We use cookies on this site to help provide the best possible online experience. By using this site you agree to our use of cookies.

Click to view our cookie policy and customize your cookie preferences.

Icon
A notification message..

Jisc's Chest Platform Data Processing Agreement

This data processing agreement applies to universities, colleges and other organisations which are eligible to participate in Jisc Agreements on the Chest Platform, and is required to ensure compliance with the Data Protection Legislation.

  1. In this Agreement, when they begin with a capital letter, the following terms have the meaning shown:
    • Chest means the marketing and supply channel for software and online resources, as described by this www.chest.ac.uk website. Chest is an enterprise of Jisc and a registered trademark.
    • Jisc means the registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, BS1 6NB. T 0203 697 5800.
    • Data Protection Legislation means the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 as each is amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586) and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, as amended to be referred to as “DPA 2018” and the “UK GDPR” respectively; and any legislation or regulation which amends or replaces it.
    • Licensee means any party who purchases licences or might purchase licences from suppliers through Chest.
    • Personal Data is as defined in Data Protection Legislation.
    • Party means Jisc or each Licensee and Parties means Jisc and each Licensee.
  2. Chest requires the Parties to retain each other’s contact details. Data Protection Legislation requires the Parties to have a data processing agreement in place to cover this situation.
  3. Therefore, publishing it on the www.chest.ac.uk website constitutes Jisc's acceptance of this Agreement and using Chest constitutes each Licensee’s acceptance.
  4. Each Party is the Controller of the Personal Data relating to its own personnel. Where a party acts as a Controller in respect of any Personal Data processed under or in connection with the Agreement, it shall comply with its respective obligations under the Data Protection Legislation and it shall only use such Personal Data for the purposes of performing its obligations under the Agreement.
  5. Chest's data protection assumptions and commitments are published in its privacy notice at www.chest.ac.uk/privacy-notice/
  6. The Licensee acting as a Controller authorises Jisc to process the Personal Data for the term of this Agreement as a Processor solely for the purpose of providing the services:
    • Jisc will process the data provided by the Licensee to (a) provide the Licensee the services in accordance with the Licensee’s documented instructions and (b) for business operations incident to providing the products and services to the Licensee.
    • The types of personal data processed by Jisc when providing the services will include the contact information for Licensee personnel and any other personal data the Licensee elects to include.
    • The categories of data subjects are the Licensee’s representatives and end users, such as employees, contractors, collaborators, and customers.
  7. In relation to any Personal Data that the Licensee (as a Controller) provides or makes available to Jisc (as a Processor), in connection with the agreement, Jisc agrees and warrants that it will:
  • use, access or otherwise Process the Personal Data only in connection with Chest services;
  • take, implement, maintain and monitor appropriate technical and organisation measures which are sufficient to comply with the obligations placed on Jisc by the requirements regarding the security of the Personal Data, as set out in the Data Protection Legislation;
  • ensure that its personnel who process Personal Data are subject to a duty of confidence;
  • the Controller grants a general authorisation to engage sub-processors as may be necessary to support the performance of the services.  Jisc shall maintain an up-to-date list of all sub-processors engaged in the processing of personal data and shall notify the Controller of any intended changes to the sub-processors by publishing it on the Jisc website providing the Controller with an opportunity to object;
  • co-operate with the Controller with their rights and obligations, including assistance with: obligations in connection with subject rights requests; controllers’ responsibilities concerning the security of processing, data breaches and data protection impact assessments; and reporting, inspection and audit requirements;
  • immediately notify the Controller if they believe any instructions or requirements of the other Party would infringe Data Protection Legislation;
  • notify the controller promptly if they believe a Personal Data Breach has occurred or is likely to occur under this Agreement;
  • not transfer any personal data outside of the United Kingdom, Switzerland, or the European Economic Area to any third country that does not ensure an adequate level of protection under Data Protection Legislation without ensuring suitable safeguards are in place to legitimise the transfer;
  • make available, promptly following receipt of a written request from the Licensee, all information necessary to demonstrate compliance with the Data Protection obligations;
  • on termination of the Agreement, cease Processing all Personal Data and at the option of the Licensee securely delete or return to Licensee all Personal Data (and all copies under its possession or control), except to the extent Jisc is required to retain copies by Applicable Law.

Join our mailing list for the latest news, event information and resources