
Data sharing agreement

DATA SHARING AGREEMENT – JOINT CONTROLLERS 

1.Under Article 26 of the General Data Protection Regulation (GDPR), where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. The parties are joint data controllers for all personal data processed in relation to the joint activity.

1.1.This agreement sets out the distribution of responsibilities among the Data Controllers in connection with the provision of marketing services.

The Data Controllers are at all times obliged to inform each other about the establishment of new offices, subsidiaries, etc. where these may impact this agreement or where personal data are transferred to new third countries under this agreement.

1.2.Definitions  

For the purposes of the Clauses:

‘Personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

‘The sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

‘The applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

‘Technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

In respect of this Data Sharing Agreement, the following terms also apply:

‘Anonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject.

‘Data Controller’ has the meaning given to it by Article 4 of the GDPR, which is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‘Data Subject’ has the meaning given to it by Article 4 of the GDPR, which is an identified or identifiable natural person, and for the purposes of this agreement is an applicant to the CAO.

‘Personal Data’ has the meaning given to it by Article 4 of the GDPR, which is any information relating to a data subject.

‘Personal Data Breach’ has the meaning given to it by Article 4 of the GDPR, which is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‘Processing’ has the meaning given to it by Article 4 of the GDPR, which is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Pseudonymisation’ has the meaning given to it by Article 4 of the GDPR, which is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

1.3.Requirement  

Article 26 of the General Data Protection Regulation (GDPR) states that where two or more data controllers jointly determine the purposes and means of processing, they are joint data controllers.

In the event of joint data controllers, the joint data controllers must in a transparent manner determine their respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the data controllers are determined by Union or Member State law to which the data controllers are subject.

Pursuant to Article 26(2), the arrangement must duly reflect the respective roles and relationships of the joint data controllers relating to data subjects. The essence of the arrangement must be made available to the data subjects.

Irrespective of the terms of the arrangement, the data subject may exercise his or her rights under the GDPR in respect of and against each of the data controllers.  

The internal distribution of responsibilities in the joint data controller agreement does not prevent the supervisory authority from exercising its powers against each of the Data Controllers.  

The Data Controllers agree that in connection with the subject services, they are joint data controllers. The assessment has taken into account that both parties are responsible for determining the purpose of processing, the data collected, and how the data is processed.

1.4.This agreement has been drawn up to ensure that the Data Controllers can comply with the requirements relating to joint data controllers as laid down in Article 26 of the GDPR. The agreement determines the Data Controllers’ respective responsibilities for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14.

1.5.Retention of Data  

Data will be stored by the joint controllers as defined in their respective Data Retention policies. Data retention will be for a default maximum duration being 2 years post SOC. Removal of specific or all data may be requested at any time by written request from Client.

1.6.Main Purpose of Data Processing  

The data processing shall be limited to the use of Data to conduct lead generation, prospecting, and/or marketing activity on behalf of Client and in accordance with the instructions provided by the Client as defined in the SOC.

1.7.Data Held

Supplier may store public business information together with other Personally Identifiable Information (PII) as required to conduct targeted marketing communications on behalf of Client. The data held and means of processing will be determined by Supplier.

2.General distribution of responsibilities  

2.1.Each party must designate a contact point for data subjects, to ensure that data subjects can exercise their rights under the GDPR against each individual Data Controller. In addition, the Data Controllers are individually responsible for the data subjects where they act as sole Data Controller.

2.2.Each Data Controller must inform the data subject of the processing of personal data and of the rights of the data subject, ensure that the necessary authority exists for the processing of the registered data, including obtaining consent where applicable, and ensure that data are erased when they are no longer necessary.

2.3.The Data Controller who obtains specific data from sources other than the data subject is responsible for informing the data subject accordingly.

3.Rights of the data subjects 

3.1.Each Data Controller is responsible for ensuring the rights of the data subjects in accordance with the below provisions of the GDPR:

• duty of disclosure when collecting personal data from the data subject;  

• duty of disclosure if personal data are not collected from the data subject;  

• right of access by the data subject;  

• right to rectification; 

• right to erasure (the right to be forgotten);  

• right to restriction of processing;  

• notification obligation regarding rectification or erasure of personal data or restriction of processing;  

• right to data portability (but not for public authorities); and  

• right to object to processing.  

3.2.Data subjects have a range of rights under the GDPR, and both parties have agreed the following procedures to allow data subjects to exercise these rights. It should be noted that a data subject is not obliged to follow these procedures and may exercise his or her rights against each of the controllers as stated in Article 26.3 of the GDPR.

3.3.If one of the Data Controllers receives a request or inquiry from a data subject regarding matters covered by another Data Controller's responsibilities, the request is forwarded to such Data Controller without undue delay.

3.4.The parties are responsible for assisting each other to the extent this is relevant and necessary in order for both parties to comply with their obligations to the data subjects.

• Right of Accessing Personal Data  

Both Controllers agree to provide the data subject with a copy of personal data undergoing processing as required under Article 15 of the GDPR.

• Right of Rectification of Personal Data Provided by Data Subject

A data subject may request the rectification of any inaccurate personal data held by either joint controller under Article 16 of the GDPR. Both Controllers agree to correct any inaccurate data and to make the correction available to the other.

• Right of Rectification of Personal Data Not Provided Directly by Data Subject

Where the personal data was provided by a third party, any request must be actioned as requested by the data subject.

• Right of Erasure of Personal Data

A data subject may request the erasure of personal data held by the joint controllers under Article 17 of the GDPR. If this request is made, both Controllers agree to delete the data and to inform the other of the request, who will delete any data on their systems.

• Right of Restriction of Processing  

Both Controllers agree to administer requests to restrict processing under Article 18 of the GDPR and should restriction of processing proceed

• Right of Data Portability  

Both Controllers agree to administer any requests for data portability under Article 20 of the GDPR.  

• Provision of Information Regarding Processing  

Both Controllers agree to provide the data subject with information required under Articles 13 and 14 of the GDPR.

4.Security of processing and proof of compliance with the GDPR

4.1.Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, each Data Controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR. Those measures must be reviewed and updated where necessary (Article 24 of the GDPR). Common procedures will be prepared for the handling of security breaches, requests for access and compliance with the duty of disclosure.

4.2.Appropriate data protection policies are prepared, which each Data Controller is responsible for implementing in its own company.  

4.3.The Data Controllers are responsible for compliance with the provision on data protection by design and by default in Article 25 of the GDPR.

4.4.Each Data Controller is responsible for compliance with the requirement for security of processing in Article 32 of the GDPR. This means that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

5.Use of data processors and sub-processors  

5.1.Permission to Appoint a Processor  

Supplier will only engage a processor with the prior consent of the Client and a written contract supporting the engagement. Client acknowledges the Service Order as appropriate written instruction that Success with Systems Ltd may, in providing the Services, engage its Processors which it uses to provide such services as part of this contract. Success with Systems Ltd warrants that any such third-party data processor shall be required in contract to comply in all respects with the provisions of the GDPR. Client also acknowledges the Service Order as appropriate written instruction that Success with Systems Ltd. may, in providing the Services, engage other Processors, companies and/or contractors to which they outsource work, and the Client agrees that Success with Systems has full authority to choose and work with those companies and/or contractors. All contractors or companies that Success with Systems work with will also be provided with this agreement so that they understand the terms of engagement.

5.2.If any data processors and/or sub-processors are used, each Data Controller is responsible for compliance with the requirements of Article 28 of the GDPR. The Data Controller is obliged, amongst other things, to:

• use only data processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject;

• ensure that a valid data processing agreement has been made between the Data Controllers and the data processor; and

• ensure that a valid sub-processing agreement has been made between the data processor and any sub-processor.

6.Records  

6.1.Each Data Controller is responsible for compliance with the requirement for records of processing activities in Article 30 of the GDPR. Each Data Controller prepares records of the processing activities for which the parties are joint data controllers.

6.2.The Data Controllers inform each other about the contents of the above records.

6.3.On the basis of the contents of each other’s records, the Data Controllers prepare their own records of the processing activities covered by the agreement.

7.Notification of a personal data breach to the supervisory authority  

7.1.Each Data Controller is responsible for compliance with Article 33 of the GDPR on notification of a personal data breach to the supervisory authority.

7.2.The Data Controller with whom a personal data breach was committed or from whom the reason for the breach originates is responsible for notifying the personal data breach to the supervisory authority.  

7.3.Immediately after having become aware of a personal data breach, the Data Controller must inform the other Data Controllers of the breach. The other Data Controllers must be kept informed of the process after the discovery of the personal data breach and will receive a copy of the notification to the supervisory authority.

7.4.If the reason for the breach is not immediately attributable to one of the Data Controllers, Supplier is responsible for notifying the personal data breach to the supervisory authority.

8.Communication of a personal data breach to the data subject  

8.1.Each Data Controller is responsible for compliance with Article 34 of the GDPR on communication of a personal data breach to the data subject.

8.2.If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller with whom the personal data breach was committed, or from whom the reason for the breach originates, is responsible for communicating the personal data breach to the data subjects affected.

8.3.If the reason for a personal data breach is not directly attributable to one of the Data Controllers, and the breach is likely to result in a high risk to the rights and freedoms of natural persons, Supplier is responsible for communicating the personal data breach to data subjects affected.

9.Data protection impact assessment and prior consultation  

9.1.Each Data Controller is responsible for compliance with the requirement in Article 35 of the GDPR on data protection impact assessment. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controllers must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

9.2.Likewise, the Data Controllers are obliged to comply with the requirement in Article 36 of the GDPR on prior consultation of the supervisory authority when this is relevant.

9.3.Consequently, each Data Controller must make (and be able to document) a Data Protection Impact Assessment, and subsequently implement measures to mitigate the risks identified.

10.Transfers of personal data to third countries or international organisations  

10.1.The Data Controllers may decide that personal data can be transferred to third countries or international organisations.  

10.2.The Data Controllers are responsible for compliance with the requirements in the GDPR if personal data are transferred to third countries or international organisations.

10.3.Each Data Controller is responsible for its own personal data transfers to third countries, including for ensuring that a legal basis for transfer exists and the GDPR has been observed.

10.4.If the United Kingdom leaves the EU, and if the United Kingdom has not been declared adequate by the European Commission through an adequacy decision, the Data Controller shall also conclude Standard Contractual Clauses adopted by the European Commission with the United Kingdom as a supplement to this agreement to ensure sufficient protection of personal data.

11.Complaints  

11.1.Each Data Controller is responsible for the handling of any complaints from data subjects if the complaints relate to the infringement of provisions in the GDPR for which the Data Controller is responsible according to this agreement.

11.2.If one of the Data Controllers receives a complaint which should rightfully be handled by one of the other Data Controllers, the complaint is forwarded to such Data Controller without undue delay.

11.3.In connection with the forwarding of a complaint or part of a complaint to the other Data Controllers, the data subject must be notified about the essence of this agreement.

11.4.Generally, the Data Controllers inform each other about all complaints received.  

12.Providing Information to the other parties  

12.1.The Data Controllers inform each other about all matters relating to the joint processing and this agreement.

13.Nature of Processing

Supplier provides marketing activities on behalf of their clients.  

13.1.Nature of Processing  

With respect to provision of the Services Supplier and Client are Joint Controllers.  

13.2.Purpose of Processing  

The data processing shall be limited to the use of Data to conduct marketing activity on behalf of Client. 

13.3.Subject Matter and Categories of data subject  

Supplier may store public business information together with Personally Identifiable Information (PII) as required to conduct targeted marketing communications on behalf of Client. Data categories shall not include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health related data or data concerning a natural person’s sex life or sexual orientation.

13.4.Details of Personally identifiable data that may be processed relating to our Prospecting Services

13.4.1.Business Profile Data

• Supplier may process Business Profile Data (“Business Profile Data”). The Business Profile Data may include name, employer and email address.

• The source of the Business Profile Data is publicly listed social profiles.

• The Account Data may be processed for the purposes of providing Our services, maintaining backups of Our databases and communicating with necessary parties.

• The legal basis for this processing is the performance of a contract.  

13.4.2.Correspondence Data  


• Supplier may process information contained in or relating to any communication sent to Us (“Correspondence Data”).  

• The Correspondence Data may include name, email address and the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms.

• The Correspondence Data may be processed for the purposes of communicating and record-keeping.

• The legal basis for this processing is Our legitimate interests, namely the proper administration of Our website and business and communications with users.

13.4.3.Public Data  

• Supplier may process information found on public social networking profiles (“Public Data”).  

• This data may include name and job title.

• Public Data may be processed for the purposes of offering, marketing and selling relevant goods and/or services.  

• The legal basis for this processing is Our legitimate interests, namely proper administration of Our business.  

13.4.4.Legal Claims Data  

• Supplier may process personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure (“Legal Claims Data”).

• The legal basis for this processing is Our legitimate interests, namely the protection and assertion of Our legal rights, Your legal rights and the legal rights of others.

13.4.5.Privacy Policy  

Supplier and Client shall post and comply with a privacy policy on all online properties associated with the Services at all times. The privacy policy shall comply with all applicable laws and shall not contain any terms that are inconsistent with or would otherwise restrict Supplier from performing its obligations hereunder. In addition, to the extent that Client’s websites collect personally identifiable information, Client’s privacy policy must permit the transmission of such information to Supplier to the extent required to execute the Services. Online properties are defined as websites.

13.4.6.Lawful Bases for Processing Supplier’s Data

Supplier and Client are responsible for determining and documenting their own lawful basis for processing. Supplier’s lawful basis in relation to the services offered to Client is the legitimate interests of the Supplier, for example to operate, promote and develop our business.

13.4.7.Legitimate Interest

In addition to the specific purposes for which Supplier may process personal data, Supplier may also process personal data in Supplier’s own Legitimate Interests or where such processing is necessary for compliance with a legal obligation to which Supplier is subject.

13.4.8.Duration of Processing  

Data will be stored for an appropriate period with a default maximum storage duration being 2 years post use. Removal of specific or all data may be requested at any time by written request from Client.

13.4.9.Type of Personal Data

Personal Data processed will include Name, Email, Job Title, Employer and other basic information pertaining to an individual’s professional status, employment history, education, background, and other pertinent personal information.

13.4.10.Categories of Data Subject  

Data subjects shall be business professionals.  

Data categories shall not include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health related data or data concerning a natural person’s sex life or sexual orientation.

13.4.11.Data Storage & Data Security

Supplier warrants, with respect to private data processed under this agreement, that:

• Databases will be hosted in appropriately secure, tier 1 EU data centres;

• Data shall be encrypted both at rest and in transit.

• Hosted database access will be secured by both username and password and IP address.  

• No passwords shall be stored in clear text.  

• All users with any kind of access shall be issued with and shall have agreed to the subject party’s appropriate Data and IT Security Policy.

• Databases shall reside in an isolated environment, behind a firewall with all connections restricted by default.  

• Where appropriate and possible the parties shall implement automated anomalous threat detection systems to monitor and secure activity.  

• Incremental, at-rest-encrypted backups shall be maintained to ensure the ability to securely roll back each database to any point within the past 48 hours.

13.4.12.Backup Restore  

In the event of a backup restore, RTE (Right to Erase) data removals shall be automatically re-applied during the backup restore process.

13.4.13.Deletion

Supplier will delete all personal data, either as requested or at a time appropriate to the context of its use, i.e. on termination of the contract.

13.4.14.Additional Warranties  

In accordance with the GDPR, Supplier warrants that it will:

• meet its obligations as Joint Controller (Article 26);

• not use a sub-processor without the prior written authorisation of the controller (Article 28.2);  


• co-operate with supervisory authorities (such as the ICO) in accordance with Article 31;  

• ensure the security of its processing in accordance with Article 32; 

• keep records of its processing activities in accordance with Article 30.2;  

• notify any personal data breaches to the controller in accordance with Article 33;  

• employ a data protection officer if required in accordance with Article 37; and  

• appoint (in writing) a representative within the European Union if required in accordance with Article

13.4.15.Awareness and Consequence

Supplier confirms awareness of the UK ICO’s statements on the GDPR, stating that a company should be aware that:

• it may be subject to the investigative and corrective powers of supervisory authorities (such as the ICO) under Article 58 of the GDPR;

• if it fails to meet its obligations, it may be subject to an administrative fine under Article 83 of the GDPR;  

• if it fails to meet its GDPR obligations it may be subject to a penalty under Article 84 of the GDPR; and  

• if it fails to meet its GDPR obligations it may have to pay compensation under Article 82 of the GDPR.  
