SHORTLIST.ME DATA SHARING AGREEMENT

Shortlister Solutions Limited (Shortlist.Me) is the owner and provider of the Shortlist.Me Platform which provides students with software which enhances their employability and facilitates pathways to employment opportunities. 

You (School) wish to provide your students and teachers (as well as certain other School staff) with access to the Shortlist.Me Platform pursuant to the Main Agreement (as defined below). To this end, the School needs to share with Shortlist.Me certain personal data relating to such students. 

The School agrees to share the Personal Data with Shortlist.Me on terms set out in the Agreement.

IT IS HEREBY AGREED

  1. Interpretation

The following definitions and rules of interpretation apply in this Agreement.

    1. Definitions:

Agreed Purpose: means for the purposes of this Agreement or the Main Agreement. 

Agreement: this data sharing agreement.

Commencement Date: has the meaning given at the beginning of the Agreement.

Data Protection Legislation: 

  1. To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
  2. To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the party is subject, which relates to the protection of personal data.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

Main Agreement: means the service terms which govern the provision of the Shortlist.Me Platform to the School by Shortlist.Me.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.

Shared Personal Data: the Personal Data to be shared between the parties under clause 3 of this Agreement.

Shortlist.Me Platform: means the platform which can be accessed by authorised individuals at https://go.shortlister.com/

Shortlist.Me Privacy Policy: means the privacy policy specifying the terms on which Shortlist.Me processes Shared Personal Data, which can be accessed at http://shortlist.me/privacy/data-controller/.

Subject Rights Request: the exercise by a data subject of their rights under the Data Protection Legislation.

Supervisory Authority: the relevant supervisory authority in the territories where the parties to this Agreement are established (other than the Information Commissioner).

Term: This Agreement shall come into effect on the Commencement Date and shall continue for so long as the parties process Shared Personal Data. 

    2. Controller, Processor, Information Commissioner, Data Subject and Personal Data, Processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Legislation.
    3. In the case of any ambiguity between any provision contained in the body of this Agreement and any provision contained in the Main Agreement, the provision in the body of this Agreement shall take precedence.
  2. PURPOSE AND TERM
    1. This Agreement sets out the framework for the sharing of Personal Data when one Controller (the School) discloses Personal Data to another Controller (Shortlist.Me). It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other and to Data Subjects. 
    2. Each party agrees to process Shared Personal Data only for the Agreed Purposes and for the Term of the Agreement. 
  3. SHARED PERSONAL DATA
    1. The parties acknowledge that each is a data Controller in respect of the Personal Data, and further acknowledge that the Personal Data:
      1. relates to Data Subjects who are students, teachers and/or other School staff who access and/or use the Shortlist.Me Platform  and, in each case, is further described in the Shortlist.Me Privacy Policy;
      2. as it relates to students, may include, but is not limited to names; email addresses; details of activities undertaken; details of performance feedback; information contained in (or connected with) survey or questionnaire responses;
      3. as it relates to teachers and other School staff, may include, but is not limited to names; email addresses; profile data; and
      4. as it relates to parents, may include, but is not limited to, names and email addresses.
    2. Shortlist.Me shall process the Shared Personal Data for the uses set out in the Shortlist.Me Privacy Policy. 
  4. Lawful, fair and transparent processing
    1. Each party shall ensure that it Processes the Shared Personal Data fairly and in accordance with Data Protection Legislation. 
    2. This Agreement is in addition to, and does not relieve, remove or replace any other obligation set out in the Main Agreement or the Data Protection Legislation.  
  5. Data subjects’ rights
    1. Each party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. 
    2. The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation. 
  6. Transfers
    1. For the purposes of this clause, transfers of Personal Data shall mean any sharing of Personal Data by Shortlist.Me with a third party, and shall include the following:
      1. subcontracting the processing of Shared Personal Data;
      2. granting a third party Controller access to the Shared Personal Data.
    2. If Shortlist.Me appoints a third party Processor to Process the Shared Personal Data: 
      1. the third party Processors shall process the Shared Personal Data in accordance with the documented instructions of Shortlist.Me and with the relevant provisions of the Data Protection Legislation; and
      2. Shortlist.Me shall remain liable to the School for the acts and/or omissions of the Processor.
    3. Shortlist.Me may not transfer Shared Personal Data to a third party located outside the UK unless it:
      1. complies with the provisions of the Data Protection Legislation in the event the third party is a joint controller; and
      2. ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with Shortlist.Me’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation  applies to the transfer.
  7. Security and training
    1. The parties undertake to have in place throughout the Term of this Agreement appropriate technical and organisational security measures to:
      1. prevent:
        1. unauthorised or unlawful processing of the Shared Personal Data; and
        2. the accidental loss or destruction of, or damage to, the Shared Personal Data;
      2. ensure a level of security appropriate to:
        1. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
        2. the nature of the Shared Personal Data to be protected.
    2. It is the responsibility of each party to ensure that its staff members who process the Shared Personal Data have received adequate training on compliance with the data protection obligations set out in this clause 7 and in Data Protection Laws applicable to processing.
  8. Personal data breaches and reporting procedures
    1. The parties shall each comply with its obligation to report a Personal Data Breach to the Information Commissioner or appropriate Supervisory Authority and (where applicable) Data Subjects under the Data Protection Legislation and shall each inform the other party of any Personal Data Breach irrespective of whether there is a requirement to notify the Information Commissioner or any Supervisory Authority or Data Subject(s).
    2. The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
  9. Resolution of disputes with data subjects or the Supervisory Authority
    1. In the event of a dispute, complaint or claim brought by a Data Subject or the Information Commissioner or a Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.
    2. The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Information Commissioner or by a Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
    3. Each party shall abide by a decision of a competent court of the School’s country of establishment or of the Information Commissioner or a Supervisory Authority.
  10. Third party rights

No one other than a party to this Agreement, their successors and permitted assignees, shall have any right to enforce any of its provisions.

  11. Direct marketing
    1. If Shortlist.Me processes the Shared Personal Data for the purposes of direct marketing, each party shall ensure that:
      1. the appropriate level of consent has been obtained from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation; and
      2. effective procedures are in place to allow the Data Subject to “opt-out” from having their Shared Personal Data used for such direct marketing purposes.
  12. Variation

No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

  13. Waiver

No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

  14. Severance
    1. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.
    2. If any provision or part-provision of this Agreement is deemed deleted under clause 14.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
  15. Changes to the applicable law

If during the Term of this Agreement the Data Protection Legislation changes in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that they will negotiate in good faith to review the Agreement in the light of the changes.

  16. No partnership or agency
    1. Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
    2. Each party confirms it is acting on its own behalf and not for the benefit of any other person.
  17. Governing law

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

  18. Jurisdiction

Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this Agreement or its subject matter or formation.