Last updated: 10th December 2024.
This Data Processing Agreement (or DPA) forms part of the Libresoft Terms of Use, as updated from time to time, between Libresoft (as defined below) and you, the Customer (as defined below). The latest version of our Terms of Use is located at www.libresoft.co.uk/legal/libresoft-terms-of-use/.
This DPA only applies where a Customer qualifies as a Data Controller with respect to the Personal Data which Libresoft Processes on behalf of that Customer under Applicable Data Protection Law (as defined below).
On the basis of the above, the parties agree as follows:
1. DEFINITIONS
For the purposes of this DPA:
- Libresoft, we, us and our have the same meaning as in the Libresoft Terms of Use
- Customer, you and your have the same meaning as in the Libresoft Terms of Use
- Applicable Data Protection Law means the EU General Data Protection Regulation (EU) 2016/679 and UK General Data Protection Regulation (collectively, the GDPR) and any EU Member State and/or UK laws made pursuant to the GDPR
- Personal Data, Special Categories of Personal Data, Data Subject, Processing (and Process), Controller, and Processor have the meanings given in the GDPR
- Services means all the services we provide now or in the future, including our online and mobile library and visitor management products.
- Subscription means the right granted to the Customer to use our Services.
- Subscription Fees means the fees and charges applicable to the Services chosen by the Subscriber.
2. CONTROLLER, PROCESSOR AND PURPOSE OF PROCESSING
2.1 The Customer (the Controller) appoints Libresoft as a Processor to Process the Personal Data described in Appendix I
2.2 When Libresoft Processes Personal Data as a data Processor, it is acting as a data Processor on behalf of you, the data Controller
2.3 Libresoft will Process the data on the basis of the Controller’s documented instructions and as per the terms set out in this DPA, for the purposes described in the Terms of Use and this DPA
2.4 The Processing of Personal Data shall only take place to the extent necessary for Libresoft to provide the Services chosen by the Customer
3. TYPES OF PERSONAL DATA AND DATA SUBJECTS
3.1 The Personal Data Processed by the Processor may include, but is not limited to, the following types of data:
- For all Customers: first name, surname, date of birth, email address, photo, vehicle registration, custom data chosen by the Customer
- For schools: Unique identifier for student/staff members, year group, class
3.2 The categories of Data Subjects whose Personal Data will be Processed may include, but are not limited to:
- For all Customers: customers, employees, contractors, volunteers
- For schools: students, parents, governors
3.3 The Customer will not disclose any “Special Categories of Personal Data” to Libresoft for Processing unless explicitly requested by Libresoft
4. DURATION OF PROCESSING
4.1 The Processor will Process Personal Data for the duration of the Terms of Use and this DPA and as necessary to fulfill the contractual relationship between the parties. Upon termination of this DPA, the Processor will archive all Personal Data for a period of up to 3 years and then delete the Personal Data, unless retention is required by law. The Customer may export the Personal Data prior to the end of their Subscription.
5. PROCESSOR’S OBLIGATIONS
5.1 The Processor agrees to:
- Process Personal Data only in accordance with the documented instructions of the Controller, including for the purposes set out in this DPA
- Ensure that its personnel authorised to Process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage
- Assist the Controller in ensuring compliance with its obligations under the GDPR, including Data Subject rights requests (access, rectification, erasure, etc.) and data breach notifications
6. CONTROLLER’S OBLIGATIONS
6.1 The Controller agrees to:
- Assist the Processor in responding to requests from Data Subjects exercising their rights under the GDPR
- Provide clear and specific instructions to the Processor regarding the Processing of Personal Data
- Ensure that it has obtained all necessary consents and legal bases for Processing Personal Data under Applicable Data Protection Laws, including the GDPR
7. INTERNATIONAL TRANSFERS OF PERSONAL DATA
7.1 Libresoft will only transfer Personal Data outside of the European Economic Area (EEA) or the UK if it has been ensured that such transfers comply with the requirements of the GDPR, including the use of Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.
7.2 Libresoft will promptly inform you of any changes to the location(s) where the Personal Data is Processed.
8. DATA SUBJECT RIGHTS
8.1 Libresoft will provide reasonable assistance to the Controller in responding to requests from Data Subjects for exercising their rights under the GDPR (such as access, rectification, erasure, and portability) in a timely manner.
8.2 If the Processor receives a direct request from a Data Subject, the Processor will promptly notify the Controller and assist in responding.
9. DATA PROTECTION IMPACT ASSESSMENT
9.1 Data Protection Impact Requirement. Libresoft shall, in accordance with Applicable Data Protection Laws, carry out a Data Protection Impact Assessment (DPIA) for any new Processing activity that is likely to result in a high risk to the rights and freedoms of individuals. The DPIA shall be conducted prior to the initiation of such Processing.
9.2 Notification of Processing Risks. In the event that the DPIA identifies a high risk to the privacy or data protection rights of Data Subjects, the Processor shall promptly notify the Data Controller of the identified risks and provide reasonable cooperation in connection with any DPIA that may be required under Applicable Data Protection Law.
10. SUBPROCESSING
10.1 You consent to Libresoft engaging subprocessors to Process Personal Data as necessary to perform the services. Libresoft’s list of subprocessors is located at www.libresoft.co.uk/legal/subprocessors (“Libresoft Subprocessor List”). You acknowledge that Libresoft’s subprocessors are essential to provide the services.
10.2 Libresoft shall ensure that the subprocessors are bound by the same data protection obligations as those in this DPA.
10.3 If a subprocessor fails to fulfill its data protection obligations, Libresoft will remain liable to you for the acts and omissions of its subprocessor to the same extent Libresoft would be liable.
11. SECURITY MEASURES
11.1 The Processor agrees to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:
- Regular security audits
- Data encryption
- Access control and authentication
12. BREACH NOTIFICATION
12.1 The Processor agrees to notify the Controller without undue delay after becoming aware of any data breach involving Personal Data Processed under this DPA. The notification will include:
- The measures taken to address the breach.
- A description of the breach, including the type of Personal Data involved.
- The likely consequences of the breach.
13. AUDITS
13.1 The Controller has the right to audit the Processor’s compliance with this DPA. The Processor agrees to cooperate with such audits, including by providing reasonable access to necessary records, systems, and personnel.
14. VARIATIONS
14.1 Libresoft will publish any changes to this DPA and endeavour to let you know of upcoming material changes with reasonable notice via email, system notifications or other methods at least 30 days before the changes take effect. You may reasonably object to a change on legitimate grounds within 30 days after Libresoft publishes any changes or provides notice of the change, and you may choose to suspend or terminate the DPA without penalty (without prejudice to any Subscription Fees incurred by the Customer up to and including the date of suspension or termination).
15. TERMINATION
15.1 This DPA will terminate upon termination or expiration of the main Terms of Use between the parties.
Appendix I – Data Processing schedule
1. Subject matter and duration of Processing of Personal Data
The subject matter of Personal Data to be Processed is that of (as applicable) the employees, customers, visitors, volunteers and/or students of the Customer entered by or at the election of the Customer into the Libresoft Services.
The duration of Processing Personal Data shall be for as long as We maintain a business relationship with the Customer. Once this relationship ends, We will follow the procedures outlined in clause 4.1 for the deletion of the Personal Data.
2. Nature and purpose of Processing Personal Data
The nature and purpose of Processing Personal Data is to enable the functionality of the Libresoft Services as set out in the Terms of Use, this DPA and related documentation.
3. Types of Personal Data Processed
The types of Personal Data Processed include:
a) names
b) addresses
c) contact details
d) identification details (for example, Unique Pupil Number)
e) other Personal Data types for use in the Libresoft Services
4. Categories of Data Subjects
The categories of Data Subjects include the following with whom the Customer has a relationship:
a) suppliers / service providers
b) customers / clients
c) employees / contractors
d) students
e) governors
f) other contacts