1.1 In this Schedule 2, the following words have the following meanings:
Agreed Purposes: the purposes set out in the Annex to this Schedule 2.
Data Subject Request: means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation.
Data Protection Legislation: all applicable laws including: (a) to the extent the UK GDPR applies, the laws of the United Kingdom or a part of the United Kingdom which relates to the protection of personal data; and (b) to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the relevant party is subject, which relate to the protection of personal data.
Data Sharing: the transfer of the Shared Personal Data.
EEA: European Economic Area.
EU GDPR: the General Data Protection Regulation (EU) 2016/679.
International Data Transfer: the disclosure, grant of access or other transfer of Shared Personal Data to a third party in a country or territory outside the UK and EEA.
Shared Data Breach: any security breach or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to Shared Personal Data;
Shared Personal Data: any personal data shared between the Parties in connection with the Agreement.
Transfer Mechanism: Standard Contractual Clauses approved by the European Commission Decision of 4 June 2021 (as amended from time to time), for the transfer of personal data from the EEA or Adequate Country to a third country and International Data Transfer Addendum issued by the Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.
1.2 Where used in this Schedule 2, the terms Data Controller, Data Processor, Data Subject, Personal Data, Data Importer, Data Exporter and processing and Special Category Data all have the meanings given to those terms in the Data Protection Legislation.
1.3 In case of any conflict or inconsistency between the provisions of this Agreement, this shall be the order of precedence: Schedule 3, Schedule 2; Schedule 1; the main terms of the Agreement.
1.4 To the extent that a term of this Schedule 2 requires the performance by a party of an obligation “in accordance with Data Protection Legislation” (or similar), unless otherwise expressly agreed in this Schedule 2, this requires performance in accordance with the relevant requirements of such Data Protection Legislation as is in force and applicable at the time of performance (if any).
2.1 In relation to the Shared Personal Data, each of the Parties agrees that it is a Data Controller.
2.2 During the term of this Agreement, the Parties shall share with each other certain Personal Data. This Data Sharing Schedule is necessary to support the Agreed Purposes of both Parties.
2.3 The Annex to this Schedule 2 describes the categories of Data Subjects to whom the Shared Personal Data relate, the types of Personal Data that may be processed and the limited purposes of the processing of Shared Personal Data.
2.4 For the avoidance of doubt, the parties shall only use the Shared Personal Data for lawful purposes in connection with the Agreed Purposes and not process the Shared Personal Data in a way that is incompatible with the Agreed Purposes or Data Protection Legislation.
3.1 Each Party shall comply with all the obligations imposed on a Data Controller under the Data Protection Legislation. Any material breach of the Data Protection Legislation by a Party in connection with the Data Sharing shall constitute a material breach of this Schedule 2.
3.2 Each Party shall:
(a) process the Shared Personal Data fairly and lawfully, each of them as a Data Controller;
(b) for each Agreed Purpose, ensure that it has legitimate grounds under the Data Protection Legislation for the processing of the Shared Personal Data;
(c) inform, or otherwise make information available to the Data Subjects of the purposes for which it will process Personal Data and provide or make available all information that it must provide in accordance with its own applicable law to ensure that Data Subjects understand how their Personal Data will be processed by that Party;
(d) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data; and
(e) not transfer any personal data outside the UK or European Economic Area otherwise than in compliance with clause 7 below.
4.1 Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, in connection with the Shared Personal Data, each Party shall:
(a) ensure that any notices given to Data Subjects in relation to the Shared Personal Data are provided in a manner and according to timing that is compliant with Data Protection Legislation;
(b) inform the other Party if any Personal Data has been transferred to the other Party in error or otherwise in breach of the Data Protection Legislation, requesting the immediate deletion of such inappropriately transferred Personal Data;
(c) if legally required, inform the other Party about the receipt of a complaint or Data Subject Request from any Data Subject regarding the Shared Personal Data;
(d) deal at its discretion with all Data Subject Requests and complaints that it receives directly from a Data Subject or the person making the complaint. For the avoidance of doubt, a Data Subject Request made to one Party in its capacity as Data Controller shall not oblige the other Party to disclose any Personal Data it holds independently in its capacity as a Data Controller;
(e) if legally required, inform the other Party without delay if a Data Subject requests the erasure of any Shared Personal Data. For the avoidance of doubt, where one Party is obliged to erase any Shared Personal Data, the other Party shall not be obliged to erase the same Shared Personal Data if that other Party may lawfully continue to hold and process such Shared Personal Data;
(f) provide reasonable and prompt assistance to the other Party as is necessary to enable it to comply with a Data Subject Request and/or to respond to any other queries or complaints received from Data Subjects or supervisory authorities or regulators and, in each case related to the Shared Personal Data;
(g) provide the other Party with such information as the other Party reasonably requires for maintaining the records it is required to maintain by the Data Protection Legislation; and
(h) provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the procedures to be followed in the event of a Shared Data Breach.
5.1 In respect of each Shared Data Breach, each Party shall:
(a) promptly notify the other Party of the Shared Data Breach; (b) provide the other Party without undue delay (wherever possible, no later than 48 hours after becoming aware of the Shared Data Breach) with such details as the other Party reasonably requires regarding the Shared Personal Data.
5.2 To the extent permitted by applicable laws, neither Party shall:
(a) notify a supervisory or regulatory authority of any Shared Data Breach; (b) issue a public statement or otherwise notify any Data Subject of such Shared Data Breach, without first consulting with, and obtaining the consent (not to be unreasonably withheld or delayed) of, the other Party.
6.1 Neither Party shall retain or process the Shared Personal Data for longer than is necessary in connection with carrying out the Agreed Purposes.
6.2 Notwithstanding clause 6.1, the Parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.
7.1 Both Parties agree that International Data Transfers will be governed by Schedule 3 of this Agreement.
The Personal Data transferred concern the following categories of Data Subjects:
Candidates (including under 13 years old).
The personal data transferred concern the following categories of data:
Full names, sex, identification numbers (such as Candidate number), centre/school details, test details, candidate answers, contact details, native language, year group, date of birth, class name, place of birth, previous school, test scores, test venue, test session, application to university, special arrangements and any other information that may be required in connection with the Agreed Purposes.
For the purposes of this Agreement, Agreed Purposes refer to the following purposes:
(a) Candidates to be entered for STEP by Cambridge OCR;
(b) Cambridge OCR to collect and mark a Candidate’s scripts, report results and issue certificates;
(c) Cambridge OCR to consider and respond to any requests for additional time, assistance or other accommodations in relation to a particular Candidate in light of that Candidate’s personal circumstances (which may include consideration of special category data in response to any request by a Candidate entered for a STEP test);
(d) Cambridge OCR to verify a Candidate’s identity;
(e) Cambridge OCR to investigate and take such action as it deems appropriate in relation to malpractice, maladministration and other irregularities in relation to STEP tests;
(f) Cambridge OCR to run the administrative systems used to support the delivery of STEP tests;
(g) Cambridge OCR to develop STEP tests and improve on their quality and integrity, including the collection of statistics and other information relating to STEP tests for Cambridge OCR’s future use;
(h) Cambridge OCR to carry out marketing and market research, and provide training in order to improve on the delivery of STEP tests;
(i) the centre to enter any Candidate for a STEP test;
(j) the centre to report any incident of malpractice or maladministration or any other irregularity in relation to STEP tests;
(k) the centre to forward any request relating to the delivery of a STEP test to a Candidate; and
(l) the Parties to comply with their legal and regulatory obligations and to assist each other in relation to any exercise by a Candidate of their rights as a Data Subject.
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
As per the agreement/s between the Parties or otherwise as the Parties see fit in accordance with their own privacy policies and applicable legislation.
The personal data transferred concern the following categories of special category personal data:
Some special category data such as disabilities may be inferred by special arrangements.
UK ICO registration number: Z6641083
As set out in the agreements that govern the relationship between the Parties.
Centre: As provided to Cambridge OCR as soon as this Agreement is accepted by it.
Cambridge OCR: privacy@cambridge.org
The Parties agree that:
A. where in the performance of this Agreement there is an International Data Transfer subject to EU Data Protection Legislation, the Parties shall comply with the terms of the EU Standard Contractual Clauses and their Annexes I and II;
B. where in the performance of this Agreement there is an International Data Transfer subject to UK Data Protection Legislation, the Parties shall comply with the terms of the EU Standard Contractual Clauses, their Annexes I and II, and the UK International Data Transfer Addendum attached below.
1. To the extent that the EU GDPR standard contractual clauses apply to this Agreement pursuant to the Transfer Mechanism, including the election of specific terms and/or optional clauses, this paragraph 4 applies, and any optional clauses not expressly selected are not included:
a. Clause 7 (Docking Clause):
i. All Modules: the optional Clause 7 in Section I of the EU SCCs is not incorporated;
b. Clause 9 (Subprocessors):
i. Modules 2 & 3: Option 2 (‘General written authorisation’) is selected and the process and time period for the addition or replacement of sub-processors shall be the Notification Period;
c. Clause 11 (Redress):
i. All Modules: The optional wording is not included;
d. Clause 17 (Governing Law):
i. Modules 1, 2 & 3: Option 1 is selected. The parties agree that this shall be the laws of Ireland;
e. Clause 18 (Choice of forum and jurisdiction):
i. Modules 1, 2 & 3: The parties agree that any dispute shall be resolved by the courts of Ireland;
ii. Module 4: Any dispute arising from these clauses shall be resolved by the courts of England.
2. To the extent that the UK GDPR mandatory clauses apply pursuant to the Transfer Mechanism, this Agreement incorporates the following terms, and the Parties shall be bound by them:
Transfer Details
Encryption at rest and in transit.
The Exporter considers that it is reasonable and proportionate for it to make the data transfer on the basis of the TRA.
The Exporter will review the TRA if a new or amended version of the DSIT analysis is published, or the DSIT analysis is withdrawn.
No extra protection clauses or additional commercial clauses are required.