Data Processing Agreement

Updated 24th May 2018

This Data Processing Agreement (“DPA”) supplements the General Terms and Conditions of Business (the “Conditions”) and forms part of the Agreement between Lumina Learning LLP (established at Alderwick James & Co, 4 The Sanctuary, 23 Oakhill Grove, Surbiton, Surrey KT6 6DU, United Kingdom) and the individual or organisation that is party to the Agreement (“You, Your”).

1.              Overview

1.1.           This DPA sets out how Personal Data shall be processed in accordance with EU Data Protection Law where:

1.1.1.       You are Data Controller; and

1.1.2.       Lumina Learning LLP is Data Processor.

1.2.           This DPA shall be interpreted in accordance with the Conditions, save that in the case of a conflict between the Conditions and this DPA, the DPA shall prevail.

1.3.           All data disclosed under this DPA shall be treated confidentially and not disclosed to a third party without Your written agreement.

 

2.              Definitions

2.1.           “Agreement” means the contractual relationship between the parties, as defined by the Conditions.

2.2.           “Data Controller” means the individual or legal entity who determines the purposes and means of the processing of Personal Data, as detailed in this DPA.

2.3.           “Data Processor” means the natural or legal person that processes Personal Data on behalf of the Data Controller, as detailed in this DPA.

2.4.           “Data Subject” means any individual natural person about whom Personal Data is gathered.

2.5.           “EU Data Protection Law” means the legal framework of the European Union (EU) governing the treatment of Personal Data, including Regulation (EU) 2016/679 (the General Data Protection Regulation), associated national implementing laws, official guidelines and other applicable laws.

2.6.           “Participant” means a Data Subject to whom You provide the Practitioner Services.

2.7.           “Participant Data” means data, including Personal Data, gathered by You about Participants.

2.8.           “Personal Data” means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.9.           Other capitalised terms in this DPA shall have the specific meaning as defined in this DPA or, where this DPA contains no definition, as defined in the Conditions.

 

3.              Processing Activities

3.1.           This DPA applies to the following:

3.1.1.       Subject matter of processing: the provision of Services to You by Lumina Learning LLP under the Agreement.

3.1.2.       Duration of processing: for the duration of the Agreement.

3.1.3.       Nature & purpose of processing: to enable Lumina Learning to provide You with the Services and to facilitate Your provision of the Practitioner Services to Participants.

3.1.4.       Type of personal data: Participant Data; and

3.1.5.       Categories of data subjects: Participants.

 

4.              Your Obligations as Data Controller

4.1.           You shall:

4.1.1.       Comply with all relevant EU Data Protection Laws; and.

4.1.2.       Implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data.

4.2.           You hereby give Lumina Learning LLP instruction to process Personal Data in any manner reasonably required to achieve the purposes of processing.

4.3.           You hereby give Lumina Learning LLP general written instruction to:

4.2.1.       Engage another processor to conduct the processing. Lumina Learning LLP shall inform You of any intended changes concerning the addition or replacement of other processors, thereby giving You the opportunity to object to such changes; and

4.2.2.       Transfer Personal Data outside the European Economic Area (EEA) where reasonably necessary to achieve the purposes of processing.

 

5.              Lumina Learning LLP’s Obligations as Data Processor

5.1.           Lumina Learning LLP shall: .

5.1.1.       Comply with all relevant EU Data Protection Laws;

5.1.2.       Process Personal Data only on documented instructions from You as provided by You in paragraph 4 of this DPA. Lumina Learning LLP may also handle data in accordance with applicable law to which it is subject, provided that it undertakes to inform You of that legal requirement before processing takes place, unless that law prohibits such information on important grounds of public interest;

5.1.3.       Implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data, including by implementing reasonable measures to keep Personal Data safe from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access;

5.1.4.       Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.1.5.       Ensure that persons authorised to process Personal Data have committed themselves to implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data;

5.1.6.       At Your choice, delete or return all Personal Data to You after the purposes for processing are complete and delete existing copies, unless applicable law requires storage of the Personal Data;

5.1.7.       Transfer Personal Data outside the EEA only with Your instruction, as provided by You in paragraph 4 of this DPA, and only where satisfied that adequate safeguards are in place, or if the transfer is required by law;

5.1.8.       Notify You as soon as possible once becoming aware of a Personal Data breach and cooperate in implementing appropriate remedial action; and

5.1.9.       Notify You as soon as possible once becoming aware of a complaint relating to the processing.

5.2.           Lumina Learning LLP shall assist You, where reasonably possible and insofar as it relates to the processing, to comply with Your obligations established by EU Data Protection Law to:

5.2.1.       Implement appropriate technical and organisation measures to ensure an appropriate level of security for Personal Data;

5.2.2.       Report a Personal Data breach to a supervisory authority;

5.2.3.       Communicate a Personal Data breach to the Data Subject, where required by law;

5.2.4.       Conduct data protection impact assessments; and

5.2.5.       Respond to Data Subjects to exercise their Data Subject access rights, including their right to access, rectify, port and in some circumstances erase their Personal Data.

5.3.           Lumina Learning LLP shall not carry out Your instructions that it believes are incompatible with EU Data Protection Laws and shall notify You immediately if it believes such is the case.

 

6.              Audit

6.1.           Lumina Learning LLP shall make available to You information necessary to demonstrate compliance with obligations laid down by EU Data Protection Law and at Your sole cost allow You to conduct audits at a mutually agreed time.

6.2.           Lumina Learning LLP shall make available to You a copy of Personal Data held under this agreement upon request.

 

7.              Term and Termination

7.1.           This DPA shall remain in force for the duration of the Agreement or where Personal Data is held beyond the termination of the Agreement until Personal Data is returned to You or erased.