Data Sharing Agreement

For the sharing of personal data and special category personal data; between Fresh Minds Talent Limited and a second data controller

Contents

  1. Interpretation

  2. Purpose

  3. Compliance with national data protection laws

  4. Shared Personal Data

  5. Lawful, fair and transparent processing

  6. Data quality

  7. Data subjects’ rights

  8. Data retention and deletion

  9. Transfers

  10. Security and training

  11. Personal data breaches and reporting procedures

  12. Review and termination of this agreement

  13. Resolution of disputes with data subjects or the Supervisory Authority

  14. Language

  15. Warranties

  16. Indemnity

  17. Limitation of liability

  18. Direct marketing

  19. Variation

  20. Waiver

  21. Severance

  22. Changes to the applicable law

  23. No partnership or agency

  24. Entire agreement

  25. Further assurance

  26. Force majeure

  27. Rights and remedies

  28. Notice

  29. Governing law and Jurisdiction

  30. Schedule 1

This Agreement is made on 2022

Parties

(1)                      Fresh Minds Talent Limited incorporated and registered in England and Wales with company number 08662856 whose registered office is at Kingsbourne House, 229-231 High Holborn, London, WC1V 7DA (“Fresh Minds”).

(2)                      [FULL COMPANY NAME] incorporated and registered in England and Wales with company number [NUMBER] whose registered office is at [REGISTERED OFFICE ADDRESS] (the Data Receiver).

Background

(1)                      Fresh Minds agrees to share the Personal Data with the Data Receiver in the UK, the EEA or the US on terms set out in the Agreement.

(2)                      The Data Receiver agrees to use the Personal Data on the terms set out in this agreement.

(3)                      This is a free-standing Agreement that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

The parties agree:

1                         Interpretation

The following definitions and rules of interpretation apply in this agreement.

1.1                    Definitions:

“Agreed Purpose” has the meaning given to it in clause 2 of this agreement.

“Agreement” this agreement, which is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.

“Business Day” a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

“Commencement Date” [DATE]

“Criminal Offence Data” means Personal Data relating to criminal convictions and offences or related security measures to be read in accordance with section 11(2) of the DPA 2018 (or other applicable Data Protection Legislation).

“Data Protection Legislation

(a)            To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

(b)            To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the party is subject, which relates to the protection of personal data.

“EU GDPR” the General Data Protection Regulation ((EU) 2016/679).

“UK GDPR” the EUGDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.

“Shared Personal Data” the Personal Data and Special Category Personal Data to be shared between the parties under clause 4 of this agreement.

“Special Category Personal Data” the categories of Personal Data set out in the Data Protection Legislation.

“Subject Rights Request” the exercise by a data subject of their rights under the Data Protection Legislation.

“Supervisory Authority” the relevant supervisory authority in the territories where the parties to this agreement are established (other than the Information Commissioner).

“Term” [AGREED LENGTH OF DATA SHARING INITIATIVE – this may be a period of time or a one-off transfer]

1.2                    Controller, Processor, Information Commissioner, Data Subject and Personal Data, Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.

Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.

1.3                    The Schedule forms part of this agreement and shall have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the Schedule.

Unless the context otherwise, requires, words in the singular shall include the plural and in the plural shall include the singular.

1.4                    A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

Any words following the terms including, include, in particular or for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

1.5                    In the case of any ambiguity between any provision contained in the body of this agreement and any provision contained in the Schedule, the provision in the body of this agreement shall take precedence.

A reference to writing or written includes email.

1.6                    Unless the context otherwise requires the reference to one gender shall include a reference to the other genders.

2                         Purpose

2.1                    This agreement sets out the framework for the sharing of Personal Data when one Controller (Fresh Minds) discloses Personal Data to another Controller (the Data Receiver). It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.

The parties consider this data sharing initiative necessary and proportionate as the Personal Data shared is Personal Data processed by Fresh Minds in the capacity of Controller, in the normal conduct of its business as an employment agency, and the Personal Data will be shared with Data Receiver for the purpose of considering the data subject for employment. The Data Receiver will process the Personal data as a second Data Controller, as the Data Receiver will define their own needs for processing which may result in offering employment to the data subject The aim of the data sharing initiative is to enable the agency to share the Personal data of individual data subjects seeking new employmentwith potential employers. It is fair as it will benefit the individual data subjects and the parties by enabling the individual data subjects to find employment as well as enabling the Fresh Minds and the Data Receiver to pursue their commercial and business purposes and not unduly infringe the Data Subjects’ fundamental rights and freedoms and interests.

2.2                    The parties agree to only Process Shared Personal Data for the following purposes:

2.2.1               Providing Personal data about Data Subjects who are seeking new employment to enable potential employers to consider and evaluate the Data Subjects as candidates;

Providing Personal Data to enable potential employers to conduct interviews of the Data Subjects; and

2.2.2               Providing Personal Data to potential employers to enable them to make job offers to the Data Subjects.

The parties shall not Process Shared Personal Data including for the purposes of solely automated decision making producing legal effects or similarly significant effects, or otherwise in a way that is incompatible with the purposes described in this clause (“Agreed Purpose”).

3                         Compliance with national data protection laws

3.1                    Each party must ensure compliance with applicable Data Protection Legislationat all times during the Term of this agreement.

In the event the data protection law or approach to compliance of the UK and [EEA/ US ] conflict, the requirements of the country that necessitates stricter or additional requirements to protect data subjects’ privacy and Shared Personal Data shall be applied.

3.2                    Each party has such valid registrations as are required by the Information Commissioner or other national Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this agreement, unless an exemption applies.

4                         Shared Personal Data

4.1                    The following types of Personal Data will be shared between the parties during the Term of this agreement:

4.1.1               First and second name, email address, telephone number (“Contact Details”);

Full home address, Employer/ employment name and location, Job Title (“Candidate Data”); and

4.1.2               Detailed CV, and health or other Special Category Personal Data (“CV Personal Data”);

4.2                    Special Categories of Personal Data are not the focus of this data sharing, however it is likely that some Special Category Personal Data will be shared between the parties, relating for example to racial or ethnic origin, data concerning a natural person’s physical or mental health or condition, sex life or sexual orientation.

Criminal Offence Data will not be shared between the parties.

4.3                    The Shared Personal Data shall not be irrelevant or excessive with regard to the Agreed Purpose.

5                         Lawful, fair and transparent processing

5.1                    Each party shall ensure that it Processes the Shared Personal Data fairly and lawfully in accordance with clause 0 during the Term of this agreement.

Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of Shared Personal Data.

5.2                    The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation.

Fresh Minds shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:

5.2.1               if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer; and

if Shared Personal Data will be transferred outside the UK or EEA pursuant to clause 0 of this agreement, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by the Controller to enable the Data Subject to understand the purpose and risks of such transfer.

6                         Data quality

6.1                    Fresh Minds shall ensure that before the Commencement Date, Shared Personal Data is accurate and that it has appropriate internal procedures in place for the Data Receiver to sample Shared Personal Data prior to the Commencement Date and it will update the same if required prior to transferring the Shared Personal Data.

Shared Personal Data must be limited to the Personal Data described in this agreement.

7                         Data subjects’ rights

Each party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request..

8                         Data retention and deletion

8.1                    The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purpose.

Notwithstanding clause 8.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and industry.

8.2                    The Data Receiver shall ensure that any Shared Personal is securely destroyed in the following circumstances:

8.2.1               on termination of its involvement in this agreement;

on expiry of the Term of this agreement; or

8.2.2               once Processing of the Shared Personal Data is no longer necessary for the Agreed Purposes it was originally shared for.

9                         Transfers

9.1                    For the purposes of this clause, transfers of Personal Data shall mean any sharing of Personal Data by the Data Receiver with a third party, and shall include the following:

9.1.1               subcontracting the processing of Shared Personal Data;

granting a third party Controller access to the Shared Personal Data.

9.2                    If the Data Receiver appoints a third party Processor to Process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable as a Controller under Data Protection Legislation as well as to Fresh Minds for the acts and/or omissions of the Processor and any non-compliance by the Data Receiver with the obligations set out in this agreement.

The Data Receiver may not transfer Shared Personal Data to a third party located outside the UK or the EEA unless it;

9.2.1               complies with the provisions of the Data Protection Legislation in the event the third party is a joint controller; and

ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with the Data Receiver’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislationapplies to the transfer.

10                      Security and training

10.1                 Fresh Minds shall only provide the Shared Personal Data to the Data Receiver by using secure methods.

The parties undertake to have in place throughout the Term of this agreement appropriate technical and organisational security measures to:

10.1.1           prevent:

10.1.1.1      unauthorised or unlawful processing of the Shared Personal Data; and

the accidental loss or destruction of, or damage to, the Shared Personal Data

10.1.2           ensure a level of security appropriate to:

10.1.2.1      the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and

the nature of the Shared Personal Data to be protected.

10.2                 The level of technical and organisational measures agreed by the parties as appropriate as at the Commencement Date shall have regard to the state of technological development and the cost of implementing such measures. The parties shall keep such security measures under review and shall update the security measures as required by changing circumstances throughout the Term of this agreement.

It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures and have entered into confidentiality agreements relating to the Processing of Personal Data.

10.3                 The level, content and regularity of training referred to in clause 0shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and Processing of the Shared Personal Data.

11                      Personal data breaches and reporting procedures

11.1                 The parties shall each comply with its obligation to report a Personal Data Breach to the Information Commissioner or appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and the Data Receiver shall inform Fresh Minds of any Personal Data Breach irrespective of whether there is a requirement to notify the Information Commissioner or any Supervisory Authority or Data Subject(s).

12                      Review and termination of this agreement

12.1                 The parties shall review the effectiveness of this data sharing initiative every [twelve] months, having consideration to the aims and purposes set out in clause 0 and clause 2.2. The parties shall continue, amend or terminate this agreement depending on the outcome of this review.

The review of the effectiveness of the data sharing initiative will involve:

12.1.1           assessing whether the purposes for which the Shared Personal Data is being processed are still the Agreed Purposes defined in this agreement;

assessing whether the Shared Personal Data is still as defined in this agreement;

12.1.2           assessing whether the legal framework governing data quality, retention, and data subjects’ rights are being complied with; and

assessing whether Personal Data Breaches involving the Shared Personal Data have been handled in accordance with this agreement and the applicable legal framework.

13                      Resolution of disputes with data subjects or the Supervisory Authority

13.1                 In the event of a dispute, complaint or claim brought by a Data Subject or the Information Commissioner or other Supervisory Authority, concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.

The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Information Commissioner or other Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

13.2                 Each party shall abide by a decision of a competent court of England and Wales or of the Information Commissioner or other Supervisory Authority.

14                      Language

14.1                 This agreement is drafted in the English language. If this agreement is translated into any other language, the English language version shall prevail.

Any notice given under or in connection with this agreement shall be in English. All other documents provided under or in connection with this agreement shall be in English or accompanied by a certified English translation.

14.2                 The English language version of this agreement and any notice or other document relating to this agreement shall prevail if there is a conflict.

15                      Warranties

15.1                 Each party warrants and undertakes that it will:

15.1.1           Process the Shared Personal Data in compliance with Data Protection Legislation.

Respond within a reasonable time and as far as reasonably possible to enquiries from the Information Commissioner or relevant Supervisory Authority in relation to the Shared Personal Data.

15.1.2           Respond to Subject Rights Requests in accordance with the Data Protection Legislation, including where necessary (i) advising the other party of any step(s) it should reasonably take in this regard; and (ii) where the legitimate ground relied upon is a Data Subject’s consent, the timely operation of an effective procedure if such consent is withdrawn.

Where applicable, maintain registration with the Information Commissioner and all relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.

15.1.3           Take all appropriate steps to ensure compliance with the security measures set out in clause 10 above.

15.2                 Except as expressly stated in this agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the greatest extent permitted by law.

16                      Indemnity

16.1                 Data Receiver undertakes to indemnify Fresh Minds hold Fresh Minds harmless from any cost, charge, damages, expense or loss which they cause Fresh Minds as a result of their breach of any of the provisions of this agreement.

17                      Limitation of liability

17.1                 Neither party excludes or limits liability to the other party for:

17.1.1           fraud or fraudulent misrepresentation;

death or personal injury caused by negligence;

17.1.2           any matter for which it would be unlawful for the parties to exclude liability.

17.2                 Subject to clause 17.1, Fresh Minds shall in no circumstances be liable to Data Receiver whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:

17.2.1           any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;

loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or

17.2.2           any loss or liability (whether direct or indirect) under or in relation to any other contract.

18                      Direct marketing

18.1                 If the Data Receiver processes the Shared Personal Data for the purposes of direct marketing, the Data Receiver shall ensure that:

18.1.1           It first obtains the appropriate level of consent from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation; and

effective procedures are in place to allow the Data Subject to “opt-out” from having their Shared Personal Data used for such direct marketing purposes.

19                      Variation

No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their representatives).

20                      Waiver

No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

21                      Severance

21.1                 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.

If any provision or part-provision of this agreement is deemed deleted under clause 21.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

22                      Changes to the applicable law

If during the Term of this agreement the Data Protection Legislation change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree to negotiate in good faith to review the Agreement in the light of the changes, however neither party shall be obliged to enter into a varied data sharing agreement.

23                      No partnership or agency

23.1                 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.

Each party confirms it is acting on its own behalf and not for the benefit of any other person.

24                      Entire agreement

24.1                 This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

Each party acknowledges that in entering into this agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement.

24.2                 Each party agrees that it shall have no claim for innocent or negligent misrepresentation based on any statement in this agreement.

25                      Further assurance

The Data Receiver shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.

26                      Force majeure

Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed. If the period of delay or non-performance continues for three months, the party not affected may terminate its involvement this agreement by giving thirty written notice to the affected party.

27                      Rights and remedies

The rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

28                      Notice

28.1                 Any notice given to a party under or in connection with this agreement shall be in writing and shall be:

28.1.1           delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or

sent by email to each party’s usual email address;

28.2                 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution

29                      Governing law and Jurisdiction

This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales and the parties agree that the courts of England and Wales shall have exclusive jurisdiction.

This agreement has been entered into on the date stated at the beginning of it.

Schedule 1 

Technical and organisational security measures

Signed by [NAME ]

 

……………….………….…….….

Authorised signatory for and on behalf of Fresh Minds Talent Limited

 

 

Signed by [NAME]

 

……………….………….…….….

Authorised signatory for and on behalf of [Data Receiver]

 

 

 

This site is not supported by Internet Explorer. Please use Chrome, Firefox, Safari or another browser to fully view and utilise.