DATA SHARING AGREEMENT

This Data Sharing Agreement is made between:

PARTIES

  • Flourish Learning Limited incorporated and registered in England and Wales with company number 14785354 and whose registered office is at Switch House, Suite B2, Northern Perimeter Road, Bootle, United Kingdom, L30 7PT; and
  • The customer entity identified in the Flourish Invoice for access to the Product.

The date of this Data Sharing Agreement in respect of each Party shall be the date on the Contract between the parties which will be formed upon Flourish accepting your purchase of access to the Product (as defined below) by issuing you with the first Invoice we send you.

BACKGROUND

  1. The Parties work closely together and wish to transfer (and/or grant or permit access to) Personal Data for various internal business purposes.
  2. Each Party has agreed that Personal Data which it transfers to, or receives from, the other Party may be subject to data protection legislation and that therefore such data will be transferred subject to and in accordance with the conditions set out in this Agreement.
  3. This Agreement sets out the responsibilities of each Party in areas relating to the protection, security, sharing and processing of Personal Data that the Parties require in order to conduct their individual or shared objectives and activities. It does not address other commercial or operational issues.

IT IS AGREED as follows:

  1. Definitions and Interpretation
    • In this Data Sharing Agreement, unless the context otherwise requires, the following expressions have the following meanings:

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including the UK General Data Protection Regulation (“UK GDPR”); the Data Protection Act 2018 (“DPA 2018”); and the Privacy and Electronic Communications Regulations 2003 (“PECR”) as amended;
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Process”, “Processing”, “Personal Data Breach” and “Special Category Personal Data” shall have the meanings ascribed thereto in the Data Protection Legislation;
“ICO” means the Information Commissioner’s Office, the supervisory authority for the UK;
“IDTA” means the International Data Transfer Agreement, VERSION A1.0, in force 21 March 2022, issued by the Information Commissioner’s Office;
“a Party or the Parties” means the parties to this Data Sharing Agreement;
“Representatives” means, in relation to either Party, its officers and employees, professional advisers or consultants engaged to advise that Party, contractors or sub-contractors engaged by that Party;
“Shared Personal Data” means the Personal Data and Special Category Personal Data to be shared between the Parties under this Data Sharing Agreement as set out in Appendix 2;
“Stated Purposes” means the purposes set out in Appendix 2 for which the Shared Personal Data is to be shared;
“Term” means the term of this Data Sharing Agreement, as set out in Clause 6.

    • Unless the context otherwise requires, each reference in this Data Sharing Agreement to:
      • “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
      • a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
      • “this Data Sharing Agreement” is a reference to this Data Sharing Agreement and the Appendices as amended or supplemented at the relevant time;
      • an Appendix is an Appendix to this Data Sharing Agreement; and
      • a Clause or paragraph is a reference to a Clause of this Data Sharing Agreement (other than an Appendix) or a paragraph of the relevant Appendix.
    • The headings used in this Data Sharing Agreement are for convenience only and shall have no effect upon the interpretation of this Data Sharing Agreement.
    • Words imparting the singular number shall include the plural and vice versa.
    • References to any gender shall include the other gender.
    • References to persons shall include corporations.
  2. Basis for Sharing
    • The Parties agree that for the Shared Personal Data the Parties to this Data Sharing Agreement shall be independent Controllers.
    • The Parties have determined that it is necessary to share the Shared Personal Data to achieve the Stated Purposes.
    • The Parties agree that this Data Sharing Agreement relates to the ongoing and routine sharing of the Shared Personal Data.
    • Subject to the terms of this Data Sharing Agreement, any of the Parties may Disclose (the “Disclosing Party”) the Shared Personal Data to another Party (the “Receiving Party”) in connection with the Stated Purposes. Any of the Parties may Disclose the Shared Personal Data in their capacity as a Disclosing Party or receive the Shared Personal Data in their capacity as a Receiving Party.
    • This Data Sharing Agreement establishes the framework for the sharing of the Shared Personal Data between the Parties.
    • The Parties shall not Process the Shared Personal Data for any purpose or in any way that is incompatible with the Stated Purposes as set out in Appendix 2.
  3. Data Protection Compliance
    • Each Party shall appoint a data protection manager (“DPM”) or a Single Point of Contact (“SPC”) for all issues relating to the sharing of the Shared Personal Data and the Data Protection Legislation (including, but not limited to, compliance, training, and the handling of Personal Data Breaches).
    • The contact details for the Parties’ appointed points of contact are set out in Appendix 1.
    • Both Parties shall at all times during the Term of this Data Sharing Agreement comply with their obligations as Controllers, the rights of Data Subjects, and all other applicable requirements under the Data Protection Legislation. This Data Sharing Agreement is in addition to, and does not relieve, remove, or replace either Party’s obligations under the Data Protection Legislation.
  4. Each Party’s Obligations
    • Each Party warrants and undertakes that it will:
      • at all times during the term of this Data Sharing Agreement process the Shared Personal Data fairly and lawfully;
      • ensure that it has legitimate grounds for processing the Shared Personal Data under the Data Protection Legislation;
      • ensure that it has in place all required notices and consents in order to enable the sharing of the Shared Personal Data under this Data Sharing Agreement. In particular, before disclosing any Personal Data, the Disclosing Party shall ensure that Data Subjects are provided with Privacy Notices written in clear and plain language and containing sufficient information about the following:
        • the identity and contact details of the Disclosing Party and its Data Protection Officer (if it has one);
        • the purposes for which the Shared Personal Data is to be Processed and shared;
        • the legal basis upon which it is relying for such purposes (including what its legitimate interests are, if relying on the legitimate interests as its legal basis);
        • sufficient detail about who the Shared Personal Data will be shared with to enable the Data Subject to understand the purpose of the transfer and any associated risks;
        • in the event that the Shared Personal Data is to be transferred to a third country, the fact that such a transfer is to take place and sufficient detail about the transfer to enable the Data Subject to understand the purpose of the transfer and any associated risks;
        • how long the Shared Personal Data will be Processed for;
        • the Data Subjects’ rights under the UK GDPR; and
        • all other information required under Article 13 of the UK GDPR;
      • facilitate the rights of Data Subjects in accordance with the Data Protection Legislation and notify the other Party promptly if it receives a request from a Data Subject to exercise their rights, or is the subject of a Data Subject complaint;
      • maintain records of all Data Subject requests received, the decisions made in response, and any information provided to the Data Subject(s) concerned;
      • implement appropriate technical and organisational measures and take all steps necessary to protect the Shared Personal Data against the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data (see Appendix 3 for further details);
      • ensure that any and all their Representatives by whom the Shared Personal Data is to be handled and Processed are appropriately trained to do so in accordance with the Data Protection Legislation;
      • ensure that any of its Representatives to whom the Shared Personal Data is to be disclosed are subject to contractual obligations in relation to confidentiality and data protection that bind those Representatives;
      • in the event of a notifiable Personal Data Breach, promptly notify the other Party and comply with its obligations to report such a breach to the ICO and, if applicable, to the affected Data Subjects in accordance with Articles 33 and 34 of the UK GDPR;
      • only disclose as much of the Shared Personal Data as is necessary for the Stated Purposes;
      • take reasonable steps to ensure that the Shared Personal Data is accurate and, where necessary, up to date, before disclosing it;
      • hold and Process the Shared Personal Data only for so long as is necessary for the fulfilment of the Stated Purposes;
      • only transfer the Shared Personal Data to a third party Processor, if it complies with the provisions of Article 28 of the UK GDPR;
      • only transfer the Shared Personal Data to a third country:
        • if that country has an adequacy regulation, pursuant to Article 45 of the UK GDPR; or
        • if it enters into an IDTA (and implements additional measures, where necessary) pursuant to Article 46 of the UK GDPR; or
        • if one of the derogations for specific situations set out in Article 49 of the UK GDPR applies.
    • Both Parties warrant and undertake that they will maintain the integrity and confidentiality of the Shared Personal Data.
  5. Lawful Bases
    • The Parties agree that their lawful basis for Processing the Shared Personal Data is legitimate interests. It is in the legitimate interests of the Parties to share the Shared Personal Data for the Stated Purposes in order to deliver their services to their respective clients. It is also in the legitimate interests of the Data Subjects concerned, as they will benefit from the delivery of the services.
    • In the event that the Parties Process Special Category Personal Data, the Disclosing Party shall ensure that it obtains explicit consent from the Data Subject before making the disclosure or shall ensure that it is otherwise lawful to do so.
  6. Term, Review, and Termination
    • This Data Sharing Agreement shall come into force on the date of this Data Sharing Agreement. The Parties shall review the sharing of the Shared Personal Data under this Data Sharing Agreement periodically, in light of the Stated Purposes and based upon the outcome of such a review, the Parties shall continue, amend, or terminate this Data Sharing Agreement.
    • Either of the Parties may terminate this Data Sharing Agreement by giving not less than one month’s written notice to the other.
    • Any material breach of the Data Protection Legislation by either Party shall, if not remedied within 30 days of written notice from the other Party, give the other Party grounds to terminate this Data Sharing Agreement with immediate effect.
  7. Resolution of Disputes with Data Subjects or the ICO
    • In the event of a dispute or claim brought by a Data Subject or the ICO concerning the Processing of Shared Personal Data against any of the Parties, the Parties will inform each other about any such disputes or claims and will cooperate with a view to settling them within a reasonable time.
  8. Indemnity
    • Subject to the provisions of sub-Clause 9.1, each Party shall indemnify the other against any cost, charge, damages, expense, or loss, suffered or incurred by the indemnified Party arising out of or in connection with the indemnifying Party’s (or its Representatives’) breach of the Data Protection Legislation or this Data Sharing Agreement, provided that the indemnified Party provides the indemnifying Party with prompt notice of any such claim, full information about the circumstances giving rise to the claim, reasonable assistance in dealing with the claim, and the sole authority to manage, defend, and/or settle the claim.
  9. Limitation of Liability
    • Subject to sub-Clause 9.2, neither Party shall be liable, whether in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution, or otherwise, for any direct or indirect loss of profits, business, business opportunity, revenue, turnover, reputation, or goodwill; any direct or indirect loss of anticipated savings or wasted expenditure; or any direct or indirect loss or liability under or in relation to any other contract.
    • Neither Party shall exclude its liability to the other Party for fraud or fraudulent misrepresentation, death or personal injury resulting from negligence, a breach of any obligations implied by Section 12 of the Sale of Goods Act 1979 or Section 2 of the Supply of Goods and Services Act 1982, or any other matter for which it would be unlawful for either Party to exclude liability.
    • Nothing in sub-Clause 9.1 shall prevent claims for direct financial loss that are not excluded under any of the categories set out therein or for tangible property or physical damage.
  10. No Partnership or Agency
    • Nothing in this Data Sharing Agreement shall establish any partnership or joint venture between the Parties, constitute either Party the agent of the other Party, or authorise either Party to make or enter into any commitments for or on behalf of the other Party.
    • Each Party hereby confirms that it is acting on its own behalf and not for the benefit of any other person.
  11. Non-Assignment of Agreement
    • Neither Party may assign, transfer, sub-contract, or in any other manner make available to any third party the benefit and/or burden of this Data Sharing Agreement without the prior written consent of the other Party, such consent not to be unreasonably withheld.
  12. Entire Agreement
    • This Data Sharing Agreement contains the entire agreement between the Parties with respect to its subject matter and may not be modified except by an instrument in writing signed by the duly authorised Representatives of the Parties.
  13. Variation
    • No variation of or addition to this Data Sharing Agreement shall be effective unless in writing signed by each of the Parties or by a duly authorised person on its behalf.
  14. No Waiver
    • No failure or delay by either Party in exercising any of its rights under this Data Sharing Agreement shall be deemed to be a waiver of that right, and no waiver by either Party of a breach of any provision of this Data Sharing Agreement shall be deemed to be a waiver of any subsequent breach of the same or any other provision.
  15. Severance
    • The Parties agree that, in the event that one or more of the provisions of this Data Sharing Agreement is found to be unlawful, invalid, or otherwise unenforceable, that or those provisions shall be deemed severed from the remainder of this Data Sharing Agreement. The remainder of this Data Sharing Agreement shall be valid and enforceable.
  16. Communication
    • All notices under this Data Sharing Agreement shall be in writing and be deemed duly given if signed by the Party giving the notice or by a duly authorised officer thereof, as appropriate.
    • Notices shall be deemed to have been duly given:
      • when delivered, if delivered by courier or other messenger (including registered mail) during the normal business hours of the recipient; or
      • when sent, if transmitted by facsimile or email and a successful transmission report or return receipt is generated; or
      • on the fifth business day following mailing, if mailed by national ordinary mail, postage prepaid; or
      • on the tenth business day following mailing, if mailed by airmail, postage prepaid.
    • All notices under this Data Sharing Agreement shall be addressed to the most recent address, facsimile number, or email address notified to the other Party.
  17. Third Party Rights
    • Unless expressly stated otherwise, this Data Sharing Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Data Sharing Agreement.
  18. Law and Jurisdiction
    • This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with the laws of England and Wales.
    • Any dispute, controversy, proceedings or claim between the Parties relating to this Data Sharing Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

Appendix 1

Flourish Details

Company Name: Flourish Learning Limited
Registered Office Address: Switch House, Suite B2, Northern Perimeter Road, Bootle, United Kingdom, L30 7PT
Registration Number: 14785354
Point of Contact:
  • Data Protection Officer, Evalian Limited, dpos@evalian.co.uk
  • Managing Director, Rachel Houlden
  • dataprotection@flourish.co.uk


Appendix 2

The Stated Purposes, Categories of Data Subjects and Shared Personal Data

Stated Purposes

We collect and use personal data as set out in our privacy policy.

Categories of Data Subjects

We do not process any personal data that qualifies as sensitive/special category data or criminal offence/conviction data under data protection laws, nor do we knowingly collect personal data from children. If we do so in the future, our use of such information will be described in a supplementary policy that we provide to you.

Shared Personal Data

The Shared Personal Data will include the following:

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Contact Data including email address, residential address and telephone numbers.
  • Identity Data including your first name, last name, any previous names, username (or similar identifier) and password, title, date of birth and gender and information relating to your employer.
  • Profile Data including your employment history, interests and preferences (including in relation to marketing you wish to receive from us and our third party partners, and your communication preferences generally), and feedback and survey responses, as well as user accounts falling within your administration group where you are an administrator.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access the Website.
  • Training Data includes details about training courses completed or ongoing with us, including course name, type, completion date, progress status, and results, certifications and awards.
  • Transactional Data includes details of purchases and payments made by you including those you make on behalf of your employer.
  • Usage Data includes information about how you interact with and use our Website, training products and services.

 

Appendix 3 – Appropriate Technical and Organisational Measures

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Party shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Each Party shall implement the following, as appropriate:
    • the pseudonymisation and encryption of the Shared Personal Data;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to Shared Personal Data in a timely manner in the event of a physical or technical incident; and
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data transmitted, stored or otherwise processed.
  3. The Parties shall also implement the items set out below.

 

Organisational Measures

The Parties shall implement the following policies:

  • Data Protection Policy
  • Information Security Policy
  • Data Subjects’ Rights Policy
  • Personal Data Breach Policy
  • Retention and Disposal Policy

The Parties shall ensure that all personnel that process and/or have access to Personal Data have data protection awareness training upon induction and regular refresher training thereafter.

Technical Measures

The Parties shall implement the following measures, as appropriate:

The following are examples. Please add / amend / delete as appropriate

  • Firewalls
  • Anti-malware
  • Encryption of Personal Data
  • Access controls
  • Penetration testing
  • Vulnerability scanning