Spellzone - Data Sharing Agreement

For schools, colleges, organisations, private tutors and families.

Contents

Introduction

1. Definitions

2. General Provisions

3. Term of the Agreement

4. Transfer of School Data

5. Ownership of the School Data and Confidential Information

6. Security of the Data

7. Quality Assurance and other duties

8. Permission to use Sub-contractor

9. Insurance

10. Deletion or return of School Data

11. Audit and Information Rights

12. Technical and Organisational Measures

13. Data Subject Rights and Associated Matters

14. Authority of the School to issue instructions

15. Liability

16. Rights of Third Parties

17. Entire Agreement

18. Variation

19. Governing Law

20. Contacting Spellzone

Introduction

This agreement records the terms upon which Spellzone will process Data for the purpose of providing access to the Spellzone Website under the domain name www.spellzone.com and other Spellzone domains.


1. Definitions

1.1 In this Agreement the following definitions shall apply:

“Agreement”

means this Data Sharing Agreement;

“Confidential Information”

means all confidential information (however recorded or preserved) disclosed by the Data Controller to Spellzone in connection with this Agreement which is either labelled as such or else which could be reasonably considered confidential because of its nature and the manner of its disclosure;

“Data Controller”

has the meaning given in Art. 4 GDPR as amended or replaced from time-to-time;

“Data Subject”

means a student or member of staff;

“Data Processor”

has the meaning given in Art. 4 GDPR as amended or replaced from time-to-time;

“Data Protection Laws”

means the GDPR, and all applicable laws and regulations relating to the processing of Personal Data and privacy applicable in the United Kingdom from time-to-time;

“Designated Contact”

means the person designated to take responsibility for data protection compliance;

“GDPR”

means the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK; and then any successor legislation to the GDPR or the Data Protection Act 1998.

“Good Industry Practice”

means using standards, practices, methods and procedures conforming to the law and exercising that degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or body engaged in a similar type of undertaking under the same or similar circumstances;

“Order or Contract”

means a free trial and/or paid subscription to the Website on school computers, home computers and mobile devices;

“Personal Data”

has the meaning given in Art. 4 GDPR as amended or replaced from time-to-time;

“Personal Data Breach”

means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data transmitted, stored or otherwise processed;

“processed” or “processing”

has the meaning given in Art. 28 GDPR as amended or replaced from time-to-time;

“Services”

means the services performed by Spellzone:

a) for the benefit of the School, utilising the Website, of transferring selected School Data from the School to the Website; and

b) to allow students and staff at the School to access the Website;

“School”

means the Establishment: school, college, organisation, private tutor or family managing the user data (Data Controller) and using the Website;

“School Data”

means Personal Data relating to students and staff at the School, and other data regarding the School;

“Subcontracting”

means third party providers of services which relate directly to the provision of the Order or Contract;

“Spellzone”

means Spellzone Limited, a company registered in England and Wales under company number 6884807 whose principal place of business is located at:
Holme Hill Cottage, Church Street, Whixley, York YO26 8AR United Kingdom

and whose registered office is at Club Chambers, Museum Street, York, YO1 7DN United Kingdom (Spellzone);

“Website”

means the entire contents of the website under the domain name www.spellzone.com and other Spellzone domains.


1.2. A reference to writing or written includes faxes, emails and writing in any electronic form.

2. General Provisions

2.1. By continuing to use the Website, and by granting access to Spellzone and the Website to some or all of the School Data, the School agrees to the terms of this Agreement.

2.2. The School and Spellzone acknowledge that, for the purposes of Data Protection Legislation, Spellzone is a Data Processor and the School is a Data Controller in respect of the School Data comprising Personal Data.

2.3. Spellzone shall comply with all applicable Data Protection Laws in respect of the processing of the School Data.

2.4. Spellzone shall not process any School Data other than on the instructions of the School (unless such processing shall be required by any law to which Spellzone is subject).

2.5. The School hereby instructs and authorises Spellzone to process School Data to allow students and staff of the School to access certain School Data using the Website, and as otherwise reasonably necessary for the provision of the Services by Spellzone to the School.

For staff (when logged in):

  • To create and amend their school name and contact details.
  • To create and amend their own username, password and contact details.
  • To view their own activity and results.
  • To create, view, amend and print student details.
  • To view, print and download the student activity and results for evaluation and reporting.
  • To create word lists and content on Spellzone.

For students (when logged in):

  • To view, print and download their activity and results.
  • To create private word lists and content.

For staff and students:

  • Technical support upon request by email and telephone
  • Staff training

2.6. The School warrants and represents that it has obtained all consents from individuals (including students, parents and guardians, and staff at the School) whose Personal Data the School supplies to Spellzone as part of the School Data which are necessary (whether under Data Protection Laws or otherwise) for the lawful processing of the School Data by the School and Spellzone for the purposes set out in this Clause 2. The School shall indemnify Spellzone against all costs, claims, damages, expenses, losses and liabilities incurred by Spellzone arising out of or in connection with any failure (or alleged failure) by the School to obtain such consents.

2.7. The School and Spellzone confirm that:

2.7.1. the processing of School Data by Spellzone will comprise the following categories:

Organisation Data:

  • School name
  • Billing address
  • Email address
  • Telephone number
  • Class names
  • VAT number
  • Invoices

Administrator (Key Person(s)) and Staff Data:

  • First name
  • Surname
  • Job title – non mandatory
  • Telephone number
  • Mobile number – non mandatory
  • Email address
  • Username
  • Password
  • Spellzone activity
  • Spellzone results
  • Email communications
  • Telephone communications notes (we do not mechanically record telephone conversations)
  • Internet Protocol (IP) address and browser information

Student Data:

  • First name
  • Surname
  • Email address (optional - can be turned off for the account)
  • Username
  • Password
  • Spellzone activity
  • Spellzone results
  • Email communications for support
  • Internet Protocol (IP) address and browser information

2.7.2. the purpose of the processing of School Data by Spellzone is to enable Spellzone to provide the Services; and

2.7.3. the data that will be processed by Spellzone will be School Data, and the Data Subjects will be students and staff of the School who are permitted to access the Website.

3. Term of the Agreement

3.1. This Agreement shall commence on the date this Agreement is made, and shall continue in full force for the duration of the Order or Contract, at which point this Agreement shall automatically terminate.

3.2. Upon termination of this Agreement, Clauses 2.6, 5 and 9 shall continue to apply.

4. Transfer of School Data

4.1. The School hereby consents to the School Staff accessing the Website and adding School Data by electronic means, for the purposes set out in Clause 2.

4.2. Prior to leaving the School premises by electronic means (via HTTPS) the School Data will be encrypted by the Website.

4.3. The Processing of Data shall be carried out within the United Kingdom.

5. Ownership of the School Data and Confidential Information

5.1. The School Data shall always remain the property of the School.

5.2. Spellzone shall have no responsibility to maintain the security of any School Data held or controlled by the School.

5.3. Spellzone shall keep all Confidential Information and School Data confidential and shall not:-

5.3.1.1. use any Confidential Information or School Data except for the purpose of performing the services it provides to the School; or

5.3.1.2. disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement, or as required for the purpose of any services provided by Spellzone to the School, or to the extent required by law.

6. Security of the Data

6.1. Spellzone shall establish the security in accordance with Data Protection Laws.

The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of GDPR must be taken into account.

6.2. In assessing the appropriate level of security, Spellzone shall take account in particular of the risks that are presented by processing of the School Data, in particular from a Personal Data Breach.

7. Quality Assurance and other duties

In addition to complying with the rules set out in this Order or Contract, Spellzone shall comply with the statutory requirements referred to in GDPR; accordingly, Spellzone ensures, in particular, compliance with the following requirements:

7.1. To demonstrate commitment to data protection, and to enhance the effectiveness of compliance efforts, Spellzone has designated Mr Barry Perks, Director, as the person to take responsibility for data protection compliance (Designated Contact).

7.2. Spellzone entrusts only such employees with the data processing outlined in this Order or Contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. Spellzone and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the School, which includes the powers granted in this Order or Contract, unless required to do so by law.

7.3. The School and Spellzone shall cooperate, on request, with the supervisory authority in performance of its tasks.

7.4. The School shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as Spellzone is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of Personal Data in connection with the processing of this Order or Contract.

7.5. Insofar as the School is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by Spellzone, Spellzone shall make every effort to support the School.

7.6. Spellzone shall periodically monitor the internal processes and the Technical and Organisational Measures to ensure that processing within this area of responsibility is in accordance with the Data Protection Laws and the protection of the rights of the Data Subject.

7.7. Verifiability of the Technical and Organisational Measures conducted by the School as part of the School’s supervisory powers referred to in Clause 12 of this Agreement.

8. Permission to use Sub-contractor

8.1. Spellzone may appoint a sub-contractor to carry out any or all of its processing activities in accordance with the terms of this clause.

8.2. The School hereby authorises Spellzone to appoint third parties to provide electronic data storage and transmission services to Spellzone in connection with the processing of the School Data. Spellzone shall notify the School of any changes to the identity of such third parties from time-to-time.

8.3. Save as permitted by clause 8.2, Spellzone shall not appoint any sub-contractor in connection with the processing of the School Data without the prior written permission of the School.

8.4. Where Spellzone appoints a sub-contractor pursuant to this clause 8, it shall ensure that the arrangement between it and the sub-contractor includes terms which offer at least the same level of protection for the School Data as those set out in this Agreement, and meet the requirements of Data Protection Laws.

8.5. Spellzone shall ensure that each sub-contractor appointed by it performs the obligations under clauses 2.4, 6.1, 11, 13 as they apply to processing of the School Data carried out by that sub-contractor, as if they were a party to this Agreement in place of Spellzone.

9. Insurance

Spellzone maintains a policy of insurance in respect of the services provided by Spellzone and the processing of the School Data, and shall produce a copy of such policy to the School if requested to do so.

10. Deletion or return of School Data

10.1. Spellzone will process School Data for the duration of a free trial and/or a paid subscription and will retain the School Data for a maximum of 18 months after the free trial and/or a paid subscription has expired.

This will enable reinstatement of the account in the event of change of mind or absence of School Staff due to illness or sabbatical leave. During this time Spellzone may contact the School regarding renewal or any special offers.

At the end of, or before the end of the 18 months retention period, Spellzone shall destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material.

Some data such as word lists or results may remain on the Spellzone databases after account deletion but will not be identifiable to any School Data.

Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by Spellzone in accordance with the respective retention periods to meet any accountancy or legal obligations.

Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing.

10.2. Subject to clause 10.3, the School may in its absolute discretion by written notice to Spellzone at any time require Spellzone to:

10.2.1. return a complete copy of all School Data by secure file transfer in such format as is reasonably notified by the School to Spellzone; and

10.2.2. delete and use all reasonable endeavours to procure the deletion of all other copies of School Data processed by Spellzone or any of its sub-contractors.

Spellzone shall use all its reasonable endeavours to comply with any such written request within 14 days of receiving such request accompanied by reasonable evidence of identity and authority.

Spellzone shall, within 7 days of completing the request from the School, provide written confirmation to the School that it has fully complied with clause 10.2.

10.3. Spellzone and its sub-contractors may retain School Data to the extent required by any applicable law, provided that Spellzone and its sub-contractors shall ensure the confidentiality of all such School Data retained, and shall ensure that such School Data is only processed as necessary for the purpose(s) specified by the applicable laws requiring its storage and for no other purpose.

11. Audit and Information Rights

11.1. Subject to clauses 11.2, 11.3 and 11.4, Spellzone shall:

11.1.1. make available to the School on request all information necessary to demonstrate Spellzone’s compliance with this Agreement; and

11.1.2. allow for and contribute to audits, including inspections, by the School or any auditor nominated by the School in relation to the processing of the School Data by Spellzone and its sub-contractors.

11.2. The information and audit rights of the School under clause 11.1 shall apply only to the extent required by Data Protection Laws.

11.3. The School shall give Spellzone reasonable notice of any audit or inspection that it wishes to conduct under this clause 11.1, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to Spellzone’s or its sub-contractors’ premises, equipment, personnel and business.

11.4. Spellzone may claim remuneration for enabling any audit or inspection.

11.5. Without prejudice to clause 11.3, Spellzone or its sub-contractors are not required to give access to their premises for the purposes of an audit or inspection:

11.5.1. to any individual unless he or she produces reasonable evidence of identity and authority;

11.5.2. outside normal business hours at those premises;

11.5.3. for the purposes of more than one audit or inspection in any calendar year.

12. Technical and Organisational Measures

12.1. Before the commencement of processing, Spellzone shall document the execution of the necessary Technical and Organisational Measures, set out in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these measures to the School for inspection in the Spellzone Terms and Conditions.

Upon acceptance by the School, the documented measures become the foundation of the Order or Contract. Insofar as the inspection by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

12.3. The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for Spellzone to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

13. Data Subject Rights and Associated Matters

13.1. Taking into account the nature of the processing conducted by Spellzone, Spellzone shall (and shall use all reasonable endeavours to procure that its subcontractors shall) assist the School by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the School’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

13.2. Spellzone shall:

13.2.1. promptly notify the School if it or any sub-contractor receives a request from a Data Subject under any Data Protection Law in respect of School Data; and

13.2.2. use all reasonable endeavours to ensure that the subcontractor does not respond to that request except on the written instructions of the School or as required by any applicable laws to which Spellzone or the sub-contractor is subject.

13.3.2. Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Spellzone in accordance with documented instructions from the School without undue delay.

13.4. Spellzone shall notify the School without undue delay upon Spellzone becoming aware of a Personal Data Breach in respect of any School Data processed by Spellzone, providing the School with sufficient information to allow the School to meet any obligations to report, or inform the individuals to which the Personal Data related, of such Personal Data Breach under Data Protection Laws.

13.5. Spellzone shall cooperate with the School and take such reasonable commercial steps as are directed by the School to assist in the investigation, mitigation and remediation of each such Personal Data Breach referred to in clause 13.4.

13.6. Spellzone shall provide reasonable assistance to the School with any data protection impact assessments, and prior consultations with competent data privacy authorities, which the School reasonably considers to be required under any Data Protection Laws, in each case solely in relation to processing of Personal Data comprised in the School Data by, and taking into account the nature of the processing and information available to, Spellzone.

13.7. Spellzone may claim compensation for support services which are not included in the Order or Contract and which are not attributable to failures on the part of Spellzone.

14. Authority of the School to issue instructions

14.1. The School shall immediately confirm oral instructions by email or in writing.

14.2. Spellzone shall inform the School immediately if it considers that an instruction violates Data Protection Regulations. Spellzone shall then be entitled to suspend the execution of the relevant instructions until the School confirms or changes them.

15. Liability

15.1. Spellzone shall have no liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:

15.1.1. loss, interception or corruption of any data;

15.1.2. loss, interception or corruption of any data resulting from any negligence or default by any provider of telecommunications services to Spellzone, the School or any School Supplier;

15.1.3. any loss arising from the default or negligence of any School Supplier;

15.1.4. damage to reputation or goodwill;

15.1.5. any indirect or consequential loss.

15.2. Nothing in this clause shall limit the liability of Spellzone for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.

16. Rights of Third Parties

No person who is not a party to this Agreement shall have any rights under this Agreement, whether pursuant to The Contracts (Rights of Third Parties) Act 1999 or otherwise.

17. Entire Agreement

Save for any statement, licence, representations or assurances as to the method or location of storage, this Agreement and the schedules to it constitute the entire agreement and understanding between the parties and with respect to all matters which are referred to and shall supersede any previous agreements between the parties in relation to the matters referred to in this Agreement.

18. Variation

Any variation to the terms of this Agreement shall be made in writing between Spellzone and the School.

19. Governing Law

19.1. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.

19.2. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

20. Contacting Spellzone

20.1. If you have any questions or concerns please contact Spellzone:

Email

Telephone +44 (0)333 990 0132

Or in writing to:

Spellzone Limited
Holme Hill Cottage
Church Street
Whixley
York  YO26 8AR
United Kingdom

Spellzone Limited is registered in England and Wales. Company Reg. No. 6884807
Registered office: Club Chambers, Museum Street, York, YO1 7DN United Kingdom