DATA PROTECTION AGREEMENT FOR UNIVERSITIES
This Data Protection Agreement was published on 19 September 2019.
(A) BridgeU and University entered into a Master Services Agreement and Order Form on the effective date of the relevant Order Form (the ‘ Agreement‘).
(B) In the course of providing the Services to University pursuant to the Agreement, BridgeU may process Personal Data on behalf of University. In particular, the parties envisage that BridgeU will enable functionality in order to allow certain University staff (e.g. recruitment officers (or equivalent)) to send certain Personal Data (e.g. their contact information) to certain school staff users and student users of BridgeU’s core platform (e.g. school careers guidance counsellors (or equivalent)).
(C) The parties also envisage that BridgeU will enable functionality in order to allow:
(i) certain school staff users of BridgeU’s core platform (e.g. careers guidance counsellors (or equivalent)) to send certain Personal Data (e.g. their contact information) to University; and/or
(ii) certain student users of BridgeU’s core platform to send certain information (e.g. their application) to University.
(D) Accordingly, the parties agree to comply with the following additional terms contained in this Data Protection Agreement (‘DPA‘) with respect to any processing of Personal Data.
1.1 The following definitions and rules of interpretation apply in this DPA:
1.2 This DPA shall remain in full force and effect so long as BridgeU retains any University Data in its possession or control. Unless otherwise specified within this DPA, defined terms set forth in the Agreement shall apply to the interpretation of this DPA.
1.3 In the case of conflict between this DPA and the Agreement, the provisions of this DPA shall prevail.
1.4 This DPA shall survive termination (for any reason) or expiry and continue until no University Data remains in the possession or control of BridgeU or any Sub-Processor, except that paragraphs 11 to 14 (inclusive) shall continue indefinitely.
1.5 Clauses 2 to 12 (inclusive) of this DPA apply in respect of processing by BridgeU of University Data on behalf of University. Clauses 13 to 14 (inclusive) of this DPA apply in respect of transfers of School Data to University.
PART A: UNIVERSITY DATA
2. Processor and Controller
2.1 The parties agree that, for the University Data, University shall be the Controller and BridgeU shall be the Processor.
2.2 Nothing in this DPA relieves University of any responsibilities or liabilities under any Data Protection Legislation.
2.3 To the extent University is not sole Controller of any University Data it warrants that it has full authority and authorisation of all relevant Controllers to instruct BridgeU to process the University Data in accordance with the DPA.
2.4 BridgeU shall process University Data in compliance with:
(a) the obligations of Processors under Data Protection Legislation in respect of the performance of its and their obligations under the DPA; and
(b) the terms of the DPA.
3. Instructions and details of processing
3.1 Insofar as BridgeU processes University Data on behalf of University, BridgeU:
(a) unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the University Data only on and in accordance with University’s documented instructions as set out in this paragraph 3.1 and paragraphs 3.2 and 3.3 (including when making a transfer of University Data to any International Recipient), as updated from time to time (‘ Processing Instructions‘);
(b) if Applicable Law requires it to process University Data other than in accordance with the Processing Instructions, shall notify University of any such requirement before processing the University Data (unless Applicable Law prohibits such information on important grounds of public interest); and
(c) shall promptly inform University if BridgeU becomes aware of a Processing Instruction that, in BridgeU’s opinion, infringes Data Protection Legislation, provided that:
(i) this shall be without prejudice to paragraphs 8.1 and 8.2; and
(ii) to the maximum extent permitted by mandatory law, BridgeU shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance University’s Processing Instructions following University’s receipt of that information.
3.2 University acknowledges and agrees that the execution of any computer command to process (including deletion of) any University Data made in the use of any of the Services by an Authorised User will be a Processing Instruction (other than to the extent such command is not fulfilled due to technical, operational or other reasons). University shall ensure that Authorised Users do not execute any such command unless authorised by University (and by all other relevant Controller(s)) and acknowledge that if any University Data is deleted pursuant to any such command BridgeU is under no obligation to seek to restore it.
3.3 The processing of the University Data by BridgeU under this DPA shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Schedule 1.
3.4 In connection with any Services which enables University staff (e.g. recruitment officers (or equivalent)) to send certain Personal Data (e.g. their contact information) to certain school staff users of BridgeU’s core platform (e.g. school careers guidance counsellors (or equivalent)), University hereby instructs BridgeU to collect all necessary consents to ensure such processing is lawful in accordance with the Data Protection Legislation.
4. Technical and organisational measures
4.1 Taking into account the nature of the processing, BridgeU shall implement and maintain, at its cost and expense, technical and organisational measures:
(a) in relation to the processing of University Data by BridgeU; and
(b) to assist University insofar as is possible in the fulfilment of University’s obligations to respond to Data Subject Requests relating to University Data.
5. Using staff and other processors
5.1 BridgeU shall not engage any Sub-Processor for carrying out any processing activities in respect of the University Data except in accordance with this DPA without University’s written authorisation of that specific Sub-Processor (such authorisation not to be unreasonably withheld, conditioned or delayed).
5.2 University authorises the appointment of each of the Sub-Processors identified on the List of Sub-Processors as updated from time to time.
5.3 BridgeU shall:
(a) prior to the relevant Sub-Processor carrying out any processing activities in respect of the University Data, appoint each Sub-Processor under a written contract containing at least the information required by the Data Protection Legislation that is enforceable by BridgeU (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);
(b) ensure each such Sub-Processor complies with all such obligations; and
(c) remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
5.4 BridgeU shall ensure that all persons authorised by it (or by any Sub-Processor) to process University Data are subject to a binding written contractual obligation to keep the University Data confidential (except where disclosure is required in accordance with Applicable Law, in which case BridgeU shall, where practicable and not prohibited by Applicable Law, notify University of any such requirement before such disclosure).
6. Assistance with compliance and Data Subject rights
6.1 BridgeU shall refer all Data Subject Requests it receives to University without undue delay.
6.2 BridgeU shall provide such reasonable assistance as University reasonably requires (taking into account the nature of processing and the information available to BridgeU) to University in ensuring compliance with University’s obligations under Data Protection Legislation with respect to:
(a) security of processing;
(b) data protection impact assessments (as such term is defined in Data Protection Legislation);
(c) prior consultation with a Supervisory Authority regarding high risk processing; and
(d) notifications to the Supervisory Authority and/or communications to Data Subjects by University in response to any Personal Data Breach,
provided University shall pay BridgeU for all work, time, costs and expenses incurred in connection with providing the assistance in this paragraph 6.2, calculated on a time and materials basis.
7. International data transfers
7.1 Subject to paragraph 7.2, BridgeU shall not transfer, or otherwise directly or indirectly disclose, any University Data to any International Recipient without the prior written consent of University except where BridgeU is required to transfer the University Data by Applicable Law (and shall inform University of that legal requirement before the transfer, unless those laws prevent it doing so).
7.2 University agrees that BridgeU may transfer University Data for the purposes referred to in paragraph 3.3 to any International Recipient, provided all transfers by BridgeU of University Data to an International Recipient (and any onward transfer) shall (to the extent required under Data Protection Legislation) be effected in accordance with Data Protection Legislation. The provisions of this DPA shall constitute University’s instructions with respect to transfers in accordance with paragraph 3.1(a).
7.3 University acknowledges that due to the nature of cloud services, the University Data may also be transferred to other geographical locations in connection with use of the Services further to access and/or computerised instructions initiated by Authorised Users. University acknowledges that BridgeU does not control such processing and University shall ensure that Authorised Users (and all others acting on its behalf) only initiate the transfer of University Data to other geographical locations if Appropriate Safeguards are in place and that such transfer is in compliance with all Applicable Laws.
8. Obligations of University
8.1 University shall ensure that it, its affiliates and each Authorised User shall at all times comply with:
(a) all Data Protection Legislation in connection with the processing of University Data, the use of the Services (and each part) and the exercise and performance of its respective rights and obligations under the DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Legislation; and
(b) the terms of the DPA.
8.2 University warrants, represents and undertakes, that at all times:
(a) all University Data (if processed in accordance with the DPA) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Legislation;
(b) fair processing and other information notices have been provided to the Data Subjects of the University Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Legislation in connection with all processing activities in respect of the University Data which may be undertaken by BridgeU and its Sub-Processors in accordance with the DPA;
(c) the University Data is accurate and up to date;
(d) it shall establish and maintain adequate security measures to safeguard University Data in its possession or control from unauthorised access and copying and maintain complete and accurate backups of all University Data provided to BridgeU (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such University Data in the event of loss, damage or corruption of such University Data by BridgeU or any other person;
(e) all instructions given by it to BridgeU in respect of Personal Data shall at all times be in accordance with Data Protection Legislation; and
(f) it has undertaken due diligence in relation to BridgeU’s processing operations and commitments and it is satisfied (and all times its continues to use the Services remains satisfied) that:
(i) BridgeU’s processing operations are suitable for the purposes for which University proposes to use the Services and engage BridgeU to process the University Data; and
(ii) BridgeU has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Legislation.
9. Information and audit
9.1 BridgeU shall maintain, in accordance with Data Protection Legislation binding on BridgeU, written records of all categories of processing activities carried out on behalf of University.
9.2 University may by written notice to BridgeU request information regarding BridgeU’s compliance with the obligations placed on it under this DPA. On receipt of such request BridgeU shall provide University (or auditors mandated by University) with a copy of the latest third party certifications and audits to the extent made generally available to its customers. Such copies are confidential to BridgeU and shall be BridgeU’s confidential information for the purposes of this DPA.
9.3 BridgeU shall, on request by University, in accordance with Data Protection Legislation, make available to University such information as is reasonably necessary to demonstrate BridgeU’s compliance with its obligations under this DPA and Article 28 of the GDPR (and under any Data Protection Legislation equivalent to that Article 28), and allow for and contribute to audits, including inspections, by University (or another auditor mandated by University) for this purpose provided:
(a) such audit, inspection or information request is reasonable, limited to information in BridgeU’s (or any Sub-Processor’s) possession or control and is subject to University giving BridgeU reasonable prior notice of such audit, inspection or information request;
(b) the parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which University or third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure BridgeU is not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 9.3);
(c) all costs of such audit or inspection or responding to such information request shall be borne by University, BridgeU’s costs, expenses, work and time incurred in connection with such audit or inspection shall be reimbursed by University on a time and materials basis;
(d) University’s rights under this paragraph 9.3 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if University (acting reasonably) believes BridgeU is in breach of this DPA;
(e) University shall promptly (and in any event within one business day) report any non-compliance identified by the audit, inspection or release of information to BridgeU;
(f) University shall ensure that all information obtained or generated by University or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure required by Applicable Law);
(g) University shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to the businesses of BridgeU and each Sub-Processor; and
(h) University shall ensure that each person acting on its behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any systems, equipment or data in the control or possession of BridgeU or any Sub-Processor whilst conducting any such audit or inspection.
10. Breach notification
10.1 In respect of any Personal Data Breach involving University Data, BridgeU shall, without undue delay:
(a) notify University of the Personal Data Breach; and
(b) provide University with details of the Personal Data Breach.
11. Deletion of University Data and copies
Following the end of the provision of the Services (or part) relating to the processing of University Data, BridgeU shall dispose of University Data in accordance with its obligations under this DPA. BridgeU shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such University Data undertaken in accordance with this DPA.
12. Compensation and claims
12.1 BridgeU shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this DPA:
(a) only to the extent caused by the processing of University Data under this DPA and directly resulting from BridgeU’s breach of this DPA; and
(b) in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this DPA by University (including in accordance with paragraph 3.1(c)(ii)).
12.2 If a party receives a compensation claim from a person relating to processing of University Data in connection with this DPA or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
(a) make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
(b) consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under this DPA for paying the compensation.
12.3 The parties agree that University shall not be entitled to claim back from BridgeU any part of any compensation paid by University in respect of such damage to the extent that University is liable to indemnify or otherwise compensate BridgeU in accordance with this DPA.
12.4 This paragraph 12 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Legislation to the contrary, except:
(a) to the extent not permitted by Applicable Law (including Data Protection Legislation); and
(b) that it does not affect the liability of either party to any Data Subject.
PART B: SCHOOL DATA
13. Processor and Controller
13.1 To the extent that BridgeU is instructed by a Data Subject or a relevant school to transfer School Data to University, the parties agree that:
(a) the relevant school shall be a Controller;
(b) BridgeU shall be a Processor; and
(c) University shall, immediately on receipt, be a separate and independent Controller.
13.2 BridgeU warrants and undertakes that:
(a) School Data shall be transferred to University in accordance with the Data Protection Legislation;
(b) it will respond to enquiries from Data Subjects and a Supervisory Authority, unless the parties have agreed that University will so respond, in which case BridgeU will still respond to the extent reasonably possible and with the information reasonably available to it if University is unwilling or unable to respond. Responses will be made within a reasonable time; and
(c) it will process School Data in accordance with instructions of the Controller, including University’s processing instructions following transfer of the School Data to the University by BridgeU.
13.3 To the fullest extent permitted by law, and subject to the provisions of this clause 13, BridgeU shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing of School Data by University.
14. Obligations of University
University warrants and undertakes that:
(a) it will have in place appropriate technical and organisational measures to protect the School Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the Processing and the nature of the data to be protected;
(b) it will have in place procedures so that any third party it authorises to have access to the School Data, including processors, will respect and maintain the confidentiality and security of School Data. Any person acting under the authority of University, including a data processor, shall be obligated to process the School Data only on instructions from University. This provision does not apply to persons authorised or required by law or regulation to have access to the School Data;
(c) it will not process School Data other than as permitted in accordance with this DPA; and
(d) it has no reason to believe, at the time of entering into the Agreement, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under this clause 14, and it will inform BridgeU if it becomes aware of any such laws.
Data processing details
Subject-matter of processing:
BridgeU will process Personal Data as necessary to perform the Services pursuant to the Agreement and this DPA and as further instructed by University.
Duration of the processing:
BridgeU will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Nature and purpose of the processing:
BridgeU shall process Personal Data:
(a) in accordance with the rights and obligations of the parties under the Agreement;
(b) as reasonably required to provide the Services; and/or
(c) as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by University, in each case in a manner consistent with the Agreement.
Type of Personal Data:
University may provide Personal Data to BridgeU, the extent of which is determined and controlled by University in its sole discretion, and which may include, but is not limited to :
(a) First name and last name;
(e) Contact information (e.g. email, phone, company, address);
(f) ID data.
Categories of Data Subjects:
University may provide Personal Data to BridgeU, the extent of which is determined and controlled by University in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
(a) Authorised Users;
(b) prospective students; and
(c) staff members (e.g. recruitment officers (or equivalent)).