
Separate Controller Data Sharing Schedule

Internal ICAEW policy

Published: 12 Jan 2018 Updated: 05 Mar 2021

This Schedule forms part of the Agreement entered into between **** and ICAEW, effective from the Commencement Date (the “Agreement”).

Pursuant to the terms of the Agreement each Party wishes to share certain Personal Data (as hereafter defined). Each party wishes to ensure that the other party complies with its legal obligations in connection with such Personal Data and otherwise agrees the responsibilities set out in this Schedule. Accordingly, in consideration of the benefits to the parties of the sharing of Personal Data, the parties agree to comply with the following terms.

1. Definitions and interpretations

1.1. Any words defined in the Agreement and used in this Schedule shall have the meaning given in the Agreement. Otherwise, in this Schedule, unless the context otherwise requires, the following words and expressions shall have the following meanings:

"Applicable Laws"

means the laws of England and Wales, the laws of the European Union so long as these apply in England and Wales, and any other laws or regulations, regulatory policies, guidelines or industry codes which apply to data processing carried out in connection with this Agreement.


"Controller"

means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing of Personal Data.

"Data Subject"

means a natural person to whom Personal Data relates.

"Data Protection Legislation"

means any Applicable Law relating to the processing, privacy, and use of Personal Data, as applicable to ICAEW, the Supplier and/or the Services, including:

  1. in the United Kingdom:
    1. the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 2002/58/EC (ePrivacy Directive); and/or
    2. the General Data Protection Regulation (EU) 2016/679 (GDPR), and/or any corresponding or equivalent national laws or regulations implemented in the UK following the exit of the United Kingdom from the European Union (UK GDPR);
  2. in member states of the European Union: the GDPR and the ePrivacy Directive, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and
  3. any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

“Disclosing Party”

means a Party to this Agreement which discloses or makes available directly or indirectly Personal Data.

"Effective Date"

means the Commencement Date.


“Party”

means a Party to the Agreement and “Parties” shall be construed accordingly.

“Personal Data”

means any information relating to an identified or identifiable natural person.


"Personnel"

means any employee, officer or director, or an individual working as a consultant, independent contractor or agent, and/or temporary worker of a Party.


"Processing"

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, including (without limitation) collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, combining, restricting, erasing or destroying (and related terms such as process have corresponding meanings).


means the UK Information Commissioner’s Office and the European Data Protection Board or any successor body to either regulator from time to time and any other supervisory authority with jurisdiction over either Party.


"Security"

means a Party’s technological, physical, administrative, organizational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part, to: (a) protect the confidentiality, integrity or availability of Shared Data; (b) prevent the unauthorized use of or unauthorized access to Shared Data; (c) prevent the loss, theft or damage of Shared Data; or (d) comply with Data Protection Legislation.

"Security Breach"

means any actual, threatened, or reasonably suspected: (a) unauthorized use of, or unauthorized access to Shared Data, damage to, or inability to access, Shared Data due to a malicious use, attack or exploit of such Shared Data; (b) unauthorized access to, theft of or loss of Shared Data; (c) unauthorized use of Shared Data for purposes of actual, reasonably suspected or attempted theft, fraud, identity theft or other misuse; (d) unauthorized disclosure of Shared Data.

“Shared Data”

means Personal Data held by one Party as a Controller, which is provided to the other Party as a Controller under this Agreement.

1.2. Clause headings shall not affect the interpretation of this Schedule.

1.3. A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.4. Unless the context otherwise requires, words in the singular shall include the plural and in the plural include the singular.

1.5. A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment, and includes any subordinate legislation for the time being in force made under it.

1.6. Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

1.7. Any obligation in this Schedule on a person not to do something includes an obligation not to agree or allow that thing to be done.

2.1. The parties shall each comply with their respective obligations under the Data Protection Legislation when Processing Shared Data pursuant to the terms of this Schedule.

2.2. The Work Statement sets out a description of Shared Data for illustrative purposes and is set out without limitation to the generality of Shared Data that may be Processed pursuant to the terms of this Schedule.

2.3. For the purposes of this Clause 2, the parties acknowledge that in respect of Shared Data Processed pursuant to the terms of this Schedule and the Agreement the parties are separate Data Controllers. Depending on circumstances of a specific transfer of Personal Data, one party will be the Recipient and the other the Disclosing Party.

2.4. Both parties shall at all times remain responsible for the acts and omissions pursuant to this Schedule of their respective Personnel and suppliers.

2.5. The parties shall only Process Shared Data for the purpose or purposes set out in their respective privacy notices, copies of which shall be provided to the other party upon request.

2.6. Each party shall comply with its own obligations under this Clause at its own cost.

3. Warranties

3.1. The Disclosing Party represents, warrants and covenants during the term of the Agreement that, in relation to the Shared Data:

3.1.1. the Shared Data has been obtained by the Disclosing Party in accordance with the Data Protection Legislation;

3.1.2. privacy notices provided to Data Subjects are compliant with, and have been provided to the Data Subject in a manner which is compliant with, the Data Protection Legislation;

3.1.3. there are no circumstances of which the Disclosing Party is aware which are likely to give rise to breach of the Data Protection Legislation in the future (including any unauthorised disclosure) or any notice, complaint, claim or notification from a Data Subject or Regulator; and

3.1.4. transferring the Shared Data to the Recipient in accordance with this Schedule will not constitute a breach of the Data Protection Legislation.

4. Security

4.1. Both parties shall implement appropriate technical and organisational measures to ensure a level of Security appropriate to the risk involved under this Schedule to:

4.1.1. protect all Shared Data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage, and to protect and ensure the confidentiality, integrity and availability of Shared Data; and

4.1.2. prevent a Security Breach.

4.2. Both parties shall keep accurate records of the Security measures which they have in place and shall make such records available to the other party upon request.

4.3. Security measures shall be regularly tested by each party to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of Shared Data, and the party's compliance with this Schedule and the party's obligations under the Data Protection Legislation. Both parties shall maintain records of the testing.

4.4. In the event of a Security Breach, the Recipient shall notify the Disclosing Party’s Representative without undue delay and in any event within twenty-four (24) hours after the Recipient or its suppliers, contractors and/or agents discovered such Security Breach.

4.5. Following the notification referred to in Clause 4.4 of this Schedule above, each party shall provide assistance and co-operation to the other party to mitigate the Security Breach, including to:

4.5.1. immediately conduct a reasonable investigation of the reasons for and circumstances of such Security Breach;

4.5.2. take all necessary actions to prevent, contain, and mitigate the impact of, such Security Breach, and remediate such Security Breach, without delay;

4.5.3. remediate the effects of a Security Breach;

4.5.4. promptly produce a written report setting out all relevant details concerning such Security Breach, including without limitation any security, risk or compliance assessment and security control audit reports; and

4.5.5. provide regular updates to the other party following a Security Breach.

5. Records, notification and assistance

5.1. Both parties shall at their own cost:

5.1.1. keep a record of any Processing of Shared Data it carries out;

5.1.2. notify the other party promptly (but in any event within 24 hours) should it receive any Data Subject access request or complaint or any information notice, enforcement notice or other correspondence from a Regulator, individual or third party in respect of Shared Data; or become aware of any circumstance which may cause either party to breach this Schedule or which may cause either party to breach the Data Protection Legislation; and

5.1.3. reasonably cooperate and coordinate with the other party concerning the other party's compliance with Data Protection Legislation.

6. Reservation of rights and acknowledgement

6.1. All Shared Data shall remain the property of the relevant Disclosing Party where such proprietary rights arise at law. Each party reserves all rights in its Shared Data. No rights, including intellectual property rights, in respect of a party's Shared Data are granted to the other party and no obligations are imposed on the Disclosing Party other than those expressly stated in this Schedule.

6.2. Except as expressly stated in this Schedule, no party makes any express or implied warranty or representations concerning its Shared Data, or the accuracy or completeness of the Shared Data.