By continuing to use our product and providing us with school data, the school agrees to the terms of this policy.
Under data protection laws, the company is considered a "processor" of the school data, which includes personal data, and the school is considered a "controller" of this data.
Both the company and the school will follow all data protection laws when handling the school data.
The company will process the school data on behalf of the school, as instructed and authorised by the school, to provide the product to the school and for the purposes outlined in this policy.
The school confirms that it has a legal reason, as defined by data protection laws, for providing the company with the necessary data and allowing the company to legally process this data for specified purposes. If the school does not have a legal reason for doing this, the school will be responsible for any costs, claims, damages, expenses, losses, or liabilities that the company incurs as a result.
The company will not send or allow the school data to be sent outside of the European Economic Area ("EEA") without first ensuring that the data is protected. This may involve using standard data protection clauses that the European Commission or other measures have approved that data protection authorities have approved.
The company will make sure that any person it allows to process the data (including its staff, agents, and subcontractors) (called an "authorised person") has a strong obligation to keep the data confidential, whether through a contract, a legal requirement, or any other means. The company will not allow anyone who does not have this obligation to process the data. The company will also ensure that all authorised persons only process the data for the permitted purpose.
The company will implement appropriate technical and organisational measures to protect the school data from unauthorised or illegal processing and accidental loss, destruction, or damage. The level of security applied to the data and the nature of the processing will be taken into consideration when determining these measures.
The company may use other companies or organisations (called "sub-processors") to process school data on our behalf. The company will ensure that sub-processors follow the same data protection standards and will be held responsible if they do not.
The company will also help the school respond to requests from individuals (called "data subjects") to exercise their rights as specified by data protection laws.
The company will provide all necessary and timely assistance (including appropriate technical and organisational measures) to the school (at the school's expense) to help the school respond to the following:
If the company believes or becomes aware that processing of the data may pose a high risk to the data protection rights and freedoms of data subjects, it will promptly inform the school and provide the school with all necessary and timely assistance to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority.
If either party becomes aware of a security incident, they must promptly inform the other party and provide all necessary and timely information and cooperation to help the other party fulfil their data breach reporting obligations under applicable data protection laws. Both parties must also take all necessary measures and actions to address or minimise the effects of the security incident and keep the other party informed of any related developments.
Upon request from the school, the company will destroy all data (including all copies of the data) in its possession or control (including any data that has been subcontracted to a third party for processing).
This requirement does not apply if the company is required by EU or EU member state law to retain some or all of the data. In this case, the company will isolate and protect the data from further processing, except as required by law.
The company will allow the school (or its appointed third-party auditors) to audit the company's compliance with this schedule and will provide the school with all necessary information, systems, and staff to conduct the audit.
The school will not exercise its audit rights more than once in a 12-month period unless instructed by a competent data protection authority or if the school believes a further audit is necessary due to a security incident suffered by the company.
As described in this paragraph, the school's information and audit rights apply only to the extent required by applicable data protection laws.
The school will give the company reasonable notice of any audit or inspection that it plans to conduct and will (and will ensure that any nominated auditor will) avoid or minimise any damage, injury, or disruption to the company or its subcontractors' business.
Each party (the "indemnifying party") will protect the other party (the "indemnified party") from any loss, cost, harm, expense (including reasonable legal fees), liabilities, or damage ("damage") that the indemnified party suffers or incurs as a result of the indemnifying party's violation of the provisions of this schedule. This protection is subject to the following conditions:
The company will not be liable to the school, whether for breach of contract, tort (including negligence), breach of statutory duty, or any other reason, for or in connection with the following:
However, the company's liability for death or personal injury caused by its negligence, fraud, or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded by law, is not limited by this clause.
This part of our terms and conditions explains how we will handle data for the school. The data we will process is called "school data", and it relates to the following groups of people:
The types of data we will process are:
We will use the school data to help us fulfil our obligations to the school under the terms and conditions for using our product, which includes all Fixturr websites, apps and services.