For the sharing of personal data and special category personal data; between Fresh Minds Talent Limited and a second data controller
Compliance with national data protection laws
Shared Personal Data
Lawful, fair and transparent processing
Data subjects’ rights
Data retention and deletion
Security and training
Personal data breaches and reporting procedures
Review and termination of this agreement
Resolution of disputes with data subjects or the Supervisory Authority
Limitation of liability
Changes to the applicable law
No partnership or agency
Rights and remedies
Governing law and Jurisdiction
This Agreement is made on 2022
(1) Fresh Minds Talent Limited incorporated and registered in England and Wales with company number 08662856 whose registered office is at Kingsbourne House, 229-231 High Holborn, London, WC1V 7DA (“Fresh Minds”).
The parties agree:
The following definitions and rules of interpretation apply in this agreement.
“Agreed Purpose” has the meaning given to it in clause 2 of this agreement.
“Agreement” this agreement, which is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
“Business Day” a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
“Commencement Date” [DATE]
“Criminal Offence Data” means Personal Data relating to criminal convictions and offences or related security measures to be read in accordance with section 11(2) of the DPA 2018 (or other applicable Data Protection Legislation).
“Data Protection Legislation
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the party is subject, which relates to the protection of personal data.
“EU GDPR” the General Data Protection Regulation ((EU) 2016/679).
“UK GDPR” the EUGDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
“Shared Personal Data” the Personal Data and Special Category Personal Data to be shared between the parties under clause 4 of this agreement.
“Special Category Personal Data” the categories of Personal Data set out in the Data Protection Legislation.
“Subject Rights Request” the exercise by a data subject of their rights under the Data Protection Legislation.
“Supervisory Authority” the relevant supervisory authority in the territories where the parties to this agreement are established (other than the Information Commissioner).
“Term” [AGREED LENGTH OF DATA SHARING INITIATIVE – this may be a period of time or a one-off transfer]
1.2 Controller, Processor, Information Commissioner, Data Subject and Personal Data, Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.
Any words following the terms including, include, in particular or for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
1.5 In the case of any ambiguity between any provision contained in the body of this agreement and any provision contained in the Schedule, the provision in the body of this agreement shall take precedence.
2.1 This agreement sets out the framework for the sharing of Personal Data when one Controller (Fresh Minds) discloses Personal Data to another Controller (the Data Receiver). It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
The parties consider this data sharing initiative necessary and proportionate as the Personal Data shared is Personal Data processed by Fresh Minds in the capacity of Controller, in the normal conduct of its business as an employment agency, and the Personal Data will be shared with Data Receiver for the purpose of considering the data subject for employment. The Data Receiver will process the Personal data as a second Data Controller, as the Data Receiver will define their own needs for processing which may result in offering employment to the data subject The aim of the data sharing initiative is to enable the agency to share the Personal data of individual data subjects seeking new employmentwith potential employers. It is fair as it will benefit the individual data subjects and the parties by enabling the individual data subjects to find employment as well as enabling the Fresh Minds and the Data Receiver to pursue their commercial and business purposes and not unduly infringe the Data Subjects’ fundamental rights and freedoms and interests.
The parties shall not Process Shared Personal Data including for the purposes of solely automated decision making producing legal effects or similarly significant effects, or otherwise in a way that is incompatible with the purposes described in this clause (“Agreed Purpose”).
In the event the data protection law or approach to compliance of the UK and [EEA/ US ] conflict, the requirements of the country that necessitates stricter or additional requirements to protect data subjects’ privacy and Shared Personal Data shall be applied.
3.2 Each party has such valid registrations as are required by the Information Commissioner or other national Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this agreement, unless an exemption applies.
4.2 Special Categories of Personal Data are not the focus of this data sharing, however it is likely that some Special Category Personal Data will be shared between the parties, relating for example to racial or ethnic origin, data concerning a natural person’s physical or mental health or condition, sex life or sexual orientation.
5.1 Each party shall ensure that it Processes the Shared Personal Data fairly and lawfully in accordance with clause 0 during the Term of this agreement.
5.2 The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation.
Fresh Minds shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by the Data Protection Legislation including:
5.2.1 if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer; and
if Shared Personal Data will be transferred outside the UK or EEA pursuant to clause 0 of this agreement, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by the Controller to enable the Data Subject to understand the purpose and risks of such transfer.
6.1 Fresh Minds shall ensure that before the Commencement Date, Shared Personal Data is accurate and that it has appropriate internal procedures in place for the Data Receiver to sample Shared Personal Data prior to the Commencement Date and it will update the same if required prior to transferring the Shared Personal Data.
Each party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request..
Notwithstanding clause 8.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and industry.
9.2 If the Data Receiver appoints a third party Processor to Process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable as a Controller under Data Protection Legislation as well as to Fresh Minds for the acts and/or omissions of the Processor and any non-compliance by the Data Receiver with the obligations set out in this agreement.
ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with the Data Receiver’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislationapplies to the transfer.
10.2 The level of technical and organisational measures agreed by the parties as appropriate as at the Commencement Date shall have regard to the state of technological development and the cost of implementing such measures. The parties shall keep such security measures under review and shall update the security measures as required by changing circumstances throughout the Term of this agreement.
It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures and have entered into confidentiality agreements relating to the Processing of Personal Data.
10.3 The level, content and regularity of training referred to in clause 0shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and Processing of the Shared Personal Data.
11.1 The parties shall each comply with its obligation to report a Personal Data Breach to the Information Commissioner or appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and the Data Receiver shall inform Fresh Minds of any Personal Data Breach irrespective of whether there is a requirement to notify the Information Commissioner or any Supervisory Authority or Data Subject(s).
12.1 The parties shall review the effectiveness of this data sharing initiative every [twelve] months, having consideration to the aims and purposes set out in clause 0 and clause 2.2. The parties shall continue, amend or terminate this agreement depending on the outcome of this review.
13.1 In the event of a dispute, complaint or claim brought by a Data Subject or the Information Commissioner or other Supervisory Authority, concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.
The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Information Commissioner or other Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
Any notice given under or in connection with this agreement shall be in English. All other documents provided under or in connection with this agreement shall be in English or accompanied by a certified English translation.
15.1.2 Respond to Subject Rights Requests in accordance with the Data Protection Legislation, including where necessary (i) advising the other party of any step(s) it should reasonably take in this regard; and (ii) where the legitimate ground relied upon is a Data Subject’s consent, the timely operation of an effective procedure if such consent is withdrawn.
15.2 Except as expressly stated in this agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the greatest extent permitted by law.
16.1 Data Receiver undertakes to indemnify Fresh Minds hold Fresh Minds harmless from any cost, charge, damages, expense or loss which they cause Fresh Minds as a result of their breach of any of the provisions of this agreement.
17.2 Subject to clause 17.1, Fresh Minds shall in no circumstances be liable to Data Receiver whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
18.1 If the Data Receiver processes the Shared Personal Data for the purposes of direct marketing, the Data Receiver shall ensure that:
18.1.1 It first obtains the appropriate level of consent from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation; and
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
21.1 If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
If any provision or part-provision of this agreement is deemed deleted under clause 21.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
If during the Term of this agreement the Data Protection Legislation change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree to negotiate in good faith to review the Agreement in the light of the changes, however neither party shall be obliged to enter into a varied data sharing agreement.
23.1 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
24.1 This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
Each party acknowledges that in entering into this agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement.
The Data Receiver shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed. If the period of delay or non-performance continues for three months, the party not affected may terminate its involvement this agreement by giving thirty written notice to the affected party.
29 Governing law and Jurisdiction
This agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales and the parties agree that the courts of England and Wales shall have exclusive jurisdiction.
This agreement has been entered into on the date stated at the beginning of it.
Technical and organisational security measures
Signed by [NAME ]
Authorised signatory for and on behalf of Fresh Minds Talent Limited
Signed by [NAME]
Authorised signatory for and on behalf of [Data Receiver]