We use cookies on this site to help provide the best possible online experience. By using this site you agree to our use of cookies.

Click to view our cookie policy and customize your cookie preferences.

A notification message..

Chest Data Processing Agreement

This data processing agreement applies to universities, colleges and other organisations which are eligible to participate in Chest Agreements, and is required to ensure compliance with the GDPR Regulations which come into effect on 25 May 2018.

  1. In this Agreement, when they begin with a capital letter, the following terms have the meaning shown:

    • Chest means the marketing and supply channel for software and online resources, as described by this www.chest.ac.uk website. Chest is an enterprise of Jisc and a registered trademark.
    • Jisc means the registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.
    • GDPR means the General Data Protection Regulation (EU 2016/679) and any legislation or regulation which amends or replaces it.
    • Licensee means any party who purchases licences or might purchase licences from suppliers through Chest.
    • Personal Data is as defined in GDPR.
    • Party means Jisc or each Licensee and Parties means Jisc and each Licensee.

  2. Chest requires the Parties to retain each other’s contact details.

  3. GDPR requires the Parties to have a data processing agreement in place to cover this situation.

  4. Therefore, publishing it on the www.chest.ac.uk website constitutes Jisc's acceptance of this Agreement and using Chest constitutes each Licensee’s acceptance.

  5. Each Party will comply with GDPR. Chest's data protection assumptions and commitments are published in its privacy notice on the www.chest.ac.uk website.

  6. Each Party is the controller of the Personal Data relating to its own personnel and both are processors of Personal Data relating to the other Party’s personnel. Therefore each Party will:

    • only use such Personal Data only in connection with Chest services
    • take appropriate measures to ensure the security of the Personal Data that they process
    • ensure that its personnel who process Personal Data are subject to a duty of confidence
    • ensure that no third party processes any Personal Data received from the other Party except solely in connection with Chest services and in accordance with GDPR requirements and with the consent of the other Party
    • co-operate with the other Party with their rights and obligations as data controllers, including assistance with: obligations in connection with subject access requests and other data subject rights under GDPR; controllers’ responsibilities concerning the security of processing, data breaches and data protection impact assessments; and reporting, inspection and audit requirements
    • immediately notify the other Party if:
      1. they believe any instructions or requirements of the other Party would infringe GDPR
      2. they believe a GDPR breach has occurred or is likely to occur under this Agreement
      3. they have received a subject access request from the other Party’s personnel
    • only retain Personal Data after the end of this Agreement if there is a statutory basis for doing so or for the period specified in its own published privacy policy, provided such privacy policy complies with GDPR requirements. Each Party will also delete Personal Data upon request of the other Party unless there is a statutory basis to retain it or some other lawful reason, independent of this Agreement, allows the Party to retain the Personal Data.

Join our mailing list for the latest news, event information and resources