DATA SHARING AGREEMENT

PARTIES

The parties as set in the Master Services Agreement

DEFINITIONS

Controller, processor, data subject, personal data, personal data breach, processing, and appropriate technical and organisational measures: as set out in the UK Data Protection Legislation in force at the time.

UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the United Kingdom General Data Protection Regulation (UKGDPR), the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications)

Permitted Recipients: the parties to this agreement, the employees of each party, any third parties engaged to perform obligations in connection with this agreement.

Shared Personal Data: the personal data to be shared between the parties under clause 1.1 of this agreement. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject:

1. name
2. email address
3. telephone number

DATA PROTECTION

Shared Personal Data: This sets out the framework for the sharing of personal data between the parties as controllers.

Effect of non-compliance with UK Data Protection Legislation: Each party shall comply with all the obligations imposed on a controller under the UK Data Protection Legislation, and any material breach of the UK Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.

Particular obligations relating to data sharing: Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Data Controller under any applicable Data Protection Laws in relation to the personal

Data Processed under the original Agreement: Each Party is a Controller of the Personal Data it discloses or makes available to the other Party and will process that Personal Data as separate and independent Data Controllers for the Agreed purposes. The parties process the Personal Data as Data Controllers in common and not jointly as joint Data Controllers.

Each party shall:

(a)  ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes.

(b)  give full information to any data subject whose personal data may be processed under this agreement of the nature such processing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees.

(c)  process the Shared Personal Data only for the Agreed Purposes.

(d)  not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients.

(e)  ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement.

(f)  ensure that it has in place appropriate technical and organisational measures, reviewed, and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

(g)  not transfer any personal data received from the Data Discloser outside the EEA unless the transferor:

(h)  complies with the provisions of Articles 26 of the GDPR (in the event the third party is a joint controller); and

(I)  ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; or (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) Binding corporate rules are in place or (iv) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

Mutual assistance: Each party shall assist the other in complying with all applicable requirements of the UK Data Protection Legislation. In particular, each party shall:

(a)  consult with the other party about any notices given to data subjects in relation to the Shared Personal Data.

(b)  promptly inform the other party about the receipt of any data subject access request.    

(c)  provide the other party with reasonable assistance in complying with any data subject access request.

(d)  notify the other party without undue delay on becoming aware of any breach of the UK Data Protection Legislation.

(e)  provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the UK Data Protection Legislation, including the procedures to be followed in the event of a data security breach.