Phonics Tracker ("We") are committed to protecting and respecting your privacy.
Our Policy has been updated in accordance with the new GDPR legislation. To the best of our knowledge, and in line with legal advice and auditing that we have undertaken, we are compliant with GDPR policies.
If you have any questions or concerns, please do not hesitate to contact us.
This policy is not legally binding and the Data Controller (School) should implement their own GDPR compliant agreement between the two parties which we will review and comply with accordingly.
In this Schedule, the following terms shall have the following meanings:
- "Controller", "Processor", "Data Subject", "Personal Data" and "Processing" (and "Process") shall have the meanings given in Applicable Data Protection Law as amended from time to time;
- "Applicable Data Protection Law" means, from 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); and the Data Protection Act 2018;
- "Company" means Phonics Tracker Limited (us);
- "School" means the relevant school or establishment using the Product;
- "School Data" means Personal Data relating to students, parents and guardians, and staff at the School, and other data regarding the school, including year group information;
- "Product" means any use of Phonics Tracker: website, printed reports or printed sheets.
- Phonics Tracker considers itself to be a processor of data. The school is the controller of data.
- By continuing to use Phonics Tracker, and by providing us with the school data, the School agrees to the terms of this schedule. You should, as the data controller, implement your own GDPR compliant processing agreement which we are happy to comply with to ensure reciprocal agreement as per GDPR requirements.
- The School and the Company acknowledge that, for the purposes of Applicable Data Protection Law, the Company is a Processor and the School is a Controller in respect of the School Data comprising Personal Data.
The School Data to be processed concern the following categories of Data Subjects:
The School Data to be Processed concern the following categories of data:
- school name and contact information (including school postal address, phone number and email address), teachers’ names and contact information (including phone numbers and email addresses), pupils’ names, pupils’ data (including SEN status, Pupil Premium status, gender, English as an Additional Language status and class year groups). This data is optional and does not need to be entered into the Tracker.
- details of interactions that the School and its Data Subjects have with us regarding the Product, together with any other information that the Data Controller (School) chooses to provide us with, for example, through correspondence and interactions with our customer and technical support teams;
- information collected automatically relating to the Product about how a user’s device has interacted with the Site, including the pages accessed and links clicked, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from any page;
- the answers provided by users of the Product to the phonemes and words.
The School Data will be obtained, held and used by the Company to enable the Company to carry out its obligations arising from the terms and conditions entered into between the School and the Company regarding the use by the School and its users of the Product, including the Site and Apps.
- The Company and the School shall comply with all Applicable Data Protection Law in respect of the Processing of the data.
- The Company shall Process the Data as a Processor for the purposes described in this policy strictly in accordance with the instructions of the School (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to the Company.
- The School hereby instructs and authorises the Company to process the Data for the purposes described in this policy, and as otherwise reasonably necessary to enable the Company to provide the Product to the School.
- The School warrants and represents that it has obtained all consents from individuals (including students, parents and guardians, and staff at the School) whose Data the School supplies to the Company in connection with the School’s use of the Product for the lawful Processing of the Data. The School shall indemnify the Company against all costs, claims, damages, expenses, losses and liabilities incurred by the Company arising out of or in connection with any failure (or alleged failure) by the School to obtain such consents.
- The Company shall not transfer the Data outside of the United Kingdom.
- The Company shall ensure that any person that it authorises to Process the Data (including the Company’s staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person to Process the Data who is not under such a duty of confidentiality.
- The Company shall ensure that all Authorised Persons Process the Data only as necessary for the Permitted Purpose.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing to be carried out by the Company, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, (ii) accidental loss, alteration, unauthorised disclosure or access, and (iii) any other breach of security ((i), (ii) and (iii) together, a "Security Incident") in each case appropriate to that risk.
- The Company may appoint sub-contractors to carry out any or all of its Processing activities.
- The School hereby authorises the Company to appoint third parties to provide web and app development services to the Company in connection with the Product, and third parties to provide electronic data storage and transmission services to the Company in connection with the Product.
- The School hereby authorises the Company to appoint the sub-contractors listed below to this Schedule to carry out Processing activities in connection with the Data. The Company shall notify the Data Controller (School) of any changes to the identity of such third parties and provide reasonable opportunity to submit objections.
- Where the Company appoints a sub-contractor pursuant to this paragraph 6, it shall ensure that the Company imposes data protection terms on any sub-contractor it appoints that protect the Data to the same standard as those provided for in this schedule, and meet the requirements of Applicable Data Protection Law.
- The Company acknowledges that it remains fully liable for the acts, errors or omissions of any of its sub-contractors in respect of the Processing of the Data.
Our subcontractors are:
- HostingUK.net (https://hostinguk.net) for Electronic data storage, cloud server and transmission service. All data centres are within the UK and no transfer occurs outside of the UK.
The Company shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the School to enable the School to respond to:
- any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
- any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data.
- In the event that any such request, correspondence, enquiry or complaint is made directly to the Company, the Company shall promptly inform the School providing full details of the same and the School shall provide all reasonable and timely assistance to the Company to enable the Company to take appropriate action.
- If the Company believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the School and provide the School with all such reasonable and timely assistance as the School may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Upon becoming aware of a Security Incident, the affected party shall inform the other party without undue delay and shall provide all such timely information and cooperation as the other party may reasonably require including in order for the affected party to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.
- The parties shall each further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep the other party up-to-date about all developments in connection with the Security Incident.
- Upon written request by the School, the Company shall destroy all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing).
- This requirement shall not apply to the extent that the Company is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event the Company shall isolate and protect the Data from any further processing except to the extent required by such law.
- The Company shall permit the School (or its appointed third party auditors) to audit the Company's compliance with this Schedule, and shall make available to the School all information, systems and staff reasonably necessary for the School (or its third party auditors) to conduct such audit.
- The School will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the School believes a further audit is necessary due to a Security Incident suffered by the Company.
- The information and audit rights of the School shall apply only to the extent required by Applicable Data Protection Law.
- The School shall give the Company reasonable notice of any audit or inspection that it wishes to conduct, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to the Company or its sub-contractors’ business.
- Any changes to this only affect the policy and not contractual agreements between the two parties under GDPR provisions.
The Company shall have no liability to the School, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
- any loss arising from the default or negligence of any supplier to the School;
- damage to reputation or goodwill; and/or
- any indirect or consequential loss.
- Nothing in this clause shall limit the liability of the Company for any death or personal injury caused by its negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law.