This Agreement records the terms upon which Wonde Limited (“Wonde”) will process the School Data for the purpose of transferring the School Data to Wonde’s applications and/or to one or more third party application providers of services or products to the School and this Agreement is therefore formed between Wonde and the School.
This Agreement includes international data transfer terms to permit the export and import of School Data which is necessary for Wonde to provide its Services pursuant to this Agreement.
BY GRANTING ACCESS TO THE WONDE SOFTWARE TO SOME OR ALL OF THE SCHOOL DATA, THE SCHOOL AGREES TO THE TERMS OF THIS AGREEMENT.
THESE TERMS ARE INCORPORATED INTO ALL TERMS AND CONDITIONS UNDER WHICH WONDE HAS AGREED TO PROVIDE ITS WONDE SOFTWARE TO THE SCHOOL AND THE SCHOOL SUPPLIERS INCLUDING ANY TERMS OF LICENCE OR SERVICE.
1. Definitions
1.1. In this Agreement the following definitions shall apply:
“Agreement” means this data processing agreement also known as a data handling agreement.
“Authorised Persons” shall mean the persons or categories of persons that the School authorises to give Wonde processing instructions pursuant to this Agreement.
“Confidential Information” means all confidential information (however recorded or preserved) disclosed by the School to Wonde in connection with this Agreement which is either labelled as such or else which could be reasonably considered confidential because of its nature and the manner of its disclosure.
“Data” has the meaning given in the Data Protection Laws as amended or replaced from time-to-time.
“Data Controller” shall be interpreted and construed by reference to the term Controller as defined under Data Protection Laws.
“Data Processor” shall be interpreted and construed by reference to the term Processor as defined under Data Protection Laws.
“Data Protection Laws” means all applicable data protection and privacy legislation in force from time to time in the UK including the Data Protection Act 2018 (“DPA”) (as amended or replaced from time-to-time), UK GDPR and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.
“Effective Date” means the date upon which the School accepts these terms.
“MIS” means the School’s database which holds the School Data also known as a student information system or school management system.
“Non-UK Data Protection Laws” Means any data protection or privacy laws in force outside of the UK which may apply to this Agreement.
“Personal Data” has the meaning given in Data Protection Laws.
“Personal Data Breach” has the meaning given in Data Protection Laws but shall include any breach of School Data.
“processed” or “processing” has the meaning given in Data Protection Laws.
“School” means the school or education establishment using the Wonde Software.
“School Data” means any Data sets relating to students, parents and guardians, and staff at the School, and other forms of data regarding the School which are approved by any Authorised Persons.
“School Suppliers” means third party providers of services or products via third party applications to the School to which the School wishes to transfer certain data sets of the School Data.
“Services” Means the services performed by Wonde:
a. for the benefit of the School and School Suppliers, utilising the Wonde Software, of transferring selected School Data from the School or its MIS to selected School Suppliers; and
b. to allow students, parents and guardians, and staff at the School to access selected data from the MIS and/or School Suppliers using a single account within the Wonde Software; and
C. to allow access to, and use of the Wonde Software.
“Standard Contractual Clauses (SCC)” means with respect to the United Kingdom, the standard contractual clauses supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as set out in Schedule 2.
“Sub-Processors” means any third-party, person or company appointed by or on behalf of Wonde who may process Personal Data to facilitate the provision of the Services in connection with the Agreement.
“UK GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).
“Wonde Software” means the software applications and platform supplied (directly or indirectly) by Wonde and used by the School including the Wonde school portal.
1.1 A reference to writing or written includes emails and writing in any electronic form.
2. General Provisions
2.1. The Effective Date of this Agreement shall be the date that the School accepts the terms of this Agreement and the School acknowledges that this Agreement shall be effective and replace any previously applicable data processing, handling and security terms.
2.2. This Agreement applies to the extent that Wonde processes School Data which is subject to the Data Protection Laws.
2.3. The parties acknowledge that Non-UK Data Protection Laws shall also apply to this Agreement in the export of any School Data to Wonde.
2.4. By granting access to (some or all of) the School Data to Wonde and the Wonde Software , the School agrees to the terms of this Agreement.
2.5. The School and Wonde acknowledge that, for the purposes of Data Protection Laws, Wonde is a Data Processor and the School is a Data Controller in respect of the School Data comprising Personal Data which is processed by the Wonde Software. This scenario applies whether Wonde is importing or exporting any School Data from the School pursuant to this Agreement. Each party shall comply with their respective obligations under the Data Protection Laws and Non-UK Data Protection Laws.
2.6. Wonde will be a Data Controller in respect of certain other Personal Data collected by Wonde, including details of staff of the School when they interact with Wonde directly, and the contact details of parents who may login to the Wonde Software directly. This Agreement does not apply to any information Wonde collects as a Data Controller. Further information relating to Wonde’s collection and handling of Personal Data is outlined in its Privacy Notice, which is made available to the School and is further available on Wonde’s website or by request.
2.7. Wonde shall comply with all applicable Data Protection Laws in respect of its obligations for the processing of the School Data.
2.8. Wonde shall not use or disclose any School Data other than on the instructions of the School (unless such processing shall be required by any applicable law to which Wonde is subject to and where Wonde has a legal basis to do so).
2.9. The School hereby instructs and authorises Wonde to process School Data for the purpose of:
2.9.1. transferring certain School Data through its instructions via the Wonde school portal from the School to School Suppliers, which permits students, parents and guardians, and staff of the School to access and manage the School Data effectively;
2.9.2. carrying out requests and/or instructions to restrict or approve data sets via the Wonde school portal;
2.9.3. Wonde providing the School with access to the Wonde Software; and
2.9.4. as otherwise reasonably necessary for the provision of the Services by Wonde to the School.
2.10. The School warrants and represents that the transfer by the School of the School Data to Wonde for the purpose of Wonde processing the School Data as set out in this clause 2, is lawful under, and in full compliance with, Data Protection Laws. The School shall indemnify Wonde against all costs, claims, damages, expenses, losses and liabilities incurred by Wonde arising out of or in connection with any breach of the foregoing warranty and representation.
2.11. The School and Wonde confirm that Schedule 1 determines the subject matter, duration, nature and purpose of processing which includes the following:
2.11.1. the processing of School Data by Wonde will comprise the collection or extraction of School Data from the MIS, the organisation and re-categorisation of that School Data, the transfer of the School Data to School Suppliers notified to Wonde by the School via the Wonde school portal, the processing of School Data within and for the purpose of the Wonde Software, and the transfer of the School Data to parents, guardians, students and staff of the School who are permitted access to the Wonde Software;
2.11.2. the purpose of the processing of School Data by Wonde is to enable Wonde to provide the Services; and
2.11.3. the data that will be processed by Wonde will be School Data, and the data subjects will be students of the School, their parents and guardians, and staff of the School.
3. Term and Termination
3.1. This Agreement shall commence on the Effective Date, and shall continue in full force unless and until the School removes the Wonde Software from the School’s computer network or MIS, at which point this Agreement shall automatically terminate.
3.2. Upon termination of this Agreement, clauses 2.6, 4, 5, 6 and 9 shall continue to apply.
3.3. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the licence terms or this Agreement, in order to protect the School Data, will remain in full force and effect.
4. Transfer of School Data
4.1. The School hereby consents to the Wonde Software accessing School Data held on the MIS, for the purpose of extracting and transferring such School Data to Wonde and to School Suppliers.
4.2. Upon leaving the School MIS by electronic means (via HTTPS) the School Data will be encrypted by the Wonde Software.
4.3. Wonde shall ensure that the School has access to the Wonde school portal whereby the School has visibility and control over the categories of School Data they are sharing with each School Supplier; subject to any terms and conditions of use for the online portal.
4.4. School Data will only be transferred to School Suppliers where instructed by the School to the school portal in the Wonde Software.
4.5. The School will also enter into separate contractual terms with the School Suppliers to ensure that all Data Protection Laws are being complied with by the School Suppliers and to protect the data relationships.
4.6. The School agrees that it has determined the lawful basis for such a transfer to Wonde and has received all consents and rights necessary under the Data Protection Laws to enable Wonde to handle the School Data.
4.7. In particular, the School acknowledges and agrees that it will be solely responsible for (i) the accuracy, quality, and legality of the School Data and the means by which it has been acquired; (ii) complying with all necessary transparency and lawfulness requirements under the Data Protection Laws for the collection and use of the School Data; (iii) ensuring the School has the right to transfer or provide Wonde access to the School Data for processing under this Agreement; (iv) ensuring that the School’s instructions to Wonde comply with applicable laws including the Data Protection Laws and Non-UK Data Protection Laws.
4.8. The School shall indemnify Wonde against all costs, claims, damages, expenses, losses and liabilities incurred by Wonde arising out of or in connection with any breach of this clause 4.
5. Ownership of the School Data and Confidential Information
5.1. The School Data shall always remain the property of the School.
5.2. The School therefore retains control of the School Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Wonde.
5.3. Wonde shall have no responsibility to maintain the security of any School Data to the extent it is held or processed outside of Wonde’s direct control.
5.4. Wonde shall keep all Confidential Information and School Data confidential and shall not:-
5.4.1. use any Confidential Information or School Data except for the purpose of performing the Services it provides to the School; or
5.4.2. disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement, or as required for the purpose of any Services provided by Wonde to the School, or to the extent required by law.
5.5. Wonde shall ensure that all persons authorised by Wonde to process the School Data are:
5.5.1. informed of the confidential nature of the School Data and are bound by confidentiality obligations and use the appropriate restrictions in place in respect of preserving the School Data; and
5.5.2. have undertaken training on the Data Protection Laws relating to any handling of the School Data.
6. Security of the Data
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing to be carried out by Wonde, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Wonde shall in relation to the School Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk.
6.2. In assessing the appropriate level of security, Wonde shall take account in particular of the risks that are presented by processing of the School Data, in particular from a Personal Data Breach and to preserve the security and confidentiality of the School Data, in accordance with Wonde’s Privacy Notice. Further details of Wonde’s security policies and processes are available on request.
7. Sub-Processors and International Transfers
7.1. The Parties acknowledge and agree that Non-UK Data Protection Laws may also apply to the Processing of School Data. Except to the extent this Agreement states otherwise, the terms of this Agreement will apply irrespective of whether the Data Protection Laws or Non-UK Data Protection Laws applies to the Processing of School Data by Wonde. If Non-UK Data Protection Laws apply to either Party’s Processing of School Data, the Parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under those laws with respect to the Processing of that School Data and agree it may be necessary to enter into further terms in this regard.
7.2. Through the use of Wonde’s Services, the School will control and instruct Wonde to facilitate the transfer of School Data to and from School Suppliers. There may be circumstances, for example, where the School has chosen to engage and use a School Supplier that is located outside of the country the School operates in. In this scenario, therefore, Wonde may be instructed by the School to transfer School Data to such overseas recipients. Whilst Wonde will comply with the relevant data protection and information security requirements and will undertake its own due diligence of such third party School Suppliers, ultimately, Wonde is relying on the School and its instructions to transfer such information. It is important to note that such a transfer to a School Supplier would occur ordinarily even if Wonde was not providing the Services to the School, because that School Supplier would require such information directly from the School (whether by CSV file transfer or such other methodology from time to time) to provide its own services to such school from time to time. It is also important to note that the School always remains in control of any such data transfer to a School Supplier whilst using the Services from time to time.
7.3. The School therefore acknowledges that the School Data may be exported via the Wonde Software to enable Wonde to facilitate its Services pursuant to this Agreement.
7.4. Like any other established software business, Wonde may use third party service providers i.e. Sub-Processors for example to optimise its provision of Services, improve internal efficiencies and assist with providing data controls. To that end, Wonde may also transfer School Data to such third parties providing services to us who are based outside of the Country which it operates, such as to the United Kingdom without obtaining specific written consent. Specific examples of this include to facilitate services supporting Wonde, providing IT administration services and hosting services, and parties providing assistance with managing Wonde’s databases. Wonde will only engage with Sub-Processors after undertaking due diligence and Wonde will only work with reputable and established brands who offer high levels of protection of data. If it is necessary to do this, Wonde will always look to limit the amount of data and if possible, anonymise any data that is transferred to such parties from time to time. Wonde may continue to use such Sub-Processors already engaged by Wonde and a list of its current Sub-Processors may be found at www.wonde.com/subprocessors. Wonde will continue to update this list when required to do so.
7.5. The School hereby provides a general authorisation to Wonde to appoint future Sub-Processors for the processing of School Data by Wonde, so long as Wonde carries out due diligence on all potential Sub-Processors, complies with the requirements under the Data Protection Laws and complies with clause 7.5.
7.6. Where Wonde appoints a Sub-Processor pursuant to this clause 7, it shall ensure that the arrangement between it and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for the School Data as those set out in this Agreement, which meets the requirements of Data Protection Laws.
7.7. Wonde shall ensure that each Sub-Processor appointed by it performs the obligations under clauses 2.4, 6.1, 10, 11 as they apply to processing of the School Data carried out by that Sub-Processor, as if they were a party to this Agreement in place of Wonde. Wonde shall remain liable for the acts and omissions of any Sub-Processor in respect of the processing of the School Data.
7.8. The School authorises Wonde to transfer or otherwise process the School Data outside the UK or the European Economic Area, without obtaining the School’s specific prior written consent, provided that:
7.8.1. the School Data is transferred to or processed in a territory which is subject to adequacy regulations under the Data Protection Laws and that the territory provides adequate protection for the privacy rights of individuals; or
7.8.2. Wonde participates in a valid cross-border transfer mechanism under Data Protection Laws, so that Wonde (and, where appropriate, the School) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by the UK GDPR; or
7.8.3. the transfer otherwise complies with Data Protection Laws.
7.9. The SCCs shall be incorporated by reference in this Agreement which shall include Controller to Processor terms as set out in Schedule 2. In the case of conflict or ambiguity between any of the provisions of this Agreement and the SCCs, the provisions of the SCCs will prevail
8. Insurance
8.1. Wonde maintains a policy of insurance in respect of public liability in respect of the services provided by Wonde and the processing of the School Data, and shall produce a copy of such policy to the School if requested to do so.
9. Deletion or return of School Data
9.1. Wonde shall within a reasonable period of either a written request from the School or upon instruction from an Authorised Person, or the termination of this Agreement, delete and procure the deletion of all copies of the School Data.
9.2. Subject to clause 9.3, the School may in its absolute discretion by written notice to Wonde at any time require Wonde to:
9.2.1. return a complete copy of all School Data by secure file transfer in such format as is reasonably notified by the School to Wonde; and
9.2.2. delete and use all reasonable endeavours to procure the deletion of all other copies of School Data processed by Wonde or any of its Sub-Processors.
9.3. Wonde shall use all its reasonable endeavours to comply with any such written request within 30 days of receiving such request.
9.4. Wonde shall, within 30 days of a formal request from the School, provide written certification to the School that it has fully complied with this clause 9.
10. Audit and Information Rights
10.1. Subject to clauses 10.2, 10.3 and 10.4, Wonde shall:
10.1.1. make available to the School on request all information reasonably necessary to demonstrate Wonde’s compliance with this Agreement; and
10.1.2. allow for and contribute to audits, including inspections, by the School or any auditor nominated by the School in relation to the processing of the School Data by Wonde and its Sub-Processors.
10.2. The information and audit rights of the School under clause 10.1 shall apply only to the extent required by Data Protection Laws.
10.3. The School shall give Wonde reasonable notice of any audit or inspection that it wishes to conduct under clause 10.1, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to Wonde’s or its Sub-Processors’ premises, equipment, personnel and business.
10.4. Without prejudice to clause 10.3, Wonde or its Sub-Processors are not required to give access to their premises for the purposes of an audit or inspection:
10.4.1. to any individual unless he or she produces reasonable evidence of identity and authority; or
10.4.2. outside normal business hours at those premises; or
10.4.3. for the purposes of more than one audit or inspection in any calendar year.
11. Individual’s Rights and Associated Matters
11.1. Taking into account the nature of the processing conducted by Wonde, Wonde shall (and shall use all reasonable endeavours to procure that its Sub-Processors shall) assist the School by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the School’s obligations, to respond to requests to exercise individual’s and data subject rights under the Data Protection Laws.
11.2. Wonde shall:
11.2.1. promptly notify the School if it or any Sub-Processor receives a request from any individual under any Data Protection Law in respect of School Data;
11.2.2. notify the School promptly in writing if it receives any complaint or notice that relates directly or indirectly to the processing of the School Data and/or to either party’s compliance with the Data Protection Laws; and
11.2.3. not, and shall use all reasonable endeavours to ensure that the Sub-Processor does not, respond to any request from a data subject, except on the written instructions of the School or as required by any applicable laws to which Wonde or the Sub-Processor is subject to.
11.3. Wonde shall notify the School without undue delay upon Wonde becoming aware of:
11.3.1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the School Data. Wonde will restore any School Data at its own expense as soon as possible;
11.3.2. any accidental, unauthorised or unlawful processing of the School Data; or
11.3.3. any Personal Data Breach
in respect of any School Data processed by Wonde, providing the School with sufficient information to allow the School to meet any obligations to report, or inform the individuals to which the School Data related, of such Personal Data Breach under Data Protection Laws. It shall be the responsibility of the School to report the Personal Data Breach to the Information Commissioner’s Office or any other appropriate regulatory authority, where appropriate.
11.4. Wonde shall co-operate with the School and take such reasonable commercial steps as directed by the School to include: assisting in the investigation, facilitating any interviews, remediation and making any records available in relation to any such Personal Data Breach referred to in clause 11.3.
11.5. Wonde shall provide reasonable assistance to the School (at the School’s expense) with:
11.5.1. responding to any request from an individual; and
11.5.2. any data protection impact assessments, risks assessments, and prior consultations with competent data privacy authorities, which the School reasonably considers to be required under any Data Protection Laws, in each case solely in relation to processing of School Data comprised in the School Data, by and taking into account the nature of the processing and information available to Wonde.
12. Liability
12.1. Wonde shall have no liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
12.1.1. loss, interception or corruption of any data; other than to the extent such loss is caused by the negligence or fault of Wonde;
12.1.2. loss, interception or corruption of any data resulting from any negligence or default by any provider of telecommunications services to Wonde, the School or any School Supplier;
12.1.3. any loss arising from the default or negligence of any School Supplier;
12.1.4. damage to reputation or goodwill;
12.1.5. any indirect or consequential loss.
12.2. In all other circumstances, Wonde’s maximum liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, in connection with the Services or related to this Agreement shall be limited to the aggregate amount paid or payable for the Services during the 12 month period preceding the event giving rise to the claim.
12.3. Nothing in this clause shall limit the liability of Wonde for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.
13. Records
13.1. Wonde agrees that it shall keep detailed, accurate and complete records regarding any processing activities it carries out pursuant to this Agreement, including but not limited to, the access, control and security of the School Data.
13.2. Wonde will ensure that any such records referred to in clause 13.1 are sufficient to enable the School to verify Wonde’s compliance with its obligations under this Agreement and will respond to any reasonable request by the School for copies.
14. Miscellaneous Provisions
14.1. Save for any statement, licence, representations or assurances as to the method or location of storage this Agreement and the Schedules to it constitutes the entire agreement and understanding between the parties and with respect to all matters which are referred to and shall supersede any previous agreements between the parties in relation to the matters referred to in this Agreement.
14.2. No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
14.3. Wonde may vary the terms of this Agreement from time to time by giving notice to the School in advance of the variation.
14.4. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual dispute or claims) shall be governed by and construed in accordance with the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
14.5. Wonde may transfer, assign or novate its rights and obligations under this Agreement to any member of its group companies to whom Wonde transfers all or substantially all of its business.
SCHEDULE 1
Subject matter of processing:
The transfer is necessary to enable the provision of services by Wonde as set out in clause 2.8 (provision of data integration / data extraction services).
Duration of Processing:
For as long as it is necessary to provide the Services and until the School removes the Wonde Software from the School’s computer network or MIS, and then School Data is held and then deleted in accordance with Wonde’s data retention policy.
Nature of Processing:
The collection, storage, organisation and re-categorisation of the School Data in connection with, and for the purpose of, providing the Services to the School.
Personal Data Categories and Types:
The School Data being processed concerns the following categories of individuals / data subjects:
Students / Pupils
School Employees Including volunteers, agents, temporary and casual workers
Relatives, guardians, and associates of the data subject
Data Types:
Identifying information – names and former names, and dates of birth, reference numbers, personal pupil number, etc
Contact information – postal and email addresses (current and former), telephone number
Education/training records and examination results
Employment details for School employees such as name, address, email, DBS information, bank details, national insurance information, previous history
Usernames, passwords, IP addresses and cookies
Attendance / Absence information
Information collected by the school to form a student record
Characteristic data such as financial information, pupil premium and free school meal eligibility.
Special Categories of Personal Data as defined by Data Protection Laws
Schedule 2 – International Data Transfer Addendum
This addendum has been issued by the Information Commissioner for parties making restricted transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Table 1. Parties
Start Date Shall be the Effective Date referred to in this Agreement
Parties Wonde Limited | The School that accepts this Agreement
Key Contacts DPO | DPO
Table 2. Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum.
Module | Module in operation | Clause 7 Docking information | Clause 11 (option) | Clause 9a (prior authorisation) | Clause 9a (time period) | Is personal data received from the Importer combined with personal data collected by the Exporter?
2 | Yes | n/a | Yes | Option 2 | 30 days | Yes
Table 3 Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As set out in the main body of this Agreement
Annex 1B: Description of Transfer: As set out in the main body of this Agreement
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in the main body of this Agreement
Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable as Clause 9(a), Option 1 has not been selected
Table 4 – Ending this Addendum
Ending this Addendum when the Approved Addendum changes Which Parties may end this Addendum as set out in Section 19:
Importer x
Exporter x
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs, those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCS: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) of the UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: As defined in section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation ((EU) 2016/679), then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCC.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
(a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
(b) Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
(c) this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
(a) references to the “Clauses” mean this Addendum, incorporating the Addendum EU SCCs;
(b) In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
(c) Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
(d) Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
(e) Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
(f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
(g) References to Regulation (EU) 2018/1725 are removed;
(h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with “the UK”;
(i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module 1 is replaced with “Clause 11(c)(i)”;
(j) Clause 13(a) and Part C of Annex I are not used;
(k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
(l) In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
(m) Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
(n) Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
(o) The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
(a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
(b) reflects changes to UK Data Protection Laws.
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
(a) its direct costs of performing its obligations under the Addendum; and/or
(b) its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses
Mandatory Clauses Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.