Privacy and data protection

International Data Transfers: EU-US, UK Extension and Swiss-US Data Privacy Framework

Last updated: 26 September 2025

Pamoja Education Ltd. (“PMJ”) is committed to respecting the privacy and personal data of individuals, and to handling personal information in a secure, transparent and responsible manner. We respect the privacy rights of our students, families, employees, business partners, and other individuals whose personal data we process. PMJ seeks to collect, use, and disclose personal data only in a manner consistent with applicable data protection laws in the countries where we operate and with the highest standards of ethical business practice.

This notice explains how PMJ stores and safeguards customer data in the context of international transfers. It supplements our main Global Privacy Notice and should be read alongside it. Our Data Privacy Framework Notice (“Notice”) sets out the privacy principles PMJ follows when handling personal data transferred from the European Union (“EU”), the United Kingdom (“UK”) and Switzerland to the United States (“US”) under:

  • the EU-US Data Privacy Framework (“EU-US DPF”)
  • the UK Extension to the EU-US DPF
  • and the Swiss-US Data Privacy Framework (“Swiss-US DPF”)

PMJ has certified its adherence to these frameworks and commits to applying their privacy principles to all such personal data received from the EU, UK and Switzerland.

Data Privacy Framework (“DPF”)

The US Department of Commerce, the European Commission and the Swiss Administration have established the DPF, a set of data protection principles and associated Frequently Asked Questions, to enable US companies to provide adequate protection for personal information transferred from the EU and Switzerland to the United States. Consistent with its commitment to protecting personal privacy, PMJ adheres to the DPF Principles when transferring personal data between these countries.

PMJ complies with the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF as set out by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and United Kingdom and Switzerland to the United States. We have certified to the US Department of Commerce that we adhere to the DPF Principles. If there is any conflict between the terms in our policies and the DPF Principles, the DPF Principles shall govern. To view our certification, please visit https://www.dataprivacyframework.gov/list

Scope of the Notice

This Notice applies to all personal information received by PMJ in the United States from the European Economic Area, the United Kingdom, and Switzerland, in any format, including electronic, paper or oral.

Definitions

For the purposes of this Notice, the following definitions shall apply:

“Personal information” means any information or set of information that identifies, or is used by or on behalf of PMJ to identify, an individual. Personal information does not include information that is encoded or anonymised, or publicly available information that has not been combined with non-public personal information.

“Sensitive” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns an individual’s health. In addition, PMJ will treat as sensitive personal information any information received from a third party where that third party treats and identifies the information as sensitive.

Notice, Responsibilities and Compliance Oversight

PMJ enters into Service Agreements with its customers in the US, EU, UK and Switzerland which may include the processing and/or storage of information relating to their customers (students, parents and staff). In these agreements, PMJ’s customer agrees and recognises that it is the ‘data controller’ for the purposes of data protection legislation. This means that our US, EU, UK and Swiss customers are responsible for complying with the data protection legislation in the relevant Member State, and with US and Switzerland national law before they send their customer data to PMJ for processing and/or storage. This includes informing individuals about the choices and the means which they offer to individuals for limiting the use and disclosure of their personal data.

To exercise their rights under this principle, the individual must contact their School (PMJ’s customer), as data controller. Any data processed or stored by PMJ is only disclosed to third parties at the request and direction of its European, US and Swiss customer as the data controller, in accordance with the choices made by the individuals to whom such personal information relates, or when required by law. Any information that our EU, US and Swiss customers identify as sensitive will be treated as such.

PMJ has a Data Compliance Officer (“DCO”) who is responsible for the internal supervision of PMJ privacy policies. PMJ also has technicians to handle data security. PMJ continuously educates its employees about compliance with the UK GDPR, the Data Protection Act 2018 and the DPF Principles and has self-assessment procedures in place to ensure its compliance. PMJ also monitors developments under the DPDI Bill to ensure it remains aligned with future UK data protection requirements. 

Data Collection and Use

PMJ takes appropriate technical and organisational measures to protect personal information in its possession from loss, misuse, and unauthorised access, disclosure, alteration, or destruction.

PMJ uses the personal information it collects only for legitimate business purposes, including providing and improving its services, correcting errors, enhancing user experience, administering accounts, and (where permitted) improving its communications and marketing.

Your use of PMJ’s services (the “Service”) results in collection of audit log records, which are collected through third party solutions. These facilitate providing the Service, through web hosting companies or by using analytics providers. This allows us to monitor system and application performance, to track usage activity and to enable our support team to provide you with a professional standard of service when you have any issue.

Use of  Sub-processors

While providing the Service, we use and disclose to sub-processors the information provided to:

  1. Process account registration and enrolment;
  2. Organise curriculum, activity and assessment information
  3. Compile academic histories and formal academic records;
  4. Aggregate, collect and input details of your academic records into our system for central management;
  5. Compile your profile and the other information described above for your School.
  6. Present information to other logged-in users, where parental consent has been provided (if applicable);
  7. Monitor system performance and collect aggregate analytics;
  8. Where applicable, you or your School may also make such information available to the International Baccalaureate, which in turn may share it with qualified higher education institutions.

PMJ may also disclose personal information if necessary to:

  1. investigate, prevent, or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the physical safety of any person;
  2. respond to suspected or actual violations of our Terms of Service; or
  3. comply with legal obligations, such as responding to a subpoena or cooperating with law enforcement agencies.

All sub-processors engaged by PMJ are contractually required to process personal data only on PMJ’s documented instructions and to implement appropriate technical and organisational measures to protect the data, in accordance with the UK GDPR.

Summary list of Pamoja’s main sub-processors

Access to Personal Data

If your personal information changes, you can log in to keep it up to date by changing your profile. If you no longer wish to receive our Service or if you find that information on the platform is not accurate and you cannot update it, please inform your School in the first instance. 

If you have any questions or concerns about the handling of your personal data, or wish to exercise your data protection rights, please contact us at:
data.protection@pamojaeducation.com

We will review and respond to your enquiry as soon as reasonably possible.

Onward Transfers, Compliance and Enforcement

PMJ shall not engage another processor (“sub-processor”) to process personal data on its behalf without complying with the requirements of UK GDPR Article 28(2)-(4). Where PMJ appoints a sub-processor, PMJ shall:

  • ensure that a written contract is in place imposing data protection obligations equivalent to those set out in this Agreement;
  • remain fully liable to the Controller for the performance of that sub-processor’s obligations; and
  • be responsible for any acts or omissions of its sub-processors as if they were its own.

PMJ shall also remain liable in cases of onward transfers of personal data to any third country or international organisation, ensuring that such transfers comply with UK GDPR Chapter V. PMJ will conduct periodic compliance audits of its relevant privacy practices to verify adherence to this Policy. Any employee that PMJ determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Under certain limited circumstances, individuals may invoke binding arbitration as a last resort to resolve complaints regarding PMJ’s handling of personal data.

Pamoja’s compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF is subject to the investigatory and enforcement powers of the US Federal Trade Commission (“FTC”).

Complaints and Dispute Resolution

If you believe that PMJ is not abiding by its Privacy Notice or is not in compliance with the DPF Principles, you should first contact PMJ’s Data Compliance Officer by email. If you do not receive acknowledgment of your enquiry or your enquiry has not been satisfactorily addressed, you may invoke a binding arbitration process. Please refer to Annex I of the DPF Principles available here: https://www.dataprivacyframework.gov.

In compliance with the EU-US DPF, the UK Extension to the EU-US DPF and the Swiss-US DPF, PMJ commits to cooperate and comply with the advice of the following authorities regarding unresolved complaints about its handling of personal data received:

  • the panel established by the European Data Protection Board (EU data protection authorities, “DPAs”);
  • the Information Commissioner's Office (“ICO”) in the UK;
  • the Federal Data Protection and Information Commissioner (“FDPIC”) in Switzerland.

Contact details for these authorities are available here:
•    DPAs
•    ICO
•    FDPIC

Contacting us about your personal data  

PMJ complies with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss–US DPF as set out by the US Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, and Switzerland. If you have any questions, comments, or concerns about this Policy or if you want to access, update, correct, or delete any personal information submitted, please contact our Data Compliance Officer (“DCO”) at: data.protection@pamojaeducation.com 

Changes to this Notice

This Notice may be amended from time to time, in line with the requirements of the DPF Principles.