Privacy and data protection

GDPR Privacy and Data Protection Addendum:

Data Processing Agreement (EU GDPR) for EU-based Schools


Last updated: 17 September 2025

1. Introduction

This GDPR Privacy & Data Protection Addendum (“Addendum”) forms part of the Services Agreement between Pamoja Education Ltd (“Pamoja” or “PMJ” or “we”) and the school customer (the “School”). The purpose of the Addendum is to ensure that the processing of School Personal Data in connection with the services performed by PMJ (the “Services”) is carried out in compliance with applicable data protection law, including the UK GDPR, the EU GDPR, and related regulations. This Addendum sets out the roles of the parties, the obligations of Pamoja as a data processor, and the rights and responsibilities of the School as data controller. It also establishes the terms governing international data transfers, the use of Sub-processors, and the security and compliance measures that Pamoja must maintain.

Definitions

“Data Protection Requirements”: as applicable:

  1. the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU GDPR”) or equivalent legislation, the Privacy and Electronic Communications (EC Directive) Regulations 2003, Directive 2002/58/EC of the European Parliament (the “ePrivacy Directive”) and all other applicable laws (including judgments of any relevant court of law) and regulations relating to the processing of personal data, data privacy, electronic communications, marketing and data security, in each case as amended, extended or re-enacted from time to time and all orders, regulations, statutes, instruments or other subordinate legislation made thereunder in any jurisdiction from time to time; and
  2. the guidelines, recommendations, best practice, opinions, directions, decisions, codes of practice and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, the UK’s Information Commissioner’s Office (“ICO”) and/or any other supervisory authority or data protection authority from time to time in relation to the processing of personal data, data privacy, electronic communications, marketing and data security. 

“Cross-Border Processing” or “School Personal Data Transfers” means any communication, copying or transmission of School Personal Data to a Third Country.

“School Personal Data” means any personal data processed or transferred by the School to Pamoja in relation to the Services Agreement and in connection with the Services.

“Third Country” means any country outside the European Union that has not been recognised by the European Commission as providing an adequate level of protection for personal data under the Data Protection Requirements.


1.1. For the Services Agreement, including this Addendum, personal data and the terms “process”, “data subject”, “data controller”, “controller”, “data processor”, “processor”, “sub-processor”, “personal data breach” and “supervisory authority” shall have the meanings set out in the applicable Data Protection Requirements.

1.2. The Parties acknowledge that the School is the data controller and Pamoja is the data processor of School Personal Data. Each Party agrees to comply with its respective obligations under the Data Protection Requirements accordingly.

1.3. The School shall remain solely responsible for upholding data subjects’ rights in relation to the processing of such School Personal Data under the Services Agreement, specifically their rights of access, right to rectification and/or erasure and if necessary the right to object to processing, and the School shall promptly notify Pamoja of any data subject request it receives that relates to School Personal Data and may affect Pamoja’s processing activities.

1.4. Each Party warrants that it shall comply with all obligations under the Data Protection Requirements in connection with the Services and its performance under this Agreement, and that it shall not, in respect of any School Personal Data processed, do any act or omit to do anything that would cause the other party to be in breach of its obligations under the Data Processing Requirements.

1.5. The School shall ensure that it has all necessary consents from data subjects or that an appropriate legal basis (such as consent or another lawful basis) is established under the Data Protection Requirements in order for Pamoja’s processing of School Personal Data to comply with the Data Protection Requirements, including (without limitation) processing for the purposes of providing international education systems for curriculum planning, assessment, reporting and admissions and related services for students, parents, schools and exam boards.

1.6. The School’s instructions relating to the processing of School Personal Data shall comply with the Data Protection Requirements and the School shall have the sole responsibility for the accuracy, quality, integrity, reliability and lawfulness of the School Personal Data.

1.7. The School shall promptly notify Pamoja in writing if it becomes aware of any actual or suspected breaches of or other irregularities with the Data Protection Requirements that may impact the processing of School Personal Data under this Agreement.

2. Pamoja's Obligations

2.1. General Obligations

2.1.1. Pamoja shall process School Personal Data for the sole purpose of the provision of the Services to the School and any members and shall act only in accordance with the commercially reasonable documented instructions of the School in respect of the processing of School Personal Data during the term of the Services Agreement.

2.1.2. Pamoja shall promptly notify the School if, in Pamoja’s opinion, the School’s documented data processing instructions breach the Data Protection Requirements, and Pamoja shall be entitled without penalty to suspend execution of the instructions concerned, until the School confirms such instructions in writing. Any notification by Pamoja under this clause shall not constitute legal advice and Pamoja shall not be required to perform a legal assessment of the School’s instructions. The School shall seek its own legal advice on applicable Data Protection Requirements. If and to the extent Pamoja is unable to comply with any instruction received from the School, it shall promptly notify the School accordingly.

2.1.3. The purpose of Pamoja’s processing of School Personal Data is the performance of the Services pursuant to this Addendum. The categories of data subjects and the types of School Personal Data processed under this Addendum are set out in Appendix 1 (School Personal Data).

2.1.4. Pamoja shall provide reasonable assistance to the School to ensure the School’s compliance with the Data Protection Requirements, including in case of inspection by a supervisory authority considering the nature of the processing and the information available to Pamoja.

2.1.5. Pamoja shall promptly respond to any request of the School concerning the processing of School Personal Data, and provide the School with all reasonable information, so that the School can: 

  1. inform the data subjects and respond to their requests for access, objection, rectification, restriction or deletion of School Personal Data; and/or
  2. respond to any administrative formalities concerning the processing of such personal data to the supervisory authority; and/or
  3. comply with all requests of any administrative or judicial authority regarding the processing of School Personal Data under this Agreement. 

2.1.6. Pamoja shall promptly correct any errors or inaccuracies in the School Personal Data which are notified to it either by the School or a data subject, or shall provide a means for the data subject to self-correct any errors or inaccuracies, to ensure that such School Personal Data is kept accurate and up to date in accordance with Article 5(1)(d) GDPR.

2.1.7. Pamoja shall provide reasonable assistance to the School to ensure its compliance with its obligations to maintain a record of all categories of School Personal Data processing activities. Pamoja shall record and make available such School Personal Data for a period of eighteen (18) months from the Services Agreement expiration or termination date and shall ensure that the School Personal Data records are backed up regularly throughout this period. Thereafter, Pamoja shall either delete or return all School Personal Data (including copies) to the School upon termination or expiry of the Agreement, unless required to retain any School Personal Data by applicable law or to establish, exercise or defend legal claims in accordance with Article 17(3) GDPR. 

2.2. Security

2.2.1. Pamoja shall implement appropriate technical and organisational security measures necessary for the processing of School Personal Data and Services to be performed under the Services Agreement to ensure the confidentiality and security of School Personal Data and, in particular, to prevent such School Personal Data from being distorted, damaged or communicated to unauthorised third parties, and to protect the School Personal Data against any accidental or unlawful destruction, accidental loss, alteration, dissemination and/or unauthorised access, as well as against all unlawful forms of processing. Such measures shall ensure a level of security appropriate to the risks associated with the processing, in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the varying likelihood and severity of risk to data subjects. These measures shall include, where appropriate:

  • Encryption and pseudonymisation of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.

2.2.2. In case of a personal data breach involving School Personal Data, Pamoja shall:

  1. notify the School without undue delay and where feasible not later than 72 hours after becoming aware of any confirmed or reasonably suspected personal data breach involving School Personal Data, and;
  2. take steps to remedy such personal data breach as soon as possible to minimise the impact of any personal data breach to all relevant data subjects.

2.2.3. The breach notification shall include the following (where available):

  1. A description of the nature of the personal data breach including:
    • Categories of School Personal Data concerned;
    • Approximate number of data subjects concerned;
    • Categories of School Personal Data records concerned;
    • Approximate number of School Personal Data records concerned,
  2. A description of the likely consequences of the personal data breach involving School Personal Data, and;
  3. A description of the measures taken or proposed to be taken by Pamoja to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

2.2.4. Pamoja shall document any personal data breach involving School Personal Data, comprising the facts relating to it, its effects and the remedial action taken, in accordance with Article 33(5) of the GDPR. This documentation shall be made available to the School upon reasonable request.

2.3. Access to Personal Data

2.3.1. In accordance with confidentiality obligations as defined in the Services Agreement, Pamoja shall not transfer, communicate or disclose in any manner any personal data to any third parties, except to those sub-processors and personnel required to provide the Services to the School (hereinafter the “Authorised Recipients”) for the sole purpose of performing the Services under the Services Agreement. Where Pamoja engages a sub-processor, we shall ensure that they are appointed in accordance with clause 2.4 below and subject to a written data processing agreement that meets the requirements of Article 28(3) of the GDPR.

2.3.2. Pamoja shall ensure that the Authorised Recipients process the School Personal Data only on a need-to-know basis and are subject to appropriate obligations of confidentiality and security and bound by a non-disclosure agreement equivalent in strength to those binding Pamoja under this Agreement.

2.3.3. In case of any investigation or seizure of School Personal Data by government officials, a supervisory authority or any law enforcement authority, Pamoja shall take reasonable steps to protect the confidentiality of School Personal Data in accordance with applicable law and, where feasible, shall notify the School before disclosing any such data.

2.3.4. If a Party is compelled to disclose School Personal Data by law, such Party shall promptly notify the other Party of the disclosure order to the extent legally permitted and shall cooperate with the other Party to challenge or limit the scope of the disclosure where possible.

2.4. Personal Data Transfers

2.4.1. As part of the Services, the School acknowledges that Pamoja transfers School Personal Data all over the world as part of its business operations to facilitate the provision of the Services to the School. Where Pamoja transfers personal data to a Third Country, it shall take steps to ensure that it has appropriate safeguards in place to protect the School Personal Data in accordance with Article 44 et seq. of the GDPR and other applicable Data Protection Requirements. Further information about the transfers and the basis on which those transfers are made is set out in this paragraph 2.4.

2.4.2. The School provides its prior consent to Pamoja transferring School Personal Data between its group companies in UK, USA, Taiwan and Hong Kong, and data centres in Canada, USA, Hong Kong, Singapore, Ireland, and UK. Where required by Data Protection Requirements, appropriate safeguards shall be in place to cover such transfers. Where such transfers involve a Third Country that does not benefit from an adequacy decision by the European Commission, Pamoja shall ensure that the transfer is subject to appropriate safeguards in accordance with Article 46 of the GDPR, including the use of the latest European Commission Standard Contractual Clauses (“SCCs”) and supplementary measures, as required by the EDPB following the Schrems II judgment.

2.4.3. The School provides its general authorisation for Pamoja to engage third party suppliers (each a “Sub-processor”) to process School Personal Data on Pamoja’s behalf as necessary to deliver the Services. A current summary list of Pamoja’s Sub-processors is published and kept up to date on the Pamoja website here.

2.4.4. Pamoja will review and update the list of Sub-processors on the above webpages when changes occur. The School may raise any reasonable, documented data protection concerns about a new Sub-processor by writing to Pamoja within thirty (30) days of the update. If an objection is raised, both parties will discuss in good faith to agree an appropriate way forward.

2.4.5. Pamoja will ensure that any Sub-processor it engages is bound by written terms that impose the same data protection obligations as this Addendum. Pamoja will remain fully responsible for the actions or failures of its Sub-processors as if it had carried out the processing itself.

2.4.6. Where Sub-processors are in a Third Country, Pamoja shall put in place appropriate safeguards to protect the School Personal Data and ensure that such transfers of School Personal Data are always in accordance with the Data Protection Requirements. This shall include, for EU transfers, entering into the latest SCCs adopted by the European Commission (June 2021); and for UK transfers, entering into the International Data Transfer Agreement (“IDTA”) or the UK Addendum to the SCCs, as issued by the ICO. Where a Sub-processor is in the USA, Pamoja may rely on that Sub-processor’s certification under the EU-US Data Privacy Framework (“DPF”), or UK-US extension to the DPF, as applicable.

2.5. Information Requests and Review

2.5.1. The School shall be entitled to request information and review Pamoja’s documents, processes and workflows relating to its internal Data Protection and Compliance standards and its obligations set out in this Addendum. The School shall also be entitled to request Pamoja to contribute to and allow for audits and inspections by the School or its designated independent auditor. The School may not exercise its audit right more than once in any twelve-month period, unless required by a competent data protection authority or in the event of a confirmed or suspected personal data breach. The School shall use all reasonable endeavours to ensure that the conduct of any audit does not unreasonably disrupt Pamoja or its business. Any audit by the School or its authorised agents will be limited to an audit of the School Personal Data and the processes relating to the School Personal Data and will not include any information relating to any other customer of Pamoja or any other third party. The School will be responsible for any fees or costs incurred in connection to such an audit. Any information and review requests can be directed to Pamoja’s Data Compliance Officer at data.protection@pamojaeducation.com 

3. Personal Data Processing Conditions

3.1. Pamoja’s Server locations

3.1.1. Pamoja informs the School that School Personal Data will be hosted on servers located in the following countries: Canada, USA, Hong Kong, Singapore, Ireland and UK.

3.1.2. Servers may be added or relocated in line with operational requirements, provided that such changes comply with applicable Data Protection Requirements. Pamoja will notify the School of any material changes to server locations that involve a new country not previously listed in this Addendum.

Appendix 1

School Personal Data

Categories of Data Subjects
Data Subjects include: Students, Parents/Guardians of students, Teachers, School Administrators (“Admin”) and External Advisors.

Types of School Personal Data
The School Personal Data may include the following types of data: Student First and Last Name; Student Year Level; Student Email Address; Student Password; Student ID Number; Student Gender; Student Date of Birth; Student Languages; Student Nationality; Student IBIS Personal Code; Student SEN Status; Student Activities; Student Grades; Student University List; Student Address and Telephone; Parent(s) First and Last Name; Parent(s) Email Address; Parent(s) Password; Parent(s) Phone Number; Teacher First and Last Name; Teacher Email Address; Teacher Password; Teacher Phone Number; Admin First and Last Name; Admin Role; Admin Email Address; Admin Password; Admin Phone Number; School Name; School Address; Geolocation: coarse (city-level); location data; Browser Type; Machine Model; Access Time; Referring URLs; Page Views; IP Address; Device ID; Device Type and OS.

Purposes
School Personal Data is processed by Pamoja for the following purposes:
To provide international education platforms and related services, including but not limited to:

  • curriculum planning and delivery,
  • student assessment and reporting,
  • admissions and enrolment management,
  • activities and co-curricular programme management,
  • online payments and fee processing, and
  • associated communication and administrative services for students, parents, schools, and examination boards.

Such processing is carried out solely for the performance of the Services under the Services Agreement and in accordance with applicable Data Protection Requirements.