iTeachWise
Legal · For EEA, UK & Swiss Educational Institutions

EU & UK Compliance — GDPR, UK GDPR, SCCs & the EU AI Act

How iTeachWise lawfully processes the personal data of teachers, school staff, parents, and (where voluntarily entered) students located in the European Economic Area, the United Kingdom, and Switzerland.

Document: EU & UK Compliance Schedule
Version: 2026.05.1
Effective: 2026-05-09
DPO contact: dpo@iteachwise.com
Email the DPO Read the DPA

1. Lawful basis for processing

For schools and districts in the EEA, UK, and Switzerland, iTeachWise processes personal data on the lawful basis of contract performance (Article 6(1)(b) GDPR) — delivering the iTeachWise platform that the school has contracted for. Special category data (Article 9) is not collected by default; where a teacher voluntarily enters such data (for example, in an IEP-related prompt), the school remains the Controller and is responsible for the appropriate Article 9 condition.

2. International data transfers — SCCs & UK IDTA

iTeachWise's primary infrastructure is in the United States. Transfers of personal data from the EEA, UK, and Switzerland to the US are governed by:

  • EU Standard Contractual Clauses — Commission Implementing Decision (EU) 2021/914, Module Two (Controller-to-Processor), incorporated by reference into the iTeachWise DPA.
  • UK International Data Transfer Addendum (IDTA) — issued by the UK ICO under section 119A of the Data Protection Act 2018, incorporated by reference for UK-origin transfers.
  • Swiss Addendum — recognised supplementary terms applying the SCCs to data transferred from Switzerland under the FADP.

iTeachWise has completed a Transfer Impact Assessment (TIA) supporting these transfers; a copy is available to Districts under DPA on request.

3. Data subject rights

Individuals located in the EEA, UK, or Switzerland may exercise the following rights by contacting dpo@iteachwise.com:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Right to lodge a complaint with a supervisory authority (Article 77)

iTeachWise responds to verified requests within 30 days, extendable by a further 60 days for complex requests with notice to the data subject.

4. Data Protection Officer (DPO)

iTeachWise has designated a Data Protection Officer reachable at dpo@iteachwise.com. The DPO operates with the independence required by Article 38 GDPR, reports directly to executive leadership, and may not be dismissed or penalised for performance of DPO duties. Postal correspondence may be sent to the DPO care of iTeachWise's primary US business address (provided on request).

5. EU representative (Article 27)

iTeachWise is in the process of appointing a representative inside the European Union under Article 27 GDPR to act as the contact point for supervisory authorities and EU/EEA data subjects. The appointment will be published on this page once finalised. Until appointment, all communications should be sent to dpo@iteachwise.com.

6. The EU AI Act

iTeachWise classifies its product under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) as a limited-risk generative AI system used by a qualified human professional (the teacher) who reviews and authorises every output before it reaches a student.

Transparency obligations under Article 50:

  • iTeachWise clearly labels AI-generated content in the product UI and in this transparency disclosure.
  • Teachers are informed at point of use that they are interacting with an AI system.
  • Synthetic media (text, images, audio narration) is marked as AI-generated where Article 50(2) applies.

iTeachWise does not currently operate any feature that would qualify as a high-risk AI system under Annex III of the EU AI Act (no autonomous student grading, no admissions decisions, no essential public-service determinations). Should any future feature trigger high-risk classification, iTeachWise will publish — before launch — the conformity assessment, data-governance summary (Article 10), risk management documentation (Article 9), human-oversight design (Article 14), and post-market monitoring plan (Article 72) required by the Act.

EU AI Act timing: the bulk of the AI Act's obligations on general-purpose and limited-risk systems begin to apply on 2 August 2026. iTeachWise's transparency obligations are met today and will be re-confirmed before that date.

7. UK GDPR & the Data Protection Act 2018

For UK-resident teachers and parents, iTeachWise applies the UK GDPR and the Data Protection Act 2018. UK personal data transferred to the US is governed by the UK IDTA (referenced above). Complaints may be lodged with the UK Information Commissioner's Office at ico.org.uk.

8. Swiss FADP

For data subjects in Switzerland, iTeachWise applies the revised Federal Act on Data Protection (revFADP). The SCCs with the Swiss Addendum provide the lawful basis for transfer to the US. Complaints may be lodged with the Federal Data Protection and Information Commissioner (FDPIC).

Frequently asked questions

Can our school in the EU or UK legally use iTeachWise?

Yes. iTeachWise serves EEA, UK, and Swiss customers under the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK International Data Transfer Addendum (IDTA). These mechanisms provide a lawful basis for cross-border transfer of personal data to iTeachWise's US infrastructure under Article 46 GDPR.

Who is iTeachWise's Data Protection Officer?

Privacy and data-protection inquiries from EU, UK, or Swiss residents and authorities should be sent to dpo@iteachwise.com. The DPO function reports to iTeachWise's executive team and operates with the independence required by Article 38 GDPR.

Does iTeachWise have an EU representative under Article 27 GDPR?

iTeachWise is in the process of appointing an Article 27 representative inside the EEA to receive regulator and data-subject communications. Until appointed, all such inquiries should be sent to dpo@iteachwise.com and will be handled within statutory deadlines.

How does iTeachWise comply with the EU AI Act?

iTeachWise classifies its product under the EU AI Act as a 'limited risk' generative-AI tool used by a human professional (the teacher) who reviews every output. Disclosure obligations under Article 50 (transparency for generative AI) are met by clearly labeling AI-generated content in the product UI and on this Transparency page. Should any iTeachWise feature be classified as 'high risk' in the future (for example, an automated student-grading feature operating without teacher review), iTeachWise will publish the conformity assessment, data-governance summary, and human-oversight documentation required by Articles 9–15 before any such feature ships.

How do EU/UK individuals exercise their data rights?

EU/UK residents may exercise their access, rectification, erasure, restriction, portability, and objection rights by emailing dpo@iteachwise.com from the email address on the iTeachWise account. iTeachWise responds to verified requests within 30 days as required by Article 12(3) GDPR and the UK GDPR.

Where can we get the signed SCCs for our records?

When a District or school in the EEA, UK, or Switzerland signs the iTeachWise DPA, the SCCs (Module Two) and UK IDTA are incorporated by reference and an executed copy is countersigned and returned within 5 business days. Email district-compliance@iteachwise.com to begin.

Email the DPO View Sub-Processors