RollCall

DPA — United Kingdom

Last Updated: March 2026
Back to Data Processing Agreement

1. Applicability

This United Kingdom-specific addendum supplements the global Data Processing Agreement and applies where the Controller is a UK educational institution or where Personal Data of UK residents is processed. This addendum addresses obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. UK GDPR Compliance

RollCall commits to processing Personal Data in accordance with the UK GDPR, including:

  • Article 5 (Principles): Processing Personal Data lawfully, fairly, and transparently, with data minimisation and accuracy
  • Article 28 (Processor obligations): Processing only on documented instructions from the Controller
  • Article 32 (Security): Implementing appropriate technical and organisational measures to ensure data security
  • Article 33 (Breach notification): Notifying the Controller without undue delay upon discovering a personal data breach
  • Article 35 (DPIA): Assisting the Controller in carrying out Data Protection Impact Assessments where required

3. Lawful Basis for Processing

RollCall processes Personal Data on behalf of the Controller. The Controller is responsible for determining and documenting the lawful basis for processing under Article 6 of the UK GDPR. Common lawful bases for the processing of student transport data include:

  • Public task (Article 6(1)(e)): Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority (applicable to maintained schools and academies)
  • Legitimate interests (Article 6(1)(f)): Processing necessary for the legitimate interests of safeguarding and student welfare (applicable to independent schools)
  • Contract (Article 6(1)(b)): Processing necessary for the performance of a contract with the data subject or parent/guardian

4. Data Breach Notification

In compliance with Articles 33 and 34 of the UK GDPR, RollCall shall:

  • Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach
  • Provide sufficient information for the Controller to assess whether notification to the Information Commissioner's Office (ICO) is required
  • Assist the Controller in notifying affected data subjects where the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches, including facts, effects, and remedial action taken

5. Data Storage Location

Personal Data of UK data subjects is stored in the AWS Europe (London) region (eu-west-2). RollCall does not transfer UK Personal Data outside the United Kingdom except in accordance with Chapter V of the UK GDPR, using appropriate safeguards such as:

  • UK adequacy regulations (for transfers to countries with adequate data protection)
  • International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU SCCs
  • Binding Corporate Rules, where applicable

6. Children's Data and Safeguarding

RollCall recognises the heightened protections afforded to children's data under the UK GDPR and the Age Appropriate Design Code (Children's Code). We implement additional safeguards including:

  • Strict access controls limiting who can view student information
  • No use of student data for marketing, profiling, or commercial purposes
  • Compliance with the Department for Education's data protection toolkit for schools
  • Support for schools' obligations under Keeping Children Safe in Education (KCSIE) statutory guidance
  • Immediate deletion of student records upon school request or service termination

7. Data Protection Officer

Where required under Article 37 of the UK GDPR, RollCall has designated a data protection contact who can be reached at privacy@rollcall.com.au. Controllers who are required to appoint a DPO should ensure their DPO is informed of this DPA and the processing activities conducted by RollCall.

8. Records of Processing Activities

In accordance with Article 30 of the UK GDPR, RollCall maintains records of processing activities carried out on behalf of the Controller. These records are available for inspection by the Controller and the ICO upon request.

9. Governing Law

This addendum is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales for any disputes arising under this addendum.

10. Contact

For enquiries regarding this DPA addendum, contact the RollCall Privacy Officer:

Email: privacy@rollcall.com.au
Phone: 1300 821 116
Address: 1/146-148 Thistlethwaite Street, South Melbourne VIC 3205, Australia