TERMS AND CONDITIONS FOR DATA SHARING
1. Interpretation
The following definitions and rules of interpretation apply in this agreement.
1.1 Definitions:
Agreed Purposes: has the meaning given to it in the Covering Letter.
Agreement: these terms and conditions of data sharing, the Covering Letter and any other document referred to in the Covering Letter.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Commencement Date: the date of commencement of the data sharing as provided by the Covering Letter.
Covering Letter: the letter or email sent by the Data Discloser to the Data Receiver or otherwise agreed by the parties detailing the project or purpose(s) for data sharing.
Data Discloser: the party disclosing the Shared Personal Data.
Data Receiver: the party receiving the Shared Personal Data.
Data Protection Legislation: (i) the Data Protection Act 2018; (ii) the General Data Protection Regulation (GDPR) as enacted into English law and as revised and superseded from time to time; (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (iv) any other laws and regulations relating to the processing of personal data and privacy which apply to a party and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority.
Data Sharing Code: the Information Commissioner's Data Sharing Code of Practice.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
Shared Personal Data: the personal data to be shared between the parties under clause 3 of this Agreement.
Subject Access Request: the exercise by a data subject of his or her rights under Article 15 of the GDPR.
Supervisory Authority: the Information Commissioner’s Office.
Term: the duration of this Agreement as set out in the Covering Letter.
1.2 Controller, Processor, Data Subject and Personal Data, Special Categories of Personal Data, Processing and "appropriate technical and organisational measures" shall have the meanings given to them in the Data Protection Legislation.
1.3 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.
1.4 Unless the context otherwise, requires, words in the singular shall include the plural and in the plural shall include the singular.
1.5 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.6 A reference to a statue or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.7 References to clauses are to the clauses of this agreement.
1.8 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
1.9 In the case of any ambiguity between any provision contained in the body of this agreement and any provision contained in the Covering Letter, the provision in the Covering Letter shall take precedence.
1.10 A reference to writing or written includes fax and email.
1.11 Unless the context otherwise requires the reference to one gender shall include a reference to the other genders.
2. Purpose
2.1 This Agreement sets out the framework for the sharing of Personal Data between the parties as Controllers. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
2.2 The necessity and aim(s) of this data sharing initiative are as recorded in the Covering Letter. It will serve to benefit individuals/society as provided in the Covering Letter.
2.3 The parties agree to only process Shared Personal Data, as described in clause 3.1, for the Agreed Purposes. The parties shall not process Shared Personal Data in a way that is incompatible with the Agreed Purposes.
2.4 Each party shall appoint a single point of contact (SPoC) who will work together to reach an agreement with regards to any issues arising from the data sharing and to actively improve the effectiveness of the data sharing initiative. The points of contact for each of the parties are as set out in the Covering Letter.
3. Shared Personal Data
3.1 The types of Personal Data and, where applicable, more sensitive Personal Data which will be shared between the parties during the Term of this agreement are as set out in the Covering Letter
3.2 Further detail on the Shared Personal Data as described in clause 3.1 is set out in the Covering Letter together with any access and processing restrictions as agreed and established by the parties.
3.3 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
4. Lawful, fair and transparent processing
4.1 Each party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with clause 4.2 during the Term of this agreement.
4.2 Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the processing of Shared Personal Data.
4.3 The Data Discloser shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the data subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 13 of the GDPR including if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the data subject to understand the purpose and risks of such transfer.
4.4 The Data Receiver undertakes to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 14 of the GDPR including if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the data subject to understand the purpose and risks of such transfer
5. Data quality
5.1 The Data Discloser shall ensure that before the Commencement Date, Shared Personal Data are accurate and that it has appropriate internal procedures in place for the Data Receiver to sample Shared Personal Data prior to the Commencement Date and it will update the same if required prior to transferring the Shared Personal Data.
5.2 Shared Personal Data must be limited to the Personal Data described in the Covering Letter.
6. Data subjects' rights
6.1 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.
6.2 The SPoC for each party is responsible for maintaining a record of individual requests for information, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. The SPoC for each party are detailed in clause 2.4.
7. Data retention and deletion
7.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
7.2 Notwithstanding clause 7.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.
7.3 The Data Receiver shall ensure that any Shared Personal Data are returned to the Data Discloser or destroyed in the following circumstances:
(a) on termination of the Agreement;
(b) on expiry of the Term of the Agreement;
(c) once processing of the Shared Personal Data is no longer necessary for the purposes it were originally shared for, as set out in clause 2.3.
7.4 Following the deletion of Shared Personal Data in accordance with clause 7.3, the Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted.
8. Transfers
The Data Receiver shall not disclose or transfer Shared Personal Data outside the EEA.
9. Security and training
9.1 The Data Discloser shall only provide the Shared Personal Data to the Data Receiver by using secure methods as agreed and set out in the Covering Letter.
9.2 The parties undertake to have in place throughout the Term appropriate technical and organisational security measures to:
(a) prevent:
(i) unauthorised or unlawful processing of the Shared Personal Data; and
(ii) the accidental loss or destruction of, or damage to, the Shared Personal Data
(b) ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the Shared Personal Data to be protected.
9.3 The level of technical and organisational measures agreed by the parties as appropriate as at the Commencement Date shall have regard to the state of technological development and the cost of implementing such measures. The parties shall keep such security measures under review and shall carry out such updates as they agree are appropriate throughout the Term.
9.4 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with appropriate technical and organisational security measures together with any other applicable national data protection laws and guidance and have entered into confidentiality agreements relating to the processing of personal data.
9.5 The level, content and regularity of training referred to in clause 9.3 shall be proportionate to the staff members' role, responsibility and frequency with respect to their handling and processing of the Shared Personal Data.
10. Personal data breaches and reporting procedures
10.1 The parties shall each comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) data subjects under Article 33 of the GDPR and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or data subject(s).
10.2 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
11. Review and termination of agreement
11.1 Any additional party that wishes to be part of this data sharing initiative and Agreement shall be required to enter into a data sharing agreement on terms no less onerous than this Agreement. The consent of every party is required in order for the additional party to be included into this Agreement.
11.2 In the event that a party terminates the Agreement or a new Data Receiver joins the agreement in accordance with clause 11.1, an amended and updated version of this Agreement will be drafted as soon as practicable and circulated to all other parties.
11.3 Parties shall review the effectiveness of this data sharing initiative every 6 months and on the addition and removal of a party, having consideration to the aims and purposes set out in clause 2.2 and clause 2.3. The parties shall continue, amend or terminate the Agreement depending on the outcome of this review.
11.4 The review of the effectiveness of the data sharing initiative will involve:
(a) assessing whether the purposes for which the Shared Personal Data is being processed are still the ones referenced in clause 2.3 of this Agreement;
(b) assessing whether the Shared Personal Data is still as referenced in clause 3.1 of this Agreement;
(c) assessing whether the legal framework governing data quality, retention, and data subjects' rights are being complied with; and
(d) assessing whether personal data breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the applicable legal framework.
11.5 Each party reserves its rights to inspect the other party's arrangements for the processing of Shared Personal Data and to terminate the Agreement where it considers that the other party is not processing the Shared Personal Data in accordance with this agreement.
12. Resolution of disputes with data subjects or the Supervisory Authority
12.1 In the event of a dispute or claim brought by a data subject or the Supervisory Authority concerning the processing of Shared Personal Data against any of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
12.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
12.3 Each party shall abide by a decision of a competent court in England and Wales or of the Supervisory Authority.
13. Warranties
13.1 Each party warrants and undertakes that it will:
(a) Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
(b) Make available on request to the data subjects who are third party beneficiaries a copy of this Agreement, unless the clause contains confidential information.
(c) Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data.
(d) Respond to Subject Access Requests in accordance with the Data Protection Legislation.
(e) Where applicable, maintain registration and pay the appropriate fees with all relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.
(f) Take all appropriate steps to ensure compliance with the security measures set out in clause 9 above.
13.2 The Data Discloser warrants and undertakes that it is entitled to provide the Shared Personal Data to the Data Receiver and it will ensure that the Shared Personal Data are accurate.
13.3 The Data Recipient warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the EEA.
13.4 Except as expressly stated in this Agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.
14. Limitation of liability
14.1 Neither party excludes or limits liability to the other party for any matter for which it would be unlawful for the parties to exclude liability.
14.2 Subject to clause 14.1, neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
(a) any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
(b) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
(c) any loss or liability (whether direct or indirect) under or in relation to any other contract.
14.3 Clause 14.2 shall not prevent claims, for:
(a) direct financial loss that are not excluded under any of the categories set out in clause 14.2(a); or
(b) tangible property or physical damage.
15. Third party rights
No one other than a party to this Agreement shall have any right to enforce any of its terms.
16. Variation
No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
17. Waiver
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
18. Severance
18.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
18.2 If any provision or part-provision of this agreement is deemed deleted under clause 18.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
19. Changes to the applicable law
If during the Term the Data Protection Legislation change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree that the SPoCs will negotiate in good faith to review the Agreement in the light of the new legislation.
20. No partnership or agency
20.1 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
20.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
21. Entire agreement
21.1 This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
21.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
21.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misrepresentation based on any statement in this Agreement.
22. Further assurance
At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
23. Force majeure
Neither party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed. If the period of delay or non-performance continues for 3 months, the party not affected may terminate this agreement by giving 7 days' written notice to the affected party.
24. Rights and remedies
The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
25. Notice
25.1 Any notice given to a party under or in connection with this agreement shall be in writing, addressed to the SPoCs and shall be:
(a) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
(b) sent by email to the SPoC.
25.2 Any notice shall be deemed to have been received:
(a) if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address;
(b) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; and
(c) if sent by email, at the time of transmission, or if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 25.2(c), business hours means 9:00 am to 5:00 pm Monday to Friday on a day that is not a public holiday in the place of receipt.
25.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
26. Governing law
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
27. Jurisdiction
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this Agreement or its subject matter or formation.
This agreement has been entered into on the date the Covering Letter was last signed.