Agent Confidentiality and Data Processing Agreement
Governs how agents must handle student personal data and confidential business information in compliance with UK GDPR Article 28, including data security, sub-processor rules, international transfer restrictions, retention obligations, and breach consequences.
1. Parties, Background, and Definitions
This Agent Confidentiality and Data Processing Agreement ("DPA") is entered into between LOPEX UNICONS LTD (trading as UNICONS), 214 High Street, Second Floor, Hounslow, TW3 1HB, London, United Kingdom ("UNICONS" or the "Controller"), and the Agent whose details are registered on the UNICONS Platform ("Agent" or the "Processor").
Background. In the course of operating as a UNICONS recruitment agent, the Agent will receive and process personal data relating to Prospective Students and Referred Students on behalf of UNICONS. UNICONS determines the purposes and means of such processing in its capacity as Data Controller. The Agent processes such data only on the documented instructions of UNICONS and in accordance with this DPA, which constitutes the written contract required by Article 28(3) of the UK GDPR.
Definitions. In this DPA:
- "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, and as supplemented by the Data Protection Act 2018.
- "Personal Data", "Data Subject", "Processing", "Personal Data Breach", "Supervisory Authority", "Controller", and "Processor" shall have the meanings given to them in the UK GDPR.
- "Student Personal Data" means the personal data of Prospective Students and Referred Students that the Agent receives from or on behalf of UNICONS for the purpose of facilitating referrals and applications through the Platform.
- "Confidential Information" means all non-public information of UNICONS disclosed to the Agent in connection with the Agent Agreement Suite, including commission schedules, partner agreements, platform credentials, business strategies, and pricing structures.
- "Sub-Processor" means any third party engaged by the Agent to carry out processing activities in respect of Student Personal Data on the Agent's behalf.
- "ICO" means the Information Commissioner's Office, the UK Supervisory Authority for data protection.
2. Scope of Processing
2.1 Categories of Student Personal Data. In connection with its referral activities, the Agent is authorised to access and process only the following categories of Student Personal Data, and only to the extent strictly necessary for the legitimate purpose of facilitating student referrals and applications:
(a) Identity Data: full name, date of birth, nationality, passport number (where submitted by the student for application purposes);
(b) Contact Data: personal email address, telephone number, residential address;
(c) Academic Data: details of prior educational qualifications, grade transcripts, English language test scores, and personal statements provided by the student;
(d) Application Status Data: the stage of the student's application within the Platform, the institutions applied to, offers received, and CAS or enrolment status;
(e) Financial Eligibility Data: evidence of financial means submitted by the student in connection with a visa or admissions application, but only where the Agent is directly facilitating that submission with the student's informed consent.
2.2 Limitation of Access. The Agent shall access Student Personal Data only to the extent necessary for the specific referral and application activities described in clause 2.1. The Agent shall not access, download, copy, or otherwise process any Student Personal Data that exceeds the minimum necessary for the stated purpose.
2.3 Purposes of Processing. The Agent is authorised to process Student Personal Data solely for the following purposes:
(a) registering and tracking referrals through the Platform;
(b) supporting students in completing their applications to Partner Institutions;
(c) communicating with students about the progress of their applications;
(d) complying with the Agent's legal obligations under Applicable Laws.
2.4 No Processing for Other Purposes. The Agent shall not process Student Personal Data for any purpose other than those described in clause 2.3 without the prior written authorisation of UNICONS. This prohibition includes using Student Personal Data for the Agent's own marketing, sharing it with competing referral networks, or combining it with data from other sources to build student profiling databases.
3. Data Processor Obligations Under UK GDPR Article 28
3.1 Processing Only on Instructions. The Agent shall process Student Personal Data only on the documented instructions of UNICONS, as set out in this DPA and in any additional written instructions communicated through the Agent Portal or by email. If the Agent is required by Applicable Laws to process Student Personal Data other than as instructed by UNICONS, the Agent shall inform UNICONS of that legal requirement before processing unless the relevant law prohibits such disclosure.
3.2 Confidentiality of Processing. The Agent shall ensure that all persons authorised to process Student Personal Data — including employees, contractors, and sub-agents — are subject to enforceable obligations of confidentiality (whether by contract or by operation of law) and receive appropriate training on data protection obligations before being granted access to Student Personal Data.
3.3 Security Measures. The Agent shall implement and maintain appropriate technical and organisational security measures to protect Student Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, having regard to the state of the art, the costs of implementation, the nature of the data, and the risks presented by the processing. Such measures shall include, as a minimum:
(a) encryption of Student Personal Data at rest and in transit using industry-standard protocols (AES-256 or equivalent);
(b) role-based access controls ensuring that only personnel who require access to Student Personal Data for the purposes described in clause 2.3 are granted access;
(c) password policies requiring strong, unique passwords and multi-factor authentication for systems containing Student Personal Data;
(d) regular security assessments and vulnerability scanning of systems used to process Student Personal Data;
(e) documented procedures for securely disposing of Student Personal Data when it is no longer required.
3.4 Assistance with Data Subject Rights. Taking into account the nature of the processing and the information available to the Agent, the Agent shall provide reasonable assistance to UNICONS in fulfilling UNICONS' obligations to respond to requests from Data Subjects exercising their rights under UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). The Agent shall notify UNICONS immediately — and in any event within three (3) business days — if the Agent receives any such request directly from a Data Subject.
3.5 Assistance with Compliance Obligations. The Agent shall provide reasonable assistance to UNICONS in ensuring compliance with UNICONS' obligations in relation to data security, data breach notification, data protection impact assessments, and prior consultation with the ICO, taking into account the nature of the processing and the information available to the Agent.
4. Personal Data Breach Notification
4.1 Notification Obligation. The Agent shall notify UNICONS without undue delay, and in any event within twenty-four (24) hours of the Agent becoming aware of a Personal Data Breach involving Student Personal Data. Notification shall be made in writing to enquiry@unicons.co.uk, marked for the attention of the Data Protection Lead.
4.2 Content of Notification. The breach notification must include, to the extent available at the time of notification:
(a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of personal data records concerned;
(b) the name and contact details of the Agent's data protection lead or other relevant contact;
(c) a description of the likely consequences of the Personal Data Breach;
(d) a description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
4.3 Cooperation. The Agent shall cooperate fully with UNICONS in investigating, containing, and remedying any Personal Data Breach, and shall take all reasonable steps to mitigate the effects of the breach and to prevent recurrence.
4.4 No Unauthorised Disclosure. The Agent shall not notify any Data Subject, regulatory authority, law enforcement body, or other third party of a Personal Data Breach involving Student Personal Data without the prior written consent of UNICONS, unless the Agent is required to do so by Applicable Laws, in which case the Agent shall, to the extent permitted by law, inform UNICONS in advance.
5. Sub-Processor Restrictions
5.1 Prior Written Consent Required. The Agent shall not engage any Sub-Processor to carry out processing of Student Personal Data on UNICONS' behalf without the prior specific or general written authorisation of UNICONS.
5.2 Sub-Processor Obligations. Where UNICONS authorises the engagement of a Sub-Processor, the Agent shall:
(a) carry out appropriate due diligence on the Sub-Processor's data protection practices before engagement;
(b) enter into a written data processing agreement with the Sub-Processor that imposes data protection obligations equivalent to those set out in this DPA;
(c) remain fully liable to UNICONS for the Sub-Processor's performance of its data protection obligations.
5.3 List of Sub-Processors. Upon UNICONS' request, the Agent shall provide a current list of all Sub-Processors engaged in connection with the processing of Student Personal Data under this DPA.
5.4 Changes to Sub-Processors. The Agent shall give UNICONS reasonable prior written notice of any intended addition to or replacement of Sub-Processors involved in the processing of Student Personal Data. UNICONS reserves the right to object to such changes on reasonable data protection grounds.
6. International Data Transfers
6.1 Prohibition on Unrestricted International Transfers. The Agent shall not transfer or permit the transfer of Student Personal Data to any country or territory outside the United Kingdom, or make Student Personal Data accessible to persons located outside the United Kingdom, without UNICONS' prior written consent and the implementation of appropriate safeguards as required by UK GDPR Chapter V.
6.2 Appropriate Safeguards. Where UNICONS grants consent to an international transfer, the Agent shall ensure that one of the following appropriate safeguards is in place before any transfer is made:
(a) a UK adequacy decision in respect of the destination country, issued by the Secretary of State under the Data Protection Act 2018;
(b) International Data Transfer Agreements (IDTAs) approved for use under UK GDPR, executed between the Agent and each recipient in the destination country;
(c) binding corporate rules approved by the ICO, where applicable;
(d) any other mechanism permitted under UK GDPR Chapter V as recognised by the ICO.
6.3 Agent's Responsibility. The Agent is solely responsible for ensuring the validity and enforceability of any transfer mechanism it relies upon. The Agent shall notify UNICONS immediately if any transfer mechanism ceases to be valid or adequate.
6.4 Particular Caution in High-Risk Jurisdictions. The Agent shall apply additional diligence before transferring Student Personal Data to jurisdictions identified by the ICO or the UK Government as presenting elevated privacy risks, and shall seek UNICONS' specific written approval for any transfer to such jurisdictions.
7. Data Retention and Deletion
7.1 Retention Period. The Agent shall retain Student Personal Data only for as long as is necessary for the purposes set out in clause 2.3 and in any event for no longer than:
(a) six (6) years from the date of the last interaction with the relevant student in connection with a UNICONS-facilitated referral; or
(b) such shorter period as UNICONS specifies in writing; or
(c) such longer period as is required by Applicable Laws, provided the Agent notifies UNICONS of the legal basis for the extended retention.
7.2 Deletion on Termination. Upon termination or expiry of the Agent's registration — for whatever reason — the Agent shall, within thirty (30) calendar days:
(a) securely delete or destroy all Student Personal Data held in electronic or digital form, in a manner that renders it unrecoverable;
(b) securely destroy all physical documents containing Student Personal Data; and
(c) provide UNICONS with a written certificate of deletion confirming compliance with this clause.
7.3 Exception for Legal Hold. Where the Agent is required by law to retain certain Student Personal Data beyond the period specified in clause 7.1, the Agent shall notify UNICONS in writing before the scheduled deletion date, identifying the specific data to be retained, the legal basis, and the expected retention period. Such data shall be stored securely and isolated from other data processing activities, and shall be deleted as soon as the legal obligation expires.
7.4 Return of Data. Upon UNICONS' written request, the Agent shall promptly return to UNICONS (in a structured, commonly used, and machine-readable format) any or all Student Personal Data held by the Agent, prior to deletion. UNICONS may elect to request return in lieu of deletion, except where Applicable Laws require continued retention by the Agent.
8. UNICONS' Audit Rights
8.1 Audit and Inspection. UNICONS (and its authorised representatives) shall have the right, on reasonable prior written notice of not less than five (5) business days (or without notice where UNICONS has reasonable grounds to suspect a material data protection breach or non-compliance), to:
(a) audit the Agent's data processing practices, technical and organisational security measures, and compliance with this DPA;
(b) inspect premises, systems, and records used to process Student Personal Data;
(c) interview relevant personnel of the Agent.
8.2 Cooperation. The Agent shall cooperate fully with any audit or inspection under clause 8.1, and shall make available all information, documentation, and personnel reasonably required by UNICONS for the purposes of the audit.
8.3 Third-Party Audits. The Agent shall, where requested by UNICONS, arrange for an independent third-party auditor to conduct a data protection audit and provide the results to UNICONS. The cost of such third-party audits shall be shared equally between the parties, except where a material breach is identified, in which case the full cost shall be borne by the Agent.
8.4 Audit Findings. Where an audit reveals a material deficiency in the Agent's compliance with this DPA, the Agent shall prepare and implement a written remediation plan within thirty (30) days of the audit findings being communicated to the Agent, subject to UNICONS' reasonable approval.
9. Confidentiality of Business Information
9.1 Scope of Confidential Information. In addition to its obligations with respect to Student Personal Data, the Agent acknowledges that it will have access to Confidential Information of UNICONS during the course of its engagement, including:
(a) commission schedules, rate cards, and payment terms;
(b) partner institution agreements, commercial terms, and relationship details;
(c) Platform access credentials, system architecture, and technical specifications;
(d) UNICONS' marketing strategies, product roadmaps, and business development plans;
(e) UNICONS' internal policies, procedures, and compliance frameworks.
9.2 Confidentiality Obligations. The Agent shall:
(a) keep all Confidential Information strictly confidential and not disclose it to any third party without UNICONS' prior written consent;
(b) use Confidential Information solely for the purpose of performing its obligations under the Agent Agreement Suite;
(c) restrict access to Confidential Information to those of its personnel who have a genuine need to know for the purpose of the engagement and who are bound by equivalent confidentiality obligations;
(d) promptly notify UNICONS of any actual or suspected unauthorised disclosure of Confidential Information.
9.3 Exceptions. The obligations in clause 9.2 do not apply to information that: (a) is or becomes publicly known other than through the Agent's breach of this clause; (b) was in the Agent's possession before it was disclosed by UNICONS, free of any obligation of confidence; (c) the Agent is required to disclose by law or by order of a court of competent jurisdiction, provided the Agent gives UNICONS as much prior notice as possible and cooperates with any application by UNICONS to seek a protective order.
9.4 Survival. The confidentiality obligations in this clause 9 shall survive termination or expiry of the Agent's registration for a period of five (5) years.
10. Breach Consequences and Indemnity
10.1 Material Breach. A breach by the Agent of any obligation in this DPA — including any unauthorised disclosure of Student Personal Data, failure to notify a Personal Data Breach, unauthorised international transfer, failure to implement required security measures, or misuse of Confidential Information — shall constitute a material breach of the Agent Agreement Suite and may result in immediate termination of the Agent's registration in accordance with the Agent Registration Agreement.
10.2 Regulatory Consequences. The Agent acknowledges that breaches of UK GDPR obligations can give rise to regulatory action by the ICO, including fines of up to £17.5 million or 4% of global annual turnover (whichever is higher). UNICONS shall not be liable for any regulatory fines or penalties arising from the Agent's failure to comply with its obligations as a Processor under this DPA.
10.3 Indemnity. The Agent shall indemnify, defend, and hold harmless UNICONS and its officers, directors, employees, and affiliates against all losses, damages, costs, expenses (including reasonable legal fees), regulatory fines, and third-party claims arising out of or in connection with:
(a) any breach by the Agent of its obligations as a Processor under this DPA or UK GDPR;
(b) any unauthorised processing, disclosure, loss, or destruction of Student Personal Data by the Agent or any Sub-Processor;
(c) any breach of the confidentiality obligations in clause 9.
10.4 Limitation. The indemnity in clause 10.3 shall not apply to the extent that a loss is caused by UNICONS' own negligence, fraud, or wilful misconduct.
10.5 Governing Law and Jurisdiction. This DPA and any dispute or claim (including non-contractual disputes) arising out of or in connection with it shall be governed by and construed in accordance with the law of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
10.6 ICO Registration. The Agent is solely responsible for assessing whether its own data processing activities require it to register with the ICO and for maintaining any required registration throughout the term of its engagement as a UNICONS Agent.
10.7 Entire Agreement on Data Processing. This DPA, together with the Agent Registration Agreement, constitutes the complete agreement between the parties with respect to the processing of Student Personal Data and supersedes all prior representations, discussions, and agreements on that subject. In the event of any conflict between this DPA and any other document in the Agent Agreement Suite on a data processing matter, this DPA shall prevail.
