University Data Sharing Agreement

This University Data Sharing Agreement ("DSA") is entered into between LOPEX UNICONS LTD, trading as UNICONS, whose registered office is at 214 High Street, Second Floor, Hounslow, TW3 1HB, London, United Kingdom ("UNICONS"), and the higher education institution that has executed this DSA or confirmed its acceptance through the UNICONS administrative portal ("University").

Background. UNICONS provides education consultancy and student recruitment services and, in doing so, collects personal data from prospective students with their consent for the purpose of managing their applications to universities and other educational institutions. The University receives applications from UNICONS and requires access to prospective student personal data for the purpose of assessing and processing those applications. Both parties are independent data controllers in respect of the personal data they hold and process.

Definitions. In this DSA:

• "UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, as amended from time to time, together with the Data Protection Act 2018 ("DPA 2018"), and all associated regulations, codes of practice, and ICO guidance.
• "Personal Data", "Special Category Data", "Data Subject", "Controller", "Processor", "Processing", "Personal Data Breach", and "Data Protection Officer" shall have the meanings given to them in UK GDPR.
• "Shared Data" means the categories of personal data listed in clause 3 of this DSA.
• "Admissions Purpose" means the processing of a Prospective Student's application for admission to the University, including assessment of eligibility, offer decision, and enrolment.
• "SCCs" means the applicable Standard Contractual Clauses approved under UK GDPR for international data transfers.
• "ICO" means the Information Commissioner's Office.

2.1 UNICONS as Controller. UNICONS acts as an independent data controller in respect of all personal data it collects from Prospective Students through the UNICONS Platform and counselling process. UNICONS determines the purposes and means of processing student data for the purposes of providing education consultancy services, managing applications, and complying with its own legal and contractual obligations.

2.2 University as Controller. The University acts as an independent data controller in respect of the personal data it receives from UNICONS and any personal data it independently collects from applicants in the course of its admissions process. The University determines the purposes and means of processing applicant data for its own admissions, enrolment, and institutional purposes.

2.3 No Joint Controller Relationship. The parties are not joint controllers as defined under UK GDPR Article 26. Each party is independently responsible for ensuring that its own processing of Shared Data complies with UK GDPR and any other applicable data protection law. Each party shall maintain its own Record of Processing Activities (ROPA) as required by UK GDPR Article 30.

2.4 Data Protection Officers. Each party shall, where required by UK GDPR, appoint a Data Protection Officer and shall provide the other party with the contact details of their DPO upon request. Each party shall promptly notify the other of any change to its DPO.

2.5 Privacy Notices. UNICONS shall ensure that it provides Prospective Students with a lawful and transparent privacy notice prior to collecting their personal data, which shall include information about sharing their data with universities for admissions purposes. The University shall ensure that it provides a separate privacy notice to applicants covering its own processing of their personal data from the point of receipt.

3.1 Data Shared by UNICONS to the University. UNICONS shall share only such personal data as is strictly necessary for the University to assess and process the Prospective Student's application. The categories of Shared Data shall include:

(a) Identity and Contact Data: Student's full legal name; date of birth; gender (where provided by the student); nationality and country of birth; passport number and expiry date; home address; personal email address; telephone number.

(b) Academic and Educational Records: Previous educational qualifications (including level, awarding institution, grades, and dates); academic transcripts; degree certificates or predicted grades; details of any professional qualifications; details of any prior university study, including any periods of suspension, deferral, or withdrawal.

(c) English Language Proficiency: Results of recognised English language tests (such as IELTS, TOEFL, PTE Academic, Cambridge English, OET, or equivalent); test dates and reference numbers.

(d) Financial Evidence: Evidence of financial capacity to meet tuition fees and living costs for the duration of study (such as bank statements, scholarship award letters, or sponsor letters); details of any financial sponsorship arrangements.

(e) Supporting Documents: Personal statement or statement of purpose; academic and professional references; curriculum vitae (where required); any other documents specified by the University's admissions requirements for the relevant programme.

(f) Immigration Status (where relevant): Current immigration status in the United Kingdom or the country of intended study; details of any current or previous visa; any relevant immigration history provided voluntarily by the student and material to the University's genuine student assessment.

3.2 Data Minimisation. UNICONS shall not share more personal data than is necessary and proportionate for the Admissions Purpose. The University shall not request personal data beyond the categories listed in clause 3.1 without the prior written agreement of UNICONS and the student's explicit consent.

3.3 Special Category Data. The parties acknowledge that some supporting documents (such as medical certificates submitted in support of extenuating circumstances, or evidence of disability) may constitute Special Category Data under UK GDPR Article 9. Such data shall be shared only where the student has provided explicit consent and where sharing is strictly necessary for the Admissions Purpose. Both parties shall apply heightened care and security to any Special Category Data received.

4.1 UNICONS Legal Basis. UNICONS shall rely on the following legal bases for sharing Shared Data with the University:

(a) Consent (UK GDPR Article 6(1)(a)): UNICONS shall obtain the Prospective Student's freely given, specific, informed, and unambiguous consent to the sharing of their personal data with the University for the Admissions Purpose before submitting any Application. Consent shall be obtained through the UNICONS Platform at the point at which the student authorises the submission of their Application. Students shall be informed of their right to withdraw consent at any time, and UNICONS shall maintain records of consents given.

(b) Performance of Contract (UK GDPR Article 6(1)(b)): Where sharing is necessary for UNICONS to fulfil its contractual obligations to the student in connection with the application management services agreed between UNICONS and the student.

4.2 University Legal Basis. The University shall rely on the following legal bases for processing Shared Data:

(a) Legitimate Interests (UK GDPR Article 6(1)(f)): The University has a legitimate interest in processing applicant personal data for the purpose of conducting its admissions function, assessing applications, issuing offers, and managing enrolment. The University confirms that it has conducted and documented a Legitimate Interests Assessment (LIA) in respect of this processing.

(b) Legal Obligation (UK GDPR Article 6(1)(c)): Where processing is required to comply with the University's legal obligations, including UKVI sponsor duties.

4.3 Withdrawal of Consent. Where a Prospective Student withdraws their consent to UNICONS sharing their personal data with the University, UNICONS shall promptly notify the University, and the University shall cease processing the student's personal data to the extent that processing is no longer authorised by an alternative legal basis.

5.1 Security Obligations. Each party shall implement appropriate technical and organisational measures to protect Shared Data against unauthorised or unlawful processing, accidental loss, destruction, alteration, or disclosure, having regard to the nature of the data, the risks associated with processing, and the state of the art in data security. As a minimum, both parties shall implement the following security measures:

(a) Encryption in Transit: All Shared Data transmitted electronically shall be encrypted using industry-standard protocols (TLS 1.2 or higher) to protect data in transit between the parties' systems and via any third-party transmission services.

(b) Encryption at Rest: Shared Data stored on any server, cloud platform, or device shall be encrypted at rest using AES-256 encryption or equivalent.

(c) Access Controls: Access to Shared Data shall be restricted to individuals who require access for the purposes of performing their duties in connection with the Admissions Purpose. Both parties shall implement role-based access controls and shall maintain audit logs of access to Shared Data.

(d) Secure Portal Transmission: Where Shared Data is transferred through the UNICONS Platform or a secure admissions portal, both parties shall ensure that access to such portal is protected by multi-factor authentication (MFA) and that session security meets current NCSC guidance.

(e) Staff Training: Both parties shall ensure that all staff who access or process Shared Data receive appropriate and up-to-date data protection and information security training.

5.2 Security Review. Both parties shall carry out periodic reviews (at least annually) of their security measures and shall promptly address any identified vulnerabilities or weaknesses. Each party shall provide the other with a summary of its information security posture upon reasonable written request.

5.3 Device Security. Shared Data shall not be accessed from unmanaged or personal devices unless protected by mobile device management (MDM) software or equivalent controls. Removable media containing Shared Data shall be encrypted and tracked.

6.1 Transfers Within the UK and EEA. Where the University is located within the United Kingdom or the European Economic Area, data sharing under this DSA shall be conducted in accordance with UK GDPR without the need for additional international transfer safeguards.

6.2 Transfers to Third Countries. Where the University is located outside the United Kingdom or the European Economic Area in a country that has not received an adequacy decision from the UK Secretary of State (an "Inadequate Third Country"), UNICONS shall not transfer Shared Data to the University unless and until an appropriate transfer mechanism has been put in place in accordance with UK GDPR Chapter V, as follows:

(a) Adequacy Decision: Where the UK Secretary of State has issued an adequacy decision in respect of the country in which the University is located, UNICONS may transfer Shared Data on the basis of that adequacy decision;

(b) International Data Transfer Agreement (IDTA): Where no adequacy decision exists, the parties shall execute the UK IDTA (or equivalent Standard Contractual Clauses as approved by the ICO) before any transfer of Shared Data takes place;

(c) Transfer Risk Assessment: Before relying on SCCs or an IDTA, UNICONS shall carry out a transfer risk assessment to evaluate whether the legal framework of the destination country provides an essentially equivalent level of protection to UK GDPR, and shall implement any supplementary measures identified as necessary.

6.3 Student Notification. Where Shared Data is to be transferred to an Inadequate Third Country, UNICONS shall inform the student of this fact and of the applicable transfer mechanism in its privacy notice prior to submitting the Application.

6.4 Ongoing Monitoring. Both parties shall monitor changes to adequacy decisions and applicable transfer mechanisms and shall promptly update their arrangements to reflect any changes that affect the lawfulness of international transfers under this DSA.

7.1 UNICONS Retention. UNICONS shall retain Prospective Student personal data in accordance with its published Data Retention Policy, a copy of which shall be made available to the University upon request. UNICONS shall not retain personal data for longer than is necessary for the purposes for which it was collected, and in any event for no longer than is required by applicable law.

7.2 University Retention — Non-Enrolled Applicants. The University shall delete or anonymise personal data relating to Prospective Students who do not ultimately enrol on a programme within twelve (12) months of the date on which the University's admissions decision was communicated to the student (whether that decision was a rejection, a withdrawal, a deferral not subsequently taken up, or any other non-enrolment outcome), unless the University is required to retain such data for a longer period under a specific legal obligation. The University shall notify UNICONS if any such legal obligation applies.

7.3 University Retention — Enrolled Students. Where a Prospective Student becomes an Enrolled Student, the University may retain that student's personal data in accordance with the University's own records retention schedule applicable to enrolled students, subject to compliance with UK GDPR.

7.4 Deletion Certification. Upon request by UNICONS, the University shall provide written confirmation of the deletion or anonymisation of personal data in respect of identified non-enrolled applicants within thirty (30) days of the relevant retention period expiring.

7.5 Backup Systems. Where personal data is held in backup or archival systems, deletion shall be carried out in a manner that renders the data unrecoverable, in accordance with the University's documented backup deletion procedures. Data in backup systems shall be treated with the same security standards as live data.

8.1 Obligation to Notify. Each party shall notify the other party promptly, and in any event within twenty-four (24) hours of becoming aware of a Personal Data Breach that involves Shared Data or that may affect the rights or freedoms of Prospective Students, whether the breach occurs in its own systems or in those of any sub-processor.

8.2 Content of Notification. The breach notification shall include, to the extent known at the time: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate volume of personal data records affected; (d) the likely consequences of the breach; (e) the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects; and (f) the contact details of the party's DPO or designated data protection contact.

8.3 ICO Notification. Each party shall comply with its own obligations under UK GDPR Article 33 to notify the ICO of a Personal Data Breach within seventy-two (72) hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons. The parties shall cooperate to provide each other with information necessary to comply with their respective ICO notification obligations.

8.4 Data Subject Notification. Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of affected Data Subjects, the party responsible for the breach shall notify the affected Data Subjects without undue delay in accordance with UK GDPR Article 34, and shall promptly inform the other party of the notification and its content.

8.5 Mitigation. Each party shall take prompt action to contain, investigate, and remediate any Personal Data Breach involving Shared Data and shall cooperate fully with the other party and with regulatory authorities in any investigation or enforcement action arising from such breach.

9.1 Audit Rights. Each party shall have the right, upon not less than thirty (30) days' written notice, to audit or commission an independent third-party audit of the other party's compliance with this DSA and applicable data protection law, including inspection of data processing records, security measures, and breach response procedures. Audits shall be conducted during normal business hours, shall not unreasonably disrupt the other party's operations, and shall be conducted at the requesting party's cost unless the audit reveals a material breach, in which case costs shall be borne by the non-compliant party.

9.2 Alternative Assurance. In lieu of an audit, a party may satisfy its audit obligations by providing the other party with a copy of a relevant current third-party certification or attestation, such as ISO 27001 certification, Cyber Essentials Plus, or an independent data protection audit report, where such documentation adequately demonstrates compliance with the requirements of this DSA.

9.3 Sub-Processor Restrictions — University. The University shall not engage any sub-processor to process Shared Data without the prior written consent of UNICONS, which shall not be unreasonably withheld. The University shall ensure that any sub-processor is bound by data protection obligations at least equivalent to those set out in this DSA. The University shall remain fully liable to UNICONS for the acts and omissions of its sub-processors in relation to Shared Data.

9.4 Sub-Processor Restrictions — UNICONS. UNICONS shall not transfer Shared Data to any third-party system, platform, or service provider in a manner that grants that third party access to the University's confidential information or to data shared by the University under this DSA without the University's prior written consent. UNICONS shall maintain a register of sub-processors and shall make this available to the University upon request.

9.5 Changes to Sub-Processors. Each party shall give the other fourteen (14) days' written notice of any intended change to sub-processors involved in processing Shared Data, to enable the other party to raise any objection before the change takes effect.

10.1 Rights of Prospective Students. Prospective Students whose personal data is processed under this DSA retain all rights afforded to them by UK GDPR, including the right of access, the right to rectification, the right to erasure (subject to applicable legal bases), the right to restriction of processing, the right to data portability, and the right to object.

10.2 Handling of Rights Requests. Where either party receives a request from a Data Subject to exercise any of their UK GDPR rights in respect of Shared Data held by both parties, the receiving party shall: (a) acknowledge receipt to the Data Subject within five (5) business days; (b) promptly notify the other party of the request; and (c) cooperate with the other party to ensure that the request is fulfilled within the applicable statutory timescales (ordinarily one calendar month from receipt, extendable by a further two months for complex requests).

10.3 Complaints. Where a Prospective Student raises a complaint or concern with either party relating to the processing of their personal data under this DSA, the receiving party shall investigate and respond within statutory timescales and shall inform the other party of any complaint that may have implications for both parties' compliance.

11.1 Governing Law. This DSA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it shall be governed by and construed in accordance with UK GDPR, the Data Protection Act 2018, and the laws of England and Wales.

11.2 Regulatory Authority. The parties acknowledge the supervisory authority of the Information Commissioner's Office (ICO) in the United Kingdom and undertake to cooperate fully with the ICO in the event of any inquiry, investigation, or enforcement action relating to the processing of personal data under this DSA.

11.3 Jurisdiction. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute arising from this DSA not resolved through good faith negotiation.

11.4 Term. This DSA shall remain in force for so long as either party processes Shared Data in connection with the Partner Institution Agreement. This DSA shall survive termination of the Partner Institution Agreement for so long as either party retains any Shared Data, and shall govern the secure deletion and return of such data upon termination.

11.5 Precedence. In the event of any conflict between this DSA and the Partner Institution Agreement in respect of data protection matters, this DSA shall prevail.

11.6 Updates to Legislation. This DSA shall be deemed to incorporate any amendments required to reflect changes to applicable data protection legislation, and the parties shall cooperate to execute any necessary formal amendments within sixty (60) days of any such legislative change.

11.7 Entire Agreement on Data Sharing. This DSA constitutes the entire agreement between the parties in respect of the sharing of personal data under the UNICONS–University partnership and supersedes all prior agreements, representations, and understandings on the same subject matter.