Processing your Data

Data Processing Addendum

Parties:

Thorne Widgery Accountancy Ltd of 2 Wyevale Business Park, Kings Acre, Hereford, Herefordshire, HR4 7BS (company number 05834836) “the Supplier”

and

The educational establishment entering into the primary Agreement with the Supplier “the Customer”

Addendum:

means this Data Processing Addendum.

Agreement:

means the overarching Service and Licences Agreement for provision of services between the Supplier and the Customer.

Appropriate Safeguards:

has the meaning given in the UK GDPR.

Controller:

has the meaning given in the UK GDPR.

Data Loss Event:

means any event that results or may result in unauthorised access to, loss of, or destruction of the Personal Data, including any Personal Data Breach.

Data Processing Schedule:

means Schedule 1 to this Addendum which identifies the Personal Data and Data Subjects and sets out the scope, nature, purpose and duration of the Processing by the Supplier.

Data Protection Impact Assessment:

means a risk assessment by the Controller of the impact of the envisaged processing on the protection and confidentiality of the Personal Data.

Data Protection Legislation:

means all applicable laws in the UK relating to data protection, processing of personal data and privacy, including the UK GDPR and Data Protection Act 2018 as amended from time to time.

Data Protection Officer:

has the meaning given in the UK GDPR.

Data Subject:

has the meaning given in the UK GDPR.

Personal Data:

has the meaning given in the UK GDPR.

Personal Data Breach:

has the meaning given in the UK GDPR.

Processor:

has the meaning given in the UK GDPR.

Processing:

has the meaning given in the UK GDPR. The terms Process, Processes and Processed will be construed accordingly.

Security Measures:

means appropriate technical and organisational measures as detailed in Article 32 of the UK GDPR, to ensure the security of the Personal Data and prevention of a Data Loss Event.

Subject Access Request:

means a request made by, or on behalf of, a Data Subject in accordance with rights granted under the Data Protection Legislation to access their Personal Data.

Sub-Processor:

means any third party appointed to Process the Personal Data on behalf of the Supplier in relation to the provision of services under the Agreement.

Supplier Personnel:

means all directors, officers, employees, agents and consultants of the Supplier engaged in the provision of services under the Agreement.

Transfer Risk Assessment:

means an assessment of the privacy and security risks associated with transferring the Personal Data to a territory that is outside the UK and EU.

UK GDPR:

means the retained version of the General Data Protection Regulation (EU 2016/679) as it forms part of UK law by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).

1.

Introduction

1.1

This Addendum and its Data Processing Schedule reflects the arrangements between the Parties for Processing of the Personal Data by the Supplier on behalf of the Customer, in connection with the provision of services under the Agreement.

1.2

This Addendum forms an integral part of the Agreement and is incorporated into the Agreement by reference.

1.3

Both Parties shall comply with all applicable requirements of the Data Protection Legislation. This Addendum does not relieve, remove, or replace either Party’s obligations under the Data Protection Legislation.

1.4

Each Party shall bear its own costs in relation to compliance with this Addendum and the Data Protection Legislation.

1.5

The Parties acknowledge that for the purposes of the Data Protection Legislation and this Addendum, the Customer is the Controller and the Supplier is the Processor.

2.

PROCESSOR OBLIGATIONS

2.1

The Processor will process Personal Data only in accordance with the Controller’s written instructions unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law.

2.2

The Processor shall notify the Controller immediately if it considers that any of the Controller’s instructions infringe the Data Protection Legislation.

2.3

Information Security

2.3.1

The Processor shall ensure appropriate technical and organisational measures are implemented to ensure the security of Personal Data held on behalf of the Controller.

2.3.2

The Processor shall ensure that the Supplier Personnel are subject to a contractual duty of confidentiality and do not process Personal Data except in accordance with this Addendum.

2.3.3

In respect of any Data Loss Event the Processor shall:

2.3.3.1

notify the Controller without undue delay;

2.3.3.2

provide timely updates and information about the investigation of the Data Loss Event;

2.3.3.3

take reasonable steps to contain and mitigate the effects of the Data Loss Event; and

2.3.3.4

provide any reasonable assistance requested by the Controller.

2.4

Reasonable Assistance to the Controller

2.4.1

The Processor shall provide all reasonable assistance to the Controller in connection with:

2.4.1.1

compliance with Article 32; and

2.4.1.2

the preparation of any Data Protection Impact Assessment that may be required, prior to the commencement of the Processing under this Addendum.

2.4.2

In the event that the Processor receives a Subject Access Request or any other request from a Data Subject relating to their rights, the Processor shall:

2.4.2.1

notify the Controller immediately; and

2.4.2.2

provide any reasonable assistance requested by the Controller to comply with relevant Data Protection Legislation.

2.4.3

In the event that the Processor receives any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation; or any communication from the Information Commissioner’s Office or any other regulatory authority in connection with Personal Data processed under this Addendum, the Processor shall:

2.4.3.1

notify the Controller immediately; and

2.4.3.2

provide any reasonable assistance requested by the Controller to comply with relevant Data Protection Legislation.

2.5

Sub-Processors

2.5.1

The Controller authorises the use of the Sub-Processors listed in Schedule 1.

2.5.2

The Processor shall enter into a written agreement with each Sub-Processor which shall contain terms equivalent to those set out in this Addendum such that they apply to the Sub-Processor.

2.5.3

The Processor shall remain fully liable for all acts or omissions of any Sub-Processor.

2.5.4

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, providing the Controller a minimum of 14 calendar days to object to such appointment on reasonable grounds relating to data protection.

2.5.5

In the event that the Controller objects to the appointment of a new Sub-Processor under clause 2.5.4 above, the Parties shall approach such concerns in good faith with a view to achieving resolution.

2.5.6

If the Parties are not able to achieve resolution under clause 2.5.5 above then the Controller may terminate the Agreement, including this Addendum.

2.6

International Transfers

2.6.1

The Processor shall only transfer Personal Data outside of the UK and EU if it has implemented Appropriate Safeguards to ensure the protection of the Personal Data in the destination territory, in accordance with the Data Protection Legislation.

2.6.2

In the event of any transfer of Personal Data outside of the UK and EU, the Processor shall carry out a Transfer Risk Assessment to determine that the Data Subject has sufficiently enforceable rights and effective legal remedies.

2.7

Audits

2.7.1

The Processor shall maintain and make available to the Controller upon request complete and accurate records and information to demonstrate its compliance with this Addendum and the Data Protection Legislation.

2.7.2

The Processor shall allow for audits and inspections by the Controller or the Controller’s designated auditor, to establish the Processor’s compliance with the terms of this Addendum.

2.8

Termination of the Agreement

2.8.1

Upon termination of the Agreement and at the written direction of the Controller, the Processor shall either delete or return the Personal Data to the Controller unless the Processor is required by Law to retain the Personal Data.

2.8.2

The Parties agree that the plan for return and destruction of the Personal Data once the Processing is complete is detailed in Schedule 1.

3.

Indemnity

3.1

The Processor shall indemnify the Controller against any losses or damages incurred by the Controller as a direct or indirect result of third-party claims relating to the Processor’s failure to comply with the Data Protection Legislation and the obligations set out in this Addendum. This indemnity shall not apply to the extent that the act or omission was a direct result of an express instruction of the Controller.

Schedule 1:

Data Processing Schedule

Description

Details

Subject matter of the processing

Provision of services by the Supplier to the Customer, under the Agreement.

Duration of the processing

The duration of the Agreement.

Nature and purposes of the processing

The Supplier will use the Personal Data for provision of accountancy consultancy services to the Customer. This will include the deployment of proprietary software and integrations.

Depending on the Services chosen by the Customer, the Supplier will assist the Customer with the implementation of the software into their organisation. This software includes third party software products (Sub-Processors) as stated in the Agreement.

Type of Personal Data

The categories of Personal Data processed will be dependent upon the services provided to the school.

This could include (but is not limited to):

  • Name
  • Address
  • Contact details such as telephone number and email address
  • Payroll information such as bank payment details, submitted travel and subsistence claims
  • Any narrative added by the Customer to purchase orders etc such as pupil or staff initials

The Supplier will process certain types of special category data including (but not limited to):

  • Health data. For example, pupils with EHCPs may have their initials added to identify funding and costs associated with each EHCP.

Categories of Data Subject

Personal Data will be processed which relates to any/all of the below during the course of the Supplier’s delivery of services:

  • Staff employed by the Customer
  • Pupils (children and young people)
  • School suppliers including sole traders

Plan for return and destruction of the data once the processing is complete UNLESS required to retain under UK law

The Customer shall inform the Supplier as to whether they prefer the Personal Data to be deleted or returned at the end of the contract. The Supplier shall comply without undue delay.

Authorised Sub-Processors

The Sub-Processors engaged are dependent on the Services that the Customer purchases. A full list of current Sub-Processors is:

  • ApprovalMax
  • Planergy
  • Xero
  • Tugger
  • Fathom
  • Crezco
  • Joiin

We also use Xero certified apps from the app marketplace but will always ask you to connect these directly.
