This Data Sharing Agreement (the “Agreement”) is made on the day on which THE OPPORTUNITY PARTNER engages to work with the UNIVERSITY OF WARWICK through the Warwick Volunteers online portal (the “Effective Date”)
BETWEEN:-
- THE UNIVERSITY OF WARWICK of University House, Kirby Corner Road, Coventry CV4 8UW (hereinafter called the “University”); and
- THE OPPORTUNITY PARTNER (hereinafter called the “Community Partner”);
(Each a “Party” and together the “Parties”)
1. DEFINITIONS
In this agreement the following definitions shall apply:
"Controller", "Processor", "Data Subject", “Personal Data” and “Sensitive Personal Data/Special Category Data”
shall have the meaning given to those terms in the applicable Data Protection Laws;
"Data Protection Laws"
means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) which relates to the protection of individuals with regard to the Processing of Personal Data to which a Party is subject, including the Data Protection Act 1998, the Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016, and all legislation enacted in the UK in respect of the protection of personal data as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) including any relevant replacement/subsequent European and/or UK legislation together with all codes of practice and other guidance on the foregoing issued by any relevant Data Protection Authority, all as amended from time to time;
"Data Processing Particulars"
means, in relation to any Processing under this Agreement:
- the subject matter and duration of the Processing;
- the nature and purpose of the Processing;
- the type of Personal Data being Processed; and
- the categories of Data Subjects;
as set out in Appendix 1
"Data Subject Request"
means an actual or purported request or notice or complaint from or on behalf of a Data Subject exercising his rights under the Data Protection Laws in relation to Personal Data including without limitation: the right of access by the Data Subject, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability and the right to object;
"Regulator"
means the UK Information Commissioner's Office, or any successor or replacement body from time to time; also means the relevant local governmental or other official regulator(s) responsible for enforcement of the Data Protection Legislation from time to time in relation to the University of Warwick;
"Regulator Correspondence"
means any correspondence or communication (whether written or verbal) from the Regulator in relation to the Processing of Personal Data;
"Losses"
means all losses, fines, penalties, liabilities, damages, costs, charges, claims, amounts paid in settlement and expenses (including legal fees (on a solicitor/client basis), disbursements, costs of investigation (including forensic investigation), litigation, settlement (including ex gratia payments), judgment, interest and penalties), other professional charges and expenses, disbursements, cost of breach notification including notifications to the data subject, cost of complaints handling (including providing data subjects with credit reference checks, setting up contact centres (e.g. call centres) and making ex gratia payments), all whether arising in contract, tort (including negligence), breach of statutory duty or otherwise;
“Permitted Recipients”
means the third parties to whom each Party is permitted to disclose the Personal Data, as set out in more detail in Appendix 1 (Data Processing Particulars);
"Personal Data"
means any personal data (as defined in the Data Protection Laws) Processed by either Party in connection with this Agreement, and for the purposes of this Agreement includes Sensitive Personal Data/Special Category Data (as such Personal Data is more particularly described in Appendix 1 (Data Processing Particulars));
"Personal Data Breach"
has the meaning set out in the Data Protection Laws and includes any actual or suspected, threatened or ‘near miss’ personal data breach in relation to the Personal Data and, for the avoidance of doubt, includes a breach of paragraph 1.2.2(e);
“Processing”
means any use of or processing applied to any Personal Data and includes “process” or “processing” as defined in applicable Data Protection Legislation. For the avoidance of doubt, this includes, without limitation, collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying Personal Data;
"Third Country"
means a country, territory or jurisdiction outside of the European Economic Area which the EU Commission has not deemed to provide adequate protection in accordance with Article 25(6) of the DP Directive and/or Article 45(1) of the GDPR (as applicable);
"Security Measures"
means the requirements regarding the security of Personal Data, as set out in the Data Protection Laws and the measures set out in Articles 28 and 32 of the GDPR;
"Services"
means the sharing of student Personal Data between the University and the Community Partner to undertake their volunteering programme.
1. DATA PROTECTION
1.1 Nature of the Processing
1.1.1 The Parties acknowledge that the factual arrangements between them dictate the role of each Party in respect of the Data Protection Laws. Notwithstanding the foregoing, each Party agrees that the nature of the Processing under this Agreement will be as follows:
(a) the Parties shall each Process the Personal Data;
(b) each Party shall act as a Controller in respect of the Processing of the Personal Data on its own behalf and in particular each shall be a Controller of the Personal Data acting individually and in common, as follows:
- The University shall be a Controller where it is Processing Personal Data in relation to its status as a public authority and higher education provider; and
- The Community Partner shall be a Controller where it is Processing Personal Data in order to fulfil its obligations in allowing the Students at the University to undertake and administer their Volunteers Programme.
Notwithstanding Paragraph 1.1.1(b), if either Party is deemed to be a joint Controller with the other in relation to the Personal Data, the Parties agree that they shall be jointly responsible for the compliance obligations imposed on a Controller by the Data Protection Laws, and the Parties shall cooperate to do all necessary things to enable performance of such compliance obligations.
1.1.2 Each of the Parties acknowledges and agrees that Appendix 1 (Data Processing Particulars) to this Agreement is an accurate description of the Data Processing Particulars.
1.2 Data Controller Obligations for each Party
1.2.1 Each Party shall in relation to the Processing of the Personal Data comply with its respective obligations under the Data Protection Laws.
1.2.2 Without limiting the generality of the obligation set out in Paragraph 1.2.1, in particular, each Party shall:
(a) where required to do so make due notification to the Regulator;
(b) ensure it is not subject to any prohibition or restriction which would:
(i) prevent or restrict it from disclosing or transferring the Personal Data to the other Party as required under this Agreement;
(ii) prevent or restrict it from granting the other Party access to the Personal Data as required under this Agreement; or
(iii) prevent or restrict either Party from Processing the Personal Data, as envisaged under this Agreement;
(c) ensure that all privacy notices have been provided (and/or, as applicable, consents obtained) and are sufficient in scope to enable each Party to Process the Personal Data as required in order to obtain the benefit of its rights and to fulfil its obligations under this Agreement in accordance with the Data Protection Laws. For the avoidance of doubt the University does not warrant to the Community Partner that any use of the Personal Data outside the scope of this Agreement shall be compliant with the Data Protection Laws;
(d) ensure that all Personal Data disclosed or transferred to, or accessed by, the other Party is accurate and up-to-date, as well as adequate, relevant and not excessive to enable either Party to Process the Personal Data as envisaged under this Agreement;
(e) ensure that appropriate technical and organisational security measures are in place sufficient to comply with at least the obligations imposed on the Controller by the Security Measures; and where requested provide to the University evidence of its compliance with such requirements promptly, and in any event immediately on request;
(f) notify the other Party immediately on receipt of any Data Subject Request or Regulator Correspondence which relates directly or indirectly to the Processing of Personal Data under, or in connection with, this Agreement and together with such notice, provide a copy of such Data Subject Request or Regulator Correspondence to the other Party and reasonable details of the circumstances giving rise to it. In addition to providing the notice referred to in this Paragraph 1.2.2(f), each Party shall provide the other Party with all co-operation and assistance required by the other Party in relation to any such Data Subject Request or Regulator Correspondence;
(g) provide a contact point for enquiries to Data Subjects and will make available, upon request, a summary of this Agreement to Data Subjects;
(h) notify the other Party immediately upon receipt of a Data Subject Request or Regulator Correspondence. Upon notification, the Parties shall determine who shall have sole conduct of the response to any such data subject request or ICO Correspondence, with the other Party providing reasonable co-operation and assistance;
(i) use reasonable endeavours to notify the other Party if it is obliged to make a disclosure of any of the Personal Data under any statutory requirement, such notification to be made in advance of such disclosure or immediately thereafter unless prohibited by law;
(j) notify the other Party in writing by following the procedure set out in Appendix 2 immediately upon becoming aware of any actual or suspected Personal Data Breach in relation to the Personal Data received from the other Party and shall, within such timescale to be agreed by the Parties:
(i) implement any measures necessary to restore the security of compromised Personal Data; and
(ii) support the other Party to make any required notifications to the Regulator and/or other relevant regulatory body and affected Data Subjects;
(k) not do anything which shall damage the reputation of the other Party or that Party's relationship with the Data Subjects;
(l) not transfer any Personal Data it is processing to a Third Country;
(m) hold the information contained in the Personal Data confidentially and under at least the conditions of confidence as such Party holds Personal Data Processed by it other than the Personal Data; and
(n) not disclose the Personal Data to a third party (including a sub-contractor) in any circumstances without the other Party's prior written consent, save in relation to:
i. disclosures to Permitted Recipients; and
ii. unless that Party is prohibited by law or regulation from notifying the other Party of that disclosure, in which case it shall do so as soon as practicable thereafter (where permitted by law or regulation);
(o) arrange for the prompt and safe return and/or secure permanent destruction of all Personal Data, together with all copies in its possession or control within 30 days and, where requested by the other Party, certify that such destruction has taken place.
2. INDEMNITY
2.1 The Community Partner shall indemnify the University on an after tax basis against any:
2.1.1 monetary penalties or fines; and
2.1.2 losses, damage, costs, charges, expenses and liabilities (including reasonable legal fees and disbursements);
in each case incurred or suffered by it or arising out of or in connection with any breach by the Community Partner of this Agreement.
Nothing shall exclude or limit a Party's liability under this Paragraph.
The terms of this Agreement shall commence on the Effective Date and shall remain in effect until terminated by either Party upon thirty (30) days' prior written notice; provided, however, that such termination shall not affect or excuse the performance of either Party under any provision of this Agreement and both Parties have fulfilled all of their obligations with respect to such obligations.
APPENDIX 1
DATA PROTECTION PARTICULARS
The subject matter and duration of processing
Warwick University students volunteering through Warwick Volunteers, duration is start of the Autumn term to end of School Summer term
The nature and purpose of the Processing
The purpose of Processing is to facilitate and administer the Warwick Volunteers programme at the University of Warwick. This involves exchanging data to track response rates to recruitment advertisements, volunteering activity levels of individual students, gather feedback, exchange data for marketing and impact purposes.
The type of Personal Data being Processed
Volunteer’s name, University of Warwick student ID number, name of the project they are volunteering for, number of hours logged for volunteering, personal stories or case studies about the volunteer’s activities.
The categories of Data Subjects
Students at the University of Warwick
APPENDIX 2
NOTIFICATION PROCEDURE TO THE CONTROLLER IN THE EVENT OF A DATA BREACH OR SECURITY INCIDENT
- The Community Partner must contact the Data Protection Officer at the University of Warwick at: Dpo@warwick.ac.uk
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- Where it is not possible to provide all the information at the same time, the information should be provided in phases as and when it becomes available, without undue further delay.