Data sharing agreement
Our terms and conditions are spread across multiple pages. Our terms include all of the following pages. By agreeing to our terms and conditions you are agreeing to all the pages of our terms and conditions below:
Page 1: General Terms and conditions
Page 2: Privacy Policy
Page 3: Data sharing agreement
Page 4: Data Processing Agreement
Page 5: Non-Circumvention
Page 6: Non Defamation
Page 7: Introducers terms and conditions
Page 8: Recruitment terms
Page 9: Disclaimer
Page 10: CRM Terms and conditions
Page 11: CRM GDPR
Page 12: CRM Data Processing Agreement
Page 13: CRM Privacy policy
Page 14: Franchise terms
DATA SHARING AGREEMENT – JOINT CONTROLLERS
1. Introduction
1.1 Under Article 26 of the General Data Protection Regulation (GDPR), where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. The parties are joint data controllers for all personal data processed in relation to the joint activity.
1.2 This agreement sets out the distribution of responsibilities among the Data Controllers in connection with the provision of marketing services. The Data Controllers are at all times obliged to inform each other about the establishment of new offices, subsidiaries, etc., where these may impact this agreement or where personal data are transferred to new third countries under this agreement.
2. Definitions
For the purposes of this agreement:
‘Personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC.
‘The sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions.
‘The applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals.
‘Technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.
‘Anonymisation’, ‘Data Controller’, ‘Data Subject’, ‘Personal Data’, ‘Personal Data Breach’, ‘Processing’, ‘Pseudonymisation’ shall have the meanings given to them by Article 4 of the GDPR.
3. Joint Controller Responsibilities
3.1 The Data Controllers agree that in connection with the subject services, they are joint data controllers. Both parties are responsible for determining the purpose of processing, the data collected, and how the data is processed.
3.2 This agreement has been drawn up to ensure that the Data Controllers can comply with the requirements relating to joint data controllers as laid down in Article 26 of the GDPR.
4. Data Retention
4.1 Data will be stored by the joint controllers as defined in their respective Data Retention policies. Data retention will be for a default maximum duration of 2 years post SOC. Removal of specific or all data may be requested at any time by written request from the Client.
5. Main Purpose of Data Processing
5.1 The data processing shall be limited to the use of Data to conduct lead generation, prospecting, and/or marketing activity on behalf of the Client and in accordance with the instructions provided by the Client as defined in the SOC.
6. Data Held
6.1 Supplier may store public business information together with other Personally Identifiable Information (PII) as required to conduct targeted marketing communications on behalf of the Client. The data held and means of processing will be determined by the Supplier.
7. General Distribution of Responsibilities
7.1 Each party must designate a contact point for data subjects to ensure that data subjects can exercise their rights under the GDPR individual data controller.
7.2 The Data Controller must inform the data subject of the processing of personal data and the rights of the data subject; ensure the necessary authority exists for the processing of the registered data; and that data are erased when they are no longer necessary.
7.3 The Data Controller who obtains specific data from sources other than the data subject is responsible for informing the data subject accordingly.
8. Rights of the Data Subjects
8.1 Each Data Controller is responsible for ensuring the rights of the data subjects in accordance with the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object to processing.
8.2 Data subjects have a range of rights under the GDPR, and both parties have agreed to procedures to allow data subjects to exercise these rights.
8.3 If one of the Data Controllers receives a request or inquiry from a data subject regarding matters covered by another Data Controller's responsibilities, the request is forwarded to such Data Controller without undue delay.
8.4 The parties are responsible for assisting each other to the extent relevant and necessary to comply with their obligations to the data subjects.
9. Security of Processing and Proof of Compliance
9.1 Each Data Controller must implement appropriate technical and organisational measures to ensure and demonstrate that processing is performed in accordance with the GDPR. Those measures must be reviewed and updated where necessary.
9.2 Each Data Controller is responsible for compliance with the provision on data protection by design and by default in Article 25 of the GDPR.
9.3 Each Data Controller is responsible for compliance with the requirement for security of processing in Article 32 of the GDPR.
10. Use of Data Processors and Sub-Processors
10.1 Supplier will only engage a processor with the prior consent of the Client and a written contract supporting the engagement. Client acknowledges that Success with Systems Ltd may engage processors in providing the services and that these processors will comply with the provisions of the GDPR.
10.2 If any data processors and/or sub-processors are used, each Data Controller is responsible for compliance with the requirements of Article 28 of the GDPR.
11. Records
11.1 Each Data Controller is responsible for compliance with the requirement for records of processing activities in Article 30 of the GDPR.
12. Notification of a Personal Data Breach
12.1 Each Data Controller is responsible for compliance with Article 33 of the GDPR on notification of a personal data breach to the supervisory authority.
12.2 The Data Controller with whom a personal data breach was committed is responsible for notifying the personal data breach to the supervisory authority.
13. Communication of a Personal Data Breach to the Data Subject
13.1 Each Data Controller is responsible for compliance with Article 34 of the GDPR on communication of a personal data breach to the data subject.
14. Data Protection Impact Assessment and Prior Consultation
14.1 Each Data Controller is responsible for compliance with the requirement in Article 35 of the GDPR on data protection impact assessment and Article 36 on prior consultation of the supervisory authority.
15. Transfers of Personal Data to Third Countries
15.1 The Data Controllers may decide that personal data can be transferred to third countries or international organisations. Each Data Controller is responsible for its own personal data transfers to third countries, including ensuring a legal basis for transfer exists and the GDPR has been observed.
16. Complaints
16.1 Each Data Controller is responsible for the handling of any complaints from data subjects if the complaints relate to the infringement of provisions in the GDPR for which the Data Controller is responsible according to this agreement.
17. Providing Information to the Other Parties
17.1 The Data Controllers inform each other about all matters relating to the joint processing and this agreement.
18. Nature of Processing
18.1 Supplier provides marketing activities on behalf of their clients. With respect to provision of the Services, Supplier and Client are Joint Controllers.
18.2 The data processing shall be limited to the use of Data to conduct marketing activity on behalf of Client.
19. Subject Matter and Categories of Data Subject
19.1 Supplier may store public business information together with Personally Identifiable Information (PII) as required to conduct targeted marketing communications on behalf of Client. Data categories shall not include sensitive data.
20. Details of Personally Identifiable Data that May Be Processed
20.1 Supplier may process various types of data, including Business Profile Data, Correspondence Data, Public Data, and Legal Claims Data, for purposes related to the services provided to the Client.
21. Privacy Policy
21.1 Supplier and Client shall post and comply with a privacy policy on all online properties associated with the Services at all times. The privacy policy shall comply with all applicable laws and shall not contain any terms that are inconsistent with or would otherwise restrict Supplier from performing its obligations hereunder.
22. Lawful Bases for Processing Suppliers’ Data
22.1 Supplier and Client are responsible for determining and documenting their own lawful basis for processing.
23. Legitimate Interest
23.1 Supplier may also process personal data in Supplier's own Legitimate Interests or where such processing is necessary for compliance with a legal obligation to which Supplier is subject.
24. Duration of Processing
24.1 Data will be stored for an appropriate period with a default maximum storage duration of 2 years post use. Removal of specific or all data may be requested at any time by written request from Client.
25. Type of Personal Data
25.1 Personal Data processed will include Name, Email, Job Title, Employer, and other basic information pertaining to an individual’s professional status.
26. Data Storage & Data Security
26.1 Supplier warrants that private data processed under this agreement will be hosted in appropriately secure, tier 1 EU data centres; data shall be encrypted both at rest and in transit; and hosted database access will be secured by both username and password and IP address.
27. Deletion
27.1 Supplier will delete all personal data, either as requested or at a time appropriate to the context of its use, such as upon termination of the contract.
28. Additional Warranties
28.1 In accordance with the GDPR, Supplier warrants that it will meet its obligations as Joint Controller; not use a sub-processor without the prior written authorisation of the controller; co-operate with supervisory authorities; ensure the security of its processing; keep records of its processing activities; notify any personal data breaches to the controller; employ a data protection officer if required; and appoint a representative within the European Union if required.
29. Awareness and Consequence
29.1 Supplier confirms awareness of the UK ICO's statements on the GDPR and acknowledges that failure to meet GDPR obligations may result in administrative fines, penalties, and the necessity
30. Liability and Indemnification
30.1 Client Responsibility: The Client is responsible for ensuring that any data provided to Supplier for processing has been collected in compliance with GDPR and all other applicable data protection laws. The Client shall indemnify and hold harmless Supplier against any claims, losses, or damages arising from the Client's failure to comply with such laws.
30.2 Indemnification: The Client agrees to indemnify, defend, and hold harmless Supplier, its officers, directors, employees, and agents, from and against any and all claims, liabilities, damages, losses, and expenses, including legal fees, arising out of or in any way connected with the processing of personal data under this agreement, except to the extent that such liabilities arise from Supplier's breach of this agreement or violation of applicable laws.
31. Data Minimization and Purpose Limitation
31.1 Data Minimization: The Client will ensure that only the minimum amount of personal data necessary for the specified purposes is provided to Supplier.
31.2 Purpose Limitation: Supplier shall process personal data solely for the purposes explicitly defined by the Client and in accordance with the Client’s instructions.
32. Record-Keeping Obligations
32.1 Supplier Obligations: Supplier shall maintain accurate records of all processing activities carried out on behalf of the Client, including the nature of the processing, categories of data subjects, types of personal data processed, and any transfers of personal data to third countries.
32.2 Client Obligations: The Client shall provide Supplier with all necessary information to maintain accurate records of processing activities, including any changes to the nature of processing or categories of data subjects.
33. Data Protection Officer (DPO)
33.1 Supplier DPO: If Supplier is required to appoint a Data Protection Officer under Article 37 of the GDPR, Supplier shall provide the Client with the DPO’s contact details.
33.2 Client DPO: If the Client is required to appoint a Data Protection Officer, the Client shall provide Supplier with the DPO’s contact details and ensure that the DPO is informed about the data processing activities carried out by Supplier.
34. Data Subject Rights Management
34.1 Request Handling: Both parties shall promptly inform each other of any data subject rights requests received. The Client is responsible for providing the necessary information to Supplier to enable the handling of such requests within the legal timeframes.
34.2 Cooperation: Supplier and Client agree to cooperate fully to ensure that data subject rights requests are handled in accordance with GDPR requirements. This includes providing access to relevant data, making necessary corrections, and deleting data when required.
35. Audit Rights
35.1 Right to Audit: The Client reserves the right to conduct periodic audits of Supplier’s data processing activities to ensure compliance with this agreement and applicable data protection laws. Such audits shall be conducted with reasonable prior notice and during regular business hours.
35.2 Audit Cooperation: Supplier agrees to cooperate with any audits conducted by the Client, providing access to relevant records, systems, and personnel as necessary.
36. Breach Notification Timing
36.1 Immediate Notification: Supplier shall notify the Client without undue delay, and in any event within 24 hours, upon becoming aware of a personal data breach.
36.2 Subsequent Information: Following the initial notification, Supplier shall provide the Client with timely updates and any information required to meet breach notification obligations to the supervisory authority and data subjects.
37. International Transfers and SCCs
37.1 Standard Contractual Clauses: If personal data is transferred to third countries, Supplier and Client agree to enter into Standard Contractual Clauses (SCCs) or other approved transfer mechanisms to ensure adequate protection of personal data.
37.2 Post-Brexit Transfers: In the event the United Kingdom leaves the EU without an adequacy decision, the parties shall execute SCCs to govern data transfers between the EU and the UK.
38. Governing Law and Jurisdiction
38.1 This Agreement shall be governed by and construed in accordance with the laws of the United Kingdom. Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of the United Kingdom.
39. Confidentiality
39.1 Both parties agree to treat all personal data and proprietary information as confidential and not to disclose it to third parties except as required by law or as necessary to perform their obligations under this Agreement.
40. Termination and Survival
40.1 This Agreement may be terminated by either party with 30 days’ written notice. The obligations in Sections 3, 6, 9, 11, 13, 17, 30, 38, and 39 shall survive the termination of this Agreement.
41. Amendments
41.1 This Agreement may only be amended in writing and signed by both parties.
42. Entire Agreement
42.1 This Agreement constitutes the entire agreement between the parties regarding data sharing and supersedes all prior agreements and understandings, whether written or oral, relating to its subject matter.