For the purposes of this clause, “Data Protection Legislation” means: the General Data Protection Regulation ((EU) 2016/679) (GDPR) unless and until GDPR is no longer directly applicable in the UK, together with any national implementing laws, regulations and secondary legislation as amended or updated from time to time in the UK, including the Data Protection Act 2018 (DPA), and any successor legislation to the GDPR and the DPA.
Each party shall comply with applicable requirements of the Data Protection Legislation. This clause is in addition to and does not replace a party's obligations under the Data Protection Legislation. The terms "Data Controller", "Data Processor", “Data Subject”, "Personal Data", "Process" and "Processing" have the meanings set out in the Data Protection Legislation.
With the exception of Personal Data processes in the circumstances described in 4, the Parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is the Data Controller, Virtual College is the Data Processor and that Virtual College will engage sub-processors pursuant to the requirements set forth in section 5(a) below.
Where Virtual College Content forms part of the services, Virtual College will be joint Data Controller with the Customer in order for Us to determine training outcomes and retain records of Virtual College certifications.
We shall:
- be entitled to engage sub-processors to fulfil its obligations in the Agreement only with the Customer’s written consent. For these purposes, the Customer consents to the engagement as sub-processors of Virtual College’s affiliated companies and the third parties listed in Exhibit A. For the avoidance of doubt, the above authorisation constitutes the Customer’s prior written consent to the sub-processing by Virtual College for purposes of the Data Protection Law.Where We engage sub-processors, the sub-processing shall be carried out in accordance with the Data Protection Law and with at least the same level of protection for the Processing of Personal Data as the Virtual College under GDPR requirements
- have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of, accidental loss or destruction of or damage to Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected;
- not engage another processor without prior specific or general written authorisation from you and without ensuring that the same data protection obligations as set out in the Contract are imposed on that other processor and we shall remain fully liable to you for performance of the other processor’s obligations to the extent the other processor fails to fulfil their data protection obligations;
- ensure that personnel who have access to or process Personal Data keep the Personal Data confidential and we shall remain liable to you for any failure by personnel to do so;
- not transfer Personal Data outside of the European Economic Area without your prior written consent and we shall ensure that the transfer is made in accordance with the Data Protection Legislation and that the organisations to which the Personal Data is transferred ensure an adequate level of protection;
- assist you to respond to any request from a Data Subject and to comply with your obligations under the Data Protection Legislation;
- notify you without undue delay of a Personal Data breach (which has the meaning given to it in the Data Protection Legislation);
- at your written direction, delete or return Personal Data to you on termination of the Contract unless we are required by law to store the Personal Data; and
- maintain complete and accurate records and information to demonstrate our compliance with this clause and allow for audits by you or your designated auditor, provided that you shall provide reasonable notice of any audit you wish to carry out and such audits shall be on a supervised basis and no more than once in any calendar year.
We shall immediately inform you if, in our opinion, an instruction from you infringes the Data Protection Legislation.
If we wish to appoint a third-party processor, we shall seek your prior written consent.