MY BARCELONA SCHOOL DATA PROCESSING AGREEMENT

MY BARCELONA SCHOOL AS DATA PROCESSOR

In accordance with the General Data Protection Regulation 679/2016 ("GDPR") and Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales ("LOPDGDD") (collectively, the "Data Protection Regulation"), this agreement ("DPA") governs the processing by Anya van der Drift (“My Barcelona School”, “Data Processor” or “Processor”) of the personal data of My Barcelona School Clients (“Client”, “Data Controller” or “Controller”).

Hereinafter, the term "the Parties" will be used to refer indistinctly to Controller and My Barcelona School.

1. Definitions

Capitalized terms in this DPA shall have the same definition as set forth in the Data Protection Regulations and any other data protection laws applicable to this DPA.

2. Purpose and duration

The purpose of this DPA is to regulate the Processing of Personal Data under the responsibility of Data Controller, carried out by My Barcelona School, derived from the provision of the services by My Barcelona School to the Controller (hereinafter, the “Contract”) and during the term of the same.

3. Data accessed and purpose of processing

My Barcelona School, as Data Processor, shall process the Personal Data identified in Section I of this DPA, for the purposes and in relation to the data subjects also indicated in such Section I ("Controller's Personal Data").

4. Obligations of My Barcelona School

As established by the Data Protection Regulations, My Barcelona School undertakes to:

a. Process the Controller's Personal Data only according to the documented instructions of the Controller, including with respect to transfers of personal data to a third country or an international organization. Notwithstanding the foregoing, My Barcelona School may process the Controller's Personal Data for purposes other than the documented instructions of the Controller where it is obliged to do so under Union or Member State law applicable to My Barcelona School; in such a case, My Barcelona School shall inform the Controller of such legal requirement prior to the Processing, unless such law prohibits it for important reasons of public interest.

b. Ensure that persons authorized to process the Controller's Personal Data have undertaken to respect confidentiality or are subject to a confidentiality obligation of a statutory nature.

c. Take all technical and organizational measures required by the applicable regulations to ensure a level of security appropriate to the risk of processing.

d. Respect the conditions for using another data processor, as established in the data protection regulations.

e. Assist the Controller, taking into account the nature of the processing, through appropriate technical and organizational measures, whenever possible, to enable the Controller to fulfill its obligation to respond to requests aimed at exercising the rights of data subjects.

f. Assist the Controller in ensuring compliance with its obligations, taking into account the nature of the processing and the information at its disposal.

g. At the Controller's option, delete or return all Controller's Personal Data upon termination of the provision of the processing services, and delete existing copies unless the retention of Controller's Personal Data is required by Union or Member State law.

h. Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this Article, as well as to allow and contribute to the performance of audits, including inspections, by the Controller or another auditor authorized by the Controller.

i. Process the Controller's Personal Data in a way that ensures that the personnel in charge, if any, follow the instructions of the Controller.

j. Ensure that the Data Protection Officer or, in his or her absence, the Privacy Officer is involved in a timely and appropriate manner in all matters relating to the protection of Controller's Personal Data.

k. Adhere to the Code of Conduct that may be approved by the corresponding Commission or body, if applicable.

l. Keep a record of processing activities in the event of processing personal data that poses a risk to the rights and freedoms of the data subject and/or on a non-occasional basis, or that involves the processing of special categories of data and/or data relating to convictions and offences.

5. Security Measures

My Barcelona School shall adopt the security measures that are appropriate to each case, in order to ensure the lawfulness of the processing, as set forth in the GDPR. In this regard, My Barcelona School undertakes to assess the possible risks arising from the processing, taking into account the means used and the circumstances that may have an impact on security.

6. Exercise of rights by the Data Subject

(a) Response Time: If a Data Subject submits a request or exercises any of the rights established in the Data Protection regulations, the Controller and/or My Barcelona School shall provide him/her with information on the actions requested and carried out, without delay and at the latest within one month from the receipt of the request, which may be extended for a maximum of another two months if necessary, taking into account the complexity of the request and the number of requests.

(b) Notification of Rejection of the Request: If the Controller and/or My Barcelona School decide not to proceed with the data subject's request, they must inform the data subject of this decision without delay and at the latest within one month of receipt of the request. This notification must include detailed reasons for the refusal and information on the data subject's right to lodge a complaint with the Supervisory Authority and to lodge a judicial remedy.

(c) Format of the Response: The response to the request to exercise the right will be in the same format used by the data subject, unless the data subject requests otherwise.

7. Subcontractors

My Barcelona School may not provide access to the Controller’s Personal Data to third parties other than those expressly authorized by the Controller in writing in Section III. My Barcelona School ensures that, in such case, it has signed an agreement with each subcontractor mentioned in Section III, which is sufficient in accordance with the provisions of this DPA and the Data Protection Regulation.

8. International Data transfers

My Barcelona School may not make any international transfer of the Controller’s Personal Data, without the Controller’s express authorization, with the exception of transfers to the international subcontractors mentioned in Section III, provided that an agreement with appropriate contractual guarantees is signed with each of them, as prescribed by the Data Protection Regulations.

9. Data security breaches

(a) Breach Notification: As soon as there is an instruction from the supervisory authority, a national legislative development regulating these communications or a delegated act, in the event of a breach of security of the Controller’s Personal Data My Barcelona School shall notify Controller of all security breaches of this data without undue delay and, if possible, no later than 24 hours after the breach has occurred.

(b) Content of the Notice: The notification shall include at least the following information:

• A description of the nature of the security breach, including the category and approximate number of individuals affected and the number of personal data records compromised.

• The date and time the breach occurred and its estimated date and time of detection.

• A description of the possible consequences of the security breach.

• Measures taken to mitigate potential adverse effects and corrective actions taken.

• The contact information of the person responsible for managing the breach.

(c) Documentation and Reporting: My Barcelona School shall maintain a detailed record of all security breaches that occur, including actions taken and communications made. This record shall be available for review by the Controller or the competent authorities, if required.

10. Termination, resolution and extinction

The termination, resolution or extinction of the contractual relationship for the provision of services arising from the Contract between the Controller and My Barcelona School, shall oblige the latter to delete the Controller’s Personal Data provided by the Controller, and to keep such data only and exclusively as long as there is a legal obligation of conservation. Once the term established to cover the legal responsibilities has elapsed, the personal data must be destroyed or returned to the Controller, as well as any support or document containing any Controller’s Personal Data.

And in witness whereof, the parties sign the present DPA in the place and on the date indicated in the heading of the present document.

MY BARCELONA SCHOOL AS DATA CONTROLLER

Within the framework of the Contract, the Client may share certain personal data with My Barcelona School (“Shared Personal Data”) for their own purposes. In these cases, the following conditions shall apply.

1. Warranties. The Client represents and warrants that:

a. It will collect and process the Shared Personal Data in accordance with the applicable data protection legislation (“Data Protection Laws”);

b. The Client has the appropriate legal basis to communicate to My Barcelona School the Shared Personal Data.

2. Obligations of My Barcelona School. My Barcelona School undertakes to:

(i) Not respond to any inquiry, complaint, request or claim from a Data Subject with respect to the data processing practices of the Client and shall promptly forward any such request to the Client.

(ii) Provide assistance to the Client in case of any request from a Data Subject to access, rectify, erase, restrict processing, request portability or object to the processing of data.

(iii) Comply with Data Protection Laws in connection with the processing of Shared Personal Data.

(iv) Delete Shared Personal Data once the Contract between My Barcelona School and the Client has ended.

3. Obligations of the Client. The Client undertakes to:

(v) Provide mandatory information to data subjects in accordance with Article 14 of the GDPR in relation to the processing of personal data of both the Client and My Barcelona School. In particular, provide Data Subjects with the Directory Privacy Policy accessible from the following link: https://www.mybarcelonaschool.com/privacy-policy-1

(vi) Maintain records of the processing activities it performs with respect to the Shared Personal Data, as required by the Data Protection Laws.

SECTION I. CATEGORY AND TYPE OF DATA PROCESSED AS DATA PROCESSOR

(a) Categories of Data Subjects and types of data:

Pursuant to the provisions of the Data Protection Regulations and for the provision of the services set forth in the Contract, My Barcelona School shall process as Data Processor the type and categories of the Client’s Personal Data detailed below.

• Data Subjects: Employees, Clients, users, students, teachers, and management team of the Client.

• Data categories: Identification data, Contact data, Image, Professional data.

(b) Purpose of Processing:

Provide the Client with access to the My Barcelona School Directory.

(c) Nature of processing:

The provision of the contracted services implies the performance by My Barcelona School of the following processing: Collection, Broadcast, Structuring, Registration, Organization, Usage, Suppression or Destruction, Conservation.

SECTION II. CATEGORIES AND TYPE OF DATA PROCESSED AS DATA CONTROLLER:

Pursuant to the provisions of the Data Protection Regulations and for the provision of the services set forth in the Contract, My Barcelona School shall process as Data Controller the type and categories of the Client’s Personal Data detailed below.

• Data Subjects: Employees of the clients, students, teachers, and management team of the Client.

• Data categories: name of headteacher and image included in the pictures uploaded to the School Directory by the Client.

Purpose: promote the Client's information on My Barcelona School's social media accounts and in the My Barcelona School Directory.

SECTION III. AUTHORIZED SUBCONTRACTORS

Sub-Processor Wix.com Inc.

• Description of the services: Hosting of the Directory and storage of the personal data

• Privacy Policy URL: https://es.wix.com/about/privacy

• Country: USA

• Security Measures: Data Privacy Framework
