GDPR Notice and Compliant Consent Measures
This agreement is valid from the date for your subscription to TripAid.
PARTIES
1) Tripaid Limited incorporated and registered in England and Wales with company number 12200875 whose registered office is at Pear Tree House, Station Road, Foggathorpe YO8 6PS (Data Discloser)
2) By selecting the tick box to agree to this document, you enter into the agreement in the role of Data Receiver.
BACKGROUND
(A) The Data Discloser agrees to share the Personal Data with the Data Receiver in the European Economic Area (EEA) on the terms set out in the Agreement.
(B) The Data Receiver agrees to use the Personal Data within the EEA on the terms set out in this Agreement.
(C) This is a free-standing Agreement that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
AGREED TERMS
1. Interpretation
The following definitions and rules of interpretation apply in this agreement.
1.1. Definitions:
1. Agreed Purpose: has the meaning given to it in clause 2 of this Agreement.
2. Agreement: this Agreement, which is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
3. Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
4. Commencement Date: from the date of your subscription for the period of one calendar year
5. Deletion Procedure: has the meaning given to it in clause 8.3 and Schedule 8 to this Agreement.
6. Data Sharing Code: the Information Commissioner’s Data Sharing Code of Practice of May 2011, as updated or amended from time to time.
7. Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party.
8. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
9. Shared Personal Data: the personal data to be shared between the parties under clause 4 of this Agreement.
10. Subject Access Request: the exercise by a data subject of his or her rights under Article 15 of the GDPR and the DPA 2018.
11. Supervisory Authority: the relevant supervisory authority in the territories where the parties to this Agreement are established.
12. Term: This agreement is valid until the end of your period of subscription
1.2. Controller, Processor, Data Subject and Personal Data, Special Categories of Personal Data, Processing and “appropriate technical and organisational measures” shall have the meanings given to them in the Data Protection Legislation.
1.3. Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.
1.4. The schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the schedules.
1.5. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.6. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.7. A reference to a statue or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.8. References to clauses and Schedules are to the clauses and Schedules of this agreement and references to paragraphs are to paragraphs of the relevant Schedule.
1.9. Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
1.10. In the case of any ambiguity between any provision contained in the body of this agreement and any provision contained in the Schedules or appendices, the provision in the body of this agreement shall take precedence.
1.11. A reference to writing or written includes fax and email.
1.12. Unless the context otherwise requires the reference to one gender shall include a reference to the other genders.
2. Purpose
2.1. This agreement sets out the framework for the sharing of Personal Data when one Controller discloses personal data to . It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
2.2. The parties consider this data sharing initiative necessary as To allow the Data Receiver to manage and supervise the running of the TripAid service in the Data Receiver’s subscription. The aim of the data sharing initiative is to Allow the Data Receiver to monitor which teachers and students are using the TripAid service and if necessary remotely supervise the group. It will serve to benefit individuals by Ensuring the safety of teachers and students using the TripAid service and provide information about the use of TripAid service during the Data Receiver’s subscription.
2.3. The parties agree to only process Shared Personal Data, as described in clause 4.1 and clause 4.2, for the following purposes:
(a) To monitor students and teachers on School Trips, enhancing the safety of all on the trip,
(b) To record the use of Tripaid App during school trips,
The parties shall not process Shared Personal Data in a way that is incompatible with the purposes described in this clause (Agreed Purpose).
2.4. Each party shall appoint a single point of contact (SPoC) who will work together to reach an agreement with regards to any issues arising from the data sharing and to actively improve the effectiveness of the data sharing initiative. The points of contact for each of the parties are:
(a) [Tim Lister, Director of Tripaid Limited, tlister@tripaid.co.uk 07740303450]
(b) [Educational Visits Coordinator/Senior member of staff responsible for the oversight of educational visits in the Data receiver school]
3. Compliance with national data protection laws
3.1. Each Party must ensure compliance with applicable national data protection laws at all times during the Term of this agreement.
3.2. In the event the data protection law or approach to compliance of the United Kingdom and any other country conflict, the requirements of the country that necessitates stricter or additional requirements to protect data subjects’ privacy and personal data shall be applied.
3.3. Each party has such valid registrations and paid such fees as are required by its national Supervisory Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this Agreement, unless an exemption applies.
4. Shared Personal Data
4.1. The following types of Personal Data will be shared between the parties during the Term of this agreement:
(a) Name
(b) Location data
(c) Number of messages sent
4.2. Special categories of Personal Data will not be shared between the parties
4.3. Further detail on the Shared Personal Data as described in clause 4.1 and clause 4.2 is set out in Schedule 4 together with any access and processing restrictions as agreed and established by the parties.
4.4. The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
5. Lawful, fair and transparent processing
5.1. Each party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with clause 5.2 during the Term of this agreement.
5.2. Each party shall ensure that it has legitimate grounds under the Data Protection Legislation for the processing of Shared Personal Data.
5.3. Shared Personal Data must be limited to the Personal Data described in clause 4.1 and clause 4.2 of this Agreement.
6. Data subjects' rights
6.1. The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation within the time limits imposed by the Data Protection Legislation.
6.2. The SPoC for each party is responsible for maintaining a record of individual requests for information, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. The SPoC for each party are detailed in clause 2.4.
7. Data retention and deletion
7.1. The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
7.2. Notwithstanding clause 7.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.
7.3. The Data Receiver shall ensure that any Shared Personal Data are returned to the Data Discloser or securely destroyed in the following circumstances:
(a) on termination of the Agreement;
(b) on expiry of the Term of the Agreement;
(c) once processing of the Shared Personal Data is no longer necessary for the purposes it was originally shared for, as set out in clause 2.3.
7.4. Following the deletion of Shared Personal Data in accordance with clause 7.3, the Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted and the method of deletion.
8. Transfers
8.1. For the purposes of this clause, transfers of personal data shall mean any sharing of personal data by the Data Receiver with a third party, and shall include, but is not limited to, the following:
(a) subcontracting the processing of Shared Personal Data;
(b) granting a third party controller access to the Shared Personal Data.
8.2. If the Data Receiver appoints a third party processor to process the Shared Personal Data it shall obtain the written permission of the Data Controller and comply with Article 28 and Article 30 of the GDPR and shall remain liable to the Data Discloser for the acts and/or omissions of the processor.
8.3. The Data Receiver shall not disclose or transfer Shared Personal Data to any third party without the written permission of the Data Discloser. The Data Discloser may require any third party to make a request to be an additional Data Receiver pursuant to clause 11.1 of this agreement.
8.4. The Data Receiver shall not disclose or transfer Shared Personal Data outside the EEA.
9. Security and training
9.1. The Data Receiver undertakes to have in place throughout the Term appropriate technical and organisational security measures to:
(a) prevent:
(i) unauthorised or unlawful processing of the Shared Personal Data; and
(ii) the accidental loss or destruction of, or damage to, the Shared Personal Data
(b) ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the Shared Personal Data to be protected.
9.2. It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security together with any other applicable national data protection laws and guidance and have entered into confidentiality agreements relating to the processing of personal data.
9.3. The level, content and regularity of training referred to in clause 9.3 shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and processing of the Shared Personal Data.
10. Personal data breaches and reporting procedures
10.1. The parties shall each comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) data subjects under Article 33 of the GDPR and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify any Supervisory Authority or data subject(s).
10.2. The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
11. Review and termination of agreement
11.1. Any additional Data Receiver that wishes to be part of this data sharing initiative and Agreement shall make a written request. Each party must then provide a written data sharing decision to the other Party. The consent of every party is required in order for the additional party to be included into this Agreement.
11.2. This agreement may be terminated by any Party by given all other parties one month’s written notice.
11.3. In the event that a party terminates the Agreement or a new Data Receiver joins the agreement in accordance with clause 11.1, an amended and updated version of this Agreement will be drafted as soon as practicable and circulated to all other parties.
11.4. Parties shall review the effectiveness of this data sharing initiative every 12 months and on the addition and removal of a party, having consideration to the aims and purposes set out in clause 2.2 and clause 2.3. The parties shall continue, amend or terminate the Agreement depending on the outcome of this review.
11.5. The review of the effectiveness of the data sharing initiative will involve:
(a) assessing whether the purposes for which the Shared Personal Data is being processed are still the ones listed in this Agreement;
(b) assessing whether the Shared Personal Data is still as listed in this Agreement;
(c) assessing whether the legal framework governing data quality, retention, and data subjects’ rights are being complied with; and
(d) assessing whether personal data breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the applicable legal framework.
11.6. Each party reserves its rights to inspect the other party’s arrangements for the processing of Shared Personal Data and to terminate the Agreement where it considers that the other party is not processing the Shared Personal Data in accordance with this agreement.
12. Resolution of disputes with data subjects or the Supervisory Authority
12.1. In the event of a dispute or claim brought by a data subject or the Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
12.2. The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
12.3. Each party shall abide by a decision of a competent court of the Data Discloser’s country of establishment or of the Supervisory Authority.
13. Language
13.1. This Agreement is drafted in the English language. If this Agreement is translated into any other language, the English language version shall prevail.
13.2. Any notice given under or in connection with this Agreement shall be in English. All other documents provided under or in connection with this Agreement shall be in English, or accompanied by a certified English translation.
13.3. The English language version of this agreement shall prevail if there is a conflict.
14. Warranties
14.1. Each party warrants and undertakes that it will:
(a) Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
(b) Make available on request to the data subjects who are third party beneficiaries a copy of this Agreement, unless the Clause contains confidential information.
(c) Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data.
(d) Respond to Subject Access Requests in accordance with the Data Protection Legislation.
(e) Where applicable, maintain registration and pay the appropriate fees with all relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.
(f) Take all appropriate steps to ensure compliance with the security measures set out in clause 9. above.
14.2. The Data Discloser warrants and undertakes that it is entitled to provide the Shared Personal Data to the Data Receiver and it will ensure that the Shared Personal Data are accurate.
14.3. The Data Recipient warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the EEA.
14.4. Except as expressly stated in this Agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.
15. Indemnity
15.1. The Data Receiver undertakes to indemnify the Data Discloser and hold them harmless from any cost, charge, damages, expense or loss which they cause to the Data Discloser as a result of their breach of any of the provisions of this Agreement
16. Limitation of liability
16.1. Neither party excludes or limits liability to the other party for:
(a) fraud or fraudulent misrepresentation;
(b) death or personal injury caused by negligence;
(c) a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
(d) any matter for which it would be unlawful for the parties to exclude liability.
16.2. Subject to clause 16.1, neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
(a) any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
(b) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
(c) any loss or liability (whether direct or indirect) under or in relation to any other contract.
16.3. clause 16.2 shall not prevent claims, for:
(a) direct financial loss that are not excluded under any of the categories set out in clause 16.2(a); or
(b) tangible property or physical damage.
17. Third party rights
17.1. Except as expressly provided in clause 6 (data subjects rights) a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
17.2. The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this Agreement are not subject to the consent of any other person.
Variation
No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
18. Waiver
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
19. Severance
19.1. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
19.2. If any provision or part-provision of this agreement is deemed deleted under clause 23.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
20. Changes to the applicable law
If during the Term the Data Protection Legislation change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree that the SPoCs will negotiate in good faith to review the Agreement in the light of the new legislation.
21. No partnership or agency
21.1. Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party..
21.2. Each party confirms it is acting on its own behalf and not for the benefit of any other person.
22. Entire agreement
22.1. This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
22.2. Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
22.3. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misrepresentation based on any statement in this Agreement.
23. Further assurance
At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
24. Force majeure
Neither party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed. If the period of delay or non-performance continues for 4 weeks, the party not affected may terminate this agreement by giving 7 days’ written notice to the affected party.
25. Rights and remedies
The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
26. Notice
26.1. Any notice or other communication given to a party under or in connection with this agreement shall be in writing, addressed to the SPoCs and shall be:
(a) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
(b) sent by email to the SPoC.
26.2. Any notice or communication shall be deemed to have been received:
(a) if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; and
(b) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; and
(c) if sent by email, at the time of transmission, or if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 272(c), business hours means 9:00 am to 5:00 pm Monday to Friday on a day that is not a public holiday in the place of receipt.
26.3. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution
27. Governing law
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
28. Jurisdiction
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this Agreement or its subject matter or formation.
This agreement has been entered into on the date stated at the beginning of it.