Data processing agreement

This data processing agreement records the terms upon which Wonde Limited trading as MyLogin (‘MyLogin’, ‘we’, ‘us’) will process the School Data for the purpose of transferring the School Data from a Digital Environment to School Suppliers to the School and this Agreement is therefore formed between MyLogin and the School.

BY GRANTING ACCESS TO THE MYLOGIN SOFTWARE TO THE SCHOOL DATA, THE SCHOOL AGREES TO THE TERMS OF THIS DATA PROCESSING AGREEMENT.

THESE TERMS ARE INCORPORATED INTO ALL TERMS AND CONDITIONS UNDER WHICH MYLOGIN HAS AGREED TO PROVIDE ITS MYLOGIN SOFTWARE TO THE SCHOOL AND THE SCHOOL SUPPLIERS.

1. Definitions

1.1 In this Agreement the following definitions shall apply:

“Agreement”means this Data Processing Agreement.
“Authorised Persons”shall mean the persons or categories of persons that the School authorises to give MyLogin processing instructions pursuant to this Agreement.
“Confidential Information”means all confidential information (however recorded or preserved) disclosed by the School to MyLogin in connection with this Agreement which is either labelled as such or else which could be reasonably considered confidential because of its nature and the manner of its disclosure.
“Data”has the meaning given in the Data Protection Laws as amended or replaced from time-to-time.
“Data Controller”shall be interpreted and construed by reference to the term Controller as defined under Data Protection Laws.
“Data Processor”shall be interpreted and construed by reference to the term Processor as defined under Data Protection Laws.
“Data Protection Laws”means all applicable data protection and privacy legislation in force from time to time in the UK including the Data Protection Act 2018 (“DPA”) (as amended or replaced from time-to-time), UK GDPR (as defined in the Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.
“Digital Environment”means third party providers of any software that is used by the school for the purpose of managing its digital workspace.
“Effective Date”means the date upon which the School accepts these terms.
“Good Industry Practice”means using standards, practices, methods and procedures conforming to the law and exercising that degree of skill and care diligence prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or body engaged in a similar type of undertaking under the same or similar circumstances.
“Personal Data”has the meaning given in Data Protection Laws.
“Personal Data Breach”has the meaning given in Data Protection Laws but shall include any breach of School Data.
“processed” or “processing”has the meaning given in Data Protection Laws.
“School”means the school or education establishment using the MyLogin Software.
“School Data”means Personal Data relating to students, and staff at the School, and other data regarding the school, including but not limited to:
1. Names
2. Email addresses
3. Dates of Birth
“School Suppliers”means third party providers of services or products via third party applications to the School to which the School wishes to transfer certain data sets of the School Data.
“Services”Means the services performed by MyLogin:
a. for the benefit of the School and School Suppliers, utilising the MyLogin Software, for transferring selected School Data between the School Suppliers.
“Standard Contractual Clauses (SCC)”means all Controller to Processor SCCs, any Controller to Controller SCCs or any other SCCs that may apply and are entered into between the parties or the European Commission’s SCCs for the transfer of Personal Data pursuant to the European Commission’s decision (C92010)593) of 5 February 2010.
“Sub-Processors”means any third-party, person or company appointed by or on behalf of MyLogin who may process Personal Data to facilitate the provision of the Services in connection with the Agreement.
“UK GDPR”means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).
“MyLogin Software”means the software applications and platform supplied (directly or indirectly) by MyLogin and used by the School.

1.2 A reference to writing or written includes emails and writing in any electronic form.

2. General Provisions

2.1 The Effective Date of this Agreement shall be the date that the School accepts the terms of this Agreement and the School acknowledges that this Agreement shall be effective and replace any previously applicable data processing, handling and security terms.

2.2 This Agreement applies to the extent that MyLogin processes School Data which is subject to the Data Protection Laws.

2.3 By granting access to the School Data to MyLogin and the MyLogin Software, the School agrees to the terms of this Agreement.

2.4 The School and MyLogin acknowledge that, for the purposes of Data Protection Laws, MyLogin is a Data Processor and the School is a Data Controller in respect of the School Data comprising Personal Data which is processed by the MyLogin Software. Each party shall comply with their respective obligations under the Data Protection Laws.

2.5 MyLogin will be a Data Controller in respect of certain other Personal Data collected by MyLogin, including details of staff of the School when they interact with MyLogin directly. This Agreement does not apply to any information MyLogin collects as a Data Controller. Further information relating to MyLogin’s collection and handling of Personal Data is outlined in its Privacy Notice, which is made available on MyLogin’s website or by request.

2.6 MyLogin shall comply with all applicable Data Protection Laws in respect of its obligations for the processing of the School Data.

2.8 The School hereby instructs and authorises MyLogin to process School Data for the purpose of:

2.8.1 transferring certain School Data through its instructions via the MyLogin software from the Digital Environment to School Suppliers, which permits students, and staff of the School to access and managetheSchool Data effectively;

2.8.2 MyLogin providing the School with access to the MyLogin Software; and

2.8.3 as otherwise reasonably necessary for the provision of the Services by MyLogin to the School.

2.9 The School warrants and represents that the transfer by the School of the School Data to MyLogin for the purpose of MyLogin processing the School Data as set out in this clause 2, is lawful under, and in full compliance with, Data Protection Laws. The School shall indemnify MyLogin against all costs, claims, damages, expenses, losses and liabilities incurred by MyLogin arising out of or in connection with any breach of the foregoing warranty and representation.

2.10 The School and MyLogin confirm that Schedule 1 determines the subject matter, duration, nature and purpose of processing which includes the following:

2.10.1 the processing of School Data by MyLogin will comprise the collection or extraction of School Data from the Digital Environment, the organisation of that School Data, the transfer of the School Data to School Suppliers documented on the MyLogin app directory, the processing of School Data within and for the purpose of the MyLogin Software, and the transfer of the School Data to staff of the School who are permitted access to the MyLogin Software;

2.10.2 the purpose of the processing of School Data by MyLogin is to enable MyLogin to provide the Services; and

2.10.3 the data that will be processed by MyLogin will be School Data, and the data subjects will be students and staff of the School.

3. Term and Termination

3.1 This Agreement shall commence on the Effective Date, and shall continue in full force unless and until the School removes the MyLogin Software from the School’s computer network, at which point this Agreement shall automatically terminate.

3.2 Upon termination of this Agreement, clauses 2.6, 2.9, 4 and 5 and 9 shall continue to apply.

3.3 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the licence terms or this Agreement, in order to protect the School Data, will remain in full force and effect.

4. Transfer of School Data

4.1 The School hereby consents to the MyLogin Software accessing School Data held on the Digital Environment, for the purpose of extracting and transferring such School Data to MyLogin and to School Suppliers.

4.2 Upon leaving the Digital Environment by electronic means (via HTTPS) the School Data will be encrypted by the MyLogin Software.

4.3 School Data will only be transferred to School Suppliers where instructed by the School to the school portal in the MyLogin Software.

4.4 The School will enter into written agreements with all School Suppliers who also act as Data Processors of the School, in the terms required by the Data Protection Laws, before instructing MyLogin to transfer any School Data to such School Supplier.

4.7 Where School Data is to be transferred to a School Supplier outside of the United Kingdom, the School has sole responsibility for ensuring that adequate safeguards are in place for the transfer of that School Data, as required by Data Protection Laws, to a jurisdiction outside of the United Kingdom (including, if applicable, written agreements incorporating the appropriate SCCs).

4.8 The School agrees that it has determined the lawful basis for such a transfer as described in clause 4.6, and has received all consents and rights necessary under the Data Protection Laws to enable MyLogin to process the School Data.

4.9 In particular, the School acknowledges and agrees that it will be solely responsible for (i) the accuracy, quality, and legality of the School Data and the means by which it hasbeenacquired; (ii) complying with all necessary transparency and lawfulness requirements under the Data Protection Laws for the collection and use of the School Data; (iii) ensuring the School has the right to transfer or provide MyLogin access to the School Data for processing under this Agreement; (iv) ensuring that the School’s instructions to MyLogin comply with applicable laws including the Data Protection Laws.

5.0 The School shall indemnify MyLogin against all costs, claims, damages, expenses, losses and liabilities incurred by MyLogin arising out of or in connection with any breach of the clauses 4.5, 4.6, 4.7 and/or 4.8 above.

5. Ownership of the School Data and Confidential Information

5.1 The School Data shall always remain the property of the School.

5.2 The School therefore retains control of the School Data and remains responsible for its compliance obligations under the Data Protection Laws, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to MyLogin.

5.3 MyLogin shall have no responsibility to maintain the security of any School Data to the extent it is held or processed outside of MyLogin’s direct control.

5.4 MyLogin shall keep all Confidential Information and School Data confidential and shall not:

5.4.1 use any Confidential Information or School Data except for the purpose of performing the Services it provides to the School; or

5.4.2 disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement, or as required for the purpose of any Services provided by MyLogin to the School, or to the extent required by law.

5.5 MyLogin shall ensure that all persons authorised by MyLogin to process the School Data are:

5.5.1 informed of the confidential nature of the School Data and are bound by confidentiality obligations and use the appropriate restrictions in place in respect of preserving the School Data; and

5.5.2 have undertaken training on the Data Protection Laws relating to any handling of the School Data.

6. Security of the Data

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing to be carried out by MyLogin, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, MyLogin shall in relation to the School Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk.

6.2 In assessing the appropriate level of security, MyLogin shall take account in particular of the risks that are presented by processing of the School Data, in particular from a Personal Data Breach and to preserve the security and confidentiality of the School Data, in accordance with MyLogin’s Privacy Notice. Further details of MyLogin’s security policies and processes are available on request.

7. Sub-Processors and International Transfers

7.1 The School acknowledges and agrees that MyLogin may use Sub-Processors in the course of its business and to fulfil the Services. MyLogin may continue to use such Sub-Processors already engaged by MyLogin and a list of its current Sub-Processors may be found at www.MyLogin.com/subprocessors . MyLogin will continue to update this list whenrequired to do so.

7.2 The School hereby provides a general authorisation to MyLogin to appoint future Sub-Processors for the processing of School Data by MyLogin, so long as MyLogin carries out due diligence on all potential Sub-Processors, complies with the requirements under the Data Protection Laws and complies with clause 7.3.

7.3 Where MyLogin appoints a Sub-Processor pursuant to this clause 7, it shall ensure that the arrangement between it and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for the School Data as those set out in this Agreement, which meets the requirements of Data Protection Laws.

7.4 MyLogin shall ensure that each Sub-Processor appointed by it performs the obligations under clauses 2.4, 6.1, 10, 11 as they apply to processing of the School Data carried out by that Sub-Processor, as if they were a party to this Agreement in place of MyLogin. MyLogin shall remain liable for the acts and omissions of any Sub-Processor in respect of the processing of the School Data.

7.5 The School authorises MyLogin to transfer or otherwise process the School Data outside the UK or the European Economic Area, without obtaining the School’s specific prior written consent, provided that:

7.5.1 the School Data is transferred to or processed in a territory which is subject to adequacy regulations under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or

7.5.2 MyLogin participates in a valid cross-border transfer mechanism under Data Protection Laws, so that MyLogin (and, where appropriate, the School) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by the UK GDPR; or

7.5.3 the transfer otherwise complies with Data Protection Laws.

7.6 If any School Data transfer between MyLogin and the School requires execution of SCCs in order to comply with the Data Protection Laws, the parties shall agree to enter into a further agreement to reflect the further SCCs.

8. Insurance

8.1 MyLogin maintains a policy of insurance in respect of public liability in respect of the services provided by MyLogin and the processing of the School Data, and shall produce a copy of such policy to the School if requested to do so.

9. Deletion or return of School Data

9.1 MyLogin shall within a reasonable period of either a written request from the School or upon instruction from an Authorised Person, or the termination of this Agreement, delete and procure the deletion of all copies of the School Data.

9.2 Subject to clause 9.3, the School may in its absolute discretion by written notice to MyLogin at any time require MyLogin to:

9.2.1 return a complete copy of all School Data by secure file transfer in such format as is reasonably notified by the School to MyLogin; and

9.2.2 delete and use all reasonable endeavours to procure the deletion of all other copies of School Data processed by MyLogin or any of its Sub-Processors.

9.3 MyLogin shall use all its reasonable endeavours to comply with any such written request within 30 days of receiving such request.

9.4 MyLogin and its Sub-Processors may retain School Data to the extent required by any applicable law, provided that MyLogin and its Sub-Processors shall ensure the confidentiality of all such School Data retained, and shall ensure that such School Data is only processed as necessary for the purpose(s) specified by the applicable laws requiring its storage and for no other purpose.

9.5 MyLogin shall, within 30 days of a formal request from the School, provide written certification to the School that it has fully complied with this clause 9.

10. Audit and Information Rights

10.1 Subject to clauses 10.2, 10.3 and 10.4, MyLogin shall:

10.1.1 make available to the School on request all information reasonably necessary to demonstrate MyLogin’s compliance with this Agreement; and

10.1.2 allow for and contribute to audits, including inspections, by the School or any auditor nominated by the School in relation to the processing of the School Data by MyLogin and its Sub-Processors.

10.2 The information and audit rights of the School under clause 10.1 shall apply only to the extent required by Data Protection Laws.

10.3 The School shall give MyLogin reasonable notice of any audit or inspection that it wishes to conduct under clause 10.1, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to MyLogin’s or its Sub-Processors’ premises, equipment, personnel and business.

10.4 Without prejudice to clause 10.3, MyLogin or its Sub-Processors are not required to give access to their premises for the purposes of an audit or inspection:

10.4.1 to any individual unless he or she produces reasonable evidence of identity and authority; or

10.4.2 outside normal business hours at those premises; or

10.4.3 for the purposes of more than one audit or inspection in any calendar year.

11. Data Subject Rights and Associated Matters

11.1 Taking into account the nature of the processing conducted by MyLogin, MyLogin shall (and shall use all reasonable endeavours to procure that its Sub-Processors shall) assist the School by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the School’s obligations, to respond to requests to exercise data subject rights under the Data Protection Laws.

11.2 MyLogin shall:

11.2.1 promptly notify the School if it or any Sub-Processor receives a request from a data subject under any Data Protection Law in respect of School Data;

11.2.2 notify the School promptly in writing if it receives any complaint or notice that relates directly or indirectly to the processing of the School Data and/or to either party’s compliance with the Data Protection Laws; and

11.2.3 not, and shall use all reasonable endeavours to ensure that the Sub-Processor does not, respond to any request from a data subject, except on the written instructions of the School or as required by any applicable laws to which MyLogin or the Sub-Processor is subject to.

11.3 MyLogin shall notify the School without undue delay upon MyLogin becoming aware of:

11.3.1 the loss, unintended destruction or damage, corruption, or unusability of part or all of the School Data. MyLogin will restore any School Data at its own expense as soon as possible;

11.3.2 any accidental, unauthorised or unlawful processing of the School Data; or

11.3.3 any Personal Data Breach

in respect of any School Data processed by MyLogin, providing the School with sufficient information to allow the School to meet any obligations to report, or inform the individuals to which the School Data related, of such Personal Data Breach under Data Protection Laws. It shall be the responsibility of the School to report the Personal Data Breach to the Information Commissioner’s Office or any other appropriate regulatory authority, where appropriate.

11.4 MyLogin shall co-operate with the School and take such reasonable commercial steps as directed by the School to include: assisting in the investigation, facilitating any interviews, remediation and making any records available in relation to any such Personal Data Breach referred to in clause 11.3.

11.5 MyLogin shall provide reasonable assistance to the School (at the School’s expense) with:

11.5.1 responding to any request from a Data Subject; and

11.5.2 any data protection impact assessments, and prior consultations with competent data privacy authorities, which the School reasonably considers to be required under any Data Protection Laws, in each case solely in relation to processing of School Data comprised in the School Data, by and taking into account the nature of the processing and information available to MyLogin.

12. Liability

12.1 MyLogin shall have no liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:

12.1.1 loss, interception or corruption of any data; other than to the extent such loss is caused by the negligence or fault of MyLogin;

12.1.2 loss, interception or corruption of any data resulting from any negligence or default by any provider of telecommunications services to MyLogin, the School or any School Supplier;

12.1.3 any loss arising from the default or negligence of any School Supplier;

12.1.4 damage to reputation or goodwill;

12.1.5 any indirect or consequential loss.

12.2 In all other circumstances, MyLogin’s maximum liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, in connection with the Services or related to this Agreement shall be limited to the aggregate amount paid or payable for the Services during the 12 month period preceding the event giving rise to the claim.

12.3 Nothing in this clause shall limit the liability of MyLogin for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.

13. Records

13.1 MyLogin agrees that it shall keep detailed, accurate and complete records regarding any processing activities it carries out pursuant to this Agreement, including but not limited to, the access, control and security of the School Data.

13.2 MyLogin will ensure that any such records referred to in clause 13.1 are sufficient to enable the School to verify MyLogin’s compliance with its obligations under this Agreement and will respond to any reasonable request by the School for copies.

14. Miscellaneous Provisions

14.1 Save for any statement, licence, representations or assurances as to the method or location of storage this Agreement and the Schedules to it constitutes the entire agreement and understanding between the parties and with respect to all matters which are referred to and shall supersede any previous agreements between the parties in relation to the matters referred to in this Agreement.

14.2 No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.

14.3 MyLogin may vary the terms of this Agreement from time to time by giving notice to the School in advance of the variation.

14.4 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual dispute or claims) shall be governed by and construed in accordance with the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.

14.5 MyLogin may transfer, assign or novate its rights and obligations under this Agreement to any member of its group companies to whom MyLogin transfers all or substantially all of its business.

Schedule 1

Subject matter of processing:

The transfer is necessary to enable the provision of services by MyLogin as set out in clause 2.8 (provision of data integration / data extraction services).

Duration of Processing:

For as long as it is necessary to provide the Services and until the School removes the MyLogin Software from the School’s computer network or Digital Environment, and then School Data is held and then deleted in accordance with MyLogin’s data retention policy.

Nature of Processing:

The collection, storage, organisation and re-categorisation of the School Data in connection with, and for the purpose of, providing the Services to the School.

Personal Data Categories and Types:

The School Data being processed concerns the following categories of Data

Subjects:

Students / pupils
School Employees including volunteers, agents, temporary and casual workers.

Data Types

Identifying information – names and former names, date of birth, reference numbers, personal pupil number, etc
Contact information – email addresses
Employment details for School employees such as name and email address
Usernames, passwords, IP addresses and cookies

02/2024 | V1.0