SIPS Education Ltd General Data Protection Regulation 2018
SIPS Education Ltd, through its provision of services to customers, will need to process personal data provided to it by the customer. SIPS Education Ltd, as the Processor in accordance with the definition under the General Data Protection Regulation 2018, will only process such personal data in order to supply the services agreed in individual contracts with customers.
SIPS Education Ltd as the Processor will process the personal data in accordance with the following principles:
- The Processor only acts on the instructions from the customer in relation to the processing of personal data, and in order to deliver the services outlined in the contract for services.
- The Processor shall employ appropriate technical and organisational processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure, as appropriate to the services being provided to the customer.
- The Processor will not keep the personal / confidential data on any laptop or other removable drive or device unless that device is protected by being fully encrypted, and the use of the device or laptop is necessary for the provision of the services under this agreement.
- The Processor shall ensure that only such of its employees who may be required by it to assist it in meeting its obligations under the contractual agreements shall have access to the personal / confidential data.
- The Processor shall ensure that all employees used by it to provide the services as defined in the contracts have undergone training in the law of data protection, their duty of confidentiality under contract and in the care and handling of personal data.
- The Processor will assist its customers promptly with all subject information requests which may be received from the data subjects of the personal data.
- The Processor shall NOT use the personal / confidential data for any purposes other than to deliver those services detailed in the individual contracts.
- The Processor shall NOT disclose the personal / confidential data to a third party in any circumstances other than at the specific written request of the customer or when required to ensure continuity of the agreed services or if required by law.
- The Processor will NOT transfer the personal data to any country outside the European Economic Area (EEA) without explicit written agreement from the customer.
- The Processor will notify the customer of any information security incident that may impact the processing of the personal data covered by this agreement within two working days of discovering, or becoming aware of, any such information security incident. Following the report of any such incident, the Processor will cooperate with the customers whilst they carry out a risk assessment, root cause analysis and identify any corrective action required. The Processor will cooperate with the customer in implementing any required corrective action agreed between the parties.
- The Processor shall immediately refer to and support the customer if the Data Processor receives:
  i) A request from any person whose Personal Data it holds to access his Personal Data; or
  ii) A complaint or request relating to the obligations under the GDPR.