UK SCC

Last updated 18th March 2022

Explanatory note.

This document contains the UK standard contractual clauses (UK SCCs). This document is automatically incorporated into the terms of the contract entered into between you, a Teacher registered on the Teach Platform (as data exporter), and Teach Digital Software L.L.C. (as data importer) (the “Teacher Contract“). This document has been pre-signed by Teach. Because the terms of this document are incorporated into the Teacher Contract, you are deemed to have signed this document when the Teacher Contract comes into existence.

		Non-legally binding guidance
		This column does not form part of the standard contractual clauses, and is not legally binding on either party

Parties
Name of the data exporting organisation:	The entity identified as the “Teacher” in the Teacher Contract.	This is the sender of the restricted transfer of personal data (referred to as the exporter). Insert the full legal name: If a sole trader, his/her full name. If a company or limited liability partnership – as formally registered. If a partnership as set out in Partnership Deed. If an unincorporated association, check the establishing document, as to who should enter into this contract.
Address	The address and country for the Teacher associated with its Teach Platform account or as otherwise specified in the Teacher Contract.	This is the contact address for the exporter. It may be the registered address but does not need to be.

		Non-legally binding guidance
	Country: as above.	You must include the country.
Telephone	N/A	This can be the exporter's general contact telephone number.
Fax	N/A	This can be the exporter's general contact fax number. Leave this blank if you do not have a fax.
Email	The email address associated with the Teacher's account, or as otherwise specified in the Teacher Contract.	This can be the exporter's general contact email address
Other information needed to identify the organisation	Click here to enter text.	For UK companies and limited liability partnerships it is helpful to include the following: A company/limited liability partnership (delete as appropriate) registered in England and Wales/Scotland/Northern Ireland (delete as appropriate). Company number: insert number. For companies outside the UK, if possible it is helpful to include the registration number and country of incorporation. A company number is useful as it can help identify a company even if it has changed its name and address.
	(the data exporter”)
	And
Name of the data importing organisation:	Teach Digital Software L.L.C.	This is the receiver of the restricted transfer of personal data (referred to as the importer). Insert the full legal name: If a sole trader, his/her full name.

		Non-legally binding guidance
		If a company or limited liability partnership – as formally registered. If a partnership as set out in Partnership Deed. If an unincorporated association, check the establishing document, as to who should enter into this contract.
Address	Office 1006,10th floor, single Business Tower, Shaikh Zayed Road, Dubai, UAE Country: UAE	This is the contact address for the importer. It may be the registered address but does not need to be. You must include the country.
Telephone	N/A	This can be the importer's general contact telephone number.
Fax	N/A	This can be the importer's general contact fax number. Leave this blank if you do not have a fax.
Email	james@teach.io	This can be the importer's general contact email address
Other information needed to identify the organisation	UAE commercial license number 1018442	For UK companies and limited liability partnerships it is helpful to include the following: A company/limited liability partnership (delete as appropriate) registered in England and Wales/Scotland/Northern Ireland (delete as appropriate). Company number: insert number For companies outside the UK, if possible it is helpful to include the registration number and country of incorporation.

		Non-legally binding guidance
		A company number is useful as it can help identify a company even if it has changed its name and address.
	(the data importer”)
Clause 1. Definitions	For the purposes of the Clauses: (a)‘personal data', ‘special categories of data', ‘process/processing', ‘controller', ‘processor', ‘data subject' and ‘Commissioner' shall have the same meaning as in the UK GDPR;	A brief overview of these definitions are: “Personal data” Information relating to an identified or identifiable natural person. “Special categories of data” Personal data which relates to an individual's race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation. “Process/processing” In practice means anything which can be done to data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Controller” A natural or legal person which decides the purposes and means of processing data “Processor” A natural or legal person which is responsible for processing personal data on behalf of a controller

		Non-legally binding guidance
		“Data subject” The individual that personal data relates to. “The Commissioner” The Information Commissioner, as the UK's independent data protection authority, which we refer to as the ‘ICO'.
	(b) ‘the data exporter' means the controller who transfers the personal data;	This is the sender/exporter of the personal data, set out on page 1.
	(c) ‘the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system covered by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018;	This is the receiver/importer of the personal data, set out on page 3. The definition clarifies that the importer should not be in a country covered by UK “adequacy regulations”. These are UK regulations confirming that the legal framework in a country (or territory or sector) provides an adequate level of data protection for personal data. Currently, it includes all EEA countries and all countries (territories or sectors) covered by a European Commission “adequacy decision” You do not need to use the standard contractual clauses if the importer is covered by UK adequacy regulations.
	(d) ‘the sub-processor' means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;	This is a sub-contractor of the processor, to which the processor has delegated some of its personal data processing services.

Non-legally binding guidance

(e) ‘the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the UK;

“Applicable data protection law” means the data protection law of the UK which is the UK GDPR and the Data Protection Act 2018 ("DPA 2018").

(f) ‘technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

This definition is aligned with UK GDPR Art 32, which places obligations on both controllers and processors to keep personal data secure.

In brief, this requires security measures that involve policies, processes and people as well as technology. This usually means that:

You consider things like risk analysis, organisational policies and physical and technical measures.
You take into account additional requirements about the security of your processing.
You consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
Where appropriate, you should look to use measures such as pseudonymisation and encryption.
Your measures must ensure the confidentiality, integrity and availability of your systems and services and the personal data you process within them.

		Non-legally binding guidance
		The measures must also enable you to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident. You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures regularly (such as pen testing and testing application security), and undertake any required improvements.
Clause 2. Details of the transfer	The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.	You must fill in Appendix 1 with the details of the restricted transfer (see below). Clause 2 flags that if “special categories of personal data” are being transferred these should be set out, as they receive a higher standard of protection in data protection law.
Clause 3. Third-party beneficiary clause		Clause 3 sets out the rights of data subjects to enforce certain provisions in the standard contractual clauses against the importer and exporter. Data subjects do not sign up to the standard contractual clauses, but they can enforce compliance with particular clauses which are intended to benefit them. The clauses which can be enforced by a data subject are set out below. If a data subject wishes to bring a claim for non-compliance with the standard contractual clauses, it must first try to bring the claim against the exporter.

		Non-legally binding guidance
		If it is not possible to bring a claim against the exporter, the data subject can try to bring a claim against the importer (see Cl 3(2)) If it is not possible to bring a claim against the importer, the data subject can try to bring a claim against a sub-processor (if there is one) (see Cl 3(3)).
3(1)	The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.	Data subjects can enforce the clauses listed directly against the exporter.
		Data subject enforcement against: Exporter (if that is not possible:) Importer (if that is not possible:) Sub-processor
3(2)	The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.	Data subjects can enforce the clauses listed directly against the importer, but only where: the exporter has “factually disappeared” (for example, it is not contactable or traceable) OR it no longer legally exists (for example, it is a company which has been dissolved); and there is no entity which has taken over all of the exporter's obligations.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor

		Non-legally binding guidance
3(3)	The data subject can enforce against the sub- processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.	Data subjects can enforce the clauses set out listed directly against the sub-processor if: both the exporter and importer have either “factually disappeared” (for example, neither is contactable or traceable) OR no longer legally exist (for example: a company which has been dissolved); and there is no entity which has taken on all of the exporter's obligations.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
3(4)	The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.	This clause prevents the exporter and importer objecting to data subjects being represented by associations or other bodies (eg interest or campaign groups).
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
Clause 4. Obligations of the data exporter	The data exporter agrees and warrants:	Clause 4 sets out the general commitments which the exporter provides in relation to the data. These commitments are “warranties”, which are promises given in a contract.

		Non-legally binding guidance
		If the exporter does not comply with a warranty, this may lead to a claim from the importer for damages. If the exporter does not comply with certain obligations, this may lead to a claim from data subjects. We have shown below where a data subject can take such action in relation to a clause. These are also set out in Clause 3 above.
4(a)	that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the Commissioner) and does not violate the applicable data protection law;	The exporter of the data must make sure that it has complied with the UK GDPR and DPA 2018 (and all other UK laws which apply to it), in relation to its collection, use and transfer of the personal data being sent under the standard contractual clauses. The clause refers to notifying the ICO about processing activities. However, exporters in the UK no longer need to notify the ICO of their processing of personal data.
4(b)	that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;	The exporter must only instruct the importer to process the data on the exporter's behalf (i.e. for the purposes instructed by the exporter). The instructions must also be: in accordance with the UK GDPR and the DPA 2018; and in accordance with the standard contractual clauses. This means that the exporter cannot instruct the importer to do something which is not permitted by the UK GDPR and DPA 18, or by the standard contractual clauses.

		Non-legally binding guidance
		Data subject enforcement against: Exporter
4(c)	that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;	The exporter must ensure that the importer provides sufficient guarantees in relation to the security measures set out by the parties in Appendix 2. In practice, ensuring that the importer provides sufficient guarantees is likely to involve the exporter carrying out due diligence on the importer before it selects it as a processor. This might include: asking questions about the importer's data protection practices; reviewing its security measures; reviewing its internal data protection policies; and asking questions about any previous data security incidents.
4(c)		Data subject enforcement against: Exporter
4(d)	that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;	This clause requires the exporter to have assessed the importer's security measures, both technical and organisational (which includes policies, processes and people). The exporter must be satisfied that these security measures offer appropriate protection for the data being transferred, to protect it against it being destroyed, lost, altered or disclosed, or accessed by unauthorised persons.

		Non-legally binding guidance
		The UK GDPR and the standard contractual clauses do not set any specific mandatory security measures. It is for the exporter to assess what measures are appropriate in the circumstances, taking into account: the nature of the data; the nature of the technology used to process the data; the cost of implementing any particular measures; and the risks that could arise from any accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access to the personal data. The parties should keep the measures under review and be aware that they may need to change or update them over time as new technology becomes available, or if the risks of the processing change.
		Data subject enforcement against: Exporter
4(e)	that it will ensure compliance with the security measures;	This clause makes the exporter responsible for ensuring that the importer complies with the security measures set out in Appendix 2. This is an on-going obligation which lasts for the duration of the processing by the importer. This means that the exporter should take steps throughout the life of the contract to make

		Non-legally binding guidance
		sure that the importer is complying with the measures. This could be by asking questions to the importer or by audits of the importer on a regular basis (such as annually).
		Data subject enforcement against: Exporter
4(f)	that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not covered by adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 Data Protection Act 2018;	This clause only applies where special categories of data are transferred to the importer. In that case, the exporter must tell data subjects that their data has been transferred outside the UK to a country not covered by UK adequacy regulations.
		Data subject enforcement against: Exporter
4(g)	to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the Commissioner if the data exporter decides to continue the transfer or to lift the suspension;	This clause relates to circumstances in which the exporter has received one (or both) of the following notifications from the importer. A notification under clause 5(b): that the laws which apply to the importer have changed and this is likely to have a substantial adverse effect on the importer's obligations under the standard contractual clauses. A notification under clause 8(3): telling the exporter about any laws applicable to the importer which prevent an audit by the ICO of the importer or any sub-processor. If the exporter receives such a notification but still plans to continue the transfer of data to

		Non-legally binding guidance
		the importer or (if it has stopped transferring personal data) to lift a suspension, it must forward the notification to ICO). This is so that the ICO can decide whether to audit the importer to ensure that the personal data is adequately protected.
		Data subject enforcement against: Exporter
4(h)	to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;	The exporter must provide copies of the following documents/ information to data subjects who request them: the standard contractual clauses (excluding Appendix 2); a summary description of the security measures in Appendix 2; and any contract for sub- processing services which has to be made in accordance with the standard contractual clauses (see clause 11 below which covers using a sub-processor). The exporter can remove commercial information before disclosing the standard contractual clauses and any sub-processing contract to a data subject.
		Data subject enforcement: Exporter
4(i)	that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the	The exporter must make sure that: any sub-processing is carried out in

		Non-legally binding guidance
	rights of data subject as the data importer under the Clauses;	accordance with the requirements of clause 11; and any sub-processor provides at least the same level of data protection and rights of data subjects as the importer is required to provide under the standard contractual clauses.
		Data subject enforcement against: Exporter
4(j)	that it will ensure compliance with Clause 4(a) to (i).	This clause requires the exporter to ensure its own compliance with clauses 4(a) to 4(i), set out above. In practice, this means that the exporter will need to make sure its employees, contractors and agents comply with clauses 4(a) to 4(i).
Clause 5. Obligations of the data importer1	The data importer agrees and warrants:	Clause 5 sets out the general commitments which the importer gives in relation to the data. These commitments are “warranties”, which are promises given in a contract. If the importer does not comply with a warranty, this may lead to a claim from the exporter for damages against the importer.

1 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti- money-laundering reporting requirements.

		Non-legally binding guidance
		In addition, if the importer does not comply with certain obligations, this may lead to a claim from data subjects. We have indicated below where a data subject can take such action in relation to a clause. These are also set out in Clause 3 above. The obligations in Clause 5 are intended to make sure that the importer, who is not subject to the UK GDPR, provides at least the same level of protection for the personal data as required under the UK GDPR.
5(a)	to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;	The importer must process the data: only on behalf of the exporter; and in accordance with the exporter's instructions. If the importer cannot do this, it must promptly tell the exporter. Following this, the exporter can suspend the transfer of data to the importer and/or the exporter can terminate the contract.
5(a)		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(b)	that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as	This clause requires the importer to consider the laws that apply to it and whether any of those laws will prevent it from meeting the exporter's instructions and complying with its obligations under the standard contractual clauses.

		Non-legally binding guidance
	soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;	If any of the laws which apply to the importer change – and these changes are likely to have a substantial adverse effect on the promises and obligations set out in the standard contractual clauses – the importer must notify the exporter as soon as it becomes aware of the changes. A “substantial adverse effect” would be any legal requirement on the importer which might prevent the importer from complying with the standard contractual clauses. In these circumstances, the exporter can stop the transfer of data to the importer and/or terminate the contract.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(c)	that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;	The importer must put in place the security measures contained in Appendix 2 before it starts processing the data. This effectively means that the security measures must be place before the data is transferred to the importer. The UK GDPR or the standard contractual clauses do not set any mandatory security measures. It is for the exporter to assess what is appropriate in the circumstances. When deciding what security measures are appropriate, the receiver should think about the type of data (eg how sensitive it

		Non-legally binding guidance
		is), the type of processing carried out (eg how intrusive it is) and the likely harm which could come to data subjects if the data were lost, stolen or accessed by an unauthorised person. Further guidance: ICO: A Practical Guide to IT Security NCSC: Cyber Security: Small Business Guide NCSC: Cyber Essentials Scheme
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(d)	that it will promptly notify the data exporter about: any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; any accidental or unauthorised access; and any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;	The importer must promptly tell the exporter about: any legally binding request for disclosure of the personal data it receives from a law enforcement agency (unless it is prohibited by law from telling the exporter); any accidental, unlawful or unauthorised access to the data; and any request the importer receives directly from a data subject. The importer must not respond to a request from a data subject unless the exporter authorises it to do so.

		Non-legally binding guidance
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(e)	to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the Commissioner with regard to the processing of the data transferred;	The importer must respond promptly to any questions from the exporter about the importer's processing of the data. The importer must also follow the advice of the ICO about the processing of the personal data transferred, as the restricted transfer is from an exporter in the UK.
5(e)		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(f)	at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the Commissioner;	If the exporter requests, the importer must allow the exporter to carry out an audit of the facilities it uses to process the personal data transferred. Audits can be carried out by: the exporter itself; or third party auditors appointed by the exporter. These auditors must be independent and have appropriate professional qualifications. They must also be subject to confidentiality obligations in relation to the data.

		Non-legally binding guidance
		The appointment of third party auditors does not currently require agreement by the ICO.
5(g)	to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;	The importer must provide copies of the following documents/information to data subjects who request them: the standard contractual clauses (excluding Appendix 2); a summary description of the security measures in Appendix 2; and any existing contract for sub-processing. The importer can remove commercial information from the sub-processing contracts and the standard contractual clauses before disclosing them to a data subject.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(h)	that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;	The importer can only appoint sub-processors to process the personal data if it has told the exporter about this – and the exporter has consented in writing beforehand to this appointment. The authorisation required for appointing sub-processors should be set out in the main contract between the exporter and the importer (under UK GDPR rules on controller- processor contracts).
		Data subject enforcement: Exporter

		Non-legally binding guidance
		Importer Sub-processor
5(i)	that the processing services by the sub-processor will be carried out in accordance with Clause 11;	The importer must make sure that its sub-processors process the personal data in accordance with clause 11.
5(i)		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
5(j)	to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.	The importer must promptly provide to the exporter a copy of all sub-processing agreements it enters into under the standard contractual clauses.
5(j)		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
Clause 6. Liability		Clause 6 sets out which parties will be liable for breaches of the standard contractual clauses. It also sets out data subjects' rights to enforce compliance with the standard contractual clauses by both the exporter and importer.
6(1)	The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.	If a data subject suffers damage due to a breach of clauses 3 or 11 by any of the exporter, the importer or a sub- processor, the exporter is responsible in the first instance for compensating the data subject.

		Non-legally binding guidance
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
6(2)	If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.	As set out against clause 3, above, if there has been a breach of the clauses set out in clauses 3 or 11 by the exporter, importer or any sub-processor, the data subject should try to bring a claim against the exporter first. If the data subject cannot bring a claim against the exporter because the exporter has factually disappeared, no longer exists in law, or is insolvent, the data subject can bring a claim against the importer. This does not apply if a successor entity has taken on all the legal obligations of the exporter by contract or by operation of law. In that case, the data subject should bring a claim against the exporter's successor.
6(2)		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
6(3)	If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees	As set out in clause 3, if there has been a breach by a sub- processor of clause 3 or 11, the data subject should try to bring a claim first against the exporter and then the importer.

		Non-legally binding guidance
	that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.	This clause explains that: if the data subject cannot bring a claim against the exporter or the importer because they have factually disappeared, no longer exist in law or are insolvent, the sub-processor agrees that the data subject can bring a claim against it for the sub- processor's own breaches. This does not apply if a successor entity has taken on all the legal obligations of the exporter or importer by contract or operation of law. In this case, the data subject should bring a claim against the successor.
Clause 7. Mediation and jurisdiction		Clause 7 relates to circumstances in which a data subject can bring a claim against the importer for breach of the standard contractual clauses.
7(1)	The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: to refer the dispute to mediation, by an independent person or, where applicable, by the Commissioner; to refer the dispute to the UK courts.	If a data subject decides to bring a claim against the importer for breach of the standard contractual clauses, the data subject can choose to either: refer disputes to mediation by an independent person or the ICO; or bring a claim in the courts of the UK. The importer must accept the data subject's decision.
7(1)		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor

		Non-legally binding guidance
7(2)	The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.	This is an acknowledgement by the exporter and importer that: regardless of whether the data subject chooses mediation or a court action, the data subject can still take advantage of any other remedies which are available to them under national or international law.
		Data subject enforcement: Exporter Importer Sub-processor
Clause 8. Cooperation with supervisory authorities	The data exporter agrees to deposit a copy of this contract with the Commissioner if it so requests or if such deposit is required under the applicable data protection law.	The exporter must give a copy of the standard contractual clauses to the ICO if the ICO requests it (or if it is required under applicable data protection law).
8(2)	The parties agree that the Commissioner has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.	The ICO can audit the importer and any sub-processor, in the same way as it could audit the exporter.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
8(3)	The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).	The importer must tell the exporter about any laws which apply to the importer or any of its sub-processors which would prevent the importer/sub- processor from being audited by the ICO. If there are such laws, the exporter can suspend the transfer of data to the importer and/or terminate the contract.

		Non-legally binding guidance
Clause 9. Governing law	The Clauses shall be governed by the law of the country of the United Kingdom in which the data exporter is established, namely the country specified as the Teacher's location in the Teacher Contract.	The standard contractual clauses are governed by the law of the UK country of the exporter. ACTION: Fill out this section with the law of the UK where the exporter is established. i.e. choose one of "England and Wales", “Scotland” or “Northern Ireland”.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
Clause 10. Variation of the contract	The parties undertake not to vary or modify the Clauses. This does not preclude the parties from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection Act 2018; or (ii) adding clauses on business related issues where required as long as they do not contradict the Clause.	The parties must not amend the standard contractual clauses although: they must fill in the Appendices and governing law in clauses 9 and 11; they may make changes which are only to make the Clauses make sense in a UK context (as permitted by Paragraph 7(3) & (4) of Schedule 21 DPA 2018). - they may add commercial clauses which don't contradict the standard contractual clauses.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
		This clause covers the use of sub-processors by the importer.

		Non-legally binding guidance
Clause 11. Sub- processing		A sub-processor is a processor engaged by the importer to carry out processing activities on behalf of the exporter.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
11(1)	The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub- processor's obligations under such agreement.	The importer can only use a sub-processor if the exporter agrees to this in writing beforehand. There should be rules in the main controller-processor contract regarding how the importer appoints a sub- processor, to meet the requirements of the UK GDPR. If the importer uses a sub- processor, it must enter into a written agreement with the sub- processor. This written agreement must include the same obligations for the sub- processor as those which apply to the importer under the standard contractual clauses. In practice, many importers meet this requirement by having the sub-processor co- sign the standard contractual clauses between the exporter and the importer. Alternatively, many importers meet this requirement by entering into a duplicate with the sub-processor (i.e. entering into a copy of the same standard contractual clauses as the importer and exporter have signed).

		Non-legally binding guidance
		If a sub-processor does not comply with its equivalent contractual obligations, the importer remains liable to the exporter for this. It is therefore in the importer's interests to choose its sub-processors carefully.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
11(2)	The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.	The contract between the importer and the sub-processor must include rights for data subjects to bring claims against the sub-processor if: both the exporter and importer no longer exist in law (eg a company which has been dissolved), have factually disappeared (for example, they are uncontactable or traceable) or are insolvent; and no entity has taken on all of the exporter's obligations (in which case the data subject may bring action against that successor entity). Claims by data subjects against a sub-processor are limited to damages caused by sub- processor's own processing activities.
		Data subject enforcement against: Exporter If that is not possible:

		Non-legally binding guidance
		Importer If that is not possible: Sub-processor
11(3)	The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the laws of the country of the UK where the exporter is established.	The agreement between the importer and the sub-processor must be governed by the same law as the standard contractual clauses, set out in Clause 9 above.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
11(4)	The data exporter shall keep a list of sub- processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Commissioner.	The exporter must keep a list of sub-processing agreements which the importer has: entered into in relation to the data which is being transferred under the standard contractual clauses; and has told the exporter about. The exporter must update this list at least once a year. The exporter must provide this to the ICO if the ICO requests it.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
Clause 12. Obligation		Clause 12 sets out obligations under the standard contractual clauses which the parties must

		Non-legally binding guidance
after termination		still comply with even after the contract has ended, and the importer is no longer providing the data processing services.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
12(1)	The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.	On termination of the data processing services, the importer and all sub-processors must either return all the personal data to the exporter or destroy it. It is up to the exporter to choose whether the data should be returned or destroyed. If the exporter chooses for the importer and sub-processors to destroy the data, the importer and sub-processors must confirm in writing to the exporter that they have done this. If laws which apply to the importer/sub-processor mean that they cannot destroy or return the data, they must keep the data confidential and not process it in any other way. The importer is responsible for making sure its sub-processors do this.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor

		Non-legally binding guidance
12(2)	The data importer and the sub-processor warrant that upon request of the data exporter and/or of the Commissioner, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.	The exporter can audit the importer and the sub-processor to check that they have destroyed the personal data and/or kept it confidential after its processing activity for the exporter has come to an end. The ICO can also audit the importer and the sub-processor to check that they have destroyed this data after its processing activity for the exporter has come to an end.
		Data subject enforcement against: Exporter If that is not possible: Importer If that is not possible: Sub-processor
Priority of standard contractual clauses	Please click in the box if you wish to include the following optional clause: Include The Standard Contractual Clauses take priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into. Unless the Clauses are expressly referred to and expressly amended, the parties do not intend that any other agreement entered into by the parties, before or after the date the Clauses are entered into, will amend the terms or the effects of the Clauses, or limit any liability under the Clauses, and no term of any such other agreement should be read or interpreted as having that effect.	This clause is provided as it may also be helpful to you. Please review it carefully and only include it if you think it is appropriate for your circumstances. The intended effect of the clause is to make sure that you and the other party do not inadvertently amend the standard contractual clauses or limit your liability. If you did, then you would risk not being able to rely on the standard contractual clauses for compliance with the UK GDPR rules on restricted transfers. The clause allows you the freedom to amend the standard contractual clauses, but only if you expressly refer to them. If you are going to amend the standard contractual clauses, we would always recommend

		Non-legally binding guidance
		you seek professional legal advice. Any amendment runs the risk that the standard contractual clauses will not comply with the UK GDPR rules on restricted transfers.

On behalf of the data exporter: Name (written out in full): The contact details associated with the Teacher's account, or as otherwise specified in the Teacher Contract. Position: As above. Address: As above. Other information necessary in order for the contract to be binding (if any): Click here to enter text. Signature: By creating a Teach Platform account subject to the Teacher Contract, the data exporter will be deemed to have signed these UK SCCs.		ACTION: The exporter should fill in this section with the: Full name of the person signing. This must be a person who is authorised to enter into contracts on behalf of the exporter. Their position. Their business addresses. And sign where indicated.
On behalf of the data importer: Name (written out in full): James Watts Position: CEO Address: Office 1006,10th floor, single Business Tower, Shaikh Zayed Road, Dubai, UAE Other information necessary in order for the contract to be binding (if any): Signature:		ACTION: The importer should fill in this section with the: Full name of the person signing. This must be a person who is authorised to enter into contracts on behalf of the importer. Their position. Their business addresses. And sign where indicated.
Date of the Standard Contractual Clauses: The date of the Teacher Contract (being the date of deemed signature).		Do not date the standard contractual clauses until both

Non-legally binding guidance

the exporter and importer have signed.

It can be the date of the last signature, or a later date if that is agreed by the exporter and importer.

		Non-legally binding guidance
Appendix 1
This Appendix forms part of the Clauses and must be completed and signed by the parties.		ACTION: This Appendix must be appropriately completed for the standard contractual clauses to be an appropriate safeguard and allow restricted transfers of personal data under the UK GDPR. Currently, the UK does not require any additional information to be included in the Appendix. Instructions for using the checklists: To help you completing this Appendix, we have provided optional checklists. These are just suggestions. You do not need to use the checklists at all. You can also amend the contents of any category, as you consider best reflects the international transfer of personal data, including to add specific details. If you do not fit into any of these types, you may add your own description at the end of the checklist.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer): Please select one option:		ACTION: Set out the exporter's type of business and its activities relevant to the restricted transfer.
Option 1: The data exporter is (please specify briefly your activities relevant to the transfer): an educational course provider which is based in the UK or is subject to the extra-territorial effect of UK GDPR. The data exporter sells and distributes its course material, and hosts its community hub, via the data importer's SaaS platform. Option 2: The following checklist and other details set out, in brief, what the data exporter is and its activities relevant to the transfer: The data exporter's business or organisation type is:		You have two options: Option 1. You may set this out in your own words. As a suggestion, you could use the following form: The data exporter is: insert description of importer.
Central government

Non-legally binding guidance

Charitable and voluntary
Education and childcare
Finance, insurance and credit
General business
Health
IT, digital, technology and telecoms
Justice and policing
Land and property services
Legal and professional advisers
Local government
Marketing and research
Media
Membership association
Political
Regulators
Religious
Research
Retail and manufacture
Social care
Trade, employer associations, and professional bodies
Traders in personal data
Transport and leisure
Utilities and natural resources
Other – Please add details:
The data exporter is using the personal data which is being transferred for the following purposes or activities:
The data exporter is using the personal data which is being transferred for the following purposes or activities:
Standard business activities, which apply to most businesses and organisations
Staff administration, including permanent and temporary staff, including appointment or removals, pay, discipline; superannuation, work management, and other personnel matters in relation to the data exporter's staff.

Advertising, marketing and public relations of the data exporter's own business or activity, goods or services.

The data exporter's activities which are relevant to the restricted transfer are: add activities.

For example:

"The data exporter is a UK- based supplier of home office equipment and is contracting with the importer for it to provide a software solution for managing the exporter's customer database".

You should also have a controller-processor contract in place. If so, you may be able to re-use a description of the exporter's activities as set out in that contract.

Option 2: you may find it easier to use the checklists provided.

Instructions:

Step 1: Think about the exporter's type of business or organisation and click in the box next to the appropriate category, making any appropriate amendments or adding specific detail.

Step 2: Think about why the exporter is using the personal data to be transferred and why it is making the transfer. Click in the box next to all of the activities which apply, making appropriate amendments or adding specific details. You can click “other” and add your own description at the end.

Non-legally binding guidance

Accounts and records, including
- keeping accounts relating to the data exporter's business or activity;
- deciding whether to accept any person or organisation as a customer;
- keeping records of purchases, sales or other transactions, including payments, deliveries or services provided by the data exporter or to the data exporter;
- keeping customer records
- records for making ﬁnancial or management forecasts; and
- other general record keeping and information management. Other activities:

Accounting and auditing services
Administration of justice, including internal administration and management of courts of law, or tribunals and discharge of court business.
Administration of membership or supporter records.
Advertising, marketing and public relations for others, including public relations work, advertising and marketing, host mailings for other organisations, and list broking.
Assessment and collection of taxes, duties, levies and other revenue
Beneﬁts, welfare, grants and loans administration
Canvassing, seeking and maintaining political support amongst the electorate.
Constituency casework on behalf of individual constituents by elected representatives.
Consultancy and advisory services, including giving advice or rendering professional services, and the provision of services of an advisory, consultancy or intermediary nature.
Credit referencing, including the provision of information by credit reference agencies relating to the ﬁnancial status of individuals or organisations on behalf of other organisations
Data analytics, including profiling
Debt administration and factoring, including the tracing of consumer and commercial debtors and the collection on behalf of creditors, and the purchasing of consumer or trade debts from business, including rentals and instalment credit payments.
Education, including the provision of education or training as a primary function or as a business activity.

Non-legally binding guidance

Financial services and advice including the provision of services as an intermediary in respect of any ﬁnancial transactions including mortgage and insurance broking
Fundraising in support of the objectives of the data exporter
Health administration and services, including the provision and administration of patient care.
Information and databank administration, including the maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.
Insurance administration including the administration of life, health, pensions, property, motor and other insurance business by an insurance firm, an insurance intermediary or consultant
IT, digital, technology or telecom services, including use of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software
Journalism and media, including the processing of journalistic, literary or artistic material made or intended to be made available to the public or any section of the public.
Legal services, including advising and acting on behalf of clients.
Licensing and registration, including the administration of licensing
or maintenance of ofﬁcial registers.
Not-for-proﬁt organisations' activities, including
- establishing or maintaining membership of or support for a not-for-profit body or association, and
- providing or administering activities for individuals who are either members of the not-for-profit body or association or have regular contact with it.
Pastoral care, including the administration of pastoral care by a vicar or other minister of religion.
Pensions administration, including the administration of funded pensions or superannuation schemes.
Procurement, including deciding whether to accept any person or organisation as a supplier, and the administration of contracts, performance measures and other records.
Private investigation, including the provision on a commercial basis of investigatory services according to instruction given by clients
Property management, including the management and administration of land, property and residential property, and the estate management of other organisations.

	Non-legally binding guidance
Realising the objectives of a charitable organisation or voluntary body, including the provision of goods and services in order to realise the objectives of the charity or voluntary body. Research in any ﬁeld, including market, health, lifestyle, scientiﬁc or technical research. Security of people and property, including using CCTV systems for this purpose. Trading/sharing in personal information, including the sale, hire, exchange or disclosure of personal information to third parties in return for goods/services/beneﬁts. Other activities (please provide details):
Data importer
The data importer is (please specify briefly your activities relevant to the transfer): Please select one option: Option 1: The data importer is (please specify briefly your activities relevant to the transfer): the provider of the Teach.io SaaS platform which allows the data exporter to host its educational course content and community hub space and facilitates the collection and management of paid-for subscriptions with the data exporter's customers (Students). Option 2: The following checklist and other details set out, in brief, what the data importer is and its activities relevant to the transfer: The data importer's business or organisation type is: Central government Charitable and voluntary Education and childcare Finance, insurance and credit General business Health IT, digital, technology and telecoms Justice and policing Land and property services Legal and professional advisers	ACTION: Set out the importer's type of business and its activities relevant to the restricted transfer. You have two options: Option 1. You may set this out in your own words. As a suggestion, you could use the following form: The data importer is: insert description of importer. The data importer's activities which are relevant to the restricted transfer are: add activities. For example: "The data importer is a US- based supplier of software solutions. It is supplying a software package to the exporter and will host the importer's customer data on its servers in the US." You should also have a controller-processor contract in place. If so, you may be able to re-use a description of the importer's activities as set out in that contract.

Non-legally binding guidance

Local government
Marketing and research
Media
Membership association
Political
Regulators
Religious
Research
Retail and manufacture
Social care
Trade, employer associations, and professional bodies
Traders in personal data
Transport and leisure
Utilities and natural resources
Other – Please add details: activities

The data importer's activities for the data exporter, which are relevant to the transfer are:

Accounts and records services, including
- keeping accounts;
- deciding whether to accept any person or organisation as a customer
- keeping records of purchases, sales or other transactions, including payments, deliveries or services provided by the data exporter or to the data exporter;
- records for making ﬁnancial or management forecasts
- other general records and information management services.

Administration services relating to membership or supporter records.
Advertising, marketing, and public relations services.
Auditing services
Facilities management services, including cleaning, catering, reception, security, maintenance, gardening, events management, business travel, meetings, vehicle hire, copying, printing and post services.
Beneﬁts, grants and loans administration services.
Consultancy and general advisory services.

Option 2: you may find it easier to use the checklists provided.

Instructions:

Step 1: Think about the importer's type of business or organisation and click in the box next to the appropriate category, making appropriate amendments or adding specific detail.

Step 2: Think about why the data importer is using the personal data to be transferred. Click in the box next to all of the activities which apply, making appropriate amendments or adding specific details. You can click “other” and add your own description at the end.

Non-legally binding guidance

Debt administration and factoring services, including the tracing of consumer and commercial debtors and the collection on behalf of creditors.
Education or training services.
Financial services administration and advice services including the provision of services as an intermediary in respect of any ﬁnancial transactions including mortgage and insurance broking.
Fundraising services.
Health administration and health services, including the provision and administration of patient care.
Information and databank administration, including the maintenance of information or databanks as a reference tool or general resource. This includes catalogues, lists, directories and bibliographic databases.
Insurance administration including the administration of life, health, pensions, property, motor and other insurance business.

IT, digital, technology or telecom services, including provision of technology products or services, telecoms and network services, digital services, hosting, cloud and support services or software licensing

Legal administration and legal support services.
Licensing and registration services, including the administration of
licensing or maintenance of ofﬁcial registers.
Media services.
Pensions administration, including the administration of funded pensions or superannuation schemes.
Property management services, including the management and administration of land, property and residential property, and the estate management of other organisations.
Procurement services, including deciding whether to accept any person or organisation as a supplier, and the administration of contracts, performance measures and other records.
Provision of temporary and agency staff.
Research and development services, including market, health,
lifestyle, scientiﬁc or technical research.
Services in relation to the assessment and collection of taxes, duties, levies and other revenue.
Services in relation to trading/sharing in personal information, including the sale, hire, exchange or disclosure of personal information to third parties in return for goods/services/beneﬁts.
Staff administration services, including appointment or removals, pay, discipline; superannuation, training, employee benefits, work management, and other personnel matters in relation to the data exporter's staff.

	Non-legally binding guidance
Other services (please provide a description):
Data subjects
The personal data transferred concern the following categories of data subjects (please specify): Each category includes current, past and prospective data subjects. Where any of the following is itself a business or organisation, it includes their staff. staff including volunteers, agents, temporary and casual workers customers and clients (including their staff) suppliers (including their staff) members or supporters shareholders relatives, guardians and associates of the data subject complainants, correspondents and enquirers; experts and witnesses advisers, consultants and other professional experts patients students and pupils offenders and suspected offenders other (please provide details of other categories of data subjects):	ACTION: The parties should list the categories of data subject. Instructions: Think about who the personal data being transferred is about, and click in the box next to all of the categories of data subjects which are included in the personal data being transferred. You may make appropriate amendments or add specific details to any of the categories or click “other” and add your own categories at the end.
Categories of data
The personal data transferred concern the following categories of data (please specify): The following is a list of standard descriptions of categories of data: Personal details, including any information that identiﬁes the data subject and their personal characteristics, including: name, address, contact details, age, date of birth, sex, and physical description. Personal details issued as an identifier by a public authority, including passport details, national insurance numbers, identity card numbers, driving licence details. Family, lifestyle and social circumstances, including any information relating to the family of the data subject and the data subject's lifestyle and social circumstances, including current marriage and partnerships, marital history, details of family and other household members, habits, housing, travel details, leisure activities, and membership of charitable or voluntary organisations.	ACTION: The parties should list the categories of personal data being transferred. Instructions: Think about what the personal data being transferred is about and click in the box next to all of the categories of personal data which are being transferred You may make appropriate amendments or add specific details to any of the categories, or click “other” and add your own categories at the end.

	Non-legally binding guidance
Education and training details, including information which relates to the education and any professional training of the data subject, including academic records, qualiﬁcations, skills, training records, professional expertise, student and pupil records. Employment details, including information relating to the employment of the data subject, including employment and career history, recruitment and termination details, attendance records, health and safety records, performance appraisals, training records, and security records. Financial details, including information relating to the ﬁnancial affairs of the data subject, including income, salary, assets and investments, payments, creditworthiness, loans, beneﬁts, grants, insurance details, and pension information. Goods or services provided and related information, including details of the goods or services supplied, licences issued, and contracts. Personal data relating to criminal convictions and offences Other (please provide details of other data subjects):
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): Personal data which is on, which reveals, or which concerns: racial or ethnic origin political opinions religious or philosophical beliefs trade union membership genetic data biometric data (if used to identify a natural person) health sex life or sexual orientation criminal convictions and offences none of the above	ACTION: Include a list of any of the special categories of data which are being transferred: For completeness, and to ensure the Clauses work under the UK GDPR, we have included the new special categories of data added by the UK GDPR and criminal convictions and offences data. Instructions: Think about the set of personal data being transferred and click in the box next to any of the special categories of data or criminal records and convictions data, which are included.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): Receiving data, including collection, accessing, retrieval, recording, and data entry	ACTION: List the processing activities which may be carried out. Instructions: Think about how the data importer will be using

Non-legally binding guidance

Holding data, including storage, organisation and structuring

Using data, including analysing, consultation, testing, automated decision making and profiling

Updating data, including correcting, adaptation, alteration, alignment and combination
Protecting data, including restricting, encrypting, and security testing

Sharing data, including disclosure, dissemination, allowing access or otherwise making available

Returning data to the data exporter or data subject
Erasing data, including destruction and deletion

Other (please provide details of other types of processing):

and handling the set of personal data transferred to it, and click in the box next to all of the processing activities which apply.

You may make appropriate amendments or add specific details to any of the categories, or click “other” and add your own categories at the end.

DATA EXPORTER Name: By creating a Teach Platform account subject to the Teacher Contract, the data exporter will be deemed to have signed this Annex 1. Authorised Signature N/A	ACTION: The exporter should fill in this section with the: Full name of the person signing. This must be the same person throughout the document.
	Their position.
	Their business addresses.
	And sign where indicated.

DATA IMPORTER Name: James Watts Authorised Signature	ACTION: The importer should fill in this section with the:
	Full name of the person signing. This must be the same person throughout the document.
	Their position.
	Their business addresses.
	And sign where indicated.

Appendix 2

Non-legally binding guidance

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please click in a box to select one option:

Option 1: Please refer to the description of the importer's security measures set out in the Data Protection Annex of the Teacher Contract.

Option 2: The following is the description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Option 3: The following checklist and supplementary details set out the description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5 (c):
We use firewalls to protect our internet connection This will be your first line of defence against an intrusion from the internet.
Supplementary details of firewalls used (add any relevant details):
We choose the most appropriate secure settings for our devices and software Most hardware and software will need some level of set-up and configuration in order to provide effective protection.
Supplementary details of security settings used (add any relevant details):
We control who has access to your data and services Restrict access to your system to users and sources you trust.
Supplementary details of how access to your system is controlled (add any relevant details):
We protect ourselves from viruses and other malware? Anti- virus products can regularly scan your network to prevent or detect threats.

Supplementary details of antivirus and malware protection used (add any relevant details):

ACTION: The parties should fill in Appendix 2 with details of the security measures which the importer will provide for the transferred data.

You should also have a controller-processor contract in place, this is often the main service contract you have between you. If so, you may refer to or re-use the importer's security measures set out in that contract.

There are 3 main options for completing this Appendix.

Option 1: simply add in the name and date of the main service contract, to refer to the description of the importer's security measures contained in that agreement.

Option 2: insert your description of the importer's security measures there. You may choose to copy all or part of this from the main service contract.

Option 3: complete the checklist, adding in additional details which are relevant.

Instructions:

The checklist includes the baseline security measures that any business (small or large) should implement to protect its data/systems.

It is unlikely to be appropriate if the data importer is providing IT, digital, technology or telecom processor services.

This checklist for use where the transfer to the data importer and its processing of the personal data does not cause a

Appendix 2		Non-legally binding guidance
We keep our software and devices up-to-date Hardware and software needs regular updates to fix bugs and security vulnerabilities. Supplementary details of how software and devices are kept up to date (add any relevant details, including details of the software packages, cloud services and devices you use in processing the personal data transferred, and how you keep those updated):		particularly high risk to the rights of individuals. For example, where the personal data transferred is: not special category data;
We regularly backup our data Regular backups of your most important data will ensure it can be quickly restored in the event of disaster or ransomware infection. Supplementary details of how data is backed up (add any relevant details):		not criminal convictions and offences data; not personal details issued as an identifier by a public authority; not bank account, credit card or other payment data; and
		not a large volume of data.
		Consider each statement, and the relevant guidance set out below, and click in the box next to those statements which apply.
		Add supplementary notes to provide any further relevant detail of those security measures.
		Further guidance:
		A Practical Guide to IT Security
		Cyber Security: Small Business Guide
		Cyber Essentials Scheme

DATA EXPORTER

Name: By creating a Teach Platform account subject to the Teacher Contract, the data exporter will be deemed to have signed this Annex 1.

Authorised Signature N/A

ACTION: The exporter should fill in this section with the:

Full name of the person signing. This must be the same person throughout the document.

And sign where indicated.

ACTION: The importer should fill in this section with the:

DATA IMPORTER

Name: James Watts

Authorised Signature

ACTION: The importer should fill in this section with the:

Full name of the person signing. This must be the same person throughout the document.

And sign where indicated