SCHEDULE 4

Supplemental Terms for Libraries in the United Kingdom Economic Area

 

1.            Definitions and interpretation

1.1          In this Schedule:

Data means all Personal Data collected, generated or otherwise processed by Wheelers as a result of, or in connection with, the provision of the Services.

Data Subject means an individual who is the subject of Personal Data.

UKEA means the United Kingdom Economic Area.

GDPR means the General Data Protection Regulation (EU 2016/679).

Personal Data has the meaning given to it under GDPR.

Relevant Law means the laws of the United Kingdom Union or the laws of a member state of the United Kingdom Union.

Sub‑Processor has the meaning set out in paragraph 3.1 of this Schedule 4.

Supervisory Authority means any data protection authority with jurisdiction over the processing of the Data.

1.2          Terms used in this agreement have the same meaning as ascribed to them in the ePlatform Agreement unless a contrary intention is expressly stated.

2.            Data Processing

2.1          Wheelers may only process Data for the duration of the Agreement and within the scope of:

(a)      the nature and purpose of processing;

(b)      the types of Personal Data; and

(c)      the categories of Data Subject,

set out in the Annexure to this Schedule 4.

2.2          Wheelers shall process the Personal Data only in accordance with the documented instructions of the Library (including in this Agreement), unless Supplier is required to process the Data for other reasons under Relevant Law to which Wheelers is subject.  If Wheelers is required to process the Data for these other reasons, Wheelers shall inform the Library before carrying out the processing, unless prohibited by Relevant Law.

2.3          Wheelers shall immediately inform the Library if, in its opinion, an instruction from the Library infringes GDPR or other data protection provisions in Relevant Law.

2.4          Wheelers shall ensure that all persons authorised by Wheelers to process Data are bound by obligations of confidentiality.

2.5          Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Wheelers shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

(a)      the pseudonymisation and encryption of Personal Data;

(b)      the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c)      the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(d)      a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2.6          In assessing the appropriate level of security, Wheelers shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

2.7          Wheelers shall take steps to ensure that any natural person acting under the authority of Wheelers who has access to Personal Data does not process such data except within the authority from the Library referred to in paragraph 2.2 of this Schedule 4, unless he or she is required to do so by Relevant Law.

2.8         The Provider is fully GDPR (General Data Protection Regulation) compliant. Terms defined in the Data Protection Act 2018

 

3.            Sub‑Processors

3.1          Wheelers shall not engage any third party to carry out processing in connection with the Services (Sub‑Processor) without prior specific or general authorisation of the Library. In the case of general written authorisation, Wheelers shall inform the Library of any intended changes concerning the addition or replacement of other processors, thereby giving the Library the opportunity to object to such changes.

3.2          Where Wheelers engages a Sub-Processor for carrying out specific processing activities on behalf of the Library, the same data protection obligations as set out in this agreement shall be imposed on that Sub-Processor by way of a contract or other legal act under Relevant Law. Where the Sub-Processor fails to fulfil its data protection obligations, Wheelers shall remain fully liable to the Library for the performance of the Sub-Processor’s obligations.

4.            Co-operation with the Library

4.1          Taking into account the nature of the processing, Wheelers shall assist the Library by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Library’s obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of GDPR.

4.2          Wheelers shall assist the Library in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to Wheelers.

4.3          At the choice of the Library, Wheelers shall delete or return all the Personal Data to the Library after the end of the provision of Services relating to processing, and shall delete existing copies unless Relevant Law requires storage of the Personal Data.

4.4          Wheelers shall make available to the Library all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Library or another auditor mandated by the Library.

 

Annexure 

Data Processing 

Nature and Purpose of Processing 

Logging in to the Library lending platform (by Data Subjects) is managed (by Wheelers) through a variety of authentication methods including LDAP, SAML SSO, SIP2, OpenID and FTP. In a number of these cases the Library to whom Wheelers is providing Services sends Personal Data to Wheelers to enable this authentication to occur accurately.

 

Type of Personal Data to be Processed 

The Personal Data Wheelers receives on Library patrons may include: 

-          Barcode/username

-          Password

-          Year level, for restricting access of certain titles to certain age groups

-          Birthdate, if year level is not chosen by the Library

-          Name, if barcode is not chosen by the Library

-          Email (used to notify availability of a title that has been reserved)

 

Categories of Data Subject whose Personal Data will be Processed 

-          Patrons of a Library which has contracted with Wheelers to provide an eBook/Audio lending platform

-          Students at a school Library which has contracted with Wheelers to provide an eBook/Audio lending platform

-          Teachers at a school Library which has contracted with Wheelers to provide an eBook/Audio lending platform