International Data Transfers
Our direct data centres are located in the EEA
Our direct data centres are located in the EEA
Our direct data centres (including data back-ups) are located within the European Economic Area. This means that the transfer of school data to Sparx is covered by the European ruling of adequacy by the ICO. Countries within the EEA have been deemed to have adequate data protection laws in line with those of UK GDPR. No further contracting safeguards are needed to cover your school sharing data with Sparx other than those outlined in our Terms and Conditions > Section C: Data handling agreement.
We use SCCs + UK addendum or IDTAs for international sub-processors outside the EEA
We use SCCs + UK addendum or IDTAs for international sub-processors outside the EEA
We do not share student data outside of the EEA. We do share teacher and parent names and emails with support companies outside the EEA with fully GDPR-compliant contracts in place. Contract terms to cover international data transfers have changed significantly in the last few years.
After Brexit, Sparx relied on EU adequacy ruling plus the US privacy shield.
Post the Schrems II ruling in July 2020, the US privacy shield was no longer valid and we followed ICO guidance to use EU Standard Contractual Clauses to provide additional contracting safeguards for support companies outside the EEA. This ensured broadly the same protection rights as companies based in Europe. The latest version of the EU SCCs where released in September 2021, these are the ones that are used now.
Following the ICO’s consultation on international data transfers, new legislation came into force in March 2022. This means that any contracts for data transfers outside of the EEA must contain the latest EU SCCs plus a UK addendum or International Data Transfer Agreement (or IDTA). Any new agreements Sparx enters with sub-processors will have this.
Contracts for data transfers outside the EEA signed before the 22nd of September 2022 with just EU SCCs in them are still valid until March 2024. We have a rolling program to make sure these are all amended by the end of 2023.
In July 2023, the European Commission passed the adequacy ruling for the USA for companies that are signed up to the Data Privacy Framework. Whilst this is encouraging, it does not mean the USA is adequate under UK GDPR. We still rely on the contracted terms listed above and await any change in adequacy ruling by the ICO.
Contracts for data transfers inside the EEA are still covered by EU adequacy ruling.
Data that we share with sub-processors
We carefully select, audit and approve support companies to help us provide a service to you.
We conduct due diligence to ensure that they will keep your data safe and we have binding written UK GDPR-compliant data processing contracts with each of our support companies. It is Sparx's responsibility to ensure our sub-processors comply with data privacy legislation.
To aid transparency, our Support companies guide lists the companies that help us, what types of data we share with them (student, teacher, parent), what service they provide and a copy of our data handling agreement plus each company’s security information.
You aren't obliged to check all of our sub-processors
You aren't obliged to check all of our sub-processors
As a controller, your obligations under GDPR are to check that you are happy that Sparx is taking all necessary technical and operational measures to keep your data safe and that we have a process for evaluating our sub-processors.
In our Terms and Conditions > Section C: Data handling agreement > Sub-processors, it states: “We will remain liable to you for all the acts and omissions of our support companies in respect of their processing activities for us as if they were our own.”
Per the ICO's guidance > When do I need to carry out a Transfer Risk Assessment?:
"If you are a controller, and your processor is making the restricted transfer, only the processor (Sparx) must complete the Transfer Risk Assessment (TRA). In that situation, you (the school/trust) must still carry out reasonable and proportionate checks about whether the processor’s restricted transfers are compliant with UK GDPR, including its obligation to carry out a TRA. This is part of your obligation to ensure your processor provides you with “sufficient guarantees” in Art 28 UK GDPR.”
It is our responsibility to carry out the due diligence on our support companies. To evidence this and aid transparency, we cite the data processing contracts and security information of our sub-processors on our support companies page should you wish to view them.
We don't share any of your data with third parties
We don't share any of your data with third parties
Per our Terms and Conditions > Section C: Data handling agreement > Sub-processors:
“Save for our support companies, we will never share school data with third parties without your prior written permission.”
This means we will never share your data with another controller, or sell or monitise personal school data you have shared with us.
No student data goes outside the European Economic Area
No student data goes outside the European Economic Area
Our direct data centres including back-ups are within the EEA. Per our Terms and Conditions > Section C: Data handling agreement > Sub-processors:
“No personal data derived from school data relating to students is transferred outside the European Economic Area.”
Teacher and parent names and emails are shared with support companies based in the USA.