Separate Controller Data Sharing Schedule
This Schedule forms part of the Agreement entered into between **** and ICAEW, effective from the Commencement Date (the “Agreement”).
Pursuant to the terms of the Agreement each Party wishes to share certain Personal Data (as hereafter defined). Each Party wishes to ensure that the other Party complies with its legal obligation in connection with such Personal Data and otherwise agrees the responsibilities set out in this Schedule. Accordingly, in consideration of the benefits of the Parties of the sharing of Personal Data, the Parties agree to comply with the following terms.
1. DEFINITIONS AND INTERPRETATIONAny words defined in the Agreement and used in this Schedule shall have the meaning given in the Agreement. Otherwise, in this Schedule, unless the context otherwise requires, the following words and expressions shall have the following meanings:
|"Data Controller"||has the meaning given in Data Protection Legislation.|
|"Data Processor"||has the meaning given in Data Protection Legislation.|
|“Data Subject”||has the meaning given in Data Protection Legislation.|
|"Data Protection Legislation"||means all applicable data protection and privacy legislation, regulations and guidance including the Privacy and Electronic Communications (EC Directive) Regulations and any guidance or codes of practice issued by the European Data Protection Board or the Information Commissioner from time to time, together with: (a) prior to 25 May 2018, the Data Protection Act 1998; and (b) from 25 May 2018 onwards Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), as amended by the UK Data Protection Bill (in each case, all as amended, updated or re-enacted from time to time);|
||means a Party to this Agreement which discloses or makes available directly or indirectly Personal Data.|
|"Effective Date"||means the Commencement Date.|
|“Party”||means a Party to the Agreement and “Parties” shall be construed accordingly.|
|“Personal Data”||has the meaning given in Data Protection Legislation.|
|“Personnel”||means any employee, officer or director, or an individual working as a consultant, independent contractor or agent, and/or temporary worker of a Party.|
|“Process” or “Processes” or “Processing”||has the meaning given in Data Protection Legislation.|
|“Regulator”||means the UK Information Commissioner’s Office and the European Data Protection Board or any successor body to either regulator from time to time and any other supervisory authority with jurisdiction over either Party.|
|"Security"||means a Party’s technological, physical, administrative, organizational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part, to: (a) protect the confidentiality, integrity or availability of Personal Data; (b) prevent the unauthorized use of or unauthorized access to Personal Data; (c) prevent the loss, theft or damage of Personal Data; or (d) comply with Data Protection Legislation.|
|"Security Breach"||means any actual, threatened, or reasonably suspected: (a) unauthorized use of, or unauthorized access to Personal Data, damage to, or inability to access, Personal Data due to a malicious use, attack or exploit of such Personal Data; (b) unauthorized access to, theft of or loss of Personal Data; (c) unauthorized use of Personal Data for purposes of actual, reasonably suspected or attempted theft, fraud, identity theft or other misuse; (d) unauthorized disclosure of Personal Data.|
|"Shared Data"||means Personal Data held by one Party as a Data Controller, which is provided to the other Party as a Data Controller under this Agreement.
|“Working Day”||means any day other than a Saturday, Sunday or public holiday in England and Wales.|
1.1 Clause headings shall not affect the interpretation of this Schedule
1.2 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.3 Unless the context otherwise requires, words in the singular shall include the plural and in the plural include the singular.
1.4 A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment, and includes any subordinate legislation for the time being in force made under it.
1.5 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
1.6 Any obligation in this Schedule on a person not to do something includes an obligation not to agree or allow that thing to be done.
2. DATA SHARING
2.1 The Parties shall each comply with their respective obligations under the Data Protection Legislation when Processing Shared Data pursuant to the terms of this Schedule.
2.2 Appendix A of this Schedule sets out a description of Shared Data for illustrative purposes and is set out without limitation to the generality of Shared Data that may be Processed pursuant to the terms of this Schedule.
2.3 For the purposes of this Clause 2, the Parties acknowledge that in respect of Shared Data Processed pursuant to the terms of this Schedule and the Agreement Parties are separate Data Controllers. Depending on circumstances of a specific transfer of Personal Data, one Party will be the Recipient and the other the Discloser.
2.4 Both Parties shall at all times remain responsible for the acts and omissions pursuant to this Schedule of their respective Personnel and suppliers, contractors and agents.
2.5 The Parties shall only Process Shared Data for the purpose or purposes set out in their respective privacy notices, copies of which shall be provided to the other Party upon request.
2.6 Each Party shall comply with its own obligations under this Clause at its own cost.
3.1 The Discloser represents, warrants and covenants during the term of the Agreement that, in relation to the Shared Data:
- 3.1.1 the Shared Data has been obtained by the Discloser in accordance with the Data Protection Legislation;
- 3.1.2 privacy notices provided to Data Subjects are compliant with, and have been provided to the Data Subject in a manner which is compliant with, the Data Protection Legislation;
- 3.1.3 there are no circumstances of which the Discloser is aware which are likely to give rise to breach of the Data Protection Legislation in the future (including any unauthorised disclosure) or any notice, complaint, claim or notification from a Data Subject or Regulator; and
- 3.1.4 transferring the Shared Data to the Recipient in accordance with this Schedule will not constitute a breach of the Data Protection Legislation.
4.1 Both Parties shall implement appropriate technical and organisational measures to ensure a level of Security appropriate to the risk involved under this Schedule to:
- 4.1.1 protect all Shared Data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage, and to protect and ensure the confidentiality, integrity and availability of Shared Data; and
- 4.1.2 prevent a Security Breach.
4.2 Both Parties shall keep accurate records of the Security measures which they have in place and shall make such records available to the other Party upon request.
4.3 Security measures shall be regularly tested by each Party to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of Shared Data, and the Party's compliance with this Schedule and the Party's obligations under the Data Protection Legislation. Both Parties shall maintain records of the testing.
4.4 In the event of a Security Breach, the Recipient shall notify the Discloser’s Representative without undue delay and in any event within twenty four (24) hours after the Recipient, or its suppliers, contractors and or agents discovered such Security Breach.
4.5 Following the notification referred to in Clause 4.4 of this Schedule above, the Recipient shall provide assistance and co-operation with the Discloser to mitigate the Security Breach, including to:
- 4.5.1 immediately conduct a reasonable investigation of the reasons for and circumstances of such Security Breach;
- 4.5.2 take all necessary actions to prevent, contain, and mitigate the impact of, such Security Breach, and remediate such Security Breach, without delay;
- 4.5.3 remediate the effects of a Security Breach;
- 4.5.4 promptly produce a written report setting out all relevant details concerning such Security Breach, including without limitation any security, risk or compliance assessment and security control audit reports; and
- 4.5.5 provide regular updates to the Discloser following a Security Breach.
5. RECORDS, NOTIFICATION AND ASSISTANCE
5.1 Both Parties shall at their own cost:
- 5.1.1 keep a record of any Processing of Shared Data it carries out;
- 5.1.2 notify the other Party promptly (but in any event within 24 hours) should it; receive any Data Subject access request or complaint or any information notice, enforcement notice or other correspondence from a Regulator, individual or third Party in respect of Shared Data; or become aware of any circumstance which may cause either Party to breach this Schedule or which may cause either Party to breach the Data Protection Legislation; and
- 5.1.3 reasonably cooperate and coordinate with the other Party concerning the other Party's compliance with Data Protection Legislation.
6. RESERVATION OF RIGHTS AND ACKNOWLEDGEMENT
6.1 All Shared Data shall remain the property of the relevant Disclosing Party where such proprietary rights arise at law. Each Party reserves all rights in its Shared Data. No rights, including intellectual property rights, in respect of a Party's Shared Data are granted to the other Party and no obligations are imposed on the Disclosing Party other than those expressly stated in this Schedule.
6.2 Except as expressly stated in this Schedule, no Party makes any express or implied warranty or representations concerning its Shared Data, or the accuracy or completeness of the Shared Data.