Data sharing terms

YOUR ATTENTION IS DRAWN TO THE LIMITATIONS OF LIABILITY AT CLAUSE 17 OF THESE DATA SHARING TERMS.

Data Sharing Terms:

The Parties have agreed to share Personal Data on the terms set out below.

1. Interpretation

The following definitions and rules of interpretation apply in these Data Sharing Terms.

1.1  Definitions:

“Agreed Purpose” has the meaning given to it in clause 2 of these Data Sharing Terms.

“Business Day” a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

“Campaign” is as set out in the Campaign Details.

“Commencement Date” is as set out in the Campaign Details.

“Data Sharing Code” the Information Commissioner’s statutory data sharing code of practice which came into force on 5 October 2021, as updated or amended from time to time.

“Data Protection Legislation”

a. to the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

b. to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the party is subject, which relates to the protection of personal data.

“EU GDPR” the General Data Protection Regulation ((EU) 2016/679).

“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.

“Shared Personal Data” the Personal Data to be shared between the parties under clause 4 of these Data Sharing Terms.

“Special Categories of Personal Data” the categories of Personal Data set out in the Data Protection Legislation and described as special categories of data.

“Subject Rights Request” the exercise by a data subject of their rights under the Data Protection Legislation.

“Supervisory Authority” the relevant supervisory authority in the territories where the parties to this Agreement are established (other than the Information Commissioner).

“Term” is as set out in the Campaign Details.

1.2 Controller, Processor, Information Commissioner, Data Subject and Personal Data, Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.

1.3 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.5 A reference to a legislation or legislative provision shall include all subordinate legislation made from time to time under that legislation or legislative provision.

1.6 Any words following the terms including, include, in particular or for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

1.7 A reference to writing or written includes email but not fax.

2. Purpose

2.1 These Data Sharing Terms set out the framework for the sharing of Personal Data when one Controller (the Company) discloses Personal Data to another Controller (the Client). They define the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other. Unless expressly stated in the Campaign Details Sheet all Personal Data shared under this Agreement shall be shared on a Controller to Controller basis.

2.2 The parties consider this data sharing initiative necessary and proportionate so as to allow consumers to benefit from vouchers, offers and promotions to be offered by the Client or by the Company on the Client’s behalf. It will benefit individuals, by allowing them to access vouchers, offers and promotions and will benefit the parties by allowing them to target their marketing activities and promotions at consumers who are likely to engage with those activities and/or who may have an interest in the products being offered. The Data Subject’s consent will be required prior to any Personal Data relating to that Data Subject being shared and accordingly the parties agree that this data sharing shall not unduly infringe the Data Subjects’ fundamental rights and freedoms and interests.

2.3 The Client agrees that it shall only Process Shared Personal Data for the purpose of providing the Data Subject with vouchers, offers and/or promotions as part of a Campaign. For the avoidance of any doubt, nothing in this agreement shall restrict the Company from using the Shared Personal Data for its normal business purposes including the running of campaigns with or for the benefit of other third parties provided that it has a lawful basis to do so. The parties shall not Process Shared Personal Data in any way that is incompatible with the purposes described in this clause (Agreed Purpose).

2.4 Each party shall appoint a Representative who will work together to reach an agreement with regards to any issues arising from the data sharing and to improve actively the effectiveness of the data sharing initiative. The parties’ respective Representatives are set out in the Campaign Details sheet.

3. Compliance with national data protection laws

3.1 Each party must ensure compliance with applicable Data Protection Legislation at all times during the Term of this Agreement.

3.2 In the event the data protection law or approach to compliance of the UK and any country in which the Client is located conflict, the requirements of the country that necessitates stricter or additional requirements to protect data subjects’ privacy and Personal Data shall be applied.

3.3 Each party has such valid registrations and has paid such fees as are required by the Information Commissioner or its national Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to these Data Sharing Terms, unless an exemption applies.

4. Shared Personal Data

4.1 The types of Personal Data that will be shared between the parties during the Term are as set out in the Campaign Details.

4.2 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.

5. Lawful, fair and transparent processing

5.1 Each party shall ensure that it Processes the Shared Personal Data fairly and lawfully in accordance with clause 5.2 during the Term.

5.2 Each party shall ensure that it has the valid and legally compliant consent of the Data Subject for its Processing of Shared Personal Data.

5.3 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation.

5.4 Both parties shall, in respect of Shared Personal Data, ensure that they provide clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation and undertake to inform the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which they will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:

5.4.1 if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer; and

5.4.2 if Shared Personal Data will be transferred outside the UK or EEA pursuant to clause 9 of these terms, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by the Controller to enable the Data Subject to understand the purpose and risks of such transfer.

6. Data quality

6.1  The Company shall ensure that all Shared Personal Data is accurate, in that it will accurately reflect the information provided by the consumer.

6.2 Shared Personal Data must be limited to the Personal Data described in the Campaign Details sheet.

7. Data subjects’ rights

7.1 The Representative for each party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. The Representatives for each party are detailed in the Campaign Details sheet.

8. Data retention and deletion

8.1 The Client shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purpose and shall delete any such Shared Personal Data once it is no longer required for the Agreed Purpose. The Company shall be entitled to retain and continue processing the Shared Personal Data provided that it is lawful for it to do so and such processing and retention is in accordance with the information it has provided to the relevant Data Subjects and its retention policy.

8.2 Notwithstanding clause 8.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.

9. Transfers

9.1 For the purposes of this clause, transfers of Personal Data shall mean any sharing of Personal Data by the Client with a third party, and shall include the following:

9.1.1 subcontracting the processing of Shared Personal Data;

9.1.2 granting a third party Controller access to the Shared Personal Data (whether as a Joint Controller or independent Data Controller).

9.2 If the Client appoints a third party Processor to Process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable for the acts and/or omissions of the Processor.

9.3 The Client shall not transfer Shared Personal Data to a third party located outside the UK unless it:

9.3.1 complies with the provisions of the Data Protection Legislation; and

9.3.2 ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with the Client’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.

10. Security and training

10.1 The Company shall only share the Shared Personal Data by using secure methods.

10.2 The parties undertake to have in place throughout the Term appropriate technical and organisational security measures to:

10.2.1 prevent:

10.2.1.1 unauthorised or unlawful processing of the Shared Personal Data; and

10.2.1.2 the accidental loss or destruction of, or damage to, the Shared Personal Data;

10.2.2 ensure a level of security appropriate to:

10.2.2.1 the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and

10.2.2.2 the nature of the Shared Personal Data to be protected.

10.3  The level of technical and organisational measures agreed by the parties as appropriate as at the Commencement Date having regard to the state of technological development and the cost of implementing such measures is set out in Schedule A. The parties shall keep such security measures under review and shall carry out such updates as they agree are appropriate throughout the Term of this Agreement.

10.4  It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with all applicable Data Protection Legislation and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data.

10.5 The level, content and regularity of training referred to in clause 10.4 shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and Processing of the Shared Personal Data.

11. Personal data breaches and reporting procedures

11.1 The parties shall each comply with their obligation to report a Personal Data Breach to the Information Commissioner or appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach relating to the Shared Personal Data irrespective of whether there is a requirement to notify the Information Commissioner or any Supervisory Authority or Data Subject(s).

11.2 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.

12. Review and termination of these Data Sharing Terms

12.1 The parties shall each review the effectiveness of this data sharing initiative annually, having consideration to the aims and purposes set out in clause 2.2 and clause 2.3 and shall notify the other party if they are of the view that it is no longer adequate to allow the lawful sharing of the Shared Personal Data. The parties shall continue, amend or terminate this Agreement depending on the outcome of this review.

12.2 The review of the effectiveness of the data sharing initiative will involve:

12.2.1  assessing whether the purposes for which the Shared Personal Data is being processed are still the ones listed in clause 2.4 of these Data Sharing Terms;

12.2.2  assessing whether the Shared Personal Data is still as listed in the Campaign Details sheet;

12.2.3 assessing whether the legal framework governing data quality, retention, and data subjects’ rights is being complied with; and

12.2.4 assessing whether Personal Data Breaches involving the Shared Personal Data have been handled in accordance with these Data Sharing Terms and the applicable legal framework.

12.3 The Company reserves its rights to inspect the Client’s arrangements for the Processing of Shared Personal Data and to terminate its involvement in this Agreement where it considers that the Client is not Processing the Shared Personal Data in accordance with these Data Sharing Terms.

13. Resolution of disputes with data subjects or the Supervisory Authority

13.1 In the event of a dispute, complaint or claim brought by a Data Subject or the Information Commissioner or a Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.

13.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Information Commissioner or by a Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

13.3 Each party shall abide by a decision of a competent court of the Company’s country of establishment or of the Information Commissioner or a Supervisory Authority.

14. Language

14.1 These Data Sharing Terms are drafted in the English language. If these Data Sharing Terms are translated into any other language, the English language version shall prevail.

14.2 Any notice given under or in connection with these Data Sharing Terms shall be in English. All other documents provided under or in connection with these Data Sharing Terms shall be in English or accompanied by a certified English translation.

14.3 The English language version of these Data Sharing Terms shall prevail if there is a conflict.

15. Warranties

15.1  Each party warrants and undertakes that it will:

15.1.1 Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its Personal Data processing operations.

15.1.2 Make available on request to the Data Subjects who are third party beneficiaries a copy of these Data Sharing Terms, and an extract of the Campaign Details sheet with all commercially sensitive or confidential matters redacted.

15.1.3  Respond within a reasonable time and as far as reasonably possible to enquiries from the Information Commissioner or relevant Supervisory Authority in relation to the Shared Personal Data.

15.1.4 Respond to Subject Rights Requests in accordance with the Data Protection Legislation, including where necessary (i) advising the other party of any step(s) it should reasonably take in this regard; and (ii) where the legitimate ground relied upon is a Data Subject’s consent, the timely operation of an effective procedure if such consent is withdrawn.

15.1.5 Where applicable, maintain registration with the Information Commissioner and all relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.

15.1.6 Take all appropriate steps to ensure compliance with the security measures set out in clause 10 above.

15.2 When sharing any Shared Personal Data the sharing party warrants and undertakes that it is entitled to provide the Shared Personal Data to the receiving party and it will ensure that the Shared Personal Data is accurate.

15.3 Except as expressly stated in these Data Sharing Terms, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the greatest extent permitted by law.

16. Indemnity

16.1 The Parties undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of these Data Sharing Terms, except to the extent that any such liability is excluded under clause 17.2.

16.2 Indemnification is contingent upon:

16.2.1 the party to be indemnified (the indemnified party) promptly notifying the other party (the indemnifying party) of a claim,

16.2.2 the indemnifying party having sole control of the defence and settlement of any such claim, and

16.2.3 the indemnified party providing reasonable co-operation and assistance to the indemnifying party in defence of such claim.

17. Limitation of liability

17.1 Neither party excludes or limits liability to the other party for:

17.1.1  fraud or fraudulent misrepresentation;

17.1.2 death or personal injury caused by negligence;

17.1.3 a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or

17.1.4 any matter for which it would be unlawful for the parties to exclude liability.

17.2 Subject to clause 17.1, neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:

17.2.1 any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;

17.2.2 loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or

17.2.3 any loss or liability (whether direct or indirect) under or in relation to any other contract.

17.3 Clause 17.2 shall not prevent claims for:

17.3.1 direct financial loss that is not excluded under any of the categories set out in clause 17.2.1; or

17.3.2 tangible property or physical damage.

18. Third party rights

18.1 Except as expressly provided in clause 7 (data subjects’ rights) and elsewhere in these terms, a person who is not a party to the Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any of these terms.

19. Direct marketing

19.1 As it is intended that the parties will process the Shared Personal Data for the purposes of direct marketing, each party shall ensure that:

19.1.1 the appropriate level of consent has been obtained from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation; and

19.1.2 effective procedures are in place to allow the Data Subject to “opt-out” from having their Shared Personal Data used for such direct marketing purposes.

20. Variation

No variation of these Data Sharing Terms shall be effective unless it is in writing and signed by the parties (or their authorised Representatives).

21. Waiver

No failure or delay by a party to exercise any right or remedy provided under these Data Sharing Terms or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

22. Severance

22.1 If any provision or part-provision of these Data Sharing Terms is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these Data Sharing Terms.

22.2 If any provision or part-provision of these Data Sharing Terms is deemed deleted under clause 23.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

23. Changes to the applicable law

If during the Term, the Data Protection Legislation changes in a way that these Data Sharing Terms are no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that the Representatives will negotiate in good faith to review these terms in the light of the changes.

24. No partnership or agency

24.1 Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.

24.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.

25. Entire agreement

25.1 These Data Sharing Terms constitute the entire agreement between the parties and supersede and extinguish all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to their subject matter.

25.2 Each party acknowledges that in entering into these Data Sharing Terms it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.

25.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation based on any statement in these Data Sharing Terms.

26. Force majeure

Neither party shall be in breach of these Data Sharing Terms nor liable for delay in performing, or failure to perform, any of its obligations under these terms if such delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed.

27. Rights and remedies

The rights and remedies provided under these Data Sharing Terms are in addition to, and not exclusive of, any rights or remedies provided by law.

28. Notice

28.1 Any notice or other communication given to a party under or in connection with these Data Sharing Terms shall be in writing, addressed to the Representatives and shall be:

28.1.1 delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or

28.1.2 sent by email to the Representative at the address given in the Campaign Details sheet.

28.2 Any notice or communication shall be deemed to have been received:

28.2.1 if delivered by hand, on signature of a delivery receipt;

28.2.2 if sent by next working day delivery service, at 9.00 am on the second Business Day after posting; and

28.2.3 if sent by email, at the time of transmission, or if this time falls outside business hours in the place of receipt, when business hours resume. In this clause, business hours means 9:00 am to 5:00 pm Monday to Friday on a day that is not a public holiday in the place of receipt.

28.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

29. Governing law

These Data Sharing Terms and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with them or their subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

30. Jurisdiction

Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with these Data Sharing Terms or their subject matter or formation.

Schedule A – Technical and Organisational Measures

Organisational measures:

1. The Parties shall implement and maintain:

1.1 security standards, facilities, controls, and procedures appropriate to the nature of the Shared Personal Data to be processed and the harm that would be caused by its loss or disclosure;

1.2 a current data protection policy and shall ensure that all personnel who have access to the Shared Personal Data shall comply with the obligations upon them contained in the data protection policy;

1.3 appropriate password policies which require personnel to use complex alphanumeric passwords of at least 8 characters in order to access the Shared Personal Data;

1.4 regular training in relation to the need to keep passwords secure;

1.5 an accurate, up to date asset register, including all portable media used to process the Shared Personal Data;

1.6 a policy for the disposal of Personal Data, including the disposal of assets containing Shared Personal Data;

1.7 adequate data security compliance policies and audits of Personal Data in compliance with their data security policies on a regular basis and in any event annually;

1.8 appropriate systems to ensure the erasure of Shared Personal Data in accordance with their data retention policy;

1.9 appropriate systems to ensure that data subjects are able to effectively exercise their data subject rights.

Technical measures:

2. Each party shall ensure that it has in place:

2.1 appropriately configured access rights for its personnel with an appropriate documented process for dealing with joiners and leavers so as to ensure that access rights to the Shared Personal Data are properly managed;

2.2 appropriate technical controls to ensure passwords used for accessing the Shared Personal Data comply with that party’s password policy and are updated at least annually;

2.3 appropriate systems to identify the wrongful use of Shared Personal Data, including the monitoring of wrongful access to the Shared Personal Data;

2.4 appropriate electronic encryption and authentication processes and technology to protect the Shared Personal Data;

2.5 regular automated back ups of the Shared Personal Data and systems to ensure that all back ups are subject to vigorous security procedures as necessary to protect the integrity of the Shared Personal Data;

2.6 appropriate measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

2.7 appropriate anti-virus and other data security systems so as to ensure the integrity of the Shared Personal Data.

Physical measures

3. Each party shall ensure that suitable physical security measures are in place commensurate to the harm which may result from the unlawful disclosure or processing of the Shared Personal Data including:

3.1 locked filing cabinets for the storage of any hard copy Shared Personal Data;

3.2 appropriate access controls to all buildings used for the storage or processing of the Shared Personal Data.