DATA PROCESSING AGREEMENT

This data processing agreement (“DPA”) is effective as of the date on which this DPA has been signed by both Parties and is entered into by and between: (1) The Customer (“Customer”) defined below; and (2) GL Education Group Limited, a company incorporated and registered in England and Wales with company number 02603456 with its registered office at 1st Floor Vantage London, Great West Road, Brentford, United Kingdom, TW8 9AG (“GL”), together the “Parties” and each a “Party”.

  1. INTERPRETATION
    1. In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:
      1. “Agreement” means the Commercial Agreement pursuant to which GL (or its affiliate or subsidiary entity) provides the Products to Customer.
      2. “Controller” shall have the same meaning as set out in the GDPR.
      3. “Customer” means the individual, company, organization, or other legal entity that has entered into this Agreement.
      4. “Customer Personal Data” means any Personal Data Processed by or on behalf of GL or its Sub-Processor(s) on behalf of Customer and/or any Member School pursuant to or in connection with the Agreement.
      5. “Data Protection Legislation” means, as applicable: (1) the GDPR; (2) the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003; (3) the United Kingdom (“UK”) Data Protection Act of 2018; and (4) all other applicable laws and regulations relating to the Processing and protection of Personal Data, including where applicable the guidance and codes of practice issued by a Supervisory Authority.
      6. “Data Subject” means any identified or identifiable individual to whom Customer Personal Data relates (including Users).
      7. “Data Subject Request” means a request made by a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation (including requests to access, rectify, erase, object to, restrict processing of, or port his/her/their Personal Data).
      8. “GDPR” means, as applicable: (1) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (“EU GDPR”) together with any applicable implementing or supplementary legislation in any member state of the European Economic Area (“EEA”); and (2) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”).
      9. “Member School” means any schools and/or other educational institutions that are directly or indirectly operated by the Customer.
      10. “Personal Data” shall have the same meaning as set out in the GDPR.
      11. “Processing” shall have the same meaning as set out in the GDPR (and the terms “Process” and “Processes” shall be construed accordingly).
      12. “Processor” shall have the same meaning as set out in the GDPR.
      13. “Products” means the commercial educational online software products being provided to Customer under the Agreement. The products include: CAT4, NGRT, Progress Tests.
      14. “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (1) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EEA Restricted Transfer”); and/or (2) in the context of the UK, any country or territory outside the UK which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.
      15. “Security Measures” means the Security Measures set out in our Information Security Overview.
      16. “Services” means the service provided by GL to Customer under the Agreement.
      17. “Special Categories of Data” shall have the same meaning as set out in the GDPR.
      18. “Staff” means all persons employed by GL to perform its obligations under the Agreement together with GL’s servants and agents and those of any other member of the Group of companies of which GL is a member, used in the performance of its obligations under the Agreement.
      19. “Sub-Processor” means an additional Processor appointed by GL to Process Customer Personal Data on its behalf, as listed from time to time for all Products at: Sub-Processors Supporting GL Assessment or Sub-Processors Supporting GL Education.
      20. “Third-Party Services” means hardware, software, content, data or services not provided by GL.
      21. “License Period” means the time period for which Controller has a license to use the Product as set forth in the Agreement.
      22. “Supervisory Authority” shall have the same meaning as set out in the GDPR (and shall also include any equivalent national regulatory body in any non-EEA jurisdiction).
  2. GENERAL OBLIGATIONS
    1. Compliance with Laws. Each Party shall comply with all applicable Data Protection Legislation applicable to it in its respective Processing of Personal Data under the Agreement.
    2. Controller and Processor. The Parties acknowledge and agree that, with respect to Customer Personal Data: (i) Customer is the Controller and GL is the Processor; and (ii) GL shall Process such Customer Personal Data strictly on behalf of Customer for the purposes described in the Agreement or as otherwise agreed in writing by the Parties. Customer (the Controller) appoints GL as a Processor to Process the Customer Personal Data as described in the Agreement.
    3. Intentionally Omitted.
    4. Anonymized Data. Customer acknowledges and agrees that GL may use Customer Personal Data in an anonymized and aggregated format to analyze how the Products are used and to improve the Products, provided that GL will act as an independent Controller of the Customer Personal Data in doing so.
    5. Notices and Consents. Customer shall provide all notices and obtain all such consents required under applicable Data Protection Legislation from the Data Subjects (or where necessary their parents) to share the Customer Personal Data with GL via the Products for GL to Process in accordance with the terms of this DPA (collectively, the “Notices and Consents”). Customer represents and warrants on an ongoing basis that it has obtained and will maintain the Notices and Consents for all Data Subjects through the entire term of the Agreement.
    6. Details of Processing. Annex 1 (Data Processing Details) sets out certain information regarding GL’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
  3. GL OBLIGATIONS
    1. GL shall implement, maintain and use appropriate technical and organizational measures which comply with the requirements of Data Protection Legislation to preserve the confidentiality, integrity and availability of all Customer Personal Data Processed by GL via the Products. Customer hereby acknowledges and agrees that it has reviewed the Security Measures and confirmed that it is satisfied with them. Customer acknowledges and agrees that GL may revise the Security Measures from time to time without notifying Customer, provided that any such revisions do not decrease the overall level of protection for Customer Personal Data. GL agrees to perform regular reviews of the Security Measures and perform system auditing to maintain the protection of its systems.
    2. GL shall take all reasonable steps to ensure the reliability and integrity of any Staff who have access to the Customer Personal Data and ensure that the Staff (i) are aware of and comply with GL’s duties under this DPA; (ii) are under a duty of confidentiality with respect to their Processing of the Customer Personal Data; and (iii) have undergone adequate training in the use, care, protection and handling of Customer Personal Data.
    3. GL shall use its reasonable efforts to assist Customer to comply with its obligations under applicable Data Protection Legislation where required and shall not perform its obligations under the Agreement to the extent that GL is aware, or ought reasonably to have been aware, that the same would cause Customer to be in breach of such obligations.
    4. Customer hereby authorizes GL to appoint the Sub-Processors to process Customer Personal Data on its behalf. GL shall impose data protection terms on such Sub-Processors that require it to protect the Customer Personal Data to substantially the same standard as set out in this DPA. GL shall remain liable to Customer for any act or omission of its Sub-Processors in respect of the Customer Personal Data. Customer consents to GL engaging the Sub-Processors for the purposes set forth in the Agreement. GL will inform Customer of any changes to the Sub-Processors via email to the email address GL has on file 10 days prior to the appointment of the new Sub-Processor(s). Customer may object to GL’s appointment or replacement of a Sub-Processor prior to its appointment or replacement, provided that such objection is based on reasonable grounds relating to data protection. In such event, GL will either not appoint the new Sub-Processor or otherwise resolve the objection to the reasonable satisfaction of the Customer. If GL is unable to do so, Customer may terminate the Agreement at any time if the Customer objects to a new Sub-Processor, in accordance with the terms of this subsection, by providing GL with written notice. If Customer elects to terminate the Agreement under this subsection, Customer shall receive a prorated refund of any prepaid fees for the remainder of the License Period.
    5. If it becomes aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Customer Personal Data (a “Security Incident”), GL shall inform Customer without undue delay with respect to the Security Incident and provide reasonable information and assistance to enable Customer to fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable Data Protection Legislation. GL shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer notified of all material developments in connection with the Security Incident.
    6. GL shall make available to Customer reasonable information and documentation necessary to demonstrate GL’s compliance with its obligations under this DPA. If Customer (acting reasonably and in good faith) considers that the information provided in accordance with this Section is not sufficient to demonstrate GL’s compliance with its obligations under this DPA, or where otherwise required by applicable Data Protection Legislation or a Supervisory Authority, Customer may perform on-site audits at the GL processing facilities that provide the Services to Customer, subject to the following: (i) on-site audits may only be carried out once per calendar year; (ii) requests for on-site audits shall be made in writing by Customer at least thirty (30) days in advance and shall specify the scope of the information sought and the specific purpose of the audit; (iii) on-site audits shall be conducted during normal business hours for the relevant facility and shall be coordinated with GL so as to cause minimal disruption to GL’s business operations; (iv) on-site audits will be conducted at Customer’s expense; and (v) on-site audits shall be performed by Customer’s employees and/or a reputable third party auditor agreed to by both Parties, who shall at all times be bound by a confidentiality agreement and shall be accompanied by a representative of GL.
    7. Data Subject Requests. Users may review and amend their Personal Data by contacting the Customer and following the Customer’s procedures for amending Personal Data. Customer shall handle all Data Subject Requests in accordance with applicable Data Protection Legislation. To the extent the Customer cannot amend the Customer Personal Data, the Customer may contact GL and GL, with Customer’s express written permission, will make such amendment according to applicable Data Protection Legislation. GL shall forward to Customer any Data Subject Request (or purported Data Subject Request) it receives from a Data Subject (or a third party on his/her behalf) relating to the Customer Personal Data within 5 working days of receipt and shall provide reasonable assistance to Customer in responding to such Data Subject Request.
    8. Notices and Complaints. Unless otherwise prohibited by law, GL shall notify Customer within 15 working days if it receives: (i) any request, complaint or communication relating to the Customer’s obligations under applicable Data Protection Legislation; (ii) any communication from a Supervisory Authority in connection with the Customer Personal Data; or (iii) a request from any third party for disclosure of any Customer Personal Data where compliance with such request is required or purported to be required by applicable law.
  4. AUTHORIZED DISCLOSURE OF CUSTOMER PERSONAL DATA
    1. Customer hereby acknowledges and agrees that GL may disclose Customer Data, including Customer Personal Data therein, to a third party to the extent: (a) that such third party is the provider of Third-Party Services; and/or (b) authorized by Customer in writing; and/or (c) authorized by Customer via the administrator account by enabling the data sharing feature from within the Products (each an “Authorization”). Customer acknowledges and agrees that each Authorization will result in Customer electing, in its sole discretion, to transfer (the “Transfer”) the Customer Data, including Customer Personal Data therein, selected by Customer (the “Disclosed Information”) to the recipients that Customer selects (the “Recipients”).
    2. Customer warrants that the User of the Administrator Account shall be an individual or individuals elected by Customer to have sufficient authority to authorize the Transfer of Customer Data, including Customer Personal Data therein, to the Recipients on behalf of the Customer.
    3. Customer acknowledges that the Disclosed Information may contain Personal Data and may be subject to applicable Data Protection Legislation. Customer will hold GL harmless, and not liable in any way, in respect of any disclosure of Personal Data to the Recipients pursuant to an Authorization.
    4. In the event that this Section 4 applies, Customer shall ensure that it fully complies with its obligations as Controller and shall be fully responsible for notifying and obtaining any necessary consents or authorization from the Data Subjects (or where necessary their parents) regarding the disclosure and subsequent Processing of their Personal Data by the Recipients.
    5. GL makes no warranty that: (i) any Disclosed Information is complete and accurate; (ii) any Transfer is in compliance with applicable Data Protection Legislation or Customer’s organization’s policies; (iii) the use of the Disclosed Information by the Recipient is valid and in compliance with applicable Data Protection Legislation and Customer’s organization’s policies; or (iv) the Disclosed Information will remain secure upon transfer to the Recipient, and disclaims any responsibility in respect of any Transfer. Customer acknowledges that the Disclosed Information will be provided on an “as is”, “as available” basis.
  5. INTERNATIONAL TRANSFERS OF CUSTOMER PERSONAL DATA
    1. Customer acknowledges and agrees that GL may from time to time store and Process Customer Personal Data outside of the EEA or UK. Where GL is certified under a scheme (such as the EU–U.S. Data Privacy Framework and/or UK Extension (as applicable)) that benefits from an adequacy decision of the European Commission and UK Government (as applicable) (each a “Transfer Scheme”), GL will rely on such Transfer Scheme and corresponding adequacy decision for Restricted Transfers. Where a Transfer Scheme does not otherwise apply to a Restricted Transfer, GL shall endeavour to ensure that the Customer Personal Data subject to such Restricted Transfer is appropriately safeguarded in accordance with the GDPR.
  6. DATA RETENTION
    1. Customer Personal Data will be deleted within a reasonable amount of time after the cessation of the Services and/or as otherwise instructed by the Customer, except that GL may retain Customer Personal Data as required by applicable legal requirements or as agreed by Customer.
  7. DATA PROTECTION IMPACT ASSESSMENT
    1. If GL believes or becomes aware that its Processing of the Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall inform Customer and provide reasonable assistance to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under applicable Data Protection Legislation.

Annex 1

DETAILS OF PROCESSING

GL's Activities

GL offers an education technology platform to provide formative educational assessments that provide teachers tools to measure student ability.

Subject matter and duration of the Processing of Customer Personal Data

The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and the DPA.

The nature and purpose of the Processing of Customer Personal Data

GL will Process the Customer Personal Data to: (i) deliver the Services to Customer pursuant to the Agreement or as otherwise set out in the Agreement and the DPA; (ii) validate the accuracy of GL’s assessments (including by supplementing the Customer Personal Data with Personal Data from third-party data sources); (iii) validate the effectiveness of the Products and Services and improve the Products; and (iv) create De-identified Data and Anonymized Data.

The types of Personal Data to be Processed

Personal Data provided to GL by Customer as part of GL’s provision of the Services, which may include first name, last name, and unique pupil numbers.

The Special Categories of Data to be Processed

Special Categories of Data may include racial data and other special categories provided to GL by Customer as part of GL’s research validation.

The Categories of Data Subjects to whom the Customer Personal Data Relates

Users, pupils, parents/guardians, teachers, administrators.

Competent Supervisory Authority

The competent Supervisory Authority is the authority in the country where the Customer is established.