This addendum
This Data Processing Addendum (the DPA) to the FamiyBookform Terms of Service applies whenever we process personal data on behalf of schools and other educational establishments (referred to in this DPA as ‘you’). We do this when teachers or students upload content that contains personal data to a book created using the eBookform technology. More information about the personal data that we process and the purposes for processing is set out in the Schedule to this DPA.
1. Definitions
Data Protection Legislation: means the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any replacement legislation coming into effect from time to time including (without limitation) the GDPR.
GDPR: means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Valid Transfer Mechanism: a mechanism governing the transfer of personal data outside of the European Union which is recognised by the European Commission as providing adequate protection for personal data, including (without limitation) transfers to countries that have been designated as adequate by the European Commission, use of model contract clauses approved by the European Commission, use of approved binding corporate rules and reliance on Privacy Shield certification (for transfers to the US).
1.1. For the purposes of this DPA, "personal data", "data controller", "data processor" and "data subject" shall have the respective meanings given in the Data Protection Legislation.
2. Data controller and data processor
2.1. You and we both acknowledge that in respect of the personal data and the processing set out in the Schedule to this DPA, you will be the data controller and we will be the data processor.
3. Your obligations
3.1. Where we process personal data as data processor on your behalf, you shall:
3.1.1. ensure that the personal data is and remains accurate and up-to-date;
3.1.2. ensure that all necessary consents under the Data Protection Legislation have been obtained for the supply of the personal data and its processing by us; and
3.1.3. not do anything in connection with the personal data that would or might cause us to be in breach of any Data Protection Legislation or other law and/or to incur liability to any data subject.
4. Our obligations
4.1. Where we process personal data as data processor on your behalf in connection with eBookform:
4.1.1. solely process the personal data for the purposes of providing eBookform Terms of Use;
4.1.2. ensure that any persons we use to process personal data are required to treat the personal data confidentially;
4.1.3. take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data taking into account the nature of the processing and harm that might result from such unauthorised or unlawful processing, loss, destruction or damage and the nature of the personal data to be protected including without limitation, all such measures that may be required to ensure compliance with Article 32 of the GDPR;
4.1.4. taking into account the nature of the data processing activities undertaken by us and the information available to us:
(a) provide all reasonable possible assistance and co-operation to enable you to fulfil your obligations to respond to requests from individuals exercising their rights under the Data Protection Legislation;
(b) notify you as soon as reasonably practicable if we suffer a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is processed under this DPA;
(c) following a notification under clause 4.1.4(b), provide reasonable cooperation, information and assistance to you as may be necessary to enable you to notify relevant supervisory authorities and data subjects of the data security breach to the extent such notification is required under the Data Protection Legislation;
4.1.5. assist you with carrying out data protection impact assessments and consulting with relevant supervisory authorities where such assessments and/or consultation are required pursuant to the Data Protection Legislation, provided that the scope of such assistance shall be agreed between you and us in advance and you shall pay our reasonable costs incurred in providing such assistance;
4.1.6. upon termination of your use of eBookform, at your choice, delete or return to you all personal data;
4.1.7. upon reasonable request with not less than 4 weeks' notice, and provided that you shall not make more than one request in any rolling 12 month period, make available to you all information necessary to demonstrate compliance with the obligations set out in this clause 4 and allow for and contribute to audits, including inspections, conducted by you or on your behalf.
5. Subcontracting
5.1. You acknowledge that we use AWS Cloud Servers to store all personal data we process under this DPA and you hereby consent to us using AWS as a sub-processor for this purpose. AWS participates in the EU-US Privacy Shield arrangement. The model clauses are available here: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf