Terms and Conditions
Terms and Conditions - Evaluation Tools
These Terms and Conditions supersede the previous version dated (May 2019) and shall apply to your use of the Careers and Enterprise Company website https://www.careersandenterprise.co.uk/careers-leaders/tools-resources/ (“Site”) and commissioning of any Service with effect from 15th July 2021. Use of the Site includes accessing, browsing, or registering to use the Site.
The Site is operated, and the Applications are provided, by the Careers and Enterprise Company Limited (“we/our/us/CEC”). We are registered in England and Wales under company number 09432724 and our registered office is 2-7 Clerkenwell Green, London, England, EC1R 0DE. Any reference to “you” or “your” means the school, college or other such organisation (including a multi-academy trust or local authority) that uses or has used the Site, Application(s) and/or submitted Data to us.
Please read these Terms and Conditions and the Privacy Notice carefully before you start to use the Site or you request Service from us.
By using and/or uploading Data through the Site and/or accessing it via the Application(s), you are indicating that you accept these Terms and Conditions and that you agree to abide by them. If you do not agree with or accept any of these Terms and Conditions, you must not use our Site or provide any Data to us.
“Administrator” means a user authorised by you to manage Authorised User access to the Service and act as point of contact in relation to compliance with these Terms and Conditions.
“Application(s)” means the Compass, Compass+ and Tracker applications (as applicable).
“Authorised User” means any individual to whom you grant access authorisation to use the Service that is your employee, agent, or contractor.
“CEC Research” means research, analytics and analysis carried out by us using anonymised, pseudonymised or de-identified instances of the Data you submit which may be shared with third party organisations including funders of CEC.
“Compass” means the Compass web application accessed via the Site, as further described in the Documentation.
“Compass+” means the Compass+ web application accessed via the Site, as further described in the Documentation.
“Data” means any data received by us from you, including Personal Data (as defined in Schedule 1).
“Documentation” means the description of the Service as further described on the Site.
“Pupil Data” means Personal Data about pupils from your school or college supplied by you in connection with your use of the Service.
“Reports” means the reports or analysis produced from time to time through the Applications.
“Service” means (as appropriate) your access to the Site, the Applications, the Documentation and any additional advice, training or any other services that may be provided by us to you.
“Tracker” means the Tracker web application accessed via the Site, as further described in the Documentation.
2. Changes to these terms
2.1. We reserve the right to amend these Terms and Conditions at any time without notice to you. The latest version of these Terms and Conditions is published on the Site. If you continue to use the Service after the effective date of each amendment, you will be conclusively deemed to have accepted such amended version of these Terms and Conditions. It is your responsibility to check these Terms and Conditions from time to time to verify such variations.
3. Reports and Service
3.1. You agree that by providing Data to us (either by providing us with access to the Data or by using the Service to upload the Data to the Applications) you are permitting us to analyse the Data and to enable you to run Reports. You may request access to the Applications via the Site and we are only obligated to deliver the Service once your request has been accepted.
3.2. We reserve the right to update, vary or amend the format of the Reports and the Service we provide.
3.3. You shall be unable to run Reports (a) if, after making reasonable requests to you, we do not receive all required information from you, or (b) where you have breached these Terms and Conditions, or (c) in our reasonable opinion, you have not acted in good faith at any time.
4. Our Obligations
4.1. We will provide the Service:
4.1.1. in substantial conformance with the Documentation;
4.1.2. in compliance with applicable laws including without limitation as required by the Data Sharing Schedule.
5. Your Obligations
5.1. You warrant that:
5.1.1. you will comply with all applicable laws including without limitation as required by the Data Sharing Schedule;
5.1.2. your Administrators have the authority to bind any organisation on whose behalf any of them uses the Site to request access to the Applications;
5.1.3. you have the right to upload the Data and to grant us a right to make an anonymised, pseudonymised or de-identified copy of the same for the purpose of the CEC Research;
5.1.4. you will obtain and at all times maintain all necessary licences and consents necessary for the provision of the Service; and
5.1.5. you will comply with all our reasonable instructions regarding your use of the Service in order to preserve the security of your Data including the Reports.
5.2. The Reports and other information relating specifically to you and displayed in the Application(s) are reliant on you providing up to date and accurate Data. You are responsible for ensuring the accuracy and completeness of the Data that you provide to us as this will form the basis of the provision of the Service.
5.3. You must not:
5.3.1 make the Service available to anyone other than Authorised Users;
5.3.2 upload any Data or other content which is unsuitable, offensive, defamatory, or breaches any laws or any rights of third parties and we reserve the right to delete any Data or other content determined by us to be so and to suspend or terminate your access to and use of the Service;
5.4 You will be responsible for Authorised Users’ compliance with the Terms and Conditions and will use commercially reasonable efforts to prevent unauthorised access to or use of the Service and notify us promptly of any such unauthorised access or use.
5.5 Any use of the Service in breach of these Terms and Conditions by you or Authorised Users that in our judgment threatens the functionality, security, integrity or availability of the Service or any content, data or applications in the Service, may result in our immediate suspension of your use of the Service. We will use reasonable efforts to re-establish the Service promptly after determining that the issue causing the suspension has been resolved.
6. Intellectual Property Rights
6.1. We (or our licensors) shall at all times retain ownership of all intellectual property rights in and to the Service. Nothing in these Terms and Conditions grants you any legal rights in the Service other than as necessary to enable you to access the Site and use the Applications.
6.2. We shall at all times retain ownership of all copyright and other intellectual property rights in all and any Reports and analysis generated, any deliverables relating to the Service, and any advice or training given as part of the provision of the Service and, subject to paragraph 6.3, nothing shall be deemed as a release, transfer, assignment or other disposal of our rights.
6.3. We grant you a non-exclusive, non-transferable, revocable licence to reproduce extracts of, and otherwise use the Reports (including any hardcopy and/or electronic contents) for the purposes of:
(i) analysing your Data to identify areas of strengths and weaknesses and improving standards, and
(ii) other internal purposes that relate to your use of the Service.
6.4. If you breach any provisions of this paragraph 6, we are entitled to suspend or terminate your access to the Service.
7.1. We may update the Service from time to time and may change the content or functionality at any time. However, we give no warranties, express or implied, that (a) the content of any part of the Service is accurate, complete or up to date or (b) the functionality will remain the same or similar, and, whilst we will use our reasonable efforts to update the information on the Site, we are under no obligation to do so.
7.2. We do not guarantee that the Service, any element of it or any content on it, will be free from errors or omissions.
8. Use and access to the Service
8.1. We shall use reasonable endeavours to make the Service available to you. From time to time, it will be necessary for us to carry out maintenance in respect of the Service which may result in occasional periods of downtime. Although we will use reasonable endeavours to minimise such downtime, we make no representations or warranties to you in respect of the availability of the Service.
8.2. We do not warrant that the Service will meet your requirements or that the operation of the Service will be uninterrupted or error-free or that defects in the Service will be corrected.
9. Your account and password
9.1. An account on the Site to make use of the Application(s) can be created by your Administrator for any Authorised User forming part of your staff or governing body through input of information including: personal details (first and last name), institution role, and email address. The Authorised User can then set their password. The correct use of account details, codes and passwords is an important part of the technical and organisational measures we provide to maintain the security of Data during processing by us.
9.2. You agree to notify us immediately if you have lost or compromised your account details, or if any unauthorised activity has taken place using your account details. If you know or suspect that anyone other than you knows the login or password or has otherwise been given access to the Application(s), you must immediately notify us by email or telephone using the contact details in the 'contact us' section of the Site.
9.3. We reserve the right to monitor usage of the Service by all Authorised Users (by way of audits or otherwise) for the purpose of (among others) ensuring compliance with these Terms and Conditions. We reserve the right to suspend or terminate any User’s account or your account at any time if, in our reasonable opinion, you or any User have failed to comply with any of the provisions of these Terms and Conditions or for any reason related to breach of security or breach of applicable law.
9.4. If you decide to no longer use the Service, or we choose to suspend or terminate your account in accordance with paragraph 9.3, you will no longer be able to access any part of the Service.
10. Use of the Service
10.1. Nothing in these Terms and Conditions grants you any legal rights to the Service other than as necessary for your internal business and educational purposes only.
10.2. You and any Authorised Users are not permitted:
10.2.1. to use the Service on behalf of any other school, educational institution or other organisation without our prior approval;
10.2.2. except as expressly permitted by these Terms and Conditions and save to the extent and in the circumstances expressly permitted by law, to rent, lease, sub-license, loan, copy, modify, adapt, merge, translate, reverse engineer, decompile, disassemble or create derivative works based on the whole or any part of the Service (or any associated documentation of these) or use, reproduce or deal in the Service (or any part thereof) in any way;
10.2.3. to transfer the Service (or any associated documentation) or the benefit of these Terms and Conditions to another person unless you have our prior written agreement;
10.2.4. modify, adapt, edit, abstract, create derivative works of, sell or in any way commercially exploit any part of the Service;
10.2.5. to frame or mirror any part of the Service without our express written consent;
10.2.6. use the Service to provide outsourced services to third parties or make it available to any third party or allow or permit a third party to do so; or
10.2.7. combine, merge or otherwise permit the Service to become incorporated in any other program, or arrange or create derivative works based on it.
10.3. We do not warrant that any element of the Service will meet your requirements or that the operation of the Service will be uninterrupted or error-free or that defects in the Service will be corrected. We are not liable for any failure of the Service to provide any functions not specified in its instructions or associated documentation.
11. Uploading Data
11.1. Whenever you use the Service to upload Data, you must do so in compliance with these Terms and Conditions. You may not use the Site or Applications in any way which may interfere with or prevent the proper working of the Service.
11.2. Where you upload Data or provide us access to the Data via our own or third-party integrations to your management information systems, you grant us a royalty-free, non-transferable, non-exclusive licence:
(i) for the term of our agreement to use the Data to the extent necessary to perform the Service; and
(ii) to use anonymised, pseudonymised or de-identified information extracted from the Data for CEC Research.
11.3. You warrant that any Data provided by you complies with these Terms and Conditions and will not infringe any third party’s intellectual property rights and you will be liable to us and indemnify and keep indemnified and hold us harmless against any claims, losses, costs or expenses incurred by us for any breach of this warranty.
11.4. We shall have the right to disclose your identity to any third party who is claiming that any content posted, or Data uploaded by you, through the use of the Service constitutes a violation of their intellectual property rights, or of their right to privacy.
11.5. We will not be responsible, or liable to any third party, for the content or accuracy of any content posted by you or any other user of the Service.
12.1. We do not guarantee that the Service will be free from errors, interruptions, bugs or viruses.
12.2. You are responsible for configuring your information technology, computer programmes and platform to access the Service. You should use your own virus protection software.
12.3. You must not misuse the Service by introducing any software viruses or other malware (including any bugs, trojans, worms, logic bombs or any other self-propagating or other such program or material which is malicious or technologically harmful) that may infect or cause damage to the Service. You must not attempt to gain unauthorised access to the Service, the server on which the Service is stored, or any server, computer or database connected to the Service. You must not attack the Service via a denial-of-service attack or a distributed denial-of-service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities, and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use the Service will cease immediately.
12.4. We will not be liable for any loss or damage caused by a distributed denial-of-service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, Data or other proprietary material due to your use of the Service or to your downloading of any material posted on it, or on any website linked to it.
13. Linking to the Site
13.1. You may link to our Site, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it.
13.2. You must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part where none exists.
13.3. You must not establish a link to the Site in any website that is not owned by you, nor may you create a link to any part of the Site other than the home page.
13.4. We reserve the right to withdraw linking permission without notice.
14. Third Party Links
15.1. These Terms and Conditions are effective until:
15.1.1. you notify us in writing that you no longer wish to use the Service;
15.1.2. we terminate your account where you have materially failed to abide by these Terms and Conditions (where such failure is not remediable or has not been remedied within 14 days of written notice from us of such failure); or
15.1.3. we withdraw the Service from use.
15.2. Termination of these Terms and Conditions is without prejudice to any rights and remedies which may have accrued up to the date of termination.
15.3. Upon termination or expiry, your right to access any part of the Service shall terminate immediately. We will delete any Data uploaded via the Service in accordance with Schedule 1. For the avoidance of doubt, anonymised, pseudonymised or de-identified data used in the course of CEC Research, which does not include any Personal Data, may continue to be used after the date of termination.
16. Limitation of Our Liability
16.1. Nothing in these Terms and Conditions excludes or limits our liability for death or personal injury arising from our negligence, or our fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by English law.
16.2. To the extent permitted by law, we exclude all conditions, warranties, representations or other terms which may apply to the Service, whether express or implied.
16.3. We will not be liable for any:
16.3.1 loss of profits, sales, business, or revenue;
16.3.2 loss of business interruption or anticipated savings;
16.3.3 loss of business opportunity, goodwill or reputation;
16.3.4 loss or corruption of data; or
16.3.5 indirect or consequential loss or damage.
16.4 Subject to clauses 16.1 and 16.3 in no event shall our liability exceed £50,000 in respect of all claims in any 12 month period.
17. Entire Agreement
17.1. These Terms and Conditions (including the Schedule and the documents referred to herein) constitute the entire agreement between you and us in relation to their subject matter. You acknowledge that you have not relied on any statement, representation or promise made or given by or on behalf of us which is not set out in these Terms and Conditions or any document referred to within them.
17.2. These Terms and Conditions apply to the exclusion of any other terms and conditions that you may seek to impose or incorporate, or which are implied by trade, custom, practice or course of dealing.
18. Waiver of Remedies
18.1. The failure of either party to insist upon strict performance of any provision of these Terms and Conditions or exercise any right or remedy to which it is entitled under these Terms and Conditions shall not constitute a waiver thereof and will not prejudice or restrict the rights of that party and no waiver of any such rights or of any breach of any contractual terms will be deemed to be a waiver of any other right or of any later breach.
19. Applicable Law
19.1. These Terms and Conditions (and any non-contractual obligations arising out of or in connection with them) shall be governed by and construed in accordance with English law and each party agrees to submit to the exclusive jurisdiction of the courts of England and Wales.
20. Events Outside Our Control
20.1. We will not be liable or responsible for any failure to perform, or delay in performance of, any of our obligations under these Terms and Conditions that is caused by an Event Outside Our Control. An “Event Outside Our Control” is defined below in clause 20.2.
20.2. An “Event Outside Our Control” means any act or event beyond our reasonable control, including without limitation strikes, lock-outs or other industrial action by third parties, civil commotion, riot, invasion, terrorist attack or threat of terrorist attack, war (whether declared or not) or threat or preparation for war, fire, explosion, storm, flood, earthquake, subsidence, epidemic or other natural disaster, or failure of public or private telecommunications networks.
20.3. If an Event Outside Our Control takes place that affects the performance of our obligations under these Terms and Conditions:
20.3.1 we will contact you as soon as reasonably possible to notify you; and
20.3.2 our obligations under these Terms and Conditions will be suspended and the time for performance of our obligations will be extended for the duration of the Event Outside Our Control. Where the Event Outside Our Control affects our delivery of Service to you, we will arrange a new delivery date with you after the Event Outside Our Control is over.
21. Rights of Third Parties
21.1. Except where specifically provided for, a person who is not a party to these Terms and Conditions has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of the Terms and Conditions, but this does not affect any right or remedy of a third party which exists or is available otherwise than pursuant to that Act.
22.1. For the purposes of this clause 22 the expressions “adequate procedures” and “associated with” shall be construed in accordance with the Bribery Laws. “Bribery Laws” means the Bribery Act 2010 and associated guidance published by the Secretary of State for Justice under the Bribery Act 2010.
22.2. Each of us and you shall comply with applicable Bribery Laws including ensuring that each party has in place adequate procedures to prevent bribery and use all reasonable endeavours to ensure that:
22.2.1 all of that party’s personnel;
22.2.2 all others associated with that party; and
22.2.3 all of that party’s subcontractors;
involved in the performance of these Terms and Conditions so comply.
22.3. Without limitation to clause 22.2, neither we nor you shall make or receive any bribe (as defined in the Bribery Act 2010) or other improper payment or allow any such to be made or received on our or your behalf, either in the United Kingdom or elsewhere, and shall implement and maintain adequate procedures to ensure that such bribes or payments are not made or received directly or indirectly on our or your behalf.
22.4. We or you shall immediately notify the other party upon becoming aware of a breach of any of the requirements in this clause 22.
23. Freedom of Information
23.1. We agree to provide you all necessary assistance as reasonably requested by you to enable you to respond to a request for information under the Freedom of Information Act 2000 (“FOIA”).
23.2. You shall, before responding to any request for information pursuant to FOIA, notify us, and we shall both agree whether any information designated by us as commercially sensitive information and/or any other information is exempt from disclosure in accordance with the provisions of FOIA and act accordingly.
24.1. We may transfer our rights and obligations under these Terms and Conditions to another organisation, but this will not affect your rights or our obligations under these Terms and Conditions. We will always notify you in writing or by posting on the Site if this happens.
24.2. You may only transfer your rights or your obligations under these Terms and Conditions to another person if we agree in writing.
24.3. Each of the clauses of these Terms and Conditions operates separately. If any court or relevant authority decides that any of them are unlawful or unenforceable, the remaining clauses will remain in full force and effect.
Updated July 2021
Schedule 1 - Data Sharing Schedule
In this Schedule the following terms shall have the meanings set out below:
1.1 “Contact Point” means the person designated as the first contact point for third parties in relation to Data Subject Access Requests and Communications and any other matter relating to the Shared Personal Data. Each party’s respective Contact Point shall have overall internal responsibility within their respective party for appropriately addressing and responding to Data Subject Requests and Communications within the scope of that party’s obligations under this Schedule.
1.2 “Communications” means a complaint, enquiry, notice, request or other communication (but excluding any Data Subject Access Requests) relating to either party’s obligations under any Data Protection Laws in connection with this Schedule and/or the Processing of any of the Shared Personal Data, including any compensation claim from a Data Subject or any notice, investigation or other action from a Data Protection Supervisory Authority relating to any of the foregoing.
1.3 “Data Protection Laws” shall mean:
1.3.1 the Data Protection Act 2018;
1.3.2 the General Data Protection Regulation ((EU) 2016/679) (GDPR), as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
1.3.3 the Privacy and Electronic Communications (EC Directive) Regulations 2003; and
1.3.4 all applicable laws and regulations relating to processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Data Protection Supervisory Authority including any amending or replacement legislation in force from time to time.
1.4 Data Controller, Data Processor, Data Subject, Data Subject Access Request, Data Protection Impact Assessment (or DPIA), Data Protection Supervisory Authority, Personal Data, Sensitive or Special Category Data, Personal Data Breach, Profiling, Processor or processing and appropriate technical and organisational measures shall have the meanings given to them in the Data Protection Laws.
1.5 “Disclosing Party” means each party to the extent it (or any person acting on its behalf) discloses or otherwise makes accessible any Shared Personal Data to the other party (or any person acting on the other party’s behalf);
1.6 “Lawful Safeguard” means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
1.7 “Permitted Lawful Basis” means the permitted lawful basis described in the DPIA developed in accordance with paragraph 11 below;
1.8 “Permitted Purpose” means the purposes of using Personal Data to enable:
1.8.1 CEC to provide the Service and to Process Personal Data as a joint controller;
1.8.2 for the school to use the Service and Process Data also as a joint controller;
1.8.3 for the purpose of helping the school and its careers leaders to improve careers support provision to the school and its individual students, including to:
produce Reports in accordance with these Terms and Conditions;
organise, facilitate or request provision of careers services by or on behalf of third parties;
produce anonymised, pseudonymised or de-identified information for the purposes of carrying out CEC Research; and
help schools’ careers leaders to plan, review, and improve careers provision at school and student levels.
1.9 “Permitted Recipients” means the following who need access to the Received Personal Data for the Permitted Purpose:
1.9.1 the relevant Receiving Party’s employees; and
1.9.2 the relevant Receiving Party’s contractors and sub-contractors (together with their employees);
1.10 “Received Personal Data” means Shared Personal Data in respect of which the relevant party is the Receiving Party;
1.11 “Receiving Party” means each party to the extent it (or any person acting on its behalf) receives or accesses any Shared Personal Data disclosed or made available by the other party (or any person acting on the other party’s behalf);
1.12 “Shared Personal Data” means Personal Data received by or on behalf of one party from or on behalf of the other party, or otherwise made available by one party to the other for the Permitted Purpose;
1.13 “Sub-Processor” means a Processor engaged by one party or by any other Sub-Processor for carrying out processing activities in respect of the Personal Data on behalf of that party; and
1.14 “UK Law” means applicable law of the United Kingdom or of a part of the United Kingdom.
2. Status of this Schedule
2.1 Each party shall be a Joint Controller of the Shared Personal Data. If the parties share the Shared Personal Data, it shall be shared and managed in accordance with the terms of this Schedule.
2.2 For the purposes of this Schedule, we both acknowledge and agree that in any, and all circumstances, and in respect of all Pupil Data only, you shall be the Disclosing Party and we shall be the Receiving Party.
3. Compliance with Data Protection Laws
3.1 This Schedule allocates certain rights and responsibilities among the parties as enforceable contractual obligations between themselves, however nothing in this Schedule is intended to limit or exclude either party’s responsibilities or liabilities under Data Protection Laws.
3.2 We each agree to comply with the Data Protection Laws in connection with the exercise and performance of our respective rights and obligations under these Terms and Conditions.
4. Agreed basis for sharing
4.1 We each have determined that it is necessary to share the Shared Personal Data in order to achieve the Permitted Purpose.
4.2 You agree to share with us in the format instructed by us from time to time (acting reasonably) the Shared Personal Data.
5. General Obligations
5.1 We each agree that in respect of the Shared Personal Data, the Disclosing Party:
5.1.1 warrants that the Shared Personal Data is Processed on the basis of one or more of the legal grounds set out in Article 6 and where applicable Article 9 of the GDPR or as otherwise provided for in the Data Protection Laws;
5.1.2 warrants that it has provided all necessary fair processing notices to all Data Subjects as legally required that are clear and that comply with the Data Protection Laws, in relation to the Processing for the Permitted Purpose and to enable the sharing of the Shared Personal Data, including with the third parties listed in the Terms and Conditions;
5.1.3 shall ensure that the Shared Personal Data has been collected, Processed and transferred in accordance with the Data Protection Laws as applicable to that data at all times prior to the receipt of that data by the Receiving Party (or any person acting on its behalf);
5.1.4 is, as between the parties and subject to paragraphs 5.2 and 8.1, the primary point of contact for Data Subjects;
5.1.5 subject to paragraphs 5.2 and 8.1, shall direct Data Subjects to its Contact Point in connection with the exercise of their rights as Data Subjects and for any enquiries concerning the Shared Personal Data and identify its Contact Point in all information referred to in paragraphs 5.1.10 and 5.1.11 as the Contact Point for all Data Subject Requests or other Communications from Data Subjects regarding the sharing or other Processing of such Shared Personal Data;
5.1.6 shall ensure that the Shared Personal Data has been collected, Processed and transferred in accordance with the Data Protection Laws as applicable to that data at all times prior to the receipt of that data by the Receiving Party (or any person acting on its behalf);
5.1.7 shall ensure the Shared Personal Data is accurate and up-to-date when disclosed or made accessible to the relevant Receiving Party and shall promptly notify the Receiving Party if such Shared Personal Data becomes inaccurate or out of date;
5.1.8 is solely responsible for both parties’ compliance with all duties to provide information to Data Subjects under Articles 5(1)(a), 13 and 14 of the GDPR or any similar Data Protection Laws, including as required for all Processing of Shared Personal Data by or on behalf of the Receiving Party for the Permitted Purpose on the Permitted Lawful Basis in accordance with these Terms and Conditions;
5.1.9 without prejudice to its other obligations, shall ensure that it is entitled to transfer the Shared Personal Data to the Receiving Party and that the Receiving Party (and each of the Receiving Party’s Permitted Recipients) is entitled under all applicable laws and legal theories to Process the Shared Personal Data for the Permitted Purpose in accordance with these Terms and Conditions;
5.1.10 is solely responsible for ensuring that where the Shared Personal Data was received by the Disclosing Party from a third party, or has been Processed by a third party on behalf of the Disclosing Party, it has in place arrangements with those third parties:
as required by all Data Protection Laws (including, where applicable, Articles 26, 28 and 32 of the GDPR);
which are adequate to permit the Disclosing Party to share the Shared Personal Data with the Receiving Party (and its Permitted Recipients) under all Data Protection Laws; and
as required for the Receiving Party (and its Permitted Recipients) to Process such data in accordance with these Terms and Conditions.
5.1.11 shall make available to Data Subjects the essence of this Schedule (and notify them of any changes to it).
5.2 Notwithstanding the terms of this Schedule, the parties acknowledge that a Data Subject has the right to exercise their legal rights under the Data Protection Laws against any relevant party as Controller.
5.3 Each party shall use its reasonable endeavours to assist the other to comply with any obligations under all Data Protection Laws in connection with these Terms and Conditions and shall not perform its obligations under this Schedule in such a way as to cause the other party to breach any of the other party’s obligations under applicable Data Protection Laws to the extent it is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.
6. Technical and organisational measures
6.1 Both parties shall at all times:
6.1.1 put in place and maintain appropriate technical and organisational measures as required by Data Protection Laws;
6.1.2 implement and maintain appropriate technical and organisational measures to protect the Shared Personal Data in its possession or control against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, taking into account:
the nature of the data to be protected;
the harm that might result from any failure to so protect the Received Personal Data;
the state of technological development; and
the cost of implementing any measures;
and will take such technical and organisational measures as may be appropriate (including using modern and best practice encryption technologies such as Secure Sockets Layer (SSL/TLS) for encrypted data transfer and encryption of all data at rest), and promptly provide such information to the Receiving Party as it may reasonably require, to enable both parties to protect the Received Personal Data in its possession or control against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
7. International Transfers
7.1 Subject to paragraph 7.2, the Receiving Party will not transfer Received Personal Data to any country or territory outside the United Kingdom or to any international organisation (as defined in the GDPR), except to the extent required by UK Law or with the Disclosing Party’s express prior written consent. For the purposes of this paragraph 7 ‘transfer’ bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR.
7.2 You hereby authorise us (or any Sub-Processor) to transfer Shared Personal Data, provided all transfers of Shared Personal Data by us shall be effected by way of the Lawful Safeguards.
8. Data Subject Access requests
8.1 Except for any Shared Personal Data identified in a relevant DPIA as being Shared Personal Data that we are responsible for collecting, processing, sharing and storing, you shall be responsible for Communication or complying with all Data Subject Requests.
8.2 If either party receives a Communication relating to the Shared Personal Data Processed by (or on behalf of) the other party, it shall to the extent lawful under UK Law:
8.2.1 promptly (and in any event within two days of receipt) notify the Contact Point at the other party; and
8.2.2 consult with the other party in advance of giving any response, to the extent reasonably practicable.
8.3 Without prejudice to paragraph 8.1, if a party receives a Data Subject Request it believes relates to Processing of Shared Personal Data, it shall promptly (and in any event within two days of receipt) notify the other party’s Contact Point and provide them with full details (to the extent lawful under UK Law).
8.4 Each party shall use all reasonable endeavours to provide the other party with full and prompt co-operation and assistance in relation to any Data Subject Request or Communication made to enable the other party to comply with the relevant timescales set out in Data Protection Laws and to find an efficient, timely and amicable solution to any issues arising out of any Data Subject Request or Communication. Without prejudice to the generality of the foregoing, the other party shall respond to any request for co-operation or assistance under this paragraph 8.4 within five days.
9. Third party Processing
9.1 Each party undertakes not to disclose or transfer Received Personal Data in respect of which it is the Receiving Party to any third party other than to a Permitted Recipient where necessary for the Permitted Purpose. Each party transferring or disclosing Received Personal Data in respect of which it is the Receiving Party shall ensure it is transferred and disclosed subject to equivalent and legally binding obligations which are no less onerous than those applicable to the Receiving Party under this Schedule. This paragraph 9.1 is without prejudice to any disclosure or transfer required by UK Law.
9.2 In respect of any Processing of Received Personal Data performed by a Processor on behalf of a Receiving Party, that Receiving Party shall:
9.2.1 carry out adequate due diligence on such Processor to ensure that it is capable of providing the level of protection for the Received Personal Data as is required by these Terms and Conditions and Data Protection Laws; and
9.2.2 ensure that suitable written agreements are at all times in place with each Processor as required under all Data Protection Laws (including Articles 28 and 32 of the GDPR).
9.3 The relevant Receiving Party shall be liable to the Disclosing Party for all acts and omissions of each of its Permitted Recipients in connection with Received Personal Data. Each obligation in this Schedule on a party to do, or refrain from doing, anything shall include an obligation on that party to ensure all its Permitted Recipients do, or refrain from doing, such thing.
10. Personal Data Breaches
10.1 Each party shall promptly (and in any event within 24 hours) notify the Disclosing Party if it suspects or becomes aware of any actual or threatened occurrence of any Personal Data Breach in respect of any Received Personal Data which it (or any person acting on its behalf) Processes as Receiving Party. In such circumstances, the relevant Receiving Party shall promptly provide (to the extent permitted by UK Law):
10.1.1 sufficient information as the Disclosing Party (or its advisors) reasonably require to meet any obligations to report a Personal Data Breach under Data Protection Laws (in a timescale which facilitates such compliance);
10.1.2 the Data Protection Supervisory Authorities investigating the Personal Data Breach with complete information as requested by those Data Protection Supervisory Authorities from time to time;
10.1.3 all reasonable assistance the Disclosing Party (or its advisors) requires, including:
11. Data protection impact assessments
11.1 The parties have completed a Data Protection Impact Assessment in respect of the planned sharing of the Shared Personal Data under these Terms and Conditions which identifies the:
11.1.1 subject matter of the Shared Personal Data;
11.1.2 type of Personal Data to be shared;
11.1.3 categories of Data Subjects;
11.1.4 the retention period to be applied to the Personal Data; and
11.1.5 the Permitted Lawful Basis.
and have agreed that this Schedule will assist with mitigating certain risks that have been identified.
11.2 Where a party considers that:
11.2.1 a Data Protection Impact Assessment is necessary for compliance with Data Protection Law; or
11.2.2 the risks identified by a previous Data Protection Impact Assessment may have changed in respect of the sharing or other Processing activities conducted under or in connection with these Terms and Conditions, the other party shall provide such reasonable assistance as that party may reasonably require.
11.3 The assistance referred to in paragraph 11.2 may include:
11.3.1 a systematic description of the envisaged Processing operations and Permitted Purpose of the Processing of the Shared Personal Data;
11.3.2 an assessment of the necessity and proportionality of the Processing operations;
11.3.3 an assessment of the risks to the rights and freedoms of Data Subjects;
11.3.4 the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of the Shared Personal Data; and
11.3.5 any prior consultation with the relevant Data Protection Supervisory Authority which may be necessary.
Each party shall maintain complete, accurate and up to date written records of all of its Processing of the Shared Personal Data and as necessary to demonstrate its compliance with this Schedule and all Data Protection Laws.
13.1 Each party shall (and shall ensure all its Permitted Recipients shall) promptly:
13.1.1 make available to the other party such information as is reasonably required to demonstrate that party’s compliance with its obligations under this Schedule; and
13.1.2 not more than once in any 12 month period, upon reasonable prior notice allow for, permit and contribute to audits, including inspections, by the other party (or another auditor mandated by the other party) during normal business hours to the extent necessary to verify the audited party’s compliance with its obligations under this Schedule.
13.2 Each party shall allow the other to exercise its rights at paragraph 13.1 in the period up to three years after the termination or expiry of these Terms and Conditions.
13.3 When conducting audits and inspections, the relevant party conducting the audit or inspection shall comply with the other party’s reasonable directions in order to minimise disruption to the other party’s business and to safeguard the confidentiality of the other party’s Confidential Information. The party subject to the audit or inspection may require any third parties conducting such audit or inspection to enter into direct confidentiality undertakings with it.
14.1 Subject to paragraph 14.2 and except as required by UK Law, each party shall retain the Received Personal Data in accordance with the retention periods identified for the specific element of the Shared Personal Data in accordance with paragraph 11.1 (DPIA) of this Schedule.
14.2 Except as required by UK Law, the parties shall, to the extent they are Receiving Party:
14.2.1 subject to paragraphs 14.2.2 to 14.2.3 (inclusive), Process all Received Personal Data for no longer than such Processing is necessary for the Permitted Purpose and compliant with this Schedule and all Data Protection Laws;
14.2.2 cease to Process all Received Personal Data on the earlier of termination or expiry of this Agreement; and
14.2.3 immediately, confidentially and securely destroy or dispose of all Received Personal Data (and all copies) in its possession or control that can no longer be Processed in accordance with this Schedule.