Eudaiton Education 

Data Protection and Security

1) The terms "data controller", "data processor", "data subject", "personal data", "process", "processing", "transfer" and "appropriate technical and organisational measures" shall be interpreted in accordance with the applicable Data Protection Laws. "Client Personal data" shall mean any personal data in relation to which Client is data controller.

2) The parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing personal data in connection with this Agreement.

3) Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.

4) The parties acknowledge and agree that the Tutor may process Client Personal Data in the course of providing the Tuition Services.  As such and to the extent the Tutor receives from, or processes any Personal Data on behalf of the Client, the Tutor shall in relation to any such Personal Data so received or processed:

a. process such Personal Data (i) only in accordance with the relevant data controller's written instructions from time to time (including those set out in this Agreement), unless it is otherwise required by applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, the Tutor shall notify the data controller of the relevant legal requirement before processing the personal data) and (ii) only for the duration of this Agreement;

b. not process such personal data for any purpose other than expressly authorised by the relevant data controller;

c. take reasonable steps to ensure the reliability of all its personnel who have access to such personal data, and ensure that any such personnel are committed to binding obligations of confidentiality when processing such personal data;

d. implement and maintain technical and organisational measures and procedures to ensure an appropriate level of security for such personal data, including protecting  such personal data against the risks of accidental, unlawful or unauthorised destruction, loss, alteration, disclosure, dissemination or access; 

e. not transfer, access or process such personal data outside the UK or the European Economic Area without the prior written consent of the relevant data controller (and, if the relevant data controller so consents, take such steps as are required by the relevant data controller to ensure that the relevant transfer, access or processing complies with the Data Protection Laws);

f. inform the relevant data controller within 24 hours if any such personal data is (while within the Tutor's possession or control) subject to a personal data breach (as defined in Article 4 of GDPR) or is lost or destroyed or becomes damaged, corrupted or unusable;

g. only appoint a third party (including any subcontractors) to process such personal data with the prior written consent of the relevant data controller, and notwithstanding any such appointment the Tutor shall be liable for the acts and omissions of any such third party as if they were the acts and omissions of the Tutor;

h. not disclose any personal data to any data subject or to a third party other than at the written request of the relevant data controller or as expressly provided for in this Agreement;

i. as the relevant data controller so directs, return or irretrievably delete all personal data on termination or expiry of this Agreement, and not make any further use of such personal data (except to the extent applicable law requires continued storage of the personal data by the Tutor, and the Tutor has notified the other party accordingly, in which case the provisions of this paragraph 4(i) shall continue to apply to such personal data);

j. provide to the relevant data controller and any DP Regulator all information and assistance necessary or desirable to demonstrate or ensure compliance with the obligations in this paragraph 4(i) and/or the Data Protection Laws;

k. permit the relevant data controller's representatives to access any relevant premises, personnel or records of the Tutor on reasonable notice to audit and otherwise verify compliance with this Schedule 3 (Data protection and security); 

l. take such steps as are reasonably required to assist the relevant data controller in ensuring compliance with its obligations under Articles 30 to 36 (inclusive) of GDPR; 

m. notify the relevant data controller within 2 Business Days if it receives a request from a data subject to exercise its rights under the Data Protection Laws in relation to that person's personal data; and

n. provide the relevant data controller with its full co-operation and assistance in relation to any request made by a data subject to exercise its rights under the Data Protection Laws in relation to that person's personal data.

5) To the extent that the Tutor processes Personal Data on behalf of the Client, the Tutor shall, when requested to do so by the Client or the Company, enter into legally binding data processing obligations which reflect the obligations set out in paragraph 4 of this Schedule 3 (Data protection and security).

6) If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of personal data by the other party or to either party's compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with reasonable co-operation and assistance in relation to any such complaint, notice or communication.

7) Each party shall without undue delay (and in any event within 24 hours) after discovering any security breach notify the other of the same (including full details of the security breach and its consequences, to the extent known) and will co-operate with the other in respect of the security breach. Unless required by any Data Protection Laws not make any notifications to any applicable regulator or data subjects about the security breach without the data controller's prior written consent (not to be unreasonably withheld or delayed).

8) The Tutor shall do nothing to place the Client/the Company in breach of Data Protection Laws.

9) The Tutor acknowledges and agrees that where processes the Client Personal Data, the Client's data processing policies shall apply to such processing.

10) If you have any questions or concerns about this Policy or our data practices, or if you wish to exercise your data subject rights, please contact us at:

Eudaiton Education 

Office 1, Izabella House

24-26 Regent Place, City Centre

Birmingham B1 3NJ

admin@eudaitoneducation.co.uk

07831553354

Last updated: April 2026