Data Sharing Agreement


between
The Azets entity defined in the Engagement Letter (“Azets”)
and
The customer defined in the Engagement Letter (“Customer”)
(each a “Party” and together the “Parties”).

Whereas

Azets and Customer intend that this Data Sharing Agreement forms the basis of the data sharing arrangements between the parties (the “Data Sharing Agreement”); and

the intention of the Parties is that they shall each be joint Controllers in respect of the Data that they process under this Data Sharing Agreement; and

in the context of joint controllership, the competence and responsibility of each party result from Part 1. This regulates the main responsibilities with regard to the joint controllership according to GDPR Article 26; and

the parties agree to support each other to the necessary and reasonable extent in fulfilling the provisions arising from this Data Sharing Agreement and legal obligations; and

in case a data subject asserts his/her rights, the party contacted shall only provide the data subject with the information as set out in Part 1 of this Data Sharing Agreement. Inquiries from data subjects that go beyond this responsibility shall be coordinated with the other party immediately; and

nothing in this Data Sharing Agreement shall alter, supersede, or in any other way affect the terms of the Engagement Letter.

Now therefore it is agreed as follows:

Definitions

In construing this Data Sharing Agreement, capitalised words and expressions shall have the meaning set out below:

“Business Day” means any day which is not a Saturday, a Sunday or a bank or public holiday throughout England and Wales;

“Data” means the information which contains Personal Data and Special Category Personal Data (both of which have the definition ascribed to them in Data Protection Legislation) described in Part 1;

“Commissioner” means the Information Commissioner and any successor;

“Controller” has the meaning set out in Data Protection Legislation;

“Data Protection Legislation” means, as applicable, (a) European Data Protection Legislation, and (b) Non-European Data Protection Legislation, which applies to the Processing of Personal Data;

“Data Recipient” means the party (being either Azets or Customer, as appropriate) to whom Data is disclosed;

“Data Sharing Agreement” means this Data Sharing Agreement, as amended from time to time in accordance with its terms, including the Schedules;

“Data Subject” means any identifiable individual to whom any Personal Data relates: and the categories of data subjects within the scope of this Data Sharing Agreement as listed in Part 1;

“Data Subject Request” means a request to either party as Controller by or on behalf of a Data Subject to exercise any rights conferred by Data Protection Legislation in relation to the Data or the activities of the parties contemplated by this Data Sharing Agreement;

“Disclosing Party” means the party (being either Azets or Customer, as appropriate) disclosing Data to the Data Recipient (or on behalf of whom Data is disclosed to the Data Recipient);

“European Data Protection Legislation” means, as applicable, data protection and privacy legislation in force inside the European Economic Area, including the General Data Protection Regulation and any national Laws implementing such legislation;

“General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;

“Law” means any statute, directive, other legislation, law or regulation in whatever form, delegated act (under any of the foregoing), rule, order of any court having valid jurisdiction or other binding restriction, decision or guidance in force from time to time;

“Lawful Basis” means in relation to either Party, the lawful basis for sharing the Data as described in clause 2 below and as documented in Schedule Part 2;

“Non-European Data Protection Legislation” means data protection or privacy legislation in force outside the European Economic Area, including without limitation such legislation as is in force in the UK (including the UK GDPR and the Data Protection Act 2018) and national implementing legislation;

“Purpose” means the purpose referred to in Part 2;

“Representatives” means, as the context requires, the representative of Azets and/or the representative of Customer as documented in Part 4. The same may be changed from time to time on notice in writing by the relevant Party to the other Party;

“Schedule” means the Schedule in 4 Parts annexed to this Data Sharing Agreement and a reference to a “Part” is to a Part of the Schedule;

“Security Measures” has the meaning given to that term in clause 3.1.5 below;

“UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.1 In this Data Sharing Agreement unless the context otherwise requires:

1.1.1 words and expressions defined in Data Protection Legislation shall have the same meanings in this Data Sharing Agreement so that, in the case of Data Protection Legislation, words and expressions shall be interpreted in accordance with, as applicable:

1.1.1.1 Non-European Data Protection Legislation; and

1.1.1.2 European Data Protection Legislation.

1.1.2 more generally, references to statutory provisions include those statutory provisions as amended, replaced, re-enacted for the time being in force and shall include any byelaws, statutory instruments, rules, regulations, orders, notices, codes of practice, directions, consents or permissions and guidelines (together with any conditions attached to the foregoing) made thereunder.

2 Data Sharing – Purpose and Lawful Basis

2.1 The Parties agree to share the Data for the Purpose in accordance with the provisions of Part 2 of the Schedule.

2.2 Save as provided for in this Data Sharing Agreement, the Parties agree not to use any Data disclosed in terms of this Data Sharing Agreement in a way that is incompatible with the Purpose.

2.3 Each Party shall ensure that it processes the Data fairly and lawfully in accordance with Data Protection Legislation and each Party as Disclosing Party warrants to the other Party in relation to any Data disclosed, that such disclosure is justified by a Lawful Basis.

3 Relationship of the Parties

3.1 The Parties agree that the relationship between them is such that any processing of the Data shall be on a Controller to Controller basis. The Data Recipient agrees that:

3.1.1 the Parties are Joint Controllers in respect of the Data processed under this Data Sharing Agreement;

3.1.2 it is responsible for complying with the obligations incumbent on it as a Controller under Data Protection Legislation (including responding to any Data Subject Request);

3.1.3 it shall not transfer any of the Data outside the United Kingdom and / or European Economic Area except to the extent agreed by the Disclosing Party;

3.1.4 Provided that where the Data has been transferred outside the United Kingdom and / or the European Economic Area, the Disclosing Party may require that the Data are transferred back to within the United Kingdom and / or European Economic Area:

3.1.4.1 on giving not less than 3 months’ notice in writing to that effect; or

3.1.4.2 at any time in the event of a change in Law which makes it unlawful for the Data to be processed in the jurisdiction outside the United Kingdom and / or the European Economic Area where it is being processed; and

3.1.5 it shall implement appropriate technical and organisational measures including the security measures (“Security Measures”), so as to ensure an appropriate level of security is adopted to mitigate the risks associated with its processing of the Data, including against unauthorised or unlawful processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or damage or access to such Data.

3.2 The Disclosing Party undertakes to notify in writing to the other as soon as practicable if an error is discovered in Data which has been provided to the Data Recipient, to ensure that the Data Recipient is then able to correct its records. This may happen whether the error is discovered through existing Data quality initiatives or is flagged up through some other route (such as the existence of errors being directly notified to the Disclosing Party by the Data Subjects themselves).

4 Transferring Data

4.1 Subject to the Data Recipient’s compliance with the terms of this Data Sharing Agreement, the Disclosing Party undertakes to endeavour to provide the Data to the Data Recipient on a non-exclusive basis in accordance with the transfer arrangements documented in Schedule Part 3.

5 Duration, Review and Amendment

5.1 This Data Sharing Agreement shall come into force immediately on the execution of a relevant Engagement Letter and continue for the duration of the relevant Engagement Letter between the Parties unless terminated earlier by the Disclosing Party in accordance with clause 5.5.2 below.

5.2 This Data Sharing Agreement shall be reviewed one year after it comes into force and every two years thereafter until termination or expiry in accordance with its terms.

5.3 In addition to these scheduled reviews and without prejudice to clause 5.5.2 the Parties shall also review this Data Sharing Agreement and the operational arrangements which give effect to it, if any of the following events takes place:

5.3.1 the terms of this Data Sharing Agreement have been breached in any material aspect, including any security breach or data loss in respect of Data which is subject to this Data Sharing Agreement; or

5.3.2 the Commissioner or any of his or her authorised staff recommends that the Data Sharing Agreement be reviewed.

5.4 Any amendments to this Data Sharing Agreement shall only be effective when contained within a formal amendment document which is formally executed in writing by both Parties.

5.5 In the event that the Disclosing Party has any reason to believe that the Data Recipient is in breach of any of its obligations under this Data Sharing Agreement, the Disclosing Party may at its sole discretion:

5.5.1 suspend the sharing of Data until such time as the Disclosing Party is reasonably satisfied that the breach shall not re-occur; and/or

5.5.2 terminate this Data Sharing Agreement immediately by written notice to the Data Recipient if the Data Recipient commits a material breach of this Data Sharing Agreement which (in the case of a breach capable of a remedy) it does not remedy within five (5) Business Days of receiving written notice of the breach.

5.6 Where the Disclosing Party exercises its rights under clause 5.5.2 above it may request the return of the Data in which case the Data Recipient shall, no later than fourteen (14) days after receipt of such a written request from the Disclosing Party, at the Disclosing Party’s option, return or permanently erase/destroy all materials held by or under the control of the Data Recipient which contain or reflect the Data and shall not retain any copies, extracts or other reproductions of the Data either in whole or in part (and shall confirm having done so to the other Party in writing), save that the Data Recipient shall be permitted to retain one copy for the purpose of complying with, and for so long as required by, any law or judicial or administrative process or for its legitimate internal compliance and/or record keeping requirements.

6 Liability

6.1 Nothing in this Data Sharing Agreement limits or excludes the liability of either Party for:

6.1.1 death or personal injury resulting from its negligence; or

6.1.2 any damage or liability incurred as a result of fraud by its personnel; or

6.1.3 any other matter to the extent that the exclusion or limitation of liability for that matter is not permitted by law.

6.2 To the fullest extent permitted by Law, any claims brought under this Data Sharing Agreement shall be subject to the Terms of Business, including but not limited to, any applicable exclusions and limitations set forth therein. For the sake of clarity, Azets’ aggregate liability arising out of this Data Sharing Agreement shall in no event exceed the limitations set forth in the Terms of Business.

7 Dispute Resolution

7.1 The Parties hereby agree to act in good faith at all times to attempt to resolve any dispute or difference relating to the subject matter of, and arising under, this Data Sharing Agreement.

7.2 If the Representatives dealing with a dispute or difference are unable to resolve this themselves within twenty (20) Business Days of the issue arising, the matter shall be escalated to the individuals documented in Schedule Part 4 identified as escalation points who shall endeavour to resolve the issue in good faith.

7.3 In the event that the Parties are unable to resolve the dispute amicably within a period of twenty (20) Business Days from date on which the dispute or difference was escalated in terms of clause 7.2 above, the matter may be referred to a mutually agreed mediator.

7.4 If mediation fails to resolve the dispute or if the chosen mediator indicates that the dispute is not suitable for mediation, and the Parties remain unable to resolve any dispute or difference in accordance with clauses 7.2 to 7.3, then either Party may, by notice in writing to the other Party, refer the dispute for determination by the courts in accordance with clause 9 below.

7.5 The provisions of clauses 7.1 to 7.4 do not prevent either Party from applying for an interim court order whilst the Parties attempt to resolve a dispute.

8 Notices

8.1 Any Notices to be provided in terms of this Data Sharing Agreement shall be provided in writing and addressed to the relevant Party in accordance with the contact details noted in Part 4, and shall be deemed to have been received (i) if delivered personally, on the day of delivery; (ii) if sent by first class post or other next working day delivery, the second day after posting; (iii) if by courier, the date and time the courier’s delivery receipt is signed; (iv) if by fax, the date and time of the fax receipt; or, if sent by email, the date of the sending of the email.

9 Governing Law

9.1 This Data Sharing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) (a “Dispute”) shall, in all respects, be governed by and construed in accordance with the law of England and Wales. The Parties agree that the Courts of England and Wales shall have exclusive jurisdiction in relation to any Dispute.

This is the Schedule referred to in the foregoing Data Sharing Agreement between Azets and Customer

Schedule Part 1 – Responsibilities and Obligations of the Parties

Responsibility and obligations according to the General Data Protection Regulation

Categories of data subjects

Customer:

The categories of Data Subjects whose Personal Data may be Processed in connection with the Services are determined and controlled by Customer in its sole discretion and may include but are not limited to: Customer’s representatives and end users, such as employees, contractors, collaborators, clients, prospects, and customers; and employees or contractors of Customer’s clients, prospects, and customers.

Responsibility for the processing activity

Azets:

Azets shall process Data and deliver the services defined in the Engagement Letter.

Customer:

Customer shall provide the Data necessary for Azets to deliver the services defined in the Engagement Letter.

Information of data subjects according to Art. 12 et seq. GDPR

Customer:

Customer shall provide transparent information and communication to data subjects concerning their rights.

Obtaining necessary consent, Art. 6 para. 1 lit. a GDPR

Customer:

Customer shall establish a lawful basis for its collection, disclosure to Azets and any other form of processing of Data under this Data Sharing Agreement and communicate that to affected data subjects pursuant to GDPR Article 12 et seq.

Request for information / right of access, Art. 15 GDPR

Azets:

Azets shall assist Customer by providing to Customer the personal data necessary to satisfy a data subject access request.

Azets shall refer any data subject access requests received directly from data subjects to Customer.

Customer:

Customer shall respond to data subjects concerning any data subject access requests.

Rectification, Art. 16 GDPR

Azets:

Azets shall assist Customer by performing any rectification requested by Customer on behalf of a data subject to the extent permissible by law.

Azets shall refer any rectification requests received directly from data subjects to Customer.

Customer:

Customer shall respond to data subjects concerning any rectification requests pursuant to GDPR Article 19.

Erasure / right to be forgotten, Art. 17 GDPR

Azets:

Azets shall refer any erasure requests received directly from data subjects to Customer.

Customer:

Customer shall respond to data subjects concerning any erasure requests pursuant to GDPR Article 19.

Restriction of processing, Art. 18 GDPR

Azets:

Azets shall assist Customer by performing any restriction of processing requested by Customer on behalf of a data subject to the extent permissible by law.

Azets shall refer any restriction requests received directly from data subjects to Customer.

Customer:

Customer shall respond to data subjects concerning any restriction of processing requests pursuant to GDPR Article 19.

Data portability, Art. 20 GDPR

Azets:

Azets shall assist Customer by performing any data portability requested by Customer on behalf of a data subject to the extent permissible by law.

Azets shall refer any data portability requests received directly from data subjects to Customer.

Customer:

Customer shall respond to data subjects concerning any data portability requests.

Right to object, Art. 21 GDPR

Azets:

Azets shall refer any objection to processing requests received directly from data subjects to Customer.

Customer:

Customer shall respond to data subjects concerning any objection to processing requests.

Provision of technical and organisational measures, Art. 32 GDPR

Azets:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Azets shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Customer:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Conclusion of data processing agreements with processors and sub-processors and associated obligations, Art. 28 GDPR

Azets:

To the extent that it engages any processors for processing subject to this Data Sharing Agreement Azets shall satisfy all obligations pursuant to GDPR Article 28.

Customer:

To the extent that it engages any processors for processing subject to this Data Sharing Agreement Customer shall satisfy all obligations pursuant to GDPR Article 28.

Maintaining records of processing activities, Art. 30 GDPR

Azets:

Azets shall maintain records of processing activities pursuant to GDPR Article 30.

Customer:

Should it employ more than 250 employees Customer shall maintain records of processing activities pursuant to GDPR Article 30.

Ensuring the obligations arising from Art. 33 and 34 GDPR – general

Azets:

In the case of a personal data breach, concerning personal data of data subjects being processed under this Data Sharing Agreement, Azets shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to Customer.

Customer:

In the case of a personal data breach, concerning personal data of data subjects being processed under this Data Sharing Agreement, Customer shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to Azets.

Ensuring the obligations arising from Art. 33 GDPR – Notification of a personal data breach to the Commissioner

Customer:

In the case of a personal data breach, concerning personal data of data subjects being processed under this Data Sharing Agreement, Customer shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Commissioner is not made within 72 hours, it shall be accompanied by reasons for the delay.

Ensuring the obligations arising from Art. 34 GDPR – Communication of a personal data breach to the data subject

Customer:

When the personal data breach, concerning personal data of data subjects being processed under this Data Sharing Agreement, is likely to result in a high risk to the rights and freedoms of natural persons, Customer shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of GDPR Article 33(3).

The communication to the data subject shall not be required if any of the conditions of GDPR Article 34.3 are met.

Ensuring the obligations arising from Art. 35 GDPR

Azets:

Azets shall conduct data protection impact assessments as and when required concerning the processing under this Data Sharing Agreement in pursuance of GDPR Article 35.

Customer:

Customer shall conduct data protection impact assessments as and when required concerning the processing under this Data Sharing Agreement in pursuance of GDPR Article 35.

Ensuring the obligations arising from Art. 36 GDPR

Azets:

Azets shall consult the Commissioner prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by Azets to mitigate the risk.

Customer:

Customer shall consult the Commissioner prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by Customer to mitigate the risk.

Schedule Part 2: Purpose and Lawful Basis for Processing

Purpose

The Parties shall exchange Data to allow Azets to deliver services as described in the Engagement Letter executed between Azets and Customer.

Lawful Basis

Performance of a contract

Schedule Part 3 – Data Transfer Rules

Information exchange can only work properly in practice if it is provided in a format which the Data Recipient can utilise. It is also important that the Data is disclosed in a manner which ensures that no unauthorised reading, copying, altering or deleting of personal data occurs during electronic transmission or transportation of the Data. The Parties therefore agree that to the extent that data is electronically or physically transferred only a transport mechanism approved and advised from time to time by Azets is used.

Schedule Part 4 – Representatives

Contact Details

Azets

As defined in the Engagement Letter.

Customer

As defined in the Engagement Letter.

Effective January 23 2023