This Schedule forms part of the Agreement entered into between **** and ICAEW, effective from the Commencement Date (the “Agreement”).
Pursuant to the terms of the Agreement each Party wishes to share certain Personal Data (as hereafter defined). Each Party wishes to ensure that the other Party complies with its legal obligation in connection with such Personal Data and otherwise agrees the responsibilities set out in this Schedule. Accordingly, in consideration of the benefits to the Parties of the sharing of Personal Data, the Parties agree to comply with the following terms.
|"Data Controller"||has the meaning given in Data Protection Legislation.|
|"Data Processor"||has the meaning given in Data Protection Legislation.|
|“Data Subject”||has the meaning given in Data Protection Legislation.|
|"Data Protection Legislation"||means all applicable data protection and privacy legislation, regulations and guidance including the Privacy and Electronic Communications (EC Directive) Regulations and any guidance or codes of practice issued by the European Data Protection Board or the Information Commissioner from time to time, together with: (a) prior to 25 May 2018, the Data Protection Act 1998; and (b) from 25 May 2018 onwards Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), as amended by the UK Data Protection Bill (in each case, all as amended, updated or re-enacted from time to time);|
||means a Party to this Agreement which discloses or makes available directly or indirectly Personal Data.|
|"Effective Date"||means the Commencement Date.|
|“Party”||means a Party to the Agreement and “Parties” shall be construed accordingly.|
|“Personal Data”||has the meaning given in Data Protection Legislation.|
|“Personnel”||means any employee, officer or director, or an individual working as a consultant, independent contractor or agent, and/or temporary worker of a Party.|
|“Process” or “Processes” or “Processing”||has the meaning given in Data Protection Legislation.|
|“Regulator”||means the UK Information Commissioner’s Office and the European Data Protection Board or any successor body to either regulator from time to time and any other supervisory authority with jurisdiction over either Party.|
|"Security"||means a Party’s technological, physical, administrative, organizational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part, to: (a) protect the confidentiality, integrity or availability of Personal Data; (b) prevent the unauthorized use of or unauthorized access to Personal Data; (c) prevent the loss, theft or damage of Personal Data; or (d) comply with Data Protection Legislation.|
|"Security Breach"||means any actual, threatened, or reasonably suspected: (a) unauthorized use of, or unauthorized access to Personal Data, damage to, or inability to access, Personal Data due to a malicious use, attack or exploit of such Personal Data; (b) unauthorized access to, theft of or loss of Personal Data; (c) unauthorized use of Personal Data for purposes of actual, reasonably suspected or attempted theft, fraud, identity theft or other misuse; (d) unauthorized disclosure of Personal Data.|
|"Shared Data"||means Personal Data held by one Party as a Data Controller, which is provided to the other Party as a Data Controller under this Agreement.|
|“Working Day”||means any day other than a Saturday, Sunday or public holiday in England and Wales.|
1.1 Clause headings shall not affect the interpretation of this Schedule.
1.2 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.3 Unless the context otherwise requires, words in the singular shall include the plural and in the plural include the singular.
1.4 A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment, and includes any subordinate legislation for the time being in force made under it.
1.5 Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
1.6 Any obligation in this Schedule on a person not to do something includes an obligation not to agree or allow that thing to be done.
2.1 The Parties shall each comply with their respective obligations under the Data Protection Legislation when Processing Shared Data pursuant to the terms of this Schedule.
2.2 Appendix A of this Schedule sets out a description of Shared Data for illustrative purposes and is set out without limitation to the generality of Shared Data that may be Processed pursuant to the terms of this Schedule.
2.3 For the purposes of this Clause 2, the Parties acknowledge that, in respect of Shared Data Processed pursuant to the terms of this Schedule and the Agreement, the Parties are separate Data Controllers. Depending on the circumstances of a specific transfer of Personal Data, one Party will be the Recipient and the other the Discloser.
2.4 Both Parties shall at all times remain responsible for the acts and omissions pursuant to this Schedule of their respective Personnel and suppliers, contractors and agents.
2.5 The Parties shall only Process Shared Data for the purpose or purposes set out in their respective privacy notices, copies of which shall be provided to the other Party upon request.
2.6 Each Party shall comply with its own obligations under this Clause at its own cost.
3.1 The Discloser represents, warrants and covenants during the term of the Agreement that, in relation to the Shared Data:
4.1 Both Parties shall implement appropriate technical and organisational measures to ensure a level of Security appropriate to the risk involved under this Schedule to:
4.2 Both Parties shall keep accurate records of the Security measures which they have in place and shall make such records available to the other Party upon request.
4.3 Security measures shall be regularly tested by each Party to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of Shared Data, and the Party's compliance with this Schedule and the Party's obligations under the Data Protection Legislation. Both Parties shall maintain records of the testing.
4.4 In the event of a Security Breach, the Recipient shall notify the Discloser’s Representative without undue delay and in any event within twenty-four (24) hours after the Recipient, or its suppliers, contractors and/or agents discovered such Security Breach.
4.5 Following the notification referred to in Clause 4.4 of this Schedule above, the Recipient shall provide assistance and co-operation with the Discloser to mitigate the Security Breach, including to:
5.1 Both Parties shall at their own cost:
6.1 All Shared Data shall remain the property of the relevant Disclosing Party where such proprietary rights arise at law. Each Party reserves all rights in its Shared Data. No rights, including intellectual property rights, in respect of a Party's Shared Data are granted to the other Party and no obligations are imposed on the Disclosing Party other than those expressly stated in this Schedule.
6.2 Except as expressly stated in this Schedule, no Party makes any express or implied warranty or representations concerning its Shared Data, or the accuracy or completeness of the Shared Data.