International Data Transfers
Our direct data centres are located in the EEA
Our direct data centres (including data back-ups) are located within the European Economic Area. This means that the transfer of school data to Sparx is covered by the European ruling of adequacy by the ICO. Countries within the EEA have been deemed to have adequate data protection laws in line with those of UK GDPR. No further contracting safeguards are needed to cover your school sharing data with Sparx other than those outlined in our Terms and Conditions > Section C: Data handling agreement.
We use SCCs + UK addendum or IDTAs for international sub-processors outside the EEA
We do not share student data outside of the EEA. We do share teacher and parent names and emails with support companies outside the EEA with fully GDPR-compliant contracts in place. Contract terms to cover international data transfers have changed significantly in the last few years.
After Brexit, Sparx relied on the EU adequacy ruling plus the US Privacy Shield.
Following the Schrems II ruling in July 2020, the US Privacy Shield was no longer valid and we followed ICO guidance to use EU Standard Contractual Clauses to provide additional contracting safeguards for support companies outside the EEA. This ensured broadly the same protection rights as companies based in Europe. The latest version of the EU SCCs was released in September 2021, and this is the version used now.
Following the ICO’s consultation on international data transfers, new legislation came into force in March 2022. This means that any contracts for data transfers outside of the EEA must contain the latest EU SCCs plus a UK addendum or International Data Transfer Agreement (or IDTA).
Contracts for data transfers inside the EEA are still covered by the EU adequacy ruling.
In July 2023, the European Commission passed the adequacy ruling for the USA for companies that are signed up to the Data Privacy Framework. In October 2023, the UK Extensions to the EU-US Data Privacy Framework became effective as part of the UK-US data bridge. If a support company has a current certification with the DPF, they are deemed adequate under UK GDPR. If USA companies are not certified under the DPF, we still rely on the contracted terms listed above.
Data that we share with sub-processors
We carefully select, audit and approve support companies to help us provide a service to you.
We conduct due diligence to ensure that they will keep your data safe and we have binding written UK GDPR-compliant data processing contracts with each of our support companies. It is Sparx's responsibility to ensure our sub-processors comply with data privacy legislation.
To aid transparency, our Support companies guide lists the companies that help us, what types of data we share with them (student, teacher, parent), what service they provide and a copy of our data handling agreement plus each company’s security information.
You aren't obliged to check all of our sub-processors
As a controller, your obligations under GDPR are to check that you are happy that Sparx is taking all necessary technical and operational measures to keep your data safe and that we have a process for evaluating our sub-processors.
In our Terms and Conditions > Section C: Data handling agreement > Sub-processors, it states: “We will remain liable to you for all the acts and omissions of our support companies in respect of their processing activities for us as if they were our own.”
Per the ICO's guidance > When do I need to carry out a Transfer Risk Assessment?:
“If you are a controller, and your processor is making the restricted transfer, only the processor (Sparx) must complete the Transfer Risk Assessment (TRA). In that situation, you (the school/trust) must still carry out reasonable and proportionate checks about whether the processor’s restricted transfers are compliant with UK GDPR, including its obligation to carry out a TRA. This is part of your obligation to ensure your processor provides you with “sufficient guarantees” in Art 28 UK GDPR.”
It is our responsibility to carry out the due diligence on our support companies. To evidence this and aid transparency, we cite the data processing contracts and security information of our sub-processors on our support companies page should you wish to view them.
We don't share any of your data with third parties
Per our Terms and Conditions > Section C: Data handling agreement > Sub-processors:
“Save for our support companies, we will never share school data with third parties without your prior written permission.”
This means we will never share your data with another controller, or sell or monetise personal school data you have shared with us.