- This Agreement shall be governed by and construed in accordance with English law. The courts of England shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with these General Conditions.
- If any of the General Conditions are held to be unenforceable, invalid or illegal for any reason, the remaining terms and conditions will nevertheless continue in full force.
SCHEDULE TO GENERAL CONDITIONS
DATA PROTECTION WITH SCHOOLS
Please note that this Schedule only applies to school subscriptions and not to family subscriptions. This is because when contracting with schools, schools are “controllers” of data and we are considered to be “processors” of that data. Whenever a controller uses a processor, standard contract terms need to be put in place to identify the responsibilities and liabilities of each party regarding the processing of data. For further details on data protection and family subscriptions, please visit our Privacy Notice.
- In this Schedule, the following terms shall have the following meanings:
- "Controller", "Processor", "Data Subject", "Personal Data" and "Processing" (and "Process") shall have the meanings given in Applicable Data Protection Law as amended from time to time;
- "Applicable Data Protection Law" shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data together with any transposition of that Directive into member state law to which the controller is subject; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- "Company" means Maths Circle Ltd (Company Number: 09861676) whose registered office is at Ossory Offices, Hazelwood Lane, Ampthill MK45 2HF;
- "School" means the relevant school or establishment using the Product;
- "School Data" means Personal Data relating to students, parents and guardians, and staff at the School, and other data regarding the school, including year group information;
- "Product" means the Times Tables Rock Stars educational resource which consists of paper based resources, the https://ttrockstars.com website (the “Site” ) and Times Tables Rock Stars apps (the “Apps”);
- A reference to writing or written includes faxes, emails and writing in any electronic form.
- GENERAL PROVISIONS
- 2.1. By continuing to use the Product, and by providing the Company with the School Data, the School agrees to the terms of this Schedule.
- 2.2. The School and the Company acknowledge that, for the purposes of Applicable Data Protection Law, the Company is a Processor and the School is a Controller in respect of the School Data comprising Personal Data described in Annex A to this Schedule (the “Data”).
- The Company and the School shall comply with all Applicable Data Protection Law in respect of the Processing of the Data.
- The Company shall Process the Data as a Processor for the purposes described in Annex A to this Schedule and otherwise strictly in accordance with the instructions of the School (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to the Company.
- The School hereby instructs and authorises the Company to process the Data for the purposes described in Annex A to this Schedule, and as otherwise reasonably necessary to enable the Company to provide the Product to the School.
- The School warrants and represents that it has a lawful basis (pursuant to Applicable Data Protection Law) for supplying all Data to the Company in connection with the School’s use of the Product and the lawful Processing of the Data by both the School and the Company for the purposes set out in this paragraph 2. The School shall indemnify the Company against all costs, claims, damages, expenses, losses and liabilities incurred by the Company arising out of or in connection with any failure (or alleged failure) by the School to have a lawful basis for Processing Data.
- INTERNATIONAL TRANSFERS
The Company shall not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area ("EEA") unless it first takes such measures as are necessary to ensure any such transfer is in compliance with Applicable Data Protection Law.
- CONFIDENTIALITY OF PROCESSING
- The Company shall ensure that any person that it authorises to Process the Data (including the Company’s staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person to Process the Data who is not under such a duty of confidentiality.
- The Company shall ensure that all Authorised Persons Process the Data only as necessary for the Permitted Purpose.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing to be carried out by the Company, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, (ii) accidental loss, alteration, unauthorised disclosure or access, and (iii) any other breach of security ((i), (ii) and (iii) together, a "Security Incident") in each case appropriate to that risk.
- The Company may appoint sub-contractors to carry out any or all of its Processing activities in accordance with the terms of this paragraph 6.
- The School hereby authorises the Company to appoint third parties to provide web and app development services to the Company in connection with the Product, and third parties to provide electronic data storage and transmission services to the Company in connection with the Product.
- The School hereby authorises the Company to appoint the sub-contractors listed in Annex B to this Schedule to carry out Processing activities in connection with the Data. The Company shall use reasonable endeavours to promptly notify the School of any changes to the identity of such third parties from time-to-time.
- Save as permitted by paragraphs 6.2 and 6.3, the Company shall not appoint any other sub-contractor in connection with the processing of the Data without the prior permission of the School.
- Where the Company appoints a sub-contractor pursuant to this paragraph 6, it shall ensure that the Company imposes data protection terms on any sub-contractor it appoints that protect the Data to the same standard as those provided for in this schedule, and meet the requirements of Applicable Data Protection Law.
- The Company acknowledges that it remains fully liable for the acts, errors or omissions of any of its sub-contractors in respect of the Processing of the Data.
- COOPERATION AND DATA SUBJECTS' RIGHTS
- The Company shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the School (at the School’s expense) to enable the School to respond to:
- any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
- any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data.
- In the event that any such request, correspondence, enquiry or complaint is made directly to the Company, the Company shall promptly inform the School providing full details of the same and the School shall provide all reasonable and timely assistance to the Company to enable the Company to take appropriate action.
- DATA PROTECTION IMPACT ASSESSMENT
If the Company believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the School and provide the School with all such reasonable and timely assistance as the School may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- SECURITY INCIDENTS
- 9.1. Upon becoming aware of a Security Incident, the affected party shall inform the other party without undue delay and shall provide all such timely information and cooperation as the other party may reasonably require including in order for the affected party to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.
- 9.2. The parties shall each further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep the other party up-to-date about all developments in connection with the Security Incident.
- DELETION OR RETURN OF DATA
- 10.1. Upon written request by the School, the Company shall destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing).
- 10.2. This requirement shall not apply to the extent that the Company is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event the Company shall isolate and protect the Data from any further processing except to the extent required by such law.
- The Company shall permit the School (or its appointed third party auditors) to audit the Company's compliance with this Schedule, and shall make available to the School all information, systems and staff reasonably necessary for the School (or its third party auditors) to conduct such audit.
- The School will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the School believes a further audit is necessary due to a Security Incident suffered by the Company.
- The information and audit rights of the School under paragraph 11.1 shall apply only to the extent required by Applicable Data Protection Law.
- The School shall give the Company reasonable notice of any audit or inspection that it wishes to conduct, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to the Company or its sub-contractors’ business.
Each party (the "Indemnifying Party") shall indemnify the other (the "Indemnified Party") from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage ("Damage") suffered or incurred by the Indemnified Party as a result of the Indemnifying Party's breach of the provisions of this Schedule, and provided that: (i) the Indemnified Party gives the Indemnifying Party prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Clause; and (ii) the Indemnified Party takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party's breach.
- The Company shall have no liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
- loss, interception or corruption of any Data resulting from any negligence or default by any provider of telecommunications services to the Company or the School;
- any loss arising from the default or negligence of any supplier to the School;
- damage to reputation or goodwill; and/or
- any indirect or consequential loss.
- Nothing in this clause shall limit the liability of the Company for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.
Data Processing Description
This Annex A forms part of the General Conditions and describes the Processing that the Company will perform on behalf of the School.
The School Data to be processed concern the following categories of Data Subjects:
- Parents and Guardians
CATEGORIES OF DATA
The School Data to be Processed concern the following categories of data:
- school name and contact information (including school postal address, phone number and email address), teachers’ names and contact information (including phone numbers and email addresses), pupils’ names, dates of birth (optional) and class year groups;
- details of interactions that the School and its Data Subjects have with us regarding the Product, together with any other information that the School and its Data Subjects choose to provide us with, for example, through correspondence and interactions with our customer and technical support teams;
- information collected automatically relating to the Product to include information like a user’s IP address, device type, unique device identification numbers and login information, browser-type and version, time zone setting, operating system and platform, broad geographic location (e.g. country or city-level location) and other technical information;
- information collected automatically relating to the Product about how a user’s device has interacted with the Site, including the pages accessed and links clicked, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from any page;
- the answers provided by users of the Product to the times table questions and the length of time taken to respond in each case.
PROCESSING OPERATIONS/PERMITTED PURPOSE
The School Data will be obtained, held and used by the Company to enable the Company to carry out its obligations arising from the terms and conditions entered into between the School and the Company regarding the use by the School and its users of the Product, including the Site and Apps.