Data Protection and Data Processing
1.1 The School shall own all right, title and interest in and to all of the School Data and shall have sole responsibility for the legality, reliability, integrity, accuracy backing up and quality of the School Data.
1.2 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
1.3 The parties acknowledge that for the purposes of the Data Protection Legislation, the School is the data controller and Coscole is the data processor (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). The Schedule sets out the scope, nature and purpose of processing by Coscole, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation, Personal Data) and categories of Data Subject.
1.4 Without prejudice to the generality of clause 1.2, the School will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Coscole for the duration and purposes of this Contract and has entered into appropriate data sharing agreements and the School shall, whenever requested by Coscole provide copies of all agreements and consents to Coscole such that Coscole can satisfy itself as to these consents (provided always that it shall be the School’s sole responsibility to ensure that it has all necessary consents);
1.5 The School shall have sole responsibility for the legality, reliability, integrity, accuracy backing up and quality of the School Data
1.6 Without prejudice to the generality of clause 1.2, Coscole shall, in relation to any Personal Data processed in connection with the performance by Coscole of its obligations under this Contract:
1.6.1 process that Personal Data only on the written instructions of the School and any Data Controller in relation to the Personal Data unless Coscole is required by the laws of any member of the European Union or by the laws of the European Union applicable to Coscole to process Personal Data (Applicable Laws). Where Coscole is relying on laws of a member of the European Union or European Union law as the basis for processing Personal Data, Coscole shall promptly notify the School of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Coscole from so notifying the School;
1.6.2 ensure that it has in place appropriate technical and organisational measures, reviewed by School (if the School requests), to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
1.6.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
1.6.4 assist the School and any Data Controller of the Personal Data, at the School’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
1.6.5 at the written direction of the School or the relevant Data Controller, delete or return Personal Data and copies thereof to the School or the Data Controller on termination of the Agreement unless required by Applicable Laws to store the Personal Data;
1.6.6 notify the other party without undue delay on becoming aware of a Personal Data breach of security leading to the accidental or unlawful distribution, loss, deterioration, unauthorised disclosure of or access to personal data, processed by the other party;
1.6.7 maintain complete and accurate records and information to demonstrate its compliance with this clause;
1.6.8 assist the other party and the Data Controller in carrying out data protection impact assessments and consulting with relevant supervisory authorities where such assessments and/or consultations are required pursuant to the Data Protection Legislation, provided that the scope of such assistance shall be agreed by the parties in advance; and
1.6.9 not transfer any Personal Data outside of the European Economic Area unless either:
188.8.131.52 this is at the request of the Reseller (for example but not limited to a request for the delivery of Personal Data to a person or a server situated outside the European Economic Area);
184.108.40.206 the prior written consent of the School has been obtained and the School must ensure that prior to giving any such consent, it has ensured that the relevant Data Controller has obtained the written consent of the relevant Data Subjects as required by Applicable Laws; or
220.127.116.11 the transfer is permitted by Chapter V of the GDPR or other provisions of Applicable Laws.
1.7 The School does not consent to Coscole appointing any third party processor of Personal Data under this Contract.
1.8 The School shall indemnify and hold Coscole harmless from and against any and all Losses to the extent arising from or related to School Data (except to the extent that any such claim, demand or action arose out of or is in connection with Coscole’s intentional misuse of, infringement of, or gross negligence or willful misconduct in relation to Licensee Data).
1.9 It is the School’s sole responsibility to encrypt the School Data other than data stated in the Cloud Based Service.
1.10 The parties shall co-operate with each other to demonstrate compliance with this clause 9 and allow for and contribute to audits, including inspections conducted by or on behalf of the School.