Data Processing Agreement

GCSE Classroom Ltd

This Data Processing Agreement (“Agreement”) is between GCSE Classroom Ltd (“Data Processor”) and schools or individuals who choose to use the platform (“Users”). Throughout this Agreement, organisations (usually schools) will be referred to as “Schools,” but this term also applies to individual users where relevant.


1. Introduction and Scope

This Agreement outlines how GCSE Classroom Ltd processes personal data on behalf of Schools in accordance with applicable data protection laws, including the UK GDPR, the Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR). This Agreement applies to the processing of personal data relating to:

  • Teacher names and email addresses
  • Pupil names and email addresses
  • Assessment data such as quiz answers and exam question responses

2. Roles and Responsibilities

  • Schools act as the Data Controller.
  • GCSE Classroom Ltd acts as the Data Processor.
  • Schools instruct GCSE Classroom Ltd to process personal data for the purpose of providing its educational platform and services.

3. Obligations of the Data Processor

GCSE Classroom Ltd shall:

  • Process Personal Data only on documented instructions from Schools.
  • Implement appropriate technical and organisational measures to ensure data security, in accordance with Article 32 of the GDPR.
  • Ensure all employees and contractors with access to Personal Data are bound by confidentiality obligations.
  • Assist Schools in responding to data subject requests (e.g., access, rectification, deletion, portability, or restriction requests) in accordance with GDPR requirements.
  • Maintain an internal data protection policy and conduct regular security audits to ensure ongoing compliance.

4. Use of Subprocessors

GCSE Classroom Ltd engages third-party service providers (“Subprocessors”) to support its services, ensuring that they meet GDPR compliance requirements. All Subprocessors implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA) for transfers outside the UK/EEA.

A list of subprocessors is available upon request.


5. Data Retention and Deletion

GCSE Classroom Ltd will:

  • Retain data for 30 days following membership expiry, after which it will be securely deleted.
  • Delete data promptly upon request (e.g., when a class of pupils no longer requires access).
  • Ensure backups are securely managed and deleted in line with the above policy.

Schools may also request a copy of stored data before deletion.


6. Data Breaches

In the event of a data breach affecting School Personal Data, GCSE Classroom Ltd will:

  • Notify Schools without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  • Provide sufficient information to support Schools in meeting their regulatory obligations.
  • Cooperate fully in investigating and resolving the breach.
  • Implement necessary corrective measures to prevent future breaches.

7. Data Transfer Safeguards

Where data is transferred outside the UK/EEA, GCSE Classroom Ltd ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA)
  • Data encryption and secure transfer protocols

8. Audit Rights

Upon request, GCSE Classroom Ltd will provide Schools with information necessary to demonstrate compliance with this Agreement. Where required, Schools may request an independent audit to verify compliance with GDPR obligations.


9. Contact for Data Protection Inquiries

For data protection inquiries or concerns, Schools may contact GCSE Classroom Ltd directly:

📧 support@thepeclassroom.com


10. Governing Law

This Agreement is governed by and construed in accordance with the laws of England and Wales. Any disputes shall be submitted to the exclusive jurisdiction of the UK courts.


📞 01789 569013