1.  SCHOOL (the data controller, joint controller or The School) and
  2. I-GTM Ltd. (the data controller or joint controller)     

Both parties commit to compliance with all relevant and applicable requirements of the Data Protection Act 2018 and any subsequent amendments of this.

  1. Personal data to be processed by The School

The School will share with I-GTM the name, age, gender, mobile phone number, house, account number (if applicable), parent or guardian contact details and travel plans of all pupils.

  1. Personal data to be processed by I-GTM

I-GTM will share with The School the name, age, gender, mobile phone number, house, account number (if applicable), parent or guardian contact details and travel plans of the School’s pupils. 

  1. Lawful basis

The School’s pupil travel data will be lawfully obtained and shared by or with I-GTM on the basis of legitimate interest to provide record keeping and travel logistic services and to assist the School with their legal duty to safeguard the wellbeing of pupils in their care.

  1. Data use by I-GTM

I-GTM will only use the shared data 

  • for the purposes of record keeping, 
  • reporting to the School, their assignees or other authorities (and then only with the express written consent of the School), 
  • communication with Parents, Guardians, Pupils or the School in connection with pupil transport arrangements, or for 
  • making transport arrangements for those pupils requesting such arranged transport, and for 
  • contacting those pupils, their parents, guardian or School, solely in connection with these arrangements. 

It is the duty of the School to establish that those pupils expected to undertake international or other unaccompanied travel appear to have made suitable arrangements to do so, however i-gtm software will prompt all parents, guardians and pupils for such information and will notify the School if such information has not been received. 

I-GTM staff in receipt of this data are bound to process it securely in accordance with the I-GTM’s Data Protection Policy. The pupil data in 1. and 2. above will be circulated to I-GTM staff as needed to carry out their duties. 

The names provided will be used to identify absent (expected) names and the travel arrangements of these individuals will be queried individually and directly with the School house parents, parents or guardians.

  1. Data sharing by I-GTM

I-GTM will not share the shared data with any party outside their organisation, except that they may share a list of names, telephone numbers, houses and other selected information of those travelling with an outsourced transport department or third party company acting as an outsourced transport department operating on behalf of the School, or a coach or private hire company contracted to carry out the transport of those pupils, where such a list of names is essential for the safe operation of the service. Any such list will contain limited information and is considered low risk.

  1. Data transfer to I-GTM

The School will share data with I-GTM. The data will be exchanged either via I-GTM (via a securely-accessed online dashboard or mobile device app) or via a shared spreadsheet or document, stored in either the School’s data cloud or I-GTM’s data cloud. For the purpose of clarity, this will be one single copy of the data in either a Google or Microsoft format (G Sheet or Excel), stored in Google Drive, Microsoft Sharepoint, One Drive, Dropbox, etc, subject to the School’s data storage policy. Personal data will be contained within this document and it is considered a high risk data transfer.

  1. Data storage by I-GTM

I-GTM confirms it has adequate measures in place to ensure the secure storage of School data. These measures include adequate cyber security systems, suitable document disposal arrangements, data protection policies and procedures and staff data protection training.

  1. Data retention by I-GTM

The documents containing pupil names received by I-GTM will be retained for the time needed to achieve the stated purpose. A sanitised copy of the document may be retained in a secure archive storage for auditing purposes. All documents and pupil data will be permanently erased on request from the School. I-GTM takes real-time data from the School’s MIS and as such does not retain any personally identifiable data that is not held by the School, however I-GTM will request a list of pupils who have left the school from time to time and where these records may exist they will be permanently erased. 

  1. Data subject rights

To withdraw consent or raise a Subject Access Request (SAR), or invoke any other data subject right, applicable to travel information obtained by either party and processed by I-GTM, a request should be made to I-GTM by email to Both parties must inform the other of any such request received within three working days. Both parties are to act immediately on any such request directed to it by the other party . In the case of a SAR, the School will be the responding party.

  1. Review and termination

This agreement will be formally reviewed by the School’s Data Protection Officer or International Student Liaison Officer at any time of service supply contract review. Otherwise, if the agreement remains valid for current data sharing activities, it shall continue to stand. It can be terminated by either party for any reason at any time.

  1. Data breach incidents

In respect of any Data Breach (or any information security incident) involving the Data, GTM shall notify The School without delay, and provide The School with full assistance to investigate and manage the incident. In the case of a Data Breach, the School will be the party responsible for notifying the Information Commissioner (if necessary).


On behalf of GTMatrix





On behalf of SCHOOL