Vision Zero training

Professional accredited Vision Zero training provider terms and conditions of license

Background

A. The Institution of Occupational Safety and Health (“IOSH”) is the world's leading body for health and safety professionals and provides training courses for delivery by licensed Training Providers. ISL is the trading company for IOSH.

B. IOSH owns the Intellectual Property Rights in all IOSH-produced courses. ISL is licensed to use the IOSH name and the IOSH logo and to enter into sub-licences of IOSH’s Intellectual Property Rights.

C. The Training Provider wishes to become licensed to deliver the Vision Zero IOSH-produced courses and/or IOSH-approved courses on the terms set out in this Contract.

The parties agree as follows

    "Course" means the IOSH produced Vision Zero training course or IOSH approved Vision Zero training course covered by this Contract, as agreed in writing between the parties from time to time.

    "Intellectual Property Rights" means all intellectual property rights relating to this Contract throughout the world for the full term of the rights concerned, whether or not registered and whether or not registerable including, without limitation, copyright, database rights, patents, rights in inventions, know-how and technical information, design rights, design patents, registered designs, trademarks (including business and brand names, domain names, devices and logos) and the right to apply for any of the foregoing anywhere in the world.

    "Data Protection Legislation" means the General Data Protection Regulation 2016 and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.

    "IOSH produced Vision Zero training course" means a training course created by IOSH, as updated from time to time.

    "IOSH approved Vision Zero training course" means a Vision Zero training course created by the Training Provider and approved by ISL for delivery by the Training Provider.

    "Delegate" means a delegate on one or more of the courses.

    "Licence" means the licence provided to the Training Provider once it has completed the licensing process.

    2.1 The Training Provider is not permitted to run courses without a valid Licence from ISL and will not be licensed without complying with the provisions set out in this Contract.

    2.2 A Licence will be provided by ISL to the Training Provider once its application meets the Vision Zero criteria, the process is fully completed, and all initial invoices are paid by the Training Provider.

    2.3 The Licences are renewable annually (fees apply) and will not be renewed until the Training Provider meets IOSH and ISL criteria and has returned the signed renewal application form and paid all relevant fees to ISL.

    2.4 The Training Provider must not use the word 'accredited' in relation to any courses.

    2.5 If the Training Provider allows its Licences to expire, it will be required to pay the full Licence fee (rather than the renewal fee) to reinstate the lapsed Licences and also:

    • 2.5.1 the full product cost for any IOSH produced Vision Zero training courses; and
    • 2.5.2 re-approval fees for any of its own Vision Zero courses that have not been approved by IOSH within the last five years.

    2.6 ISL or ISSA does not limit the number of providers in any country, and so does not offer sole provider status. Once licensed, a Training Provider is free to deliver a certified Vision Zero training course anywhere in the world but only the Training Provider's main address will be registered with ISL and the Training Provider agrees that the office at that address will deal with all administration relating to training delivery.

    2.7 ISL will provide to the Training Provider appropriate Vision Zero IOSH produced Vision Zero training course materials, will assess and approve (if appropriate) training course materials submitted by the Training Provider including assessments, and will check and approve (if appropriate) standards of training delivery by the Training Provider.

    2.8 ISL does not set the price at which IOSH produced Vision Zero training courses or IOSH approved Vision Zero training courses are retailed. This should be determined by the Training Provider based upon its own costs and market trading environment.

    2.9 The Training Provider agrees that it will not behave in a manner that will bring ISSA, ISL or IOSH into disrepute when delivering courses or administering the training process.

    2.10 The Training Provider will ensure it always has adequate insurance to cover trainers and Delegates and all its training activities, in whichever location, whilst carrying out training under the terms of this Contract. ISSA, IOSH or ISL has no liability in this regard.

    2.11 The Training Provider will be responsible for all facilities offered to Delegates, including suitable premises, whilst providing courses.

    2.12 The Training Provider will advise ISL within 30 days, in writing, of any changes to its address, its contact details or its trainers.

    3.1 The Training Provider will ensure that only Professional accredited Vision Zero trainers deliver the IOSH produced Vision Zero training courses and/or IOSH approved Vision Zero training courses on its behalf. Successful completion of the Vision Zero Train the Trainer course does not automatically confer eligibility to be an accredited trainer.

    3.2 The Training Provider will ensure that all of its trainers continue to meet the criteria, as defined by ISSA / ISL from time to time, for the courses being delivered.

    3.3 The Training Provider must supply details of any new trainers it wishes to involve in delivering training via a Professional accredited Vision Zero trainer application form. The Training Provider will ensure that the new trainer does not carry out training until that new trainer has been accredited by ISL.

    3.4 If the Training Provider applies to deliver additional IOSH courses, ISL trainer criteria may change, dependent on the level of the additional courses.

    3.5 The Training Provider must ensure that all of its trainers have access to a complete set of course materials and that all trainers are fully familiar with the delivery of the course materials and the administration of the assessment procedures.

    4.1 The Training Provider may advertise a certified Vision Zero training course prior to its application to become a licensed Professional accredited Vision Zero training provider being approved only if it states on any promotional material “pending IOSH approval”.

    4.2 Once approved, the Training Provider will be supplied with a logo, which must be displayed in accordance with the ISSA/ISL brand guidelines on course materials and on course promotional materials (including the Training Provider’s website).

    4.3 The Training Provider must not use the ISSA, Vision Zero or IOSH corporate identity including the ISSA, Vision Zero or IOSH logos without prior written consent from ISL.

    4.4 The Training Provider must not use the word or phrases “ISSA”, “Vision Zero” or “IOSH” in any website domain name or email address.

    4.5 The Training Provider must not advertise completed Vision Zero assessments/projects on any website.

    4.6 If a third party promotes courses on the Training Provider’s behalf, the Training Provider will ensure that the third party does not use any ISSA, Vision Zero or IOSH logo or claim to be licensed to deliver the courses.

    5.1 Any IOSH produced Vision Zero training course material must only be used in accordance with the copyright permissions set out in clause 7 and in no other manner whatsoever.

    5.2 The Training Provider must only use the IOSH produced Vision Zero training course or IOSH approved Vision Zero training course materials and assessments for all courses; no other materials should be used for this course.

    5.3 The Training Provider must use only the most up-to-date versions of the IOSH produced Vision Zero training course and/or IOSH approved Vision Zero training course materials for the courses. The most up to date version will be uploaded to the course management systems and notice of any updates will be communicated.

    5.4 The Training Provider accepts that any IOSH produced Vision Zero training course materials are generic and applicable across industry sectors and have not been tailored for the specific needs or requirements of the Training Provider. ISL warrants that the IOSH produced Vision Zero training materials are produced with reasonable skill and care but does not make any warranty, representation or undertaking that the materials are appropriate for the needs of the Training Provider.

    5.5 The Training Provider may, without separate approval or fee, add to the course presentation materials in the form of relevant and up to date statistics, policies and risk assessments, photos, slides and videos, as long as the additions do not substantially change the original materials.

    5.6 The translation of IOSH produced Vision Zero training materials by the Training Provider is only permitted when ISL does not offer the product in the language required. Such translations and any associated costs of IOSH produced Vision Zero training materials are the responsibility of the Training Provider.

    5.7 Where ISL requires a translation into English for audit and verification purposes (including Delegate assessment papers where applicable, both questions and answers), the Training Provider is responsible for any associated costs and translation.

    5.8 The Training Provider must provide ISL with a letter from a reputable translator confirming that any translation made is a clear and accurate translation of the original materials.

    5.9 Log-ins and access provided for the Training Provider’s personnel or trainers to ISL’s course management systems and training provider portal are not to be shared with any other persons.

    5.10 IOSH produced Vision Zero training courses are not transferable or saleable to another party.

    5.11 The Training Provider must ensure that its IOSH approved Vision Zero training course materials are kept up to date in terms of both health and safety legislation and learning and development best practice.

    5.12 The Training Provider is required to submit its Vision Zero IOSH-approved course materials for re-approval every five years (fees apply).

    5.13 Any major alterations to the Training Provider’s Vision Zero IOSH-approved course materials must be resubmitted by the Training Provider for approval (fees apply).

    5.14 The Training Provider must provide Delegates with appropriate course materials, including workbooks as set out in clause 6.

    6.1 For Vision Zero IOSH-produced courses, an IOSH-produced Vision Zero course workbook must be purchased from ISL. Once the training has been completed the workbook becomes the property of the Delegate.

    6.2 Prior to each course you will be required to register your Delegates in order to assign a digital workbook to them.

    6.3 All IOSH-produced Vision Zero workbooks must be purchased on a one-to-one Delegate basis. Sharing of workbooks between Delegates is not permitted.

    6.4 IOSH-produced Vision Zero workbooks are covered by copyright. The Training Provider must not print or copy them or allow others to print or copy them.

    6.5 Once purchased by the Training Provider, IOSH-produced Vision Zero workbooks are non-refundable.

    6.6 For Vision Zero IOSH-approved courses, the Training Provider must provide each Delegate with an IOSH-approved Vision Zero workbook.

    7.1 “IOSH” and the IOSH logo are registered trademarks belonging to IOSH and may not be reproduced in any format without written consent from IOSH or ISL.

    7.2 All Vision Zero IOSH-produced course materials including assessments are covered by copyright. Therefore, the Training Provider must not use or sub-licence them, or copy or authorise copies of them, in whole or in part, in any media or format, except as set out in this Contract.

    7.3 During the term of this Contract, the Training Provider may:

    • 7.3.1 copy any IOSH produced Vision Zero training materials provided by ISL (with the exception of Delegate workbooks (see clause 6)) to distribute to Delegates on those courses which have been notified to ISL via the training provider portal. Details of all Delegates receiving a copy of any materials must be notified to ISL via the training provider portal;
    • 7.3.2 copy any IOSH produced Vision Zero training materials provided by ISL for use by its own trainers in connection with their delivery of the courses with the exception of Delegate workbooks; and
    • 7.3.3 adapt any IOSH produced Vision Zero training materials or any IOSH produced Vision Zero course materials for the purposes set out in clauses 7.3.1 and 7.3.2 above by adding to the materials but not by removing any course content, provided always that the adaptations made do not substantially change the objectives of the course and in accordance with sub-clause 5.5.

    7.4 No part of any Vision Zero IOSH-produced course materials may be reproduced in any form except as set out above or with written consent from ISL.

    7.5 The Intellectual Property Rights in all additional training materials submitted by the Training Provider to ISL for IOSH-approved course approval remain the property of the author and copyright owner, and ISL will not distribute them to other parties.

    7.6 Unless IOSH already has a syllabus for a course, ISL reserves the right to produce a syllabus from the material once IOSH has approved it, and insofar as consent from the Training Provider is necessary to do this, the Training Provider duly consents. This syllabus will be shared with other training providers who wish to write materials to deliver it and who meet the approval criteria to deliver the course.

    8.1 On confirmation that a face-to-face or virtually delivered course will run, and prior to the course taking place, the Training Provider must register the course via the training provider portal.

    8.2 The Training Provider must ensure that the maximum number of Delegates on a face-to-face course does not exceed 20.

    8.3 The Training Provider must ensure that all Delegates attending a course are given the IOSH produced Vision Zero end of course assessment.

    8.4 The Training Provider will ensure that all of its trainers conduct assessments equitably, allowing for Delegates who have recognised disabilities.

    8.5 The Training Provider must ensure that all course assessments are carried out under examination conditions.

    8.6 The Training Provider will ensure that papers are marked correctly and fairly by cross marking a sample of assessment papers for accuracy and impartiality of marking.

    8.7 To maintain assessment standards, ISL will moderate a proportion of all Delegate assessments, at its discretion. The Training Provider will provide assessment papers and any other information required as part of the moderation process as requested by ISL.

    8.8 The Training Provider is required to upload course results via the training provider portal, submit Delegate assessment papers as requested and make payment of all fees to ISL within 12 weeks of completion of all face-to-face training courses. Information received more than 12 weeks after the last date of the course cannot be accepted for assessment and certification without discussion and agreement from the IOSH-allocated Verification and Assessment Officer.

    8.9 The Training Provider must ensure that all courses that it runs are declared to ISL via the training provider portal and that a certificate fee is paid for all successful Delegates.

    8.10 The Training Provider must ensure, at all times, the security of assessment papers and certificates.

    8.11 The Training Provider must retain all course assessment papers for at least 12 months from the end of the course.

    9.1 If a Delegate wishes to appeal against the marks the Training Provider has awarded for the Delegate’s assessment, a four-stage process will apply:

    • 9.1.1 the Training Provider will give the Delegate a copy of the assessment paper in question;
    • 9.1.2 the Training Provider will ask the Delegate to write to IOSH enclosing the end assessment paperwork, explaining the grounds for the appeal;
    • 9.1.3 IOSH will moderate (or re-moderate) the assessment paper; and
    • 9.1.4 IOSH will advise the Training Provider and the Delegate in writing of its decision, within ten working days of receiving the appeal.

    9.2 IOSH’s decision is final.

    10.1 Each party agrees to comply with its obligations as set out in the Schedule to this Contract.

    10.2 The Schedule being IOSH’s Confidentiality Agreement.

    11.1 The Training Provider must collect Delegate feedback from every Delegate attending a course, review the findings of Delegate feedback and continuously improve its course delivery and standards in response to this feedback. The Training Provider will supply ISL with copies of any Delegate feedback as requested.

    11.2 IOSH will carry out periodic quality assurance audits of Training Providers to ensure that they conform to IOSH standards of training delivery and to receive feedback from both trainers and Delegates.

    11.3 The Training Provider must allow a representative from IOSH, upon reasonable notice, to attend the Training Provider’s premises to carry out a quality assurance audit, including reasonable access to records and documents relating to its organisation, the delivery of training and assessment of courses.

    11.4 The Training Provider must allow a representative from IOSH to attend the delivery of any course, sometimes without prior notice, to assess the quality of training delivery.

    11.5 Following the audit visit IOSH will send the Training Provider a feedback report from the quality assurance audit. The Training Provider must comply with any requirements set out in the feedback report within the specified timescale.

    12.1 A Vision Zero / IOSH certificate must be purchased for each Delegate who has successfully completed a course and assessment (fees apply).

    12.2 The Training Provider must not issue any certificates to Delegates attending a course other than official Vision Zero IOSH certificates.

    12.3 ISL will not release certificates to the Delegate until all relevant paperwork has been received from the Training Provider and all invoices relating to the course in question have been paid.

    13.1 The Training Provider is solely responsible for handling any queries and settling any Delegate complaints, both before and after courses have run, relating to fees, training delivery, certificates and replacement certificates, and any other matter, other than as set out in clause 9 above.

    13.2 If the Training Provider has a complaint about ISL or IOSH, in the first instance it should contact the Customer Service Centre. If the Training Provider and the Customer Service Centre cannot resolve the problem, the Customer Service Centre will refer the matter to the relevant Departmental Manager who will respond to the complaint within ten working days.

    13.3 IOSH’s decision is final.

    14.1 The Training Provider will pay:

    • 14.1.1 a Licence fee for the Vision Zero IOSH course;

    • 14.1.2 an annual renewal of the Licence fee for the Vision Zero course;
    • 14.1.3 a re-approval fee, payable every five years from the date of initial approval, and when major alterations are made to the training materials, for each IOSH produced Vision Zero training course that it runs;
    • 14.1.4 a Delegate workbook fee for all Delegates taking an IOSH produced Vision Zero training course;
    • 14.1.5 a certificate fee for each Delegate who passes an IOSH produced Vision Zero training course assessment.

    14.2 Fees will be at the rates notified to the Training Provider and may be amended from time to time on reasonable notice to the Training Provider. All fees are in GBP.

    14.3 Where appropriate, the Training Provider is also responsible for the payment of fees for replacement certificates.

    14.4 Fees paid by the Training Provider are not refundable in any circumstances.

    14.5 The Training Provider will pay all sums due to ISL by the due date or within 30 days of the date of ISL’s invoice, whichever is the sooner.

    14.6 ISL will not invoice third parties. Where payment is due from any third party relating to a course run by the Training Provider, the Training Provider is responsible for invoicing and securing payment in order to submit payment to ISL by the due date.

    14.7 ISL reserves the right to withhold its goods and services if payment of any invoice submitted to the Training Provider remains outstanding.

    15.1 ISL shall not be liable to the Training Provider in contract, tort (including negligence) and/or breach of statutory duty for any loss or damage which the Training Provider may suffer by reason of any act, omission, neglect or default (including negligence) in the performance of this Contract by ISL in a sum which is greater than the total amount of the fees paid by the Training Provider to ISL during the 12 months immediately preceding the date on which the claim arose.

    15.2 ISL shall in no circumstances be liable to the Training Provider for any Consequential Loss (whether arising from breach of this Contract or otherwise). “Consequential Loss” means pure economic loss, loss of profit, loss of business and like loss, whether direct or indirect.

    15.3 Nothing in this clause 15 shall operate so as to exclude:

    • 15.3.1 ISL’s non-excludable liability for death or personal injury;
    • 15.3.2 liability for fraudulent misrepresentation;
    • 15.3.3 other liability which cannot be lawfully excluded.

    15.4 Except as expressly stated, all conditions, warranties or other terms which might have effect between the parties or be implied or incorporated into this Contract, whether by statute, common law or otherwise, are hereby excluded, including the implied conditions, warranties or other terms as to satisfactory quality, fitness for purpose or the use of reasonable skill and care.

    16.1 This Contract shall commence on the date set out above and shall continue in force until terminated by agreement between the parties.

    16.2 This Contract will terminate automatically if the Training Provider fails to renew its Licence in accordance with sub-clause 2.3.

    16.3 This Contract may be terminated by ISL with immediate effect by notice to the Training Provider if the Training Provider:

    • 16.3.1 is in material breach (which may consist of a series of minor breaches) of any of the terms of this Contract and, where the breach is capable of remedy, fails to remedy such breach within one month of service of notice from ISL, specifying the breach and requiring it to be remedied;
    • 16.3.2 has a receiver, manager, administrator or administrative receiver appointed over its assets, undertaking or income, has passed a resolution for, or an order is made for, its winding-up, or an equivalent of any of the above occurs in the jurisdiction to which that party is subject;
    • 16.3.3 acts in a way, or is found to have acted prior to the commencement of this Contract, in a way deemed by ISL in its discretion to bring, or be likely to bring, ISSA, ISL or IOSH into disrepute or to damage its reputation.

    17.1 The terms of this Contract may be varied by ISL on reasonable notice in writing to the Training Provider.

    17.2 This Contract shall be governed by and construed in accordance with English law and the parties submit to the jurisdiction of the English courts in respect of any dispute or matter arising out of or connected with it.

    17.3 Nothing in this Contract shall constitute or be deemed to constitute a partnership, joint venture or agency between the parties.

    17.4 The Training Provider shall not assign, transfer or charge any of its rights or responsibilities under this Contract, nor appoint any sub-contractor with regard to such rights or responsibilities, without the prior written consent of ISL.

    No provision of this Contract shall be enforceable by any third party under the Contracts (Rights of Third Parties) Act 1999 or otherwise.

Delegate feedback form

    In this Schedule the following definitions shall apply:

    “Controller”, “Processor” and “Data Subject” shall have the meaning given to those terms in the applicable Data Protection Laws;

    “Data Protection Impact Assessment” means an assessment of the impact of the envisaged Processing operations on the protection of Personal Data, as required by Article 35 of the GDPR;

    “Data Protection Laws” means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regards to the Processing of Personal Data to which a Party is subject, including the GDPR or, in the event that the UK leaves the European Union, all legislation enacted in the UK in respect of the protection of personal data; as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (b) any code of practice or guidance published by the ICO (or equivalent regulatory body) from time to time;

    “Data Processing Particulars” means, in relation to any Processing under this Contract: (a) the subject matter and duration of the Processing; (b) the nature and purpose of the Processing; (c) the type of Personal Data being Processed; and (d) the categories of Data Subjects, as set out in Appendix A;

    “Data Subject Request” means an actual or purported request or notice or complaint from or on behalf of a Data Subject exercising his rights under the Data Protection Laws in relation to Personal Data including without limitation: the right of access by the Data Subject, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object;

    “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation);

    “ICO” means the UK Information Commissioner’s Office, or any successor or replacement body from time to time;

    “ICO Correspondence” means any correspondence or communication (whether written or verbal) from the ICO in relation to the Processing of Personal Data;

    “Losses” means all losses, fines, penalties, liabilities, damages, costs, charges, claims, amounts paid in settlement and expenses (including legal fees (on a solicitor/client basis), disbursements, costs of investigation (including forensic investigation), litigation, settlement (including ex gratia payments), judgment, interest and penalties), other professional charges and expenses, disbursements, cost of breach notification including notifications to the data subject, cost of complaints handling (including providing data subjects with credit reference checks, setting up contact centres (e.g. call centres) and making ex gratia payments), all whether arising in contract, tort (including negligence), breach of statutory duty or otherwise;

    “Permitted Purpose” means the purpose of the Processing as specified in the Data Processing Particulars in Appendix A;

    “Personal Data” means any personal data (as defined in the Data Protection Laws) Processed by either Party in connection with this Contract, and for the purposes of this Contract may include Sensitive Personal Data (such Personal Data is more particularly described in Appendix A);

    “Personal Data Breach” has the meaning set out in the Data Protection Laws and, for the avoidance of doubt, includes a breach of Paragraph 1.2.1(c);

    “Personnel” means all persons engaged or employed from time to time by the Representative in connection with this Contract, including employees, consultants, contractors and permitted agents;

    “Processing” has the meaning set out in the Data Protection Laws (and “Process” and “Processed” shall be construed accordingly);

    “Restricted Country” means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 25(2) of the DP Directive and/ or Article 45(1) of the GDPR (as applicable);

    “Security Requirements” means the requirements regarding the security of Personal Data, as set out in the Data Protection Laws (including, in particular, the seventh data protection principle of the DPA and/ or the measures set out in Article 32(1) of the GDPR (taking due account of the matters described in Article 32(2) of the GDPR)) as applicable; and

    “Sensitive Personal Data” means Personal Data that reveals such special categories of data as are listed in Article 9(1) of the GDPR.

    2.1 Arrangement between the parties

    2.1.1 The parties shall each Process the Personal Data. The parties acknowledge that the factual arrangements between them dictate the classification of each party in respect of the Data Protection Laws. Notwithstanding the foregoing, the parties anticipate that, in respect of the Personal Data, as between the Training Provider and ISL for the purposes of this Contract, the Training Provider shall act as a Controller and ISL shall, depending on the circumstances of the processing, act as a Controller or a Processor, as follows:

    • a The Training Provider shall be a Controller where it is Processing Personal Data in relation to Delegates;
    • b ISL shall be a Controller in relation to passing enquiries from potential Delegates to the Training Provider, and related obligations; and
    • c ISL shall be a Processor where it is Processing Personal Data in relation to the Permitted Purpose in connection with the performance of its obligations under this Contract.

    2.1.2 Each party acknowledges and agrees that Appendix A to this Contract is an accurate description of the Data Processing Particulars.

    2.1.3 ISL undertakes to the Training Provider that it will take all necessary steps to ensure that it operates at all times in accordance with the requirements of the Data Protection Laws and ISL will, at its own expense, assist the Training Provider in discharging its obligations under the Data Protection Laws as more particularly detailed in this paragraph 2. ISL shall not, whether by act or omission, cause the Training Provider to breach any of its obligations under the Data Protection Laws.

    2.1.4 Each party shall comply with all the obligations imposed on a Controller under the Data Protection Laws.

    2.2 Data Processor obligations

    2.2.1 To the extent that ISL Processes any Personal Data as a Processor for and on behalf of the Training Provider (as the Controller) it shall:

    • a only Process the Personal Data for and on behalf of the Training Provider for the purposes of performing its obligations under this Contract, and only in accordance with the terms of this Contract and any documented instructions from the Training Provider;
    • b keep a record of any Processing of the Personal Data it carries out on behalf of the Training Provider;
    • c take, implement and maintain appropriate technical and organisational security measures which are sufficient to comply with at least the obligations imposed on the Training Provider by the Security Requirements and where requested provide to the Training Provider evidence of its compliance with such requirements;
    • d within thirty (30) calendar days of a request from the Training Provider, allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Training Provider (and/or its representatives, including its appointed auditors) in order to ascertain compliance with the terms of this Paragraph 1.2, and provide reasonable information, assistance and co-operation to the Training Provider, including access to relevant Personnel and/or, on the request of the Training Provider, provide the Training Provider with written evidence of its compliance with the requirements of this Paragraph 1.2;
    • e not disclose Personal Data to a third party (including a sub-contractor) in any circumstances without the Training Provider’s prior written consent, save where ISL is prohibited by law or regulation from notifying the Training Provider, in which case it shall use reasonable endeavours to advise the Training Provider in advance of such disclosure and in any event as soon as practicable thereafter;
    • f promptly comply with any request from the Training Provider to amend, transfer or delete any Personal Data;
    • g notify the Training Provider promptly (and in any event within forty-eight (48) hours) following its receipt of any Data Subject Request or ICO Correspondence and shall:
      • i not disclose any Personal Data in response to any Data Subject Request or ICO Correspondence without first consulting with and obtaining the Training Provider’s prior written consent; and
      • ii provide the Training Provider with all reasonable co-operation and assistance required by the Training Provider in relation to any such Data Subject Request or ICO Correspondence;
    • h notify the Training Provider promptly (and in any event within twenty-four (24) hours) upon becoming aware of any actual or suspected, threatened or “near miss” Personal Data Breach in relation to the Personal Data (and follow-up in writing) and shall:
      • i conduct or support the Training Provider in conducting such investigations and analysis that the Training Provider reasonably requires in respect of such Personal Data Breach;
      • ii implement any actions or remedial measures necessary to restore the security of compromised Personal Data; and
      • iii assist the Training Provider to make any notifications to the ICO and affected Data Subjects;
    • i comply with the obligations imposed upon a Processor under the Data Protection Laws;
    • j use all reasonable endeavours to assist the Training Provider to comply with the obligations imposed on the Training Provider by the Data Protection Laws, including:
      • i compliance with the Security Requirements;
      • ii obligations relating to notifications required by the Data Protection Laws to the ICO and/or any relevant Data Subjects;
      • iii undertaking any Data Protection Impact Assessments (and, where required by the Data Protection Laws, consulting with the ICO and/or any equivalent regulatory body in respect of any such Data Protection Impact Assessments); and
      • iv without undue delay and where feasible not later than 72 hours after having become aware of it notify Personal Data Breaches to the ICO and/or any equivalent regulatory body unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons;
    • k upon the earlier of:
      • i the receipt of a written direction of the Training Provider;
      • ii termination or expiry of this Contract (as applicable); and
      • iii the date on which Personal Data is no longer relevant to, or necessary for, the Permitted Purpose, ISL shall cease Processing all Personal Data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Training Provider) all Personal Data and all copies in its possession or control and, where requested by the Training Provider, certify that such destruction has taken place except to the extent required by any applicable law to retain the Personal Data;
    • l not make (nor instruct or permit a third party to make) a transfer of any Personal Data to a Restricted Country except with the prior written consent of the Training Provider and in accordance with any terms the Training Provider may impose on such transfer as the Training Provider deems necessary to satisfy the requirements to ensure that transfers of Personal Data outside of the EEA have adequate protections in place as set out in the Data Protection Laws;
    • m maintain complete and accurate records and information to demonstrate its compliance with this paragraph 1.2.

    2.3 ISL Personnel

    2.3.1 ISL shall only disclose Personal Data to its Personnel that are required by ISL to assist it in meeting its obligations under this Contract and shall ensure that such Personnel shall have entered into appropriate contractually-binding confidentiality undertakings.

    2.4 Appointing sub-contractors

    2.4.1 ISL shall not be permitted to appoint a sub-contractor as a third-party processor of Personal Data under this Contract without the Training Provider’s prior written consent. Where such consent is given by the Training Provider, ISL confirms that it will enter into a written agreement with the third-party processor incorporating terms which are substantially similar to those set out in this paragraph 2.

    2.4.2 Notwithstanding any consent given by the Training Provider under paragraph 2.4.1, ISL shall remain primarily liable to the Training Provider for the acts, errors and omissions of any sub-contractor to whom it discloses Personal Data, and shall be responsible to the Training Provider for the acts, errors and omissions of such sub-contractor as if they were ISL’s own acts, errors and omissions to the extent that ISL would be liable to the Training Provider under this Contract for those acts, errors and omissions.

    3.1 ISL shall indemnify on demand and keep indemnified the Training Provider from and against:

    3.1.1 any monetary penalties or fines levied by the ICO and/or any equivalent regulatory body on the Training Provider;

    3.1.2 the costs of an investigative, corrective or compensatory action required by the ICO and/or any equivalent regulatory body, or of defending proposed or actual enforcement taken by the ICO and/or any equivalent regulatory body;

    3.1.3 any Losses suffered or incurred by, awarded against, or agreed to be paid by, the Training Provider pursuant to a claim, action or challenge made by a third party against the Training Provider (including by a Data Subject); and

    3.1.4 any Losses suffered or incurred, awarded against, or agreed to be paid by, the Training Provider, in each case to the extent arising as a result of a breach by ISL (or its subcontractors) of this Contract and/or their respective obligations under the Data Protection Laws.

    3.2 Nothing in this Contract will exclude, limit or restrict ISL’s liability under the indemnity set out in paragraph 3.1.

Appendix A – data protection particulars

The subject matter and duration of the Processing: The subject matter of the Data Processing is ISL complying with its obligations under this Contract. The duration of the Data Processing is until the termination of the Contract in accordance with its terms.

The nature and purpose of the Processing: The Training Provider needs to collect, maintain and use Personal Data relating to Delegates in order to deliver the courses. The purpose of the Data Processing is the performance of ISL’s obligations under this Contract.

The type of Personal Data being Processed: Title, first name, middle name(s), surname, gender, date of birth, email address, mobile phone number, nationality, country of domicile, home address, contact address, qualifications, health information.

The categories of Data Subjects: Delegates.