Educake Ltd Data Protection Addendum (DPA)

This Data Protection Addendum (“Addendum”) forms part of the agreement (“Agreement”) between Educake Ltd (“Educake” or “Processor”) and its customer (“Controller”) for the provision of services offered by Educake (“Services”). This Addendum reflects the parties’ agreement regarding the processing of personal data under applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK Data Protection Act 2018.

Educake provides services as a data processor, acting solely on the documented instructions of the Controller. The Controller is fully responsible for ensuring compliance with all applicable data protection laws and for determining the purposes and legal bases for processing Personal Data.

1. Definitions

1.1. Controller: The entity that determines the purposes and means of processing Personal Data and bears sole responsibility for ensuring such processing complies with applicable laws.
1.2. Processor: Educake Ltd, which processes Personal Data strictly on behalf of the Controller and accepts no liability for decisions made by the Controller.
1.3. Personal Data: Any information relating to an identified or identifiable natural person.
1.4. Data Subject: The individual to whom the Personal Data pertains.
1.5. Applicable Data Protection Laws: All laws governing the processing of Personal Data, including the GDPR and the UK Data Protection Act 2018.
1.6. Sub-processor: Any third party engaged by Educake to process Personal Data on behalf of the Controller.

2. Roles and Responsibilities

2.1. Controller’s Responsibility: The Controller shall bear sole responsibility for ensuring that Personal Data is processed lawfully, including obtaining any necessary consents or establishing another legal basis for processing. The Controller also assumes responsibility for the accuracy, integrity, and security of Personal Data prior to transmission to Educake.

2.2. Purpose Limitation: Educake shall only process Personal Data as expressly directed by the Controller and accepts no responsibility for any processing outside the scope of its instructions.

2.3. Compliance and Instructions: The Controller guarantees that its instructions to Educake comply with all applicable data protection laws. The Controller indemnifies Educake against any liability arising from non-compliance with such laws or improper instructions.

3. Educake’s Obligations as Processor

3.1. Confidentiality: Educake shall ensure all personnel authorised to process Personal Data are bound by confidentiality obligations.

3.2. Security Measures: Educake shall implement appropriate technical and organisational measures to safeguard Personal Data from unauthorised access, loss, or alteration, provided that Educake shall not be held liable for any breach arising from the Controller’s failure to ensure secure transmission of data or compliance with security recommendations provided by Educake.

3.3. Data Breach Notification: Educake shall notify the Controller of any breach involving the Controller’s data without undue delay. The Controller shall remain responsible for fulfilling any legal obligations to notify Data Subjects or regulatory authorities.

3.4. Data Subject Requests: Educake shall assist the Controller with responding to Data Subject requests. The Controller is solely responsible for determining the scope of any response and for any costs associated with such assistance.

3.5. Sub-processors: The Controller acknowledges that Educake may use Sub-processors to provide the Services. A list of current Sub-processors can be found at www.educake.co.uk/about/subprocessors, and it will be updated as needed. The Controller gives Educake permission to hire future Sub-processors, as long as Educake checks they follow Data Protection Laws and this Agreement. The Controller also allows Educake to process personal data outside the UK or EEA, without asking for permission first, as long as the destination has proper data protection laws, Educake uses valid transfer methods, and the transfer follows Data Protection Laws. If necessary, the parties will agree on Standard Contractual Clauses (SCCs) for data transfers to meet legal requirements.

4. Controller Obligations

4.1. Lawfulness of Processing: The Controller shall ensure that all processing of Personal Data complies with Applicable Data Protection Laws. Educake accepts no liability for processing conducted at the Controller’s direction.

4.2. Accuracy of Data: The Controller guarantees the accuracy, completeness, and legality of all Personal Data provided to Educake.

4.3. Data Subject Notices: The Controller shall ensure Data Subjects are provided with all required notices under applicable laws, including information about their rights and how their data will be processed.

4.4. Security Obligations: The Controller shall implement appropriate technical and organisational measures to secure Personal Data within its control, including during transmission to Educake.

4.5. Indemnity: The Controller shall fully indemnify and hold Educake harmless against any claims, liabilities, or regulatory actions arising from the Controller’s failure to fulfil its obligations under this Addendum or applicable data protection laws.

5. Audit Rights

5.1. Educake shall provide the Controller with necessary information to demonstrate compliance with this Addendum. The Controller shall bear all costs associated with any audits or inspections.

5.2. Audits shall be conducted with at least 30 days’ written notice and in a manner that minimises disruption to Educake’s operations. Educake reserves the right to reject any auditor not bound by appropriate confidentiality obligations.

6. Return and Deletion of Data

6.1. Upon termination of the Agreement, Educake shall, at the Controller’s written request, return or delete all Personal Data, provided that Educake shall not be required to delete data that must be retained to comply with applicable laws.

6.2. The Controller assumes responsibility for requesting the return or deletion of Personal Data. Educake shall not be held liable for retaining data in the absence of clear instructions.

7. Liability and Indemnification

7.1. Educake’s liability under this Addendum is strictly limited to the extent permitted by law and excludes any indirect, incidental, or consequential losses.

7.2. The Controller shall indemnify and hold Educake harmless from all claims, fines, or damages resulting from the Controller’s breach of its obligations under this Addendum or applicable data protection laws.

8. General Terms

8.1. In the event of a conflict between this Addendum and the Agreement, this Addendum shall prevail concerning data protection matters.

8.2. This Addendum shall be governed by the laws of England and Wales, and any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.