Data Sharing Agreement

This Data Sharing Agreement (“DSA”) is a part of the Explore Terms and Conditions (“Terms”) and should be read in line with those Terms. This DSA governs the sharing of personal data between Explore and the Customer.

1. DEFINITIONS & INTERPRETATION

“Agreed Purpose” shall have the meaning ascribed to it under Clause 2 of this DSA.


“Business Day” shall mean a day other than a Saturday, Sunday, or public holiday in England when banks in London are open for business.


“Data Protection Legislation” shall mean all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (UK GDPR); the Data Protection Act 2018 (DPA 2018); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; any other UK legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications), and the guidance and codes of practice issued by the relevant data protection or supervisory authority applicable to a party.


“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.


“Shared Personal Data” shall mean the personal data to be shared between the parties as identified in Clause 2.1 of this DSA.


“Subject Access Request” shall mean the exercise by a Data Subject of their rights under Article 15 of the UK GDPR and the DPA 2018.


“Supervisory Authority” shall mean the relevant supervisory authority in the territories where the parties to this DSA are established. In the case of the UK, the Information Commissioner.


“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “appropriate technical and organisational measures” shall have the meanings given to them in the Data Protection Legislation.


Clause, schedule, annexure, and paragraph headings shall not affect the interpretation of this DSA.


This DSA forms part of the Terms and shall have effect as if set out in full in the body of the Terms. Any capitalised words not defined in the DSA shall have the meaning ascribed to them in the Terms.


A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.


Unless the context otherwise requires, any reference to European Union law that is directly applicable or directly effective in the UK at any time is a reference to it as it applied in England and Wales from time to time including as retained, amended, extended or re-enacted or otherwise given effect after 11 PM on January 31, 2020.


A reference to writing or written includes email.


2. SHARED PERSONAL DATA & AGREED PURPOSE

2.1 This DSA sets out the framework for the sharing of the Shared Personal Data between Explore and the Customer as Data Controllers. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other. The parties agree that the sharing of the Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.

2.2 The following categories of Personal Data shall be shared between the parties during the Term in respect of a prospective student or Qualifying Student:

  • a. Full name
  • b. Date of birth
  • c. Domicile and Citizenship
  • d. Target School name
  • e. Course title and code
  • f. Application status
  • g. Tuition fee and fee status
  • h. School unique identifier (UCAS / CEEB code)
  • i. Email address
  • j. Direct marketing consent
  • k. Graduating year
  • l. Contact number
  • m. Subject preferences
  • n. University interests
  • o. Curriculum and grades

2.3 The parties agree to only process the Shared Personal Data for the following purposes (the “Agreed Purposes”):

  • a. Delivering and optimising the Explore Services in accordance with the Terms;
  • b. Attribution of students who have applied to or matriculated to the Customer from an Explore Target School;
  • c. Supporting prospective students’ applications and enrolment to a course offered by the Customer; and
  • d. Sending of direct marketing communications, including but not limited to emails, telephone calls, and SMS messages to consenting Explore students about educational programs, student services, and related opportunities.

2.4 The parties shall not process Shared Personal Data in a way that is incompatible with the Agreed Purpose. For the avoidance of doubt, the Customer agrees that it will not use any Shared Personal Data provided by Explore in any internal or external marketing or sales activities, with the exception of direct marketing to consenting Explore students as defined in the Agreed Purpose.

3. LAWFUL, FAIR & TRANSPARENT PROCESSING

3.1 The parties shall ensure that they process the Shared Personal Data fairly and lawfully in accordance with this DSA.

3.2 Each party shall ensure that it has identified a legal basis under the Data Protection Legislation for the processing of Shared Personal Data, having particular regard that the Shared Personal Data may belong to a minor.

3.3 Each party undertakes to provide all necessary notices to and obtain any necessary consents from Data Subjects and where applicable consents from any parent or legal guardian, to enable each of them to process the Shared Personal Data, including to ensure that such notices and consents (where applicable) are appropriate for minors, and disclose the Shared Personal Data to the other party, where necessary, for the purposes of the DSA.

4. DATA SUBJECTS’ RIGHTS

4.1 The parties each agree to provide such assistance as is reasonably required to enable the other Party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.

4.2 Each party is responsible for maintaining a record of individual requests for information and the decisions made regarding any information that was exchanged.

5. DATA RETENTION

5.1 Each party shall retain the Shared Personal Data for the periods specified in its own data retention policies and to the extent necessary:

  • a. to comply with its legal or regulatory obligations;
  • b. for the establishment, exercise or defence of legal claims; and/or
  • c. for any other purposes permitted by the Data Protection Legislation.

6. TRANSFERS

6.1 Neither party may transfer the Shared Personal Data to a third party located outside the UK or EEA unless it:

  • a. complies with the provisions of Article 26 of the UK GDPR (in the event the third party is a joint controller); or
  • b. ensures that:
    • i. the transfer is to a country approved by the Supervisory Authority as providing adequate protection pursuant to Article 45 of the UK GDPR;
    • ii. there are appropriate safeguards in place pursuant to Article 46 of the UK GDPR including Module Two (Controller to Controller) of the EU SCCs as amended by the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”) which are deemed entered into (and incorporated into this Data Sharing Agreement by this reference); or
    • iii. one of the derogations for the specific situations in Article 49 of the UK GDPR applies to the transfer.

7. SECURITY & TRAINING

7.1 The parties shall share the Shared Personal Data using the secure technical and organisational measures as set out in clause 12.

7.2 Customer shall act dutifully and in good faith, and provide to Explore all current and accurate information, documentation, and Customer Materials requested by Explore for the performance of the Explore Services.

7.3 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures and have due regard for the nature of the Shared Personal Data which may include Personal Data belonging to a minor, together with any other applicable Data Protection Legislation and guidance.

7.4 The level, content, and regularity of training referred to in clause 7.3 shall be proportionate to the staff members’ role, responsibility, and frequency with respect to their handling and processing of the Shared Personal Data.

8. PERSONAL DATA BREACHES AND REPORTING PROCEDURES

8.1 Having considered the Data Protection Legislation and guidance, the parties have in place their own guidance that must be followed in the event of a Data Security Breach.

8.2 The parties are under a strict obligation to notify any potential or actual losses of the Shared Personal Data to the other party without undue delay and, in any event, within twenty-four (24) hours of identification of any potential or actual loss, to enable the parties to consider what action is required in order to resolve the issue in accordance with the applicable Data Protection Legislation and guidance.

8.3 Each party agrees to provide such assistance as the other may reasonably request to facilitate the handling of any Data Security Breach in an expeditious and legally compliant manner.

9. REVIEW

9.1 The parties may review the effectiveness of this DSA and may agree to amend this DSA pending the outcome of such review.

9.2 If during the Term, the Data Protection Legislation changes in a way that this DSA is no longer adequate for the purpose of governing the lawful data sharing exercises, the parties agree to negotiate in good faith to review this DSA.

10. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR THE SUPERVISORY AUTHORITY

10.1 In the event of a dispute or claim brought by a Data Subject or the Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims and will cooperate with a view to settling them amicably in a timely fashion.

10.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings developed for data protection disputes.

11. REPRESENTATIVES

Explore shall notify the Customer contact specified in the Order Form in respect of any matter arising under this DSA. The Explore representative for any matters arising under this DSA shall be as set out below:

Attn: Data Protection Officer
UK Representative Address: 145 City Road, London, England, EC1V 1AZ
EU Representative Address: 145 City Road, London, England, EC1V 1AZ
Email: dpo@explore.study

12. TECHNICAL & ORGANISATIONAL MEASURES

Explore requires all partners and suppliers to comply with the Data Protection Legislation and establish the technical and organisational measures to ensure an appropriate level of security. In particular, where the personal data of minors may be shared between Explore and Customers, then particular care should be taken with the security measures and, where applicable, the appropriate consents must be obtained.

Where the parties share information in accordance with these Terms, in particular, where that information may include the personal data of minors, the parties agree to use a secure file-sharing service. The secure file sharing will be one of Google Drive, Microsoft OneDrive, pCloud, or WeTransfer, or a similarly secure service as agreed at the time. The secure files will be one of Google Sheets, CSV or PDF files. The secure file sharing service will, as a minimum, provide:

  • a. Industry standard encryption of both storage and file transfer (at-rest and in-transit)
  • b. Access limited to named individuals (email addresses)
  • c. Named users must authenticate their email address (this ensures that only the named users access the secure file and prevents users from sharing access credentials such as passwords)
  • d. Named users must re-authenticate after 7 days or less (that reduces the risk of secure files being accessed by unauthorised users if computers are left unattended)
  • e. Permissions management to prevent unauthorised modification of the data including making access to secure files time-limited (e.g. access to secure files expires after a set period of no more than 30 days)
  • f. Full audit trail to check compliance and enable any investigation required.

The parties shall ensure that any employees who are given permission to use the secure file-sharing service undergo training.

The parties shall ensure that they maintain a process to minimise the risk that data is shared incorrectly or with unauthorised users that includes checklists and review by a second, independent person (sometimes called the four-eyes principle).

The parties agree to only use the secure file sharing services as set out in this clause 12 and to only permit authorised users to access the Explore Services. The parties shall not share any Shared Personal Data or files over insecure mechanisms such as email.