This Data Processing Agreement (“Agreement”) is entered into by and between Bitz ‘n’ PC’z Ltd (“Data Processor”) and your school (“Data Controller”) and outlines the terms and conditions under which the Data Processor will provide IT services to the Data Controller, in compliance with the United Kingdom General Data Protection Regulation (UK GDPR).

1. Definitions

1.1 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

1.2 “Personal Data” means any information relating to a Data Subject.

1.3 “Processing” means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2. Data Processing

2.1 The Data Processor shall process Personal Data on behalf of Data Controller, in accordance with this Agreement and the applicable data protection laws, including the UK GDPR.

2.2 The Data Processor shall process Personal Data only as necessary to provide the IT services outlined in the Service Level Agreement (SLA) between the parties, including user account creation, cloud backups, Microsoft 365 support and other services as agreed upon by the parties.

3. Subprocessors

3.1 The Data Processor may engage sub-processors to process Personal Data, provided that the Data Processor enters into a written agreement with each sub-processor that imposes the same data protection obligations as this Agreement.

3.2 The Data Processor will notify Data Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Data Controller the opportunity to object to such changes.

3.3 The Data Processor’s current sub-processors are listed here.  The Data Processor will update the Data Controller if any changes are made to this list.

4. Security Measures

4.1 The Data Processor shall implement and maintain appropriate technical and organisational security measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

4.2 The Data Processor shall ensure that its personnel authorised to process Personal Data are subject to appropriate confidentiality agreements.

5. Data Breach Notification

5.1 In the event of a Personal Data breach, the Data Processor shall notify the Data Controller without undue delay and in any case within 72 hours, providing all relevant details of the breach.

6. Data Subject Rights

6.1 The Data Processor shall assist the Data Controller in responding to any requests by Data Subjects to exercise their rights under the UK GDPR, including the rights to access, rectification, erasure, restriction, data portability, and objection to processing.

7. Audit and Inspection

7.1 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this Agreement and the UK GDPR and shall allow for and contribute to audits and inspections conducted by the Data Controller or an auditor mandated by the Data Controller.

8. Termination

8.1 Upon termination of the SLA between the parties, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies, unless required to retain the Personal Data by applicable law.

This Agreement shall be governed by and construed in accordance with the laws of the United Kingdom. Each party hereby submits to the exclusive jurisdiction of the courts of the United Kingdom.