GDPR Privacy & Data Protection Addendum
“Data Protection Requirements”: as applicable: (i) the Data Protection Act 2018, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) or equivalent legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003, Directive 2002/58/EC of the European Parliament (the ePrivacy Directive) and all other applicable laws (including judgments of any relevant court of law) and regulations relating to the processing of personal data, data privacy, electronic communications, marketing and data security, in each case as amended, extended or re-enacted from time to time and all orders, regulations, statutes, instruments or other subordinate legislation made thereunder in any jurisdiction from time to time; and (ii) the guidelines, recommendations, best practice, opinions, directions, decisions, codes of practice and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, the UK’s Information Commissioner’s Office and/or any other supervisory authority or data protection authority from time to time in relation to the processing of personal data, data privacy, electronic communications, marketing and data security.
“Cross-Border Processing” or “School Personal Data Transfers” means any communication, copying or transmission of School Personal Data to a Third Country.
“School Personal Data” means any personal data processed or transferred by the School to ManageBac in relation to the Services Agreement and in connection with the Services.
“Third Country” means any country that is not in the European Union or which has not been recognised by the European Commission as providing an adequate level of protection for personal data under the Data Protection Requirements.
1.1. For the purpose of this Services Agreement, including this Privacy and Data Protection Annex, personal data and the terms process, data subject, data controller, controller, data processor, processor, subprocessor, personal data breach and supervisory authority shall have the meanings given to them in the applicable Data Protection Requirements.
1.2. The Parties acknowledge that the School is the data controller and ManageBac is the data processor of School Personal Data.
1.3. The School remains solely liable for upholding data subjects’ rights in relation to the processing of such School Personal Data under the Services Agreement, specifically their rights of access, right to request rectification and/or erasure and if necessary the right to object to processing, and the School shall promptly notify ManageBac of any request relating to the same received from a data subject.
1.4. Each Party warrants that it shall comply with all of its obligations under the Data Protection Requirements which arise in connection with the Services, or either party’s performance of its obligations, and that it shall not, in respect of any School Personal Data processed, do any act or make any omission which puts the other party in breach of its obligations under the Data Processing Requirements.
1.5. The School shall ensure that it has all necessary consents from data subjects or that another legal basis is satisfied under the Data Protection Requirements in order for ManageBac’s processing of School Personal Data to comply with the Data Protection Requirements, including without limitation, processing for the purposes of providing international education systems for curriculum planning, assessment, reporting & admissions and related services for students, parents, schools and exam boards.
1.6. The School’s instructions relating to the processing of School Personal Data shall comply with the Data Protection Requirements and the Customer shall have the sole responsibility for the accuracy, quality, integrity, reliability and lawfulness of the School Personal Data.
1.7. The School shall promptly notify ManageBac if it becomes aware of any breaches of or other irregularities with the Data Protection Requirements.
2. MANAGEBAC’S OBLIGATIONS
2.1. General Obligations
2.1.1. ManageBac shall process School Personal Data for the sole purpose of the provision of the Services to the School and any Members and shall act only in accordance with the commercially reasonable documented instructions of the School in respect of the processing of School Personal Data during the term of the Services Agreement.
2.1.2. ManageBac shall promptly notify the School if, in ManageBac’s opinion, the School’s documented data processing instructions breach the Data Protection Requirements, and ManageBac shall be entitled without penalty to suspend execution of the instructions concerned, until the School confirms such instructions in writing. Any notification by ManageBac under this clause should not be regarded as legal advice and ManageBac shall not be required to perform a legal assessment of the School’s instructions. The School shall seek its own legal advice on applicable Data Protection Requirements. If and to the extent ManageBac is unable to comply with any instruction received from the School, it shall promptly notify the School accordingly.
2.1.3. The purpose of ManageBac’s processing School Personal Data is the performance of the Services pursuant to this Privacy and Data Protection Addendum. The categories of data subjects and the types of School Personal Data processed under this Addendum are set out in Appendix 1 (School Personal Data).
2.1.4. ManageBac shall provide reasonable assistance to the School in order to ensure the School’s compliance with the Data Protection Requirements and/or in case of inspection by a supervisory authority taking into account the nature of the processing and the information available to ManageBac.
2.1.5. ManageBac shall promptly respond to any request of the School concerning the processing of School Personal Data carried out by ManageBac, and provide the School with all reasonable information, so that the School is able to: (i) inform the data subjects and respond to their requests for access, objection, rectification, restriction or deletion of School Personal Data; and/or (ii) respond to any administrative formalities concerning the processing of such personal data to the supervisory authority; and/or (iii) comply with all requests of any administrative or judicial authority regarding the processing carried out under the Services Agreement.
2.1.6. ManageBac shall promptly correct any errors or inaccuracies in the School Personal Data which are notified to it either by the School or a data subject, or shall provide a means for the data subject to self-correct any errors or inaccuracies within such personal data, to ensure that such School Personal Data is kept accurate and up to date.
2.1.7. ManageBac shall provide reasonable assistance to the School in order to ensure its compliance with its obligations to maintain a record of all categories of School Personal Data processing activities. In particular, ManageBac shall record and make available such School Personal Data for a period of eighteen (18) months from the Services Agreement expiration or termination date, and shall ensure that the School Personal Data records are backed-up regularly throughout this period. Thereafter, ManageBac shall destroy all files containing School Personal Data, or return all such School Personal Data to the School, unless required to retain any or part of the School Personal Data by applicable law.
2.2.1. ManageBac shall implement appropriate technical and organisational security measures necessary for the processing of School Personal Data and Services to be performed under this Services Agreement to ensure the confidentiality and security of School Personal Data and, in particular, to prevent such School Personal Data from being distorted, damaged or communicated to unauthorized third-parties, and to protect the School Personal Data against any accidental or unlawful destruction, accidental loss, alteration, dissemination and/or unauthorized access, as well as against all unlawful forms of processing provided that, such measures shall ensure a level of security appropriate to the risks inherent in the processing and the nature of the School Personal Data to be protected.
2.2.2. In case of a personal data breach involving School Personal Data, ManageBac shall:
(i) notify the School without delay after becoming aware of an actual personal data breach involving School Personal Data, and;
(ii) take steps to remedy such personal data breach involving School Personal Data as soon as possible so as to minimize the impact of any personal data breach to all relevant data subjects.
2.2.3. Such notification must contain:
a) A description of the nature of the personal data breach including:
- Categories of School Personal Data concerned;
- Approximate number of data subjects concerned;
- Categories of School Personal Data records concerned;
- Approximate number of School Personal Data records concerned, and;
b) A description of the likely consequences of the personal data breach involving School Personal Data and;
c) A description of the measures taken or proposed to be taken by ManageBac to address such personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
2.2.4. ManageBac shall document any personal data breach involving School Personal Data, comprising the facts relating to it, its effects and the remedial action taken.
2.3. Access to Personal Data
2.3.1. In accordance with confidentiality obligations as defined in the Services Agreement, ManageBac shall not transfer, communicate or disclose in any manner any personal data to any third parties, except to those subcontractors and personnel required to provide the Services to the School (hereinafter the “Authorised Recipients”) for the sole purpose of such Authorised Recipients performing the Services under the Services Agreement. Where a subcontractor is engaged, ManageBac shall ensure that they are appointed in accordance with clause 2.4 below.
2.3.2. ManageBac shall ensure that the Authorised Recipients in charge of the performance of the Services process the School Personal Data only on a need-to-know basis and are subject to appropriate obligations of confidentiality and security, and bound by a non-disclosure agreement that is at least as stringent as the one in force between the parties.
2.3.3. In case of any investigation or seizure of School Personal Data by government officials, a supervisory authority or any law enforcement authority, ManageBac shall take reasonable steps at its disposal to protect the confidentiality of School Personal Data.
2.3.4. If a Party is compelled to disclose School Personal Data by law, such Party shall promptly notify the other Party of the disclosure order (if and to the extent permitted by laws and/or regulations).
2.4. Personal Data Transfers
2.4.1. As part of the Services, the School acknowledges that ManageBac transfers School Personal Data all over the world as part of its business operations to facilitate the provision of the Services to the School. Where ManageBac transfers personal data to a Third Country, it shall take steps to ensure that it has appropriate safeguards in place to protect the School Personal Data in accordance with Data Protection Requirements. Further information about the transfers and the basis on which those transfers are made is set out in this paragraph 2.4.
2.4.2. The School provides its prior consent to ManageBac transferring School Personal Data between its group companies in UK, USA, Taiwan and Hong Kong, and data centres in Canada, USA, Hong Kong, Singapore, Ireland and UK. Where required by Data Protection Requirements, appropriate safeguards shall be in place to cover such transfers, where personal data is transferred outside of the European Union, ManageBac has entered into standard contractual clauses issued by the European Commission as required under the Data Protection Requirements.
2.4.3. The School provides its general authorisation to ManageBac’s use of third party suppliers, as listed and updated on ManageBac’s website via https://www.managebac.com/terms/privacy-policy/subprocessors, https://www.openapply.com/terms/privacy-policy/subprocessors, https://www.onatlas.com/terms/privacy-policy/subprocessors, https://www.schoolsbuddy.com/terms/privacy-policy/subprocessors, and https://www.pamojaeducation.com/terms/privacy-policy/subprocessors which may process School Personal Data on behalf of ManageBac (“Subprocessors”) in order for ManageBac to provide the Services to the School.
2.4.4. ManageBac shall provide updates to the list of Subprocessors and proposed Subprocessors via https://www.managebac.com/terms/privacy-policy/subprocessors, https://www.openapply.com/terms/privacy-policy/subprocessors, https://www.onatlas.com/terms/privacy-policy/subprocessors, https://www.schoolsbuddy.com/terms/privacy-policy/subprocessors and https://www.pamojaeducation.com/terms/privacy-policy/subprocessors. Schools may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of the list of Subprocessors and such objection shall describe School’s legitimate reason(s) for objection. If a School does not object during such time period the new Subprocessor(s) shall be deemed accepted.
2.4.5. ManageBac shall include in any contract with its Subprocessors which will process School Personal Data obligations on such Subprocessors which are equivalent to those obligations imposed upon ManageBac in this Privacy and Data Protection Addendum. ManageBac shall be liable for the acts and omissions of its Subprocessors to the same extent ManageBac would be liable if performing the services of each Subprocessor directly under the terms of this Privacy and Data Protection Addendum.
2.4.6. Where Subprocessors are located in a Third Country, ManageBac shall put in place appropriate safeguards to protect the School Personal Data and ensure that such transfers of School Personal Data are at all times in accordance with the Data Protection Requirements. This shall include entering into and maintaining accurate standard contractual clauses adopted by the European Commission, or, where a Subprocessor is located in the USA, ManageBac may rely upon a Subprocessor’s Privacy Shield certification, to the extent that these data transfer mechanisms are considered to be lawful under the Data Protection Requirements (where applicable).
2.5. Information Requests & Review
2.5.1. The School shall be entitled to request information and review Faria Education Group’s ISO 27001 certification and related documents, processes and workflows relating to its internal Data Protection and Compliance standards and its obligations set out in this Privacy and Data Protection Addendum. The School shall also be entitled to request ManageBac to contribute to and allow for audits and inspections by the School. The School may not exercise its audit right more than once in any twelve month period. The School shall use all reasonable endeavours to ensure that the conduct of any audit by the School or its authorised agents does not unreasonably disrupt ManageBac or its business. Any audit by the School or its authorised agents will be limited to an audit of the School Personal Data and the processes relating to the School Personal Data and will not include any information relating to any other customer of ManageBac or any other third party. The School will be responsible for any fees or costs incurred from carrying out such an audit.
Any information and review requests can be directed to ManageBac’s Information Security Officer at [email protected].
3. PERSONAL DATA PROCESSING CONDITIONS
3.1. ManageBac’s Server locations
3.1.1. ManageBac informs the School that the Personal Data will be hosted in servers located in the following countries: Canada, USA, Hong Kong, Singapore, Ireland and UK.
3.1.2. Any change of the server(s) location by ManageBac shall be promptly notified to the School and shall be included in the form of a written amendment pursuant to the conditions of this Services Agreement.
3.2. ManageBac’s Information Security Certification
3.2.1. Faria Education Group is ISO/IEC 27001:2013 certified by BSI under certificate number IS 664562. Implementing ISO 27001 demonstrates a commitment to information security at every level of our organization.
School Personal Data
Categories of Data Subjects
Data subjects include:
Students, Parents/Guardians of students, Teachers, School Administrators (“Admin”) and External Advisors.
Types of School Personal Data
The School Personal Data may include the following types of data:
Student First and Last Name
Student Year Level
Student Email Address
Student ID Number
Student IBIS Personal Code
Student FSM/Free or Reduced Lunch Status
Student Pupil Premium / SEN Status
Student SSN Last 4 Digits
Student University List
Student Address and Telephone
Parent(s) First and Last Name
Parent(s) Email Address
Parent(s) Phone Number
Teacher First and Last Name
Teacher Email Address
Teacher Phone Number
Admin First and Last Name
Admin Email Address
Admin Phone Number
Geolocation: coarse (city-level) location data
Device Type and OS
School Personal Data is processed by ManageBac for the following purposes:
Providing international education systems for curriculum planning, assessment, reporting, admissions, activities management, transport management and online payments and related services for students, parents, schools and exam boards.