Terms and conditions for the DPO service for schools 

Key definitions: 

‘You’: the individual or entity purchasing products or services from us, whether on a website or offline. 

‘Us’: the GRC International Group plc company that operates this website, any GRC International Group plc group company whose products or services you purchase, as well as GRC International Group plc itself. 

‘Contract’: a formal contractual relationship in respect of any transaction only exists between you and us from the point at which we accept your order. This acceptance may be automated, where fulfilment is automated, or it may be manual and occur only when manual fulfilment is initiated. 

Our Terms and Conditions 

These terms and conditions together with our Privacy Notice and our Acceptable Use Policy (together, the ‘Terms’) provide you with information about us and apply to any contract between you and us. Please read these Terms and our Standard Terms and Conditions carefully and make sure you understand them before ordering anything from us. We will also notify you, at the point of purchase if there are any additional terms and conditions that may apply to any specific contract made between us. 


  • Our prices are as set out on our website, do not include packaging, shipping, insurance or travel costs, and are subject to the addition of applicable VAT or other state or national tax in line with any relevant regulations. 
  • We may vary our prices from time to time, which we will do by updating our website. Price changes will not be retrospective. 


Refer to our Terms and Conditions for buying goods and services on our website for our cancellation policy. 

Recurring Payment Authority 

  • This product is sold on, and our deliverables are provided on a recurring or cyclical basis. 
  • This is an annual subscription period. 
  • Where your initial subscription is made online by means of an invoice or payment card, you enter into a Recurring Payment Authority (‘RPA’) that authorises us to collect recurring payments from you until you formally cancel the RPA. 
  • The RPA can be cancelled in your billings area of the GDPR.co.uk software at any time; cancelling the RPA will cancel all access to the relevant service at the end of the billing period for which we have received payment. 
  • Unless and until you cancel your contract for a recurring or cyclical deliverable, we will automatically invoice and/or collect payment in line with the subscription period you selected when entering the contract. 
  • You agree to keep your billing or payment card details current and valid throughout the subscription period and agree to meet any and all additional costs we may incur as a result of your failure to keep these details current. 
  • Where your initial subscription is made by means of a purchase order, you agree that subsequent invoices for the recurring deliverables will be paid on your standard agreed credit terms until you formally cancel the contract. 
  • We will notify you at least 28 days in advance of any changes in price or of deliverable so that you can decide whether or not you wish to cancel the RPA at its next renewal date. 
  • On cancellation of an RPA, we will cancel access to digital products and remove any related certifications with effect from the end of the subscription period for which you have paid. 

Online credit purchasing agreements 

Refer to Terms and Conditions for buying goods and services on our website for credit agreements. 

DPO as a service to schools – specific terms 

Scope of Work  

  • You agree that you will be solely responsible for obtaining appropriate legal advice on any matters on which you need legal advice and that you will be solely responsible for agreeing and settling any legal fees arising in respect of that advice.
  • We rely on you to ensure that all your governors, senior leaders and authorised officers fully understand these Terms and that any instructions or questions on the Terms from such individuals are authorised by you. 
  • You agree to provide us with appropriate resources and access to relevant data and processes in order for us to provide the Services.  
  • You will make available a representative to whom we can report in respect of the Services.  
  • In order for us to perform the role of your data protection officer, you agree to provide the information we require in the format and timescales requested by us.  


  • You agree that you alone are responsible for your compliance with the GDPR and any other relevant laws and regulations, not limited to those relating to personal data.  
  • You agree that the Services are provided by us, and not by any employees of ours, and that our liability in respect of the Services is limited to us.
  • You agree that you will under no circumstances seek to bring any form of action, legal or otherwise, against any employee of ours in relation to the Services.
  • We will not be liable for any delay in providing advice or guidance within the scope of the Services where this is caused by circumstances beyond our reasonable control.  
  • We will not be liable for failure or delay in performance by you in respect of advice, guidance or instructions given within the scope of the Services where this is due to causes beyond our reasonable control. Where the Services require us to deal with third parties on behalf of you, we do not accept any liability in relation to such third parties.  
  • If there are other advisers or third parties involved in any matter on which we are also engaged, the extent to which any loss or damage will be recoverable by you from us will be limited, without prejudice, in proportion to the overall fault for such loss or damage or as agreed in advance with the other parties. If our ability to claim a contribution to our costs under these circumstances from a third party is prejudiced by any limitation of liability agreed by you with that third party, we will not be liable to you for any amount that we would have been able to recover from that third party but for that limitation of liability.  
  • In respect of obtaining advice on any issue that is within scope of the Services, it is your responsibility to engage with us in a timely manner.  We will not be held liable for any delay in you engaging the Services and any associated delay in us delivering the Services.  
  • It is your responsibility to follow the advice provided by us within the scope of the Services.  Should you not follow the advice provided by us, we will not be held liable for any consequences, financial or otherwise, experienced by you as a result.  If you fail to follow any advice provided by us within the scope of the Services, we will be entitled to terminate this Agreement with immediate effect and without any obligation to make any refund of any fees already paid under the Agreement.
  • Unless otherwise agreed in writing, we are not responsible for reminding you of key dates or other time-sensitive actions or information.  

People responsible for delivering on behalf of the Company 

  • We undertake to ensure that those of our employees who are deployed to provide the Services have the necessary skills, knowledge and experience. You agree that we alone will determine what skills, knowledge and experience are necessary in relation to the Services.  
  • The Services will be carried out by a team of our employees and the contact details for the team will be provided in the Agreement.   
  • We will identify a lead manager within the team who has ultimate responsibility for delivery of our Services to you.  If we change the lead manager for any reason, we will notify you as quickly as possible.  

Processes and Procedures  

GDPR and UK DPA 2018 advice and guidance 

  • We will provide email and telephone advice only to nominated contacts of yours, such nominations to be made in writing.   
  • We will record and track all requests for advice or guidance or other types of calls received from you.  

Review of GDPR and UK DPA 2018 policies  

  • You will provide us with copies of all your policies and procedures that relate to data protection and compliance with EU data protection legislation.  
  • We will review all documents provided in relation to their compliance with applicable laws and regulations.  We will provide written feedback to you, highlighting areas that are in breach of GDPR requirements, as soon as possible.  

GDPR and UK DPA 2018 audit  

Annual audits will be compiled by you in a format that we request and from this information and that which you had added to the GDPR.co.uk platform, we will develop an action plan. It is your responsibility to supply this information that informs plan. 

GDPR and UK DPA 2018 updates  

  • We will provide your nominated contacts with updates on issues critical to data protection compliance.  
  • The copyright in all the updates (whether text, graphics, designs, guidance notes, or information of any kind) may belong to us or to other third parties.   
  • You may distribute internally any update material to which we own the copyright, but you are hereby notified that any third- party material may have different copyright restrictions and that you are solely responsible for complying with any restrictions in respect of such third- party material.   

Availability of Services  

  • We will provide the Services between the hours of 9:00 am and 5:00 pm in the United Kingdom, on a day, other than a Saturday, Sunday or bank holiday, on which clearing banks are open for non-automated commercial business in the City of London.  
  • Calls received outside of the standard hours of service will go through to an answerphone service and will not be accessed by us until the next working day.  
  • Emails received outside of the standard hours of service will be received by our server, but no action will be taken by us until the next working day.  

Data Protection 

Refer to our Terms and Conditions for buying goods and services on our website document about how we protect your data. 

Outline of the service 

The service outline is as follows. 

Element of service 


Named DPO 

The DPO will be named as GRCI Law 

Data protection guidance 

Queries and issues that can be resolved within 10 minutes or by accessing our common questions database. 

Gap analysis 

To be supplied by you in a format as requested by us. 

Initial call and review 

To establish your current compliance and to discuss any previous audits, action plans and issues. 

GDPR compliance portal 

We will supply the GDPR.co.uk compliance portal for you to manage and share your compliance with us. It is your responsibility to complete the elements of the software that we request in order to support our understanding of your compliance and for us to better support you. 

Breach and/or SARs support 

During the annual contract, we will support up to two data breaches and/or subject access requests that take up to one hour each to support. Details of these are to be logged by you within the GDPR.co.uk software. 

Annual audit and recommendations 

Based on the information you supply us and log within the GDPR.co.uk software, we will review your annual compliance and make recommendations.