Covenant Digital Educational Resources and Privacy 3.0

Covenant on the protection of personal data and guarantees for the careful handling of Personal Data processed in the context of the use of Digital Educational Resources by Educational Institutions, including the use of digital educational resources, tests,
administration and information systems.

The Covenant initiators:

  • the Association PO-Council
  • the association VO council
  • the association MBO Council
  • the association GEU
  • the Association of Digital Education Service Providers
  • members of the educational section of the Cooperative Koninklijke Coöperatieve Koninklijke Bookseller’s Association U.A., who have signed the covenant as initiator;

consider that:

  1. Educational institutions in primary and secondary education and secondary vocational education are increasingly using Digital Educational Resources for the organization and provision of education, including digital products or services for the benefit of education (process), such as learning resources, tests, student administration systems, core registration system, student information system, participant administrations, electronic learning environments and student tracking systems;
  2. the use of these Digital Educational Resources has major advantages. It makes it possible to offer tailor-made education to pupils and students: a wish that is increasingly shared in the Netherlands;
  3. condition for the use of Digital Educational Resources is that clear agreements are made about the Processing of Personal Data. Pupils in primary and secondary education in particular are a vulnerable group with regard to the protection of Personal Data. It is therefore important that educational institutions make good agreements with all parties (suppliers and providers) that process personal data for the educational institutions in this context about arranging and safeguarding privacy;
  4. for the purpose of this condition in the Covenant, agreements are laid down between the PO Council, VO Council, MBO Council and the members of the sector organizations of providers of learning materials, tests and educational services (GEU), suppliers of services and systems in education. ICT (Association of Digital Education Service Providers), and school suppliers / distributors (educational section of the Royal Booksellers’ Union);
  5. The starting point for these agreements is that the Educational Institutions have and keep control over the (Processing of) Personal Data and determine to whom the data may be provided. The Educational Institutions are the Data Controllers for the Processing of Personal Data within the meaning of the Agreement;
  6. The Digital Educational Resources and Privacy 2.0 Covenant from 2016 requires adjustment in connection with the entry into force of the European General Data Protection Regulation on 25 May 2018, and in connection with the connection of the MBO sector to the Covenant, which adjustments have been included in this Digital Educational Resources and Privacy 3.0 Covenant, which replaces the previously established covenants;
  7. The Covenant is accompanied by an explanation with explanations and examples for clarification;

and wish to record the following agreements:

Article 1: Definitions
In the Covenant and its annexes are understood by:

  1. Data Subject, Disclosure, Processor, Third Party, Personal Data, Processing of Personal Data, Disclosure, and Controller: the terms as defined in the GDPR;
  2. Attachment (s): attachment (s) to the Covenant or the Processor Agreement;
  3. Covenant: the Digital Educational Resources and Privacy 3.0 Covenant;
  4. Covenant Party: an Educational Institution or Supplier that has entered into the Covenant;
  5. Data breach: a breach in connection with personal data, as referred to in Article 4 sub 12 AVG;
  6. Digital Education Resources: Learning resources and tests, and School and Pupil information resources;
  7. Initiators: parties who are the initiators of the Agreement as included in the preamble of the Covenant;
  8. Chain iD: a pseudonym of a personal number of an Education Participant that makes the Education Participant no longer directly identifiable. After this, that pseudonym is re-encrypted into the Chain iD, which is used for identification purposes for accessing and using Digital Educational Resources. The Chain iD is also called ECK iD;
  9. Teaching Tools and Tests: digital product and / or digital service consisting of teaching material and / or tests and the related digital services, aimed at teaching learning situations, for the purpose of teaching by or on behalf of educational institutions;
  10. Supplier: supplier of a Digital Educational resource, such as a distributor, publisher or supplier of an administration system;
  11. Model Processor Agreement: the model for a processor agreement that is included as an appendix to the Agreement;
  12. Education participant: education participant in primary education, secondary education or secondary vocational education;
  13. Platform: the platform as referred to in Article 8 of the Covenant, currently known as Edu-K;
  14. Privacy leaflet: one or more privacy leaflet (s) as included in Appendix 1 to the Model Processor Agreement, which apply to (the use of) the Digital Educational Resources offered;
  15. Product and Services Agreement: the agreement between the Education Institution and Processor, as described in consideration a of the Model Processor Agreement, or the agreement between an Education Participant and Supplier for the product or service as described in consideration a of the Model Processor Agreement;
  16. Regulations: the regulations as referred to in Article 8 paragraph 4 of the Covenant;
  17. School and Pupil Information Resources: a digital product and / or digital services for the purpose of education (process), such as a student administration system, core registration system, student information system, participant administration, timetable system, parent portal, student and parent communication system, dashboards and quality management systems insofar as they contain Personal Data of Education Participants, an electronic learning environment and a student tracking system;
  18. Standard attribute set: the additional standardized Personal Data of Education Participants established by the Platform that can be used in addition to the Chain iD for access to and use of Digital Educational Resources (as published on the Platform’s website);
  19. Sub-processor: the party engaged by Processor as Processor for the Processing of Personal Data in the context of the Model Processor Agreement and the Product and Services Agreement;
  20. GDPR: the General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95 / 46 / EC).

Article 2: Purpose and scope of the Covenant

  1. The aim of the Covenant is to create guarantees for the careful handling of Personal Data by Educational Institutions and Suppliers that are Processed in the context of the use of Digital Educational Resources.
  2. The scope of the Covenant extends to the Processing of Personal Data by or on behalf of Educational Institutions in the context of the use of Digital Educational Resources.
  3. The Agreement does not apply to any Processing Operations for which the Suppliers themselves are the Controller.

Article 3: Division of roles

  1. For Processing of Personal Data within the meaning of the Agreement, the Educational Institution is the Controller and the Supplier is the Processor. The Educational Institution has and maintains independent control over the purpose and means of the Processing of Personal Data.
  2. The Supplier will ensure that the Educational Institution is informed (in advance) of the services it provides in relation to the Processing.
  3. Parties to the Agreement and Initiators consider it of great importance, and in that context, encourage educational institutions and suppliers to be aware of and comply with obligations under the GDPR.
  4. The PO Council, VO Council and MBO Council will support educational institutions with questions about the interpretation of the Covenant and the Model Processor Agreement.

Article 4: Processor agreement

  1. The Model Processing Agreement is included as an appendix to the Agreement.
  2. Educational institutions and Suppliers make use of the Model Processing Agreement in agreements on Digital Educational Resources whereby Personal Data is Processed. The contents of the Model Processing Agreement can only be deviated from between these parties in writing and with reasons.
  3. For the purpose of implementing the agreement in the second paragraph of this article, Initiators will encourage, among other things through information and support, that the Model Processing Agreement is used when making agreements between Educational Institutions and Suppliers.
  4. In the processor agreement that is concluded between the Educational Institution and Suppliers, at least agreements are made as included in Article 28 of the GDPR, as well as on the following subjects:
    • nature and purposes of the Processing of Personal Data as permitted in Article 5 of the Agreement;
    • the division of roles agreed between the parties;
    • engaging Sub-processors;
    • the conditions for transferring data to countries and international organizations
    • outside the EEA;
    • the method of handling incidents, including data leaks;
    • the procedure related to the rights of the Data Subjects;
    • the disclosures regarding the Processing of Personal Data in
    • in the context of the use of Digital Educational Resources at the Educational Institution
    • also for the benefit of Education participants and parents;
    • overview regarding security policy and the measures to be taken
    • security measures, including the use of the security standards and guidelines discussed in the Platform.

Article 5: Purposes of the Processing in the context of the Agreement

  1. The Processing of Personal Data with the aid of Learning Resources and Tests takes place for the benefit of:
    1. providing and following education and guiding and following Education participants using the Digital Educational Resources, including:
      • the storage of learning and test results;
      • the receipt by the educational institution of learning and test results;
      • the assessment of learning and test results in order to learn material and test material
      • that is tailored to the specific learning needs of a
      • Education participant;
      • analysis and interpretation of learning outcomes;
      • being able to exchange learning and test results between Digital Educational resources.
    2.  the delivery / use of Digital Educational Resources in accordance with the agreements made between the Educational Institution and the Supplier;
    3. gaining access to the Digital Educational Resources offered and external information systems, including identification, authentication and authorization;
    4. the security, control and prevention of abuse and improper use and the prevention of inconsistency and unreliability in the Personal Data Processed with the help of the Digital Educational Resource;
    5. the continuity and proper functioning of the Digital Educational Resources in accordance with the agreements made between the Educational Institution and the Supplier, including having maintenance carried out, making a backup, making improvements after errors or inaccuracies have been identified and support;
    6. research and analysis based on strict conditions, comparable to existing codes of conduct in the field of research and statistics, for the purpose of (optimizing the) learning process or the policy of the educational institution;
    7. the ability of the Educational Institution to make fully anonymised Personal Data
      available for research and analysis purposes in order to improve the quality of education;
    8. making Personal Data available to the extent necessary to be able to comply with the legal requirements set for Digital Educational Resources;
    9. the implementation or application of another law.
  2. The Processing of Personal Data with the help of School and Pupil Information Systems takes place for the purposes of:
    1. the organization, the provision and follow-up of education, the supervision and monitoring of Education participants or the provision of school and study advice, including:
      • the layout and adaptation of schedules;
      • the analysis and interpretation of learning outcomes;
      • keeping a record of the personal (including medical) circumstances of a
      • Participant in education and the consequences thereof for following education;
      • Covenant Digital Educational Resources and Privacy – Version 3.0 – March 2018 Page 5 of 20
      • guiding and supporting teachers and other employees within the Educational Institution;
      • communication with Education participants and parents and employees of the educational institution;
      • financial management;
      • monitoring and accountability, in particular for: (performance) measurements
      • of the educational institution, quality assurance, satisfaction survey, effectiveness survey of education (form) or the support offered to Education participants with appropriate education;
      • handling disputes.
      • Exchanging Personal Data with Third Parties, including:
        • supervisory authorities and healthcare institutions in the context of the performance of their (legal) task;
        • partnerships in the context of appropriate education, regional transitions;
        • parties involved in the implementation of internships or learning / workplaces insofar as necessary and permitted by law;
        • Educational institutions in the event of transfer between educational institutions and in further education.
    2.  the delivery / use of Digital Educational Resources in accordance with the agreements made between the Educational Institution and the Supplier;
    3. gaining access to the Digital Educational Resources offered and external information systems, including identification, authentication and authorization;
    4. the security, control and prevention of abuse and improper use and the prevention of inconsistency and unreliability in the Personal Data Processed with the aid of the Digital Educational Tool;
    5. the continuity and proper functioning of the Digital Educational Resources in accordance with the agreements made between the Educational Institution and the Supplier, including having maintenance carried out, making a backup, making improvements after errors or inaccuracies have been identified and support;
    6. research and analysis based on strict conditions, comparable to existing codes of conduct in the field of research and statistics, for the purpose of (optimizing the) learning process or the policy of the educational institution;
    7. the ability of the Educational Institution to make fully anonymised Personal Data available for research and analysis purposes in order to improve the quality of education;
    8. making Personal Data available to the extent necessary to be able to comply with the legal requirements set for Digital Educational Resources;
    9. the implementation or application of another law.
  3. The Processing of Personal Data with regard to Digital Educational Resources never takes place for advertising purposes or for making unsolicited offers by Suppliers.
  4. Suppliers will not provide Personal Data to Third Parties, unless this exchange takes place on behalf of and with the consent of the Educational Institution or when this is necessary to comply with any deviating EU or Member State law on the basis of which the Supplier is obliged to provide including but not limited to complying with a court order.

Article 6: Data protection by design and by default

  1. The principles of data protection by design and data protection by standard institutions are the starting point for the (further) development of the Digital Educational Resources used by Educational Institutions. Within the Platform, starting points and guidelines are drawn up on how this can be implemented in concrete terms, including the option of using pseudonyms.
  2. Educational institutions and Suppliers, in principle, make use of the iD Chain and the associated Standard Attribute Set in the context of access to and use of Digital Educational Resources. If one of the parties concerned indicates that this cannot reasonably be expected of it, this must be documented with sufficient reasons.
  3. If it is decided by order in council to use a new pseudonym for other cases than those referred to in paragraph 2, the parties will make agreements within the Platform about its use.
  4. The parties are obliged to take appropriate technical and organizational measures to ensure that only Personal Data are processed that are necessary for each specifically agreed purpose of the processing.

Article 7: Legal information obligations

  1. The Educational Institution informs, whether or not with the use of information provided by the Processor as referred to in Article 3 paragraph 2, the (parents of) Education Participants whose Personal Data are Processed in a Digital Educational Resource and what measures have been taken to protect privacy in accordance with to be able to guarantee the agreements in the Covenant.
  2. The (parents of) Education Participants are informed when this information is provided how they can make use of the statutory rights of the Data Subject. To exercise these rights, Data Subjects must turn to the Educational Institution.

Article 8: The Platform

  1. The further shaping of the collaboration between the Initiators, Educational Institutions and Suppliers and the safeguarding of the agreements based on this Covenant takes place within a Platform in which Initiators are members.
  2. In the context of the Platform, the Initiators are jointly responsible for the further design, consultation and implementation of agreements on, among other things:
    • the periodic evaluation of the agreements and the subjects of the Covenant;
    • the supervision of compliance with and enforcement of the Covenant;
    • the progress of the implementation of the Agreement;
    •  sharing information regarding the subjects regulated in the Covenant;
    • the influence of new legislation, technological or other developments on the
      • Covenant and the operation of the Covenant in practice and the need for support or instruments in this respect, all based on risk analyzes and best practices;
    • the level of information security to be achieved, including security standards, security audits, access to Personal Data and incident handling.
  3. The Initiators are jointly responsible for the continuity and facilitation of the Platform insofar as this relates to agreements as laid down in this covenant.
  4. The Initiators will jointly and in mutual consultation make further agreements about the procedure related to the amendment of the Covenant, as well as about governance, decision-making and powers. These agreements are recorded in Regulations.
  5. Insofar as the decision-making procedure, including the possibility to implement changes, has not yet been regulated by means of the Regulations, decision-making and changes to the Agreement are only made with the consent of all Initiators who are members of the Agreement at the time of decision-making.
  6. The Platform makes a logo available for Suppliers affiliated to the Agreement. The Platform may impose further conditions on the use of this logo.
  7. Insofar as applicable, the Initiators within the Platform represent their members and report on the results of the consultations in the Platform. Educational institutions are in principle represented in the Platform by the PO Council, VO Council and MBO Council.
  8. The PO Council, VO Council and MBO Council are responsible for the management of the activities arising from the Covenant, including the secretariat of the Platform and a register of Covenant Parties.

Article 9: Financing
Agreements are made within the Platform about the financing of the costs associated with the Covenant and for participation in and maintenance of the Platform.

Article 10: Compliance

  1. The Platform establishes a structure for monitoring and checking compliance with the agreements within the Covenant.
  2. The Platform is authorized to act on behalf of the Initiators, Educational Institutions and Suppliers against identified abuse or improper use of the Covenant or Model Processor Agreement. The powers and method assigned to the Platform for this purpose are included in the Regulations.
  3. Educational institutions and Suppliers shall, as far as possible, include agreements with regard to compliance with the Covenant in mutual agreements, contracts – including in the context of tenders – and hold each other to account on this.
  4. Issues or disputes concerning the interpretation or implementation of the provisions in the Covenant will be dealt with in mutual consultation in the Platform or in a manner to be included in the Regulations.
  5. The provisions in the Agreement are not legally enforceable, unless the parties have agreed on this in the processor agreement.

Article 11: Entry into force, entry and resignation

  1. The association GEU, the Association of Digital Education Service Providers, members of the educational section of the cooperative Coöperatieve Koninklijke Boekverkopersbond UA, and the Association of PO Council, VO Council and MBO Council who represent the boards of educational institutions affiliated with them have been signing endorsed the principles and agreements of the Covenant.
  2. The Platform determines new versions of the Covenant and the Model Processor Agreement and makes this known to the Participants of the Covenant.
  3. The date of entry into force of the Covenant and subsequent versions will be determined by the Platform. The new version of the Covenant replaces the previous versions which are deemed to have expired as a result.
  4. Suppliers not yet affiliated to the Covenant and Educational institutions not represented by the PO Council, VO Council and MBO Council can join the Covenant by signing a declaration adopted by the Platform and sending it to the secretariat of the Platform.
  5. The Covenant has been entered into for an indefinite period or until a subsequent version comes into effect.
  6. An Initiator or a Covenant Party can cancel participation in the Covenant. This cancellation will be done in writing and should be addressed to the secretariat of the Platform.

This Covenant was established by Edu-K on March 14, 2018 and will enter into force on April 1, 2018.