The Parties have agreed to enter into this Data Protection Addendum on the following terms:
Capitalised terms used in this Addendum which are defined in the Terms of Service shall have the meaning given to them in the Terms of Service unless otherwise indicated. The following additional definitions and rules of interpretation will also apply in this Addendum:
The provision of the Platform by Pobble to Users and Subscribers in accordance with the Terms of Service.
means (for so long as and to the extent that they apply to Pobble) the law of the European Union, the law of any member state of the European Union and/or any UK data protection legislation and any other law that applies in the UK.
Data Protection Authority
the Information Commissioner's Office (ICO) and any subsequent data protection authority within the United Kingdom.
Data Protection Legislation
the Data Protection Act 2018 (the DPA), the Data Protection Directive (95/46/EC), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and General Data Protection Regulation (2016/679) (GDPR) and all applicable laws and regulations relating to the processing of the personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other national data protection authority, and the equivalent of any of the foregoing in any relevant jurisdiction. For the avoidance of doubt, the UK-GDPR will replace the GDPR in respect of England and Wales.
Data Security Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
Data Subject Rights
The rights of the Data Subject in accordance with chapter 3 of the GDPR.
Shared Personal Data
the Personal Data which is shared between the Parties under this Addendum as set out in Appendix 1 to this Addendum. Only Personal Data which is processed by Pobble as a Data Processor shall be considered Shared Data for the purposes of this Addendum.
Shall have the meaning given to it in the Pobble Terms of Service which can be found here.
For the Subscription Term, or for as long as the Parties share Personal Data, whichever is the longer.
1.2 Data Controller, Data Processor, Data Subject and Personal Data Processing, Special Category Data Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.
1.3 Clause and paragraph headings shall not affect the interpretation of this Addendum.
1.4 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.5 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.6 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision, save for EU regulations and/or any directive and/or amendment to the same. Where EU legislation is replaced by English legislation, then that English legislation shall apply to the exception of the preceding EU legislation.
1.7 References to clauses are to the clauses of this Addendum.
1.8 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
1.9 A reference to writing or written includes email but not fax.
1.10 Unless the context otherwise requires the reference to one gender shall include a reference to the other genders.
1.11 As of the Registration Start Date, this Addendum replaces any previous data processing agreements between the Parties. For the avoidance of doubt, this Addendum does not replace or take precedence over any other contractual agreement between the Parties (including the Pobble Terms of Service) and is supplemental to the Terms of Service and any other written agreement in place.
2. STATUS AND SCOPE
2.1 In the majority of cases Pobble acts as a Data Controller in providing the Pobble Platform to its Users and Subscribers. When Pobble is acting as a Data Controller it is required to comply with the requirements of the Data Protection Legislation in its own right and the terms of this Addendum will not apply to any processing Pobble carries out as a Data Controller. However, to the extent that Pobble is acting as a Data Processor in providing services to Subscribers and processing the Shared Personal Data the terms set out in this Addendum will apply to such processing.
2.2 This Addendum will be deemed to have been entered into as of the Registration Start Date. This Addendum sets out the framework for the sharing of Personal Data between Subscribers and Pobble and where processing takes place, the obligation between the Subscriber and Pobble. It defines the principles and procedures that both Parties shall adhere to and the responsibilities they owe to each other.
2.3 Appendix 1 sets out the scope, nature and purpose of processing by Pobble, the types of Personal Data being processed and the categories of Data Subject. The duration of the processing will be for the duration the services are provided by Pobble to the Subscriber.
2.4 When acting as a Data Processor within the meaning of the Data Protection Legislation, Pobble agrees to only process Shared Personal Data for the Agreed Purpose on the documented written instructions of the Subscriber which are set out in this Addendum unless Pobble is required by Applicable Laws to otherwise process the Shared Personal Data. Where Pobble is relying on Applicable Laws as the basis for processing Shared Personal Data, Pobble shall promptly notify the Subscriber of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Pobble from so notifying the Subscriber.
3. FAIR AND LAWFUL PROCESSING
3.1 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
3.2 Each Party must ensure compliance with applicable Data Protection Legislation and any other relevant and applicable domestic legislation which relates to the processing and protection of the Shared Personal Data at all times during the Term of this Addendum. This clause 3.2 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
3.3 Each party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with clause 3.2 during the Term of this Addendum.
3.4 The Subscriber agrees not to provide Pobble with any Special Category Data without the explicit consent of the Data Subject.
3.5 The Subscriber shall, in respect of Shared Personal Data, ensure that their privacy notices are clear and provide sufficient information to the Data Subjects for them to understand the extent to which their Personal Data is shared with Pobble by the Subscriber, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of Pobble or a description of the type of organisation that will receive the Personal Data.
4. DATA SUBJECTS’ RIGHTS AND COOPERATION
4.1 The Parties agree to provide reasonable assistance as is necessary to each other to enable them to comply with Data Subject Rights requests and to respond to any other queries or complaints from Data Subjects or any applicable data protection authority.
4.2 In the event that a Data Subject submits a Personal Data deletion request to Pobble, the Subscriber hereby instructs and authorises Pobble to delete or anonymise the Data Subject’s Personal Data on the Subscriber’s behalf.
4.3 Upon the Subscriber’s written request Pobble agrees to make available to the Subscriber all information reasonably necessary to demonstrate its compliance with the obligations set out in this Addendum.
5. DATA RETENTION AND DELETION
5.1 Except where Pobble is acting as a Data Controller, Pobble shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
5.2 Notwithstanding clause 5.1, Parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable to their business.
5.3 Except where Pobble is acting as a Data Controller, Pobble shall ensure that any Shared Personal Data is returned to the Subscriber or destroyed (at the Subscriber’s option) in the following circumstances:
a) on termination of the agreement between Pobble and the Subscriber for any reason; or,
b) once processing of the Shared Personal Data is no longer necessary for the Agreed Purposes it was originally shared for.
5.4 Following the deletion of Shared Personal Data in accordance with clause 5.3, Pobble shall notify the Subscriber that the Shared Personal Data in question has been deleted.
6.1 For the purposes of this clause, transfers of Personal Data shall mean any sharing of Personal Data by Pobble with a third party, and shall include, but is not limited to, the following:
a) storing Shared Personal Data on servers outside the UK;
b) subcontracting the processing of Shared Personal Data to data processors located outside the UK;
c) granting third parties located outside the UK access rights to the Shared Personal Data.
6.2 Both Parties agree to ensure that Shared Personal Data will only be disclosed or transferred outside of the UK by Pobble where:
a) it is to an EEA country;
b) an adequacy decision has been made by the European Data Protection Commission permitting the transfer of data to that country; or
c) Standard Contractual Clauses (SCCs) are in place; or
d) assurances that an adequate level of protection of the Personal Data is achieved (based on a case by case assessment of the circumstances of the transfer) have been received, including adequate technical and operational measures in place to protect the Personal Data.
7. SECURITY AND TRAINING
7.1 Having regard to the state of technological development and the cost of implementing such measures, the Parties have in place appropriate technical and organisational security measures in accordance with the requirements within Data Protection Legislation to:
i) unauthorised or unlawful processing of the Shared Personal Data; and
ii) the accidental loss or destruction of, or damage to, the Shared Personal Data.
b) ensure a level of security appropriate to the:
i) harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
ii) nature of the Shared Personal Data to be protected.
7.2 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures set out in the Data Protection Legislation. Pobble shall ensure that all personnel who have access to and/or process Shared Personal Data are obliged to keep the Shared Personal Data confidential.
7.3 The level, content and regularity of training referred to in clause 7.2 shall be proportionate to the staff members' role, responsibility and frequency with respect to their handling and processing of the Shared Personal Data.
8. DATA SECURITY BREACHES AND REPORTING PROCEDURES
8.1 Having considered the applicable Data Protection Legislation and guidance, the Parties have in place their own guidance that must be followed in the event of a Data Security Breach.
8.2 Pobble shall notify the Subscriber of any potential or actual losses of the Shared Personal Data without undue delay to enable the Parties to consider what action is required in order to resolve the issue in accordance with the applicable Data Protection Legislation.
8.3 The Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Data Security Breach in an expeditious and compliant manner.
9. RESOLUTION OF DISPUTES
9.1 In the event of a dispute or claim brought by a Data Subject or the Data Protection Authority concerning the processing of Shared Personal Data against either or both Parties, the Parties will inform each other about any such disputes or claims without delay, and will cooperate with a view to settling them amicably in a timely fashion.
9.2 The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Data Protection Authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
9.3 Each party shall abide by a decision of a competent court or of the Data Protection Authority, except where further appeal is possible.
Except as expressly stated in this Addendum, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.
11.1 The Subscriber and Pobble undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Addendum, except to the extent that any such liability is excluded under the Terms of Service and/or subject to any limitation specified in the Terms of Service.
11.2 Indemnification hereunder is contingent upon:
a) the party to be indemnified (the indemnified party) promptly notifying the other party (the indemnifying party) of a claim;
b) the indemnifying party having sole control of the defence and settlement of any such claim; and
c) the indemnified party providing reasonable cooperation and assistance to the indemnifying party in defence of such claim at their own cost.
12. COSTS OF COMPLIANCE
Each party shall perform its obligations under this Addendum at its own cost.
13. LIMITATION OF LIABILITY
The limits on liability set out in clause 18 of the Terms of Service shall apply to this Addendum.
14.1 If any provision or part-provision of this Addendum is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Addendum.
14.2 If one party gives notice to the other of the possibility that any provision or part-provision of this Addendum is invalid, illegal or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.
15. FURTHER ASSURANCE
Each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Addendum.
16. FORCE MAJEURE
Neither party shall be in breach of this Addendum nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 2 weeks, the party not affected may terminate this Addendum by giving 2 days' written notice to the affected party.
17. RIGHTS AND REMEDIES
The rights and remedies provided under this Addendum are in addition to, and not exclusive of, any rights or remedies provided by law.
18. ENTIRE AGREEMENT AND VARIATION
18.1 This Addendum constitutes the entire agreement between the Parties and supersedes and extinguishes all previous drafts, agreements, arrangements and understandings between them, whether written or oral, relating to its subject matter.
18.2 Each party agrees that it shall have no remedies in respect of any representation or warranty (whether made innocently or negligently) that is not set out in this Addendum. Each party agrees that its only liability in respect of those representations and warranties that are set out in this Addendum (whether made innocently or negligently) shall be for breach of contract.
18.3 No variation of this Addendum shall be effective unless it is in writing and signed by each of the Parties (or their authorised representatives).
19. NO WAIVER
19.1 Failure to exercise, or any delay in exercising, any right or remedy provided under this Addendum or by law shall not constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict any further exercise of that or any other right or remedy.
19.2 No single or partial exercise of any right or remedy provided under this Addendum or by law shall preclude or restrict the further exercise of that or any other right or remedy.
20.1 A notice given to a party under or in connection with this Addendum shall be in writing and sent in accordance with the Terms of Service.
21. NO PARTNERSHIP
Nothing in this Addendum is intended to, or shall be deemed to, establish any partnership or joint venture between any of the Parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.
22. THIRD PARTY RIGHTS
A person who is not a party to this Addendum shall not have any rights under or in connection with it.
23. GOVERNING LAW AND JURISDICTION
The validity, construction and performance of the Addendum shall be governed by English law and shall be subject to the exclusive jurisdiction of the English courts to which the Parties submit.
Appendix 1 - Shared Personal Data
The subject matter, scope, nature, types of Personal Data processed and categories of Data Subjects are determined by the Subscriber in its sole discretion through the Subscriber’s use of the Platform and the services it receives from Pobble and will depend entirely on the Personal Data the Subscriber provides to Pobble but may include:
Without limitation, Personal Data relating to the following categories of data subjects:
Employees, and Pupils of the Subscriber
Types of Personal Data (without limitation):
With respect to employees of the Subscriber (including Teachers) where provided by the Subscriber to Pobble:
With respect to Pupils where provided by the Subscriber to Pobble:
In some limited circumstances the following additional information may be processed about Pupils:
Personal Data provided by Users themselves direct to Pobble (that is not provided by a Subscriber) shall not be considered Shared Personal Data for the purposes of this Addendum as Pobble will not be processing such Personal Data on behalf of the Subscriber (being a School, home tutor or other education provider).