Data Protection Policy

  1. In this Policy:
  1. Terms not defined in this Policy shall unless the context clearly requires otherwise have the meaning given them in the Agreement.
  2. The terms ‘personal data’, ‘data subject’, ‘processor’, ‘controller’, ‘processing’, ‘personal data breach’, ‘pseudonymisation’, ‘special categories of data’, and ‘supervisory authority’ have the meanings set out in Article 4 of the GDPR.
  3. The following words and phrases will have the following meanings:



The Spongy Elephant Training Platform Subscription Agreement concluded between Spongy Elephant Limited and the Customer, a template of which is located at

Customer Personal Data

Personal Data relating to citizens of any country of the European Union or the United Kingdom, received by SE from or on behalf of the Customer in connection with the performance of the Services.

Data Protection Law

all applicable legislation protecting the fundamental rights and freedoms of individuals in relation to their Personal Data and right to privacy as applicable to SE, the Customer, and/or the Services, (including the GDPR and/or any corresponding or equivalent national laws or regulations in the United Kingdom) as amended and updated from time to time.

Data Protection Losses

means all liabilities, including all:

costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);

to the extent permitted by Data Protection Law, all administrative fines, penalties, sanctions, liabilities or other remedies imposed by a supervisory authority, as well as any compensation which must be paid to a Data Subject by order of a supervisory authority.


the General Data Protection Regulation (2016/679), and ‘Articles’ refers to the articles of the GDPR.


the Services supplied to the Customer pursuant to the Agreement.

  1. The Customer agrees that:
  1. all Customer Personal Data provided for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Law;
  2. it is satisfied that SE has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Law.
  1. SE will only process Customer Personal Data on the Customer’s documented instructions and in full compliance with the Agreement, this Policy and any obligations imposed on SE by Data Protection Law.
  2. SE shall inform the Customer if it becomes aware of a processing instruction that, in the opinion of SE, infringes Data Protection Law, provided that to the maximum extent permitted by Data Protection Law, SE shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer’s processing instructions following the Customer’s receipt of that information, including Data Protection Losses.
  3. The processing of Customer Personal Data to be carried out by SE under this Policy shall comprise the processing set out in Annex 1 (Data Processing Details).
  4. SE acknowledges that Customer Personal Data constitutes confidential information of the Customer.
  5. Taking into account the nature of the processing and the information available to it, SE will provide the Customer with such information and assistance as the Customer reasonably requires (at SE’s standard rates for such assistance as are then in force) in order to:
  1. carry out any relevant privacy impact assessment (under Article 35); and/or
  2. consult with a supervisory authority prior to processing (under Article 36).
  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as risks to the rights and freedoms of natural persons, SE will implement and maintain technical and organisational measures to ensure a level of security appropriate to those risks, including the following (as appropriate):
  1. preserving the ongoing confidentiality, integrity, availability and resilience of processing systems and Services;
  2. preserving the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  3. a process for regularly testing, assessing and evaluating the effectiveness of those security measures.
  1. In assessing the appropriate level of security to be taken under paragraph 3.1, SE will take account of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed.
  2. SE will ensure that persons (including those of its employees) with access to Customer Personal Data are made aware of their data protection and security obligations and do not process Customer Personal Data except in accordance with this policy.
  1. Subject to the remaining provisions of this paragraph 4, the Customer agrees that SE may engage another processor at its discretion. Where SE does so, it shall inform the Customer of any intended changes concerning the addition or replacement of other processors and allow the Customer a reasonable opportunity to object to such changes.
  2. If SE engages another processor to carry out specific processing activities on behalf of the Customer, SE will ensure that the other processor:
  1. only does so on the same terms as those imposed under this Policy; and
  2. provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR (including the requirements relating to security, integrity and confidentiality); and
  3. where that other processor fails to fulfil its data protection obligations, SE shall remain fully liable to the Customer for the performance of those obligations.
  1. If a data subject makes a request relating to the exercise of his or her legal rights in relation to Customer Personal Data, SE will provide the Customer with any assistance reasonably required by the Customer (at SE’s standard rates for such assistance as are then in force), including any required in order to:
  1. respond to such a request;
  2. erase personal data in accordance with the data subject’s right to erasure;
  3. allow the data subject to exercise his or her right to restrict processing;
  4. notify any persons who have received Customer Personal Data about any rectification, erasure or restriction of processing which has taken place at the request of a data subject;
  5. provide the data subject with a copy of his or her personal data in a structured and common electronic format; or
  6. give effect to the data subject’s rights (under Articles 21 and 22) to object to profiling, automated decision-making and to cease processing for direct marketing purposes.
  1. Any information and assistance SE provide under paragraph 5.1 of this Policy will be given without undue delay and in such time as the Customer reasonably requires in order for it to comply with its obligations under Data Protection Law.
  2. SE will also cooperate with any requests by a supervisory authority.
  1. If SE becomes aware of a personal data breach relating to Customer Personal Data, SE shall:
  1. notify the Customer as soon as reasonably practicable upon becoming aware of the breach, describing the nature of the breach, including where possible:
  1. the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
  2. the name and contact details of the SE contact from whom more information can be obtained;
  3. to the extent possible, details of the likely consequences of the personal data breach; and
  4. measures SE has taken or proposes to take to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effect.
  1. provide the Customer with such information and assistance as it reasonably requires in relation to the personal data breach (including in relation to action to remedy or mitigate the breach); and
  2. document the personal data breach and any related action taken by SE.
  1. After completing the processing of Customer Personal Data, SE will (at the Customer’s option) delete or return Customer Personal Data, save to the extent SE is required to store any copies thereof to comply with any applicable law.
  1. SE will maintain a written record (which it shall make available to the supervisory authority on request) of all categories of processing activities carried out on behalf of the Customer, containing:
  1. the names, contact details and (where applicable) data protection officer details for the Customer, SE and any other processors SE appoints;
  2. the categories of processing carried out on behalf of the Customer;
  3. where applicable, details of transfers of personal data to a third country or an international organisation, including details of that country or organisation and the documentation of suitable safeguards; and
  4. a description of the technical and organisational security measures referred to in paragraph 3.1 of this Policy.
  1. SE will not transfer personal data to a country or international organisation unless the Customer has consented to the transfer and:
  1. the EU Commission has decided that that country or organisation ensures adequate protection under Article 45;
  2. appropriate safeguards are in place (as set out in Article 46); or
  3. one or more of the derogations in Article 49 applies
  1. The Customer shall indemnify and keep SE indemnified in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by SE arising from or in connection with any:
  1. non-compliance by the Customer with Data Protection Law;
  2. processing carried out by SE pursuant to any processing instruction that infringes any Data Protection Law;
  3. breach by the Customer of any of the obligations included in this Policy, save to the extent that SE is liable for the same under clause 10.2 below.
  1. SE shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Policy:
  1. only to the extent caused by the processing of personal data under this Policy and directly resulting from a breach of it;
  2. in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Policy by the Customer.
  3. For the avoidance of doubt, the liability cap and limitations and exclusions of liability in the Agreement apply so as to limit and exclude the liability of SE under this clause.
  1. If a party receives a compensation claim relating to the processing of personal data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
  1. make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
  2. consult fully with the other party in relation to any such action.
  1. The parties agree that the Customer shall not be entitled to claim back from SE any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify SE in accordance with clause 10.1.

Annex 1

Data Subjects

The personal data stored concerns the following categories of data subjects:

  1. Staff: Past, present and future employees of the Customer (or of an Educational Establishment on whose behalf the Customer has contracted) including (without limitation) volunteers, agents, contractors, temporary and casual workers, pensioners and their families.
  2. Advisors, consultants and other professional experts;
  3. Students and pupils; and
  4. Parents.

Categories of Data

The following categories of personal data are stored and processed:

  1. General details:

Name, date of birth, address, phone number, e-mail address,

  1. Employment Details

job description, grade, Educational Establishment, region and cost centre.

Categories of Data (if applicable)

The following special categories of data may be stored and processed:

  1. Membership or otherwise of a trade union

The personal data transferred will be subject to the following basic processing activities:

  1. Storage

Storage of Customer Personal Data by SE as part of the Services, including the relocation of such data between servers or locations for load balancing, failover or other technical reasons.

  1. Access/retrieval

Access to, and retrieval of, the Customer Personal Data by the Customer or its clients.

  1. Operations carried out by the Customer or its clients

Processing operations carried out on the Customer Personal Data by the Customer, acting as the data controller. These processing operations may include retrieval of Customer Personal Data, and analysis thereof in order to establish patterns/gaps in the training offered to staff and monitor the progress of staff training.