End User License Agreement


DEFINITIONS

Data Controller: has the meaning set out in section 1(1) of the Data Protection Act 1998.
Data Processor: has the meaning set out in section 1(1) of the Data Protection Act 1998.
Data Subject: an individual who is the subject of Personal Data.
Personal Data: has the meaning set out in section 1(1) of the Data Protection Act 1998 and relates only to personal data, or any part of such personal data, of which the School is the Data Controller and in relation to which the Service Provider is providing services under this Agreement.
Processing and process: have the meaning set out in section 1(1) of the Data Protection Act 1998.

CLAUSES

  1. OBLIGATIONS OF THE SERVICE PROVIDER
    1. The School and the Service Provider acknowledge that for the purposes of the Data Protection Act 1998, the School is the Data Controller and the Service Provider is the Data Processor of any Personal Data.
    2. The Service Provider shall process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes specified in Schedule 1 of this Agreement and in accordance with the School’s instructions from time to time and shall not process the Personal Data for any other purpose. The Service Provider will keep a record of any processing of personal data it carries out on behalf of the School.
    3. The Service Provider shall promptly comply with any request from the School requiring the Service Provider to amend, transfer or delete the Personal Data.
    4. If the Service Provider receives any complaint, notice or communication which relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Act 1998 and the data protection principles set out therein, it shall immediately notify the School and it shall provide the School with full co-operation and assistance in relation to any such complaint, notice or communication.
    5. At the School's request, the Service Provider shall provide to the School a copy of all Personal Data held by it in the format and on the media reasonably specified by the School.
    6. The Service Provider shall not transfer the Personal Data outside the European Economic Area without the prior written consent of the School.
    7. The Service Provider shall promptly inform the School if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.  The Service Provider will restore such Personal Data at its own expense.
  2. SERVICE PROVIDER'S EMPLOYEES
    1. The Service Provider shall ensure that access to the Personal Data is limited to:
      1. those employees who need access to the Personal Data to meet the Service Provider's obligations under this Agreement; and
      2. in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for performance of that employee's duties.
    2. The Service Provider shall ensure that all employees:
      1. are informed of the confidential nature of the Personal Data;
      2. have undertaken training in the laws relating to handling personal data; and
      3. are aware both of the Service Provider's duties and their personal duties and obligations under such laws and this Agreement.
    3. The Service Provider shall take reasonable steps to ensure the reliability of any of the Service Provider's employees who have access to the Personal Data.
  3. RIGHTS OF THE DATA SUBJECT
    1. The Service Provider shall notify the School within three working days if it receives a request from a Data Subject for access to that person's Personal Data.
    2. The Service Provider shall provide the School with full co-operation and assistance in relation to any request made by a Data Subject to have access to that person's Personal Data.
    3. The Service Provider shall not disclose the Personal Data to any Data Subject or to a third party other than at the request of the School or as provided for in this Agreement.
  4. RIGHTS OF THE SCHOOL
    1. The School is entitled, on giving at least three days' notice to the Service Provider, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Personal Data by the Service Provider.
    2. The requirement under clause 4.1 to give notice will not apply if the School believes that the Service Provider is in breach of any of its obligations under this Agreement.
  5. WARRANTIES
    1. The Service Provider warrants that:
      1. it will process the Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments; and
      2. it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against the accidental loss or destruction of, or damage to, personal data to ensure the School's compliance with the seventh data protection principle including, but not limited to, the security measures set out in Schedule 2.
    2. The Service Provider shall notify the School immediately if it becomes aware of:
      1. any unauthorised or unlawful processing, loss of, damage to or destruction of the Personal Data;
      2. any advance in technology and methods of working which mean that the School should revise the security measures set out in Schedule 2.
  6. INDEMNITY
    1. The Service Provider agrees to indemnify and keep indemnified and defend at its own expense the School against all costs, claims, damages or expenses incurred by the School or for which the School may become liable due to any failure by the Service Provider or its employees or agents to comply with any of its obligations under this Agreement.
    2. The Service Provider shall take out insurance sufficient to cover any payment that may be required under clause 6.1 and produce the policy and receipt for premium paid, to the School on request.
  7. APPOINTMENT OF SUBCONTRACTORS
      The Service Provider will not authorise a third party (sub-contractor) to process the Personal Data.
Schedule 1    Purposes for which the Service Provider may process the Personal Data

The Service Provider shall process the Personal Data in accordance with requirements set out by the Data Controller:

Schedule 2    Security measures

The Service Provider will take all necessary and appropriate technical and organisational measures to ensure against the unauthorised or unlawful processing of personal data and against the accidental loss or destruction of, or damage to, personal data: