1. Terms of Agreement

1. This agreement supplements the Principal Contract and makes legally binding provisions for compliance with the Data Protection Laws as set forth in this agreement. As per the requirements of relevant Data Protection Law, all processing of personal data by a processor on behalf of a controller, shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to the data processing activities and conditions laid out in Schedule 1.

2. The terms used in this agreement have the meanings as set out in the ‘definitions’ part of the document

2. Obligations and Rights of the Processor

1. The Processor shall comply with the relevant Data Protection Laws and must: –
a) only act on the written instructions of the Controller
b) ensure that people processing the data are subject to a duty of confidence
c) ensure that any natural person acting under their authority who has access to personal data, does not process that data except on instructions from the Controller
d) use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement
e) ensure that all processing meets the requirements of the GDPR and related Data Protection Laws and is in accordance with the Data Protection Principles
f) ensure that where a Sub-Processor is used, they: –
i. only engage a Sub-Processor with the prior consent of the data controller
ii. inform the controller of any intended changes concerning the addition or replacement of Sub-Processors
iii. they implement a written contract containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws
iv. understand that where any Sub-Processor is used on their behalf, that any failure on the part of the sub-processor to comply with the Data Protection Laws or the relevant data processing agreement, the initial processor remains fully liable to the controller for the performance of the Sub-Processor’s obligations
g) assist the Controller in providing subject access and allowing data subjects to exercise their rights under the Data Protection Laws
h) assist the Controller in meeting its data protection obligations in relation to: –
i) the security of processing
j) data protection impact assessments
k) the investigation and notification of personal data breaches
l) delete or return all personal data to the Controller as requested at the end of the contract
m) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the relevant Data Protection Laws and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
n) tell the Controller immediately if they have done something (or are asked to do something) infringing the GDPR or other Data Protection Law of the EU or a member state
o) co-operate with supervisory authorities in accordance with GDPR Article 31
p) notify the Controller of any personal data breaches in accordance with GDPR Article 33
q) where applicable, employ a Data Protection Officer if required
r) where applicable, appoint (in writing) a representative within the EU if required in accordance with GDPR Article 27

2. Nothing within this agreement relieves the processor of their own direct responsibilities, obligations and liabilities under the GDPR or other Data Protection Laws.

3. The Processor is responsible for ensuring that each of its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this agreement.

4. The Processor shall maintain induction and training programs that adequately reflect the Data Protection Law requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis.

5. Any transfers of personal data to a third country or an international organisation shall only be carried out on documented instructions from the controller; unless required to do so by Union or Member State law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing.

6. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing: –
a) the name and contact details of the Processor and of each Controller on behalf of which the Processor is acting, and, where applicable, the data protection officer
b) the categories of processing carried out on behalf of each Controller
c) transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards
d) a general description of the technical and organisational security measures referred to in Article 32(1)

7. The Processor shall maintain records of processing activities in writing, including in electronic form and shall make the record available to the supervisory authority on request

8. When assessing the appropriate level of security and the subsequent technical and operational measures, the processor shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Obligations and Rights of the Controller

1. The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship.

2. The Controller shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory Data Protection Law requirements.

3. The Controller shall verify that the Processor has adequate and documented processes for data breaches, data retention and data transfers in place.

4. The Controller shall obtain evidence from the Processor as to the: –
a) verification and reliability of the employees used by the Processor
b) certificates, accreditations and policies as referred to in the [due diligence/onboarding questionnaire]
c) technical and operational measures described in Schedule 1 of this agreement
d) procedures in place for allowing data subjects to exercise their rights, including (but not limited to), subject access requests, erasure & rectification procedures and restriction of processing measures

5. Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the controller must verify that similar data protection agreements are in place between the initial Processor and Sub-Processor.

4. Penalties & Termination

1. By signing this agreement, the Processor confirms that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the agreement terms or breach the Data Protection Laws. If the processor fails to meet their obligations, they may be subject to: –
a) investigative and corrective powers of supervisory authorities under Article 58 of the GDPR
b) an administrative fine under Article 83 of the GDPR
c) a penalty under Article 84 of the GDPR
d) pay compensation under Article 82 of the GDPR

2. The Controller or Processor can terminate this agreement with immediate effect.

5. Definitions

In this Agreement, unless the text specifically notes otherwise, the below words shall have the following meanings: –

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
Data Protection Laws means all applicable Data Protection Laws, including the General Data Protection Regulation (GDPR) (EU 2016/679), Data Protection Bill and, to the extent applicable, the data protection or privacy laws of any other country
EEA means the European Economic Area
Effective Date means that date that this agreement comes into force
Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
GDPR means the General Data Protection Regulation (GDPR) (EU) (2016/679)
Principal Contract means the main contract between the parties named in this agreement
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
Third-party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
Sub Processor means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Controller
Supervisory authority means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR
Signed on behalf of the Processor:

IN WITNESS below of the parties or their duly authorised representatives have signed this agreement in accordance with all its clauses and on the day, month and year stated at the top of this agreement.


Print Name:


Company Name: Healthy Kidz CIC


Signed on behalf of the Controller:


Print Name:

Date: 2018

School Name:

Position: Principal

SCHEDULE 1 – Data processing and conditions

1.The Controller named in this agreement has appointed the Processor with regard to specific processing activity requirements. These requirements relate to the pupils’ data (class lists) needed to fulfil the requirements of the Healthy Kidz App and Website

2.The duration of the processing is until further notice

3.The processing activities relate to collection, recording, organisation, storage, retrieval, use and erasure or destruction of data and are for the purpose of the accessing the Healthy Kidz Web Presence.

4.The requirement for the named Processor to act on behalf of the Controller is with regard to the below type(s) of personal data and categories of data subjects: –
a) Name
b) Personal data

5.The Processor can demonstrate and provide sufficient guarantees as to the implementation of appropriate technical and organisational measures taken to ensure data security and protection:
a) Secure software, hourly backups of databases
b) confidentiality agreements signed by all employees

6.The obligations and rights of the Controller and Processor are set out in section (3) and (4) of this agreement.