Data Protection Addendum
Part 1 – Data Protection Provisions
1.1. In this Schedule, “Processor” refers to Sound Training for Reading Limited trading as “Lexonik” and “Controller” refers to the party identified in the Order Form to which this Data Protection Addendum is attached.
1.2. This Schedule sets out the additional terms, requirements and conditions on which the Controller shall transfer the personal data to the Processor, and on which the Processor shall process such personal data for the purposes of this Agreement, and contains the mandatory clauses required by Article 28 of the EU General Data Protection Regulation for contracts between controllers and processors.
In this Schedule the following words and expressions have the following meanings:
Article an article of the GDPR
Chapter a chapter of the GDPR
Data Protection Law all applicable legislation protecting the fundamental rights and freedoms of individuals in relation to their personal data and right to privacy, including:
1. the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and the Council of 27 April 2016 (“GDPR”) and any applicable national implementing laws;
2. the Data Protection Act 2018 to the extent that it relates to processing of personal data and privacy; and
3. the Privacy and Electronic Communication (EC Directive) Regulations 2003, each as amended and updated from time to time.
Personal data, data subject, processing, personal data breach, special categories of data, and supervisory authority as defined in the GDPR.
3.1. Part 2 of this Schedule describes the subject matter, duration, nature and purpose of processing and the personal data categories and data subject types in respect of which the Processor may process to fulfil its obligations under this Agreement.
3.2. Whenever the Processor processes personal data on the Controller’s behalf:
3.2.1. the Controller shall be the controller and the Processor shall be the processor in respect of such personal data; and
3.2.2. the Processor shall only process such personal data on the Controller’s documented instructions except insofar as required to do otherwise by Data Protection Law or in connection with troubleshooting any technical issues.
3.3. The Processor shall inform the Controller on becoming aware of:
3.3.1. any requirement of Applicable Law which requires the Processor to process personal data otherwise than on the Controller’s documented instructions, unless the Applicable Law prohibits such information on important grounds of public interest; or
3.3.2. any instruction from the Controller in relation to the processing of personal data which, in the Processor’s reasonable opinion, infringes Data Protection Law.
3.4. The Controller will ensure that it has all necessary and appropriate consents and notices in place to enable the lawful transfer of the Shared Personal Data to the Processor for the duration and purposes of this Agreement.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk including (as appropriate):
4.1.1. the pseudonymisation and encryption of personal data;
4.1.2. the Processor’s ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.1.3. the Processor’s ability to restore the availability and accessibility of personal data in a timely manner in the event of a physical or technical incident;
4.1.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
4.1.5. providing any assistance the Controller reasonably requires in order for it to implement appropriate technical and organisational measures to protect its personal data.
4.2. In assessing the appropriate level of security measures to be taken under paragraph 4.1. above, the Processor shall take account of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.3. The Processor shall ensure that its employees, and any other persons with access to personal data the Processor processes on the Controller’s behalf, are made aware of their data protection and security obligations and are subject to binding obligations of confidentiality.
4.4. In accordance with the above requirements:
4.4.1. Only nominated members of the Controller’s staff authorised by the Controller are invited to register to use Lexonik’s secure Educator Platform and accept the terms of its use.
4.4.2. Lexonik staff access is limited to the minimum number of staff necessary to provide the Services contracted by the purchasing organisation, and for the minimum time necessary.
4.4.3. Lexonik staff are governed by our data protection and data breach policies.
The Processor shall:
5.1. not engage another person to process any of the Controller’s personal data (a “sub-processor”) without the Controller’s prior specific or general written authorisation;
5.2. in the case of a general written authorisation, inform the Controller of any intended changes concerning the addition or replacement of any sub-processor (and allow the Controller reasonable opportunity to object to such change);
5.3. ensure that its sub-processor(s) are engaged on terms equivalent to those to which the Processor is itself subject under this Schedule (and any other confidentiality or similar obligations contained in this Agreement);
5.4. ensure that any sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Law (including the requirements relating to security, integrity and confidentiality); and
5.5. where a sub-processor fails to fulfil its data protection or confidentiality obligations, remain fully liable to the Controller for the performance of (or failure to perform) those obligations.
6. Requests from Data Subjects and Supervisory Authorities
If a data subject makes a request relating to the exercise of his or her legal rights in relation to personal data, the Processor shall, at the Controller’s reasonable cost, provide the Controller with any information and assistance reasonably required by the Controller in order to respond to requests for exercising the data subject’s rights laid down in Chapter III.
7. Personal Data Breaches and Notification
If the Processor becomes aware of a personal data breach relating to any personal data processed on the Controller’s behalf, the Processor shall notify the Controller immediately upon becoming aware of the breach and thereafter provide details of the nature of the personal data breach, and shall provide the Controller with such information and assistance as it requires in relation to the personal data breach.
8. Privacy Impact Assessments
Taking into account the nature of the processing and the information available to the Processor, the Processor shall, at the Controller’s cost, provide the Controller with such information and assistance as the Controller reasonably requires in order to:
8.1. carry out any privacy impact assessments (under Article 35);
8.2. consult with a supervisory authority prior to processing (under Article 36); and/or
8.3. meet any obligations under Data Protection Law which derive from the activities described in Paragraphs 8.1 and 8.2 above.
9. Deletion and Return of Data
After completing any processing of personal data on the Controller’s behalf, the Processor shall (at the Controller’s option) delete or return all such personal data (and any copies of the same), unless the Processor is required to store such copies to comply with a requirement imposed by Applicable Law (in which case the Processor may store such copies to the extent necessary to meet that requirement). Where the Processor is required to delete personal data, to the extent that it is not practical for the Processor to do so immediately, the Processor shall do so as soon as possible, and in the meantime shall ensure appropriate safeguards are put in place and the data is not retained for a longer period than is appropriate.
10. International Transfers
The Processor shall not transfer any of the Controller’s personal data to a third country or international organisation without having the Controller’s prior written consent to that transfer and either:
10.1. the European Union Commission having decided that country or organisation ensures adequate protection under Article 45; or
10.2. having other appropriate safeguards in place (as set out in Article 46); or
10.3. one or more of the derogations in Article 49 applies.
11.1. The Processor shall (subject to the Controller providing appropriate confidentiality undertakings) make available to the Controller all assistance and information necessary to demonstrate compliance with Article 28, including reasonable cooperation, during business hours and upon reasonable notice, with audits and/or inspections conducted by or on behalf of the Controller or another auditor mandated by the Controller.
11.2. Nothing in this Paragraph 11 shall require the Processor to disclose or permit access to any of its (or any third party’s) confidential or commercially sensitive information.
Part 2 – Data Processing Details
1. Subject-Matter of the Processing
- The processing of customer data (the purchasing organisation’s staff and, for those customers purchasing products which include the Assessment App, students) for fulfilment of contracted products and services and for additional product information in a marketing capacity in line with GDPR.
2. Duration of the Processing
The duration of processing in respect of Staff and Student data is the period during which services are provided to the purchasing organisation that the individual is employed at and thereafter any further period in accordance with Lexonik’s data storage and deletion policy from time to time.
3. Types of Personal Data to be Processed
- job titles;
- email addresses;
- telephone numbers;
- staff feedback;
AND only for organisations purchasing products including the Assessment App service, Student data consisting of Name, Date of Birth and progress data.
4. Nature and Purpose of the Processing
Staff Personal Data will only ever be used in the following ways:
- to assist Lexonik in the provision of Services to the Purchasing organisation;
- to enable password-controlled access to data held by Lexonik under its contract with the Purchasing organisation;
- subject to opt-out arrangements, to provide information and news about Lexonik and our products and services to the staff member;
- for invoicing and debt collection procedures.
Student Personal Data will only ever be used in the following ways:
- to provide progress data to those staff members of the purchasing organisation nominated to access Lexonik’s Assessment App service.
The following categories of personal data will be processed for the Controller by the Processor:
4.1. Personal data:
- In the case of Staff: name, purchasing organisation employed at, email address, contact telephone number
- In the case of Students: name, date of birth, progress data
4.2. No special category data is processed by the data processor.
5. Categories of Data Subjects
Employees and students of the purchasing organisation’s sites.