor that it has deleted or destroyed the Personal Data within  days after it completes the deletion or destruction.
12.1 MyEd will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).
12.2 MyEd will ensure that the Records are sufficient to enable the Contributor to verify MyEd's compliance with its obligations under this Agreement and the Data Protection Legislation and MyEd will provide the Contributor with copies of the Records upon request.
12.3 The Contributor and MyEd shall review the information listed in the Annexes to this Agreement at least once a year to confirm its accuracy and update it when required to reflect current practices.
13.1 MyEd will permit the Contributor and its third-party representatives to audit MyEd's compliance with its Agreement obligations, on at least 45 days' notice, during the Term. MyEd will give the Contributor and its third-party representatives all necessary assistance to conduct such audits.
13.2 The notice requirements in Clause 13.1 will not apply if the Contributor reasonably believes that a Personal Data Breach has occurred or is occurring, or MyEd is in material breach of any of its obligations under this Agreement or any of the Data Protection Legislation.
13.3 If a Personal Data Breach occurs or is occurring, or MyEd becomes aware of a breach of any of its obligations under this Agreement or any of the Data Protection Legislation, MyEd will:
(a) promptly conduct its own audit to determine the cause;
(b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
(c) provide the Contributor with a copy of the written audit report; and
(d) remedy any deficiencies identified by the audit within 30 days.
14.1 Any notice given to a party under or in connection with this Agreement must be in writing and delivered to:
• The Contributor’s nominated person/department email address as required at the time of subscribing to MyEd’s free or paid services.
• To MyEd: email@example.com
14.2 Clause 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
This Agreement has been entered into on the date of you subscribing to a free or a paid for service (and therefore, the Content Agreement).