ICAEW.com works better with JavaScript enabled.

Controller to processor data sharing schedule

Internal ICAEW policy

Published: 12 Jan 2018 Updated: 08 Mar 2021 Update History

This Schedule forms part of the Processor Agreement entered into between the Processor and ICAEW, effective from the Commencement Date (the “Agreement”).


For the purpose of this Schedule, the following definitions shall apply:

Applicable Laws

means the laws of England and Wales, the laws of the European Union so long as these apply in England and Wales, and any other laws or regulations, regulatory policies, guidelines or industry codes which apply to the provision of the Services;


means a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;


means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing of Protected Data;

Data Protection Laws

means any Applicable Law relating to the processing, privacy, and use of Personal Data, as applicable to ICAEW, the Supplier and/or the Services, including:

(a) in the United Kingdom:

  • (i) the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive); and/or
  • (ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any corresponding or equivalent national laws or regulations implemented in the UK following the exit of the United Kingdom from the European Union (UK GDPR);

(b) in member states of the European Union: the GDPR and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and

any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;

Data Protection Losses

means all liabilities and other amounts, including all:

(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage);

(b) loss or damage to reputation, brand or goodwill;

(c) to the extent permitted by Applicable Law:

  • (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
  • (ii) compensation paid to a Data Subject (including compensation to protect goodwill and ex gratia payments); and
  • (iii) costs of compliance with investigations by a Supervisory Authority; and

the costs of loading ICAEW Data and any other associated losses, to the extent the same are lost, damaged or destroyed, and any loss or corruption of ICAEW Data (including the costs of rectification or restoration of ICAEW Data);

Data Subject

means a natural person to whom Personal Data relates;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

International Organisation

means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

International Recipient

has the meaning given to that term in clause 6.1;

Personal Data

means any information relating to an identified or identifiable natural person;

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;


means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, including (without limitation) collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, combining, restricting, erasing or destroying (and related terms such as process have corresponding meanings);

Processing Instructions

has the meaning given to that term in clause 2.1.1;

Processor means a natural or legal person which processes Personal Data on behalf of others;

Protected Data

means Personal Data received from or on behalf of ICAEW, or otherwise obtained in connection with the performance of the Supplier’s obligations under this Agreement;

Standard Contract Clauses

means contract clauses that have been approved by the UK Government and/or the European Commission (as applicable) as providing adequate safeguards for the transfer of Protected Data to overseas jurisdictions;


means any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) to carry out any processing activities in respect of the Protected Data on behalf of the Supplier;

Supplier Personnel

means employees of the Supplier;

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

Valid Adequacy Mechanism

means a mechanism to protect Personal Data that is recognised by the UK government and/or European Commission (as applicable) as providing adequate safeguards for Personal Data transferred outside the UK and/or European Union (as applicable).

Specific interpretive provisions

In clauses 1 to 10 (inclusive)

  1. references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including particularly the GDPR and/or the Revised UK DP Law) and the equivalent terms defined in such Applicable Laws, once in force and applicable;
  2. a reference to a law includes all subordinate legislation made under that law; and
  3. clauses 1 to 10 (inclusive) shall survive termination (for any reason) or expiry of this Agreement (or of any of the Services).

Data processing provisions

1. Data Processor and Data Controller

1.1 The parties agree that, for the Protected Data, ICAEW shall be the Data Controller and the Supplier shall be the Data Processor. The details of such processing are set out in the Work Statement.

1.2 The Supplier shall comply with all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement and shall not by any act or omission cause ICAEW (or any other person) to be in breach of any Data Protection Laws.

1.3 ICAEW shall comply with all Data Protection Laws in respect of the performance of its obligations under this Agreement.

2. Instructions and details of processing

2.1 Insofar as the Supplier processes Protected Data on behalf of ICAEW, the Supplier:

2.1.1 unless required to do otherwise by Applicable Law, shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with ICAEW’s documented instructions as set out in this clause 2 and the Work Statement (Data Processing Activities), and as updated from time to time by the written agreement of the parties (Processing Instructions); and

2.1.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify ICAEW of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest).

2.2 The Supplier shall immediately inform ICAEW in writing if, in the Supplier’s opinion, a Processing Instruction infringes the Data Protection Laws or any other Applicable Laws relating to data protection and explain the reasons for its opinion, provided that this shall be without prejudice to clause 1.2.

2.3 The processing to be carried out by the Supplier under this Agreement shall comprise the processing set out in the Work Statement (Data Processing Activities), and such other processing as agreed by the parties in writing from time to time. 

3 Technical and organisational measures

3.1 The Supplier shall implement and maintain, at its cost and expense, appropriate technical and organisational measures in relation to the processing of Protected Data by the Supplier:

3.1.1 such that the processing will meet the requirements of Data Protection Laws and ensure the protection of the rights of Data Subjects;

3.1.2 so as to ensure a level of security in respect of Protected Data processed by it that is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed; and

3.1.3 without prejudice to clause 5.1, insofar as is possible, to assist ICAEW in the fulfilment of ICAEW’s obligations to respond to Data Subject Requests relating to Protected Data.

3.2 Without prejudice to clause 3.1, the Supplier shall, in respect of the Protected Data processed by it under this Agreement comply with the requirements regarding security of processing set out in Data Protection Laws (as applicable to Data Processors), all relevant ICAEW Policies and in this Agreement.

4. Using Sub-Processors and Personnel

4.1 The Supplier shall not provide access or permit any processing of Protected Data by any Sub-Processor without the prior specific written authorisation of that Sub-Processor by ICAEW.  

4.2 Where authorisation has been granted by ICAEW to the Supplier to engage any Sub-Processor in accordance with clause 4.1, the Supplier shall, prior to the Sub-Processor carrying out any processing activities in respect of the Protected Data;

4.2.1 undertake due diligence on the Sub-Processor to ensure the Sub-Processor has all appropriate technical and organisational measures in place as are required to enable compliance with the requirements of Data Protection Laws and the terms of this Agreement; and

4.2.2 Appoint the Sub-Processor under a binding written contract, with enforceable data protection obligations on the same terms as apply to the Supplier under this Agreement. 

4.3 Clause 4.2 includes an obligation on the Supplier to ensure that the contract with a  Sub-Processor requires that the Sub-Processor at all times:

  1. processes Protected Data only on and in accordance with the Processing Instructions and complies with the same obligations as the Supplier (as amended from time to time and including, without limitation, all obligations relating to security, audits, compliance with Applicable Laws, notifications, keeping of records and the destruction or deletion of Protected Data)
  2. provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing of the Protected Data will meet the requirements of Data Protection Laws; and
  3. is obliged to obtain the specific prior written consent of ICAEW and comply with the conditions referred to in this clause 4.3 for engaging another Processor (including any replacement).

4.4 The Supplier shall promptly upon request by ICAEW provide the relevant details of any such Sub-Processor to ICAEW.

4.5 The Supplier shall immediately cease using a Sub-Processor upon receiving written notice from ICAEW requesting that the Sub-Processor ceases processing Protected Data for security reasons or concerns about the Sub-Processor’s ability to carry out the relevant processing in compliance with Data Protection Laws or this Agreement.

4.6 The Supplier shall, and shall procure that each Sub-Processor that has access to Protected Data shall, comply with the Supplier’s obligations under clauses 1 to 10 (inclusive) (including that all obligations and responsibilities relating to Supplier Personnel shall apply to employees, agents or representatives of each Sub-Processor (Sub-Processor Personnel)). The Supplier shall, where that Sub-Processor fails to fulfil its obligations in accordance with any Sub- Processor Contract, remain fully liable to ICAEW for the performance of that Sub-Processor’s obligations. The acts or omissions of any Sub-Processor or Sub-Processor Personnel in connection with the processing of Protected Data shall be deemed the act or omission of the Supplier.

4.7 The Supplier shall ensure that the Supplier Personnel and all other persons authorised by it, or by any person acting on its behalf (including by any Sub-Processor pursuant to clause 4.1), to process Protected Data are subject to a binding written contractual obligation with the Supplier or with the Sub-Processor that has engaged them to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify ICAEW of any such requirement before such disclosure).

4.8 Without prejudice to any other provision of clauses 1 to 10 (inclusive), the Supplier shall ensure that the Supplier Personnel processing Protected Data are reliable and have received adequate training on compliance with clauses 1 to 10 (inclusive) and the Data Protection Laws applicable to the processing.

4.9 The Supplier shall ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services.

4.10 The Supplier remains fully liable to ICAEW under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own

5. Assistance with ICAEW’s compliance and Data Subject rights

5.1 The Supplier shall (at no cost to ICAEW):

5.1.1 promptly record and then refer all Data Subject Requests it receives to ICAEW within two Business Days of receipt of the request;

5.1.2 provide such information and cooperation and take such action as ICAEW reasonably requests in relation to each Data Subject Request, within the timescales reasonably required by ICAEW; and

5.1.3not respond to any Data Subject Request or Complaint without ICAEW’s prior written approval.

5.2 Without prejudice to clause 2.1, the Supplier shall, at its cost and expense, provide such information, co-operation and other assistance to ICAEW as ICAEW reasonably  requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with ICAEW’s obligations under Data Protection Laws, including with respect to:

5.2.1 security of processing;

5.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);

5.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and

5.2.4 any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or Complaint, including (subject in each case to ICAEW's prior written authorisation) regarding any notification of the Personal Data Breach to Supervisory Authorities and/or communication to any affected Data Subjects.

6. International data transfers

6.1 The Supplier shall not transfer any Protected Data to any country outside the United Kingdom and/or European Economic Area or to any International Organisation without ICAEW’s prior written consent.

7 Records, information and audit

7.1 The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of ICAEW, containing such information as ICAEW may reasonably require, including:

7.1.1 the name and contact details of the Supplier’s representative and data protection officer (if any); 7.1.2 the categories of processing carried out on behalf of ICAEW;

7.1.3 where applicable, details of transfers of Protected Data to an International Recipient; and

7.1.4 a general description of the technical and organisational security measures referred to in clause 3.1.

7.2 The Supplier shall make available to ICAEW on request in a timely manner (and in any event within three Business Days):

7.2.1 copies of the records under clause 7.1; and

7.2.2 such other information as  ICAEW reasonably requires to demonstrate the Supplier’s and  ICAEW’s compliance with their respective obligations under Data Protection Laws and this Agreement.

7.3 The Supplier shall at no cost to ICAEW:

7.3.1 allow for and contribute to audits, including inspections, conducted by  ICAEW or another auditor mandated by ICAEW for the purpose of demonstrating compliance by the Supplier and ICAEW with their respective obligations under Data Protection Laws and under clauses 1 to 10 (inclusive); and

7.3.2 provide (and procure) reasonable access for ICAEW or such other auditor (where practicable, during normal business hours) to:

  1. the facilities, equipment, premises and sites on which Protected Data and/or the records referred to in clause 7.1 are held, and to any other equipment or facilities used in the provision of the Services (in each case whether or not owned or controlled by the Supplier); and
  2. to the Supplier Personnel,

provided that ICAEW gives the Supplier reasonable prior notice of such audit and/or inspection.

7.4 If any audit or inspection reveals a material non-compliance by the Supplier with its obligations under Data Protection Laws or a breach by the Supplier of any of clauses 1 to 10 (inclusive), the Supplier shall pay the reasonable costs of ICAEW or its mandated auditors, of the audit or inspection.

7.5 The Supplier shall promptly resolve, at its own cost and expense, all data protection and security issues discovered by  ICAEW and reported to the Supplier that reveal a breach or potential breach by the Supplier of its obligations under any of clauses 1 to 10 (inclusive).

7.6 If the Supplier is in breach of its obligations under any of clauses 1 to 10 (inclusive) or clause 7.5, ICAEW may suspend the transfer of Protected Data to the Supplier until the breach is remedied.

7.7 ICAEW shall be entitled to share any notification, details, records or information provided by or on behalf of the Supplier under any of clauses 1 to 10 (inclusive) (including under clauses 7 or 8) with its professional advisors and/or the Supervisory Authority(ies).

8 Breach notification

8.1 In respect of any Personal Data Breach, the Supplier shall:

8.1.1 notify ICAEW of the Personal Data Breach without undue delay (but in no event later than 12 hours after becoming aware of the Personal Data Breach); and

8.1.2 provide ICAEW without undue delay (wherever possible, no later than 24 hours after becoming aware of the Personal Data Breach) with such details as ICAEW reasonably requires regarding: provided that, (without prejudice to the above obligations) if the Supplier cannot provide all these details within the timeframes set out in this clause 8.1.2, it shall (before the end of such timeframes) provide ICAEW with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give ICAEW regular updates on these matters.

  1. the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Protected Data records concerned;
  2. any investigations into such Personal Data Breach;
  3. the likely consequences of the Personal Data Breach; and
  4. any measures taken, or that the Supplier recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,

8.2 In the event of a Personal Data Breach, ICAEW shall at its sole discretion determine whether to provide notification to the Data Subject, any third party or Supervisory Authority(ies) and the Supplier shall not notify the Data Subject, any third party or Supervisory Authority(ies) unless such disclosure by the Supplier is required by law or is otherwise approved by ICAEW. ICAEW shall approve all notifications to Data Subjects, third parties or Supervisory Authority(ies) which it determines are required or appropriate.  

9. Deletion or return of Protected Data and copies

9.1 The Supplier shall (and shall ensure that all Sub-Processors and all Supplier Personnel shall) immediately (and in any event within 3 days), at ICAEW’s written request, either securely delete or securely return all the Protected Data to ICAEW in such form as ICAEW reasonably requests after the earlier of:

9.1.1 the end of the provision of the relevant Services related to processing of such Protected Data; or

9.1.2 once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under this Agreement,

and securely delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Supplier shall inform ICAEW of any such requirement).

9.2 The Supplier shall provide written confirmation to ICAEW of its compliance with clause 9.1.

10 Liability and indemnities

10.1 The Supplier shall indemnify and keep indemnified ICAEW in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, ICAEW arising from or in connection with:

10.1.1 any breach by the Supplier of any of its obligations under clauses 1 to 9 (inclusive); or

10.1.2 the Supplier (or any person acting on its behalf) acting outside or contrary to the lawful Processing Instructions of ICAEW in respect of the processing of Protected Data.

10.2 This clause 10 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:

10.2.1 permitted by Applicable Law (including Data Protection Laws); and

10.2.2 that it does not affect the liability of either party to any Data Subject.

11. Conflicts

11.1 Unless otherwise expressly stated in this Agreement:

11.1.1 the Supplier’s obligations and ICAEW’s rights and remedies under clauses 1 to 10 (inclusive) are cumulative with, and additional to, any other provisions of this Agreement

11.1.2 agreement relieves the Supplier of any responsibilities or liabilities under any Data Protection Laws; and

11.1.3 clauses 1 to 10 (inclusive) shall prevail over any other provision of this Agreement in the event of any conflict.