Visit Scotland | Alba

1. Data processing relationship

1.1    The Parties agree and acknowledge that:

1.1.1    the purpose of this Agreement is to set out a framework of data protection provisions that will apply to the Processing of Personal Data in connection with the Data Processing Activities undertaken pursuant to this Agreement;

1.1.2    in relation to the Data Processing Activities to which this Agreement applies, Party 2 is the Data Controller;

1.1.3    depending on the nature of the Data Processing Activities undertaken, VisitScotland will be Processing Personal Data as: (a) a Processor on behalf of Party 2 for the provision of the agreed services; or (b) an independent Controller for the provision of the agreed services;

1.1.4    the table in Schedule Part 1 of this Agreement, as amended from time to time, shall indicate: (i) VisitScotland's and Party 2's status as a Controller or Processor in relation to each of the Data Processing Activities; and (ii) which of the following sections of this Agreement apply with respect to the relevant Data Processing Activity as described below:

1.1.5    the table in Schedule Part 2 of this Agreement as amended from time to time shall include detail on the Data Processing Activities undertaken by the Parties.

Common provisions

2. Definitions and interpretation

2.1    In this Agreement the following words and expressions shall have the following meanings:

Term: Meaning

Adequacy Decision: a finding under Article 25(2) of the Data Protection Directive that a country or territory ensures an adequate level of protection within the meaning of Article 25 of the Data Protection Directive, while such finding remains in force pursuant to Article 45(9) of the GDPR, or (as applicable) a finding under Article 45(1) of the GDPR or the UK GDPR that a country, a territory or one or more specified sectors within that country, or the international organisation in question ensures an adequate level of protection within the meaning of Article 45 of the GDPR or (as applicable) the UK GDPR;

Adequacy Regulations: the regulations made by the Secretary of State under section 17A of the DPA 2018 and Article 45 UK GDPR in respect of jurisdictions that the Secretary of State has officially declared to have a level of data protection adequate to that of the UK;

Applicable Law: in any jurisdiction in which either Party Processes Personal Data pursuant to this Agreement, any and all applicable laws, regulations and industry standards or guidance (including any applicable British Standard) and any applicable and binding judgment of a relevant court of law;

Business Day: a day other than a Saturday, Sunday or public holiday in England;

Commencement Date: see row 1 of the Table in Schedule Part 2;

Data Processing Activity(-ies)/Operation(s): the Data Processing Operations specified in Schedule Part 2;

Data Protection Directive: Directive 95/46/EC on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data;

Data Protection Law: the UK GDPR, GDPR and any relevant law implementing GDPR, the Data Protection Act 2018, ePrivacy Law, articles 7 and 8 of the Charter of Fundamental Rights of the European Union, article 8 of the European Convention on Human Rights, and any other legislation in any applicable jurisdiction concerning the protection and/or Processing of Personal Data, direct marketing, the right to privacy, information security, and the obligation to provide data breach notifications, and including all subordinate legislation, regulations, guidance and codes of practice;

Data Subject Right Request: the exercise by a data subject of his or her rights under Data Protection Law;

EEA: the European Economic Area from time to time;

ePrivacy Law: Directive 2002/58/EC concerning the Processing of Personal Data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC and any relevant law implementing or superseding Directive 2002/58/EC, including the Privacy and Electronic Communication (EC Directive) Regulations 2003 and any superseding law;

GDPR: Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data;

Group: for a Party, all group undertakings of that Party ("group undertaking" having the meaning given to it under section 1161(5) of the Companies Act 2006) and any reference to a "Group Company" means any such group undertaking;

ICO: the United Kingdom's Information Commissioner's Office (or any equivalent successor body that may be appointed from time to time);

Non-adequate country: a country or territory which is outside the United Kingdom and the EEA/EU and in respect of which there has not been an Adequacy Decision or Adequacy Regulations;

Personnel: in relation to a Party, that Party's officers, employees, agents, subcontractors and other workers;

Portable Copy: a copy of Personal Data in such form as to enable the Controller to comply with its obligations under Article 20 of the UK GDPR;

Privacy Notice: has the meaning given in clause 19;

Shared Data: the VisitScotland Data and Party 2 Data, as set out in the Table in Schedule Part 2;

Sharing Purpose: the purpose for which Shared Data is Processed by the Parties, as set out in the Table in Schedule Part 2;

SPoC: has the meaning given in clause 3.1;

Term: the term of this Agreement, as determined in Schedule Part 2; and

UK GDPR: GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).

2.2    References to "articles" are to articles of the UK GDPR.

2.3    "Controller", "Processor", "Process", "Data Subject", "Personal Data" and "Personal Data Breach" shall have the meanings given in the UK GDPR and "Supervisory Authority" shall have the meaning given in the GDPR.

2.4    References to "clauses" and "schedules" are to the clauses and schedules of this Agreement, unless otherwise indicated.

2.5    The schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to "this Agreement" includes the schedules.

2.6    Headings are included for convenience and shall not affect the construction or interpretation of this Agreement.

2.7    Unless the context otherwise requires, words in the singular shall include the plural and in the plural include the singular.

2.8    Any obligation in this Agreement on a person not to do something includes an obligation not to agree or allow that thing to be done.

2.9    Any words following the terms "including", "include", "in particular", "for example" or any similar expression shall be construed as illustrative and shall not limit the generality of the related general words.

2.10    A reference to a statute or statutory provision or to Data Protection Law:

2.10.1    shall include all subordinate legislation made from time to time under the same; and

2.10.2    is a reference to the same as amended, extended, superseded or consolidated from time to time.

3. General obligations and provisions

3.1    Each Party shall appoint a single point of contact ("SPoC") who will work with the other Party's SPoC to resolve any issues arising from this Agreement and to actively improve its effectiveness. The SPoC for each Party is as set out in the Table in Schedule Part 2.

3.2    Each Party shall maintain such valid registrations and pay such fees as are required by the ICO or (as applicable) its national Supervisory Authority (if any) which, by the time that the Processing contemplated by this Agreement commences, covers that Processing, unless an exemption applies.

3.3    Each Party shall comply with its obligations under Data Protection Law in respect of all Personal Data Processed pursuant to this Agreement.

3.4    The Parties agree to review and (where necessary) revise the provisions of this Agreement to reflect any changes in Data Protection Law, updated guidance, codes of practice or similar issued by the Information Commissioner's Office, the European Data Protection Board or any other relevant Supervisory Authority. At the request of either Party to revise the provisions of this Agreement in accordance with this clause, the Parties shall set up a committee (involving appropriately experienced representatives of both Parties) to discuss and agree the changes that are required, with both Parties acting reasonably and in good faith.

3.5    Each Party warrants that it shall, where applicable, comply with its obligations to appoint and maintain in place throughout the Term a data protection officer as required by articles 37, 38 and 39, and it shall designate a representative in the United Kingdom where required by articles 3(2) and 27 of the UK GDPR and a representative in the EEA/EU where required by articles 3(2) and 27 of the GDPR.

3.6    Neither Party shall assign, subcontract or deal in any way with any of its rights or obligations under this Agreement, except as expressly permitted in this Agreement.

3.7    Failure to exercise, or any delay in exercising, any right or remedy provided under this Agreement or by law shall not constitute a waiver of or preclude or restrict the exercise of that or any other right or remedy, nor shall any single or partial exercise of any right or remedy preclude any further exercise of the same or the exercise of any other right or remedy.

3.8    Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between the Parties, constitute either Party the agent of the other Party, nor authorise either Party to make or enter into any commitments for or on behalf of the other Party.

3.9    If any clause or part of a clause of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant clause shall be deemed deleted. Any modification to or deletion of a clause under this clause shall not affect the validity and enforceability of the rest of this Agreement.

3.10    This Agreement contains all the terms agreed by the Parties and supersedes any and all prior agreements, understandings or arrangements between them, whether oral or in writing, in relation to its subject matter. Neither Party shall have any right or liability in respect of any statement, representation or promise made prior to the date of this Agreement. Each Party acknowledges and accepts that, in entering into this Agreement, it has not relied upon any statement, representation or promise except as set out in this Agreement. Nothing in this Agreement shall exclude or limit either Party's liability for fraudulent misrepresentation.

3.11    No variation of or amendment to this Agreement shall be effective unless made in writing and signed by authorised representatives of the Parties.

3.12    Nothing in this Agreement shall confer any right or benefit upon any person who is not a Party to it.

3.13    This Agreement may be executed in any number of counterparts each of which when executed and delivered shall constitute an original, and all the counterparts together shall constitute a single agreement.

3.14    This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with Scottish law.

3.15    The Parties irrevocably agree that the courts of Scotland shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

4. Confidentiality

4.1    "Confidential Information" means all confidential information (however recorded or preserved) disclosed by or on behalf of a party (the "Disclosing Party") to the other party (the "Recipient"), whether before or after the date of this Agreement in connection with this Agreement.

4.2    Each Party undertakes that it shall not during the Term and for a period of five years after termination of this Agreement, disclose to any person any Confidential Information concerning the business, operations, affairs, customers, clients or suppliers of the other Party or of any Group Company of the other Party, except as permitted by clause 4.3 or clause 5.

4.3    Each Party may disclose the other Party's Confidential Information:

4.3.1    to those of its employees, officers, representatives or advisers who need to know such information for the purposes of exercising the Party's rights or carrying out its obligations under or in connection with this Agreement. Each Party shall ensure that its employees, officers, representatives or advisers to whom it discloses the other Party's Confidential Information comply with this clause; and

4.3.2    as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.

4.4    Neither Party shall use the other Party's Confidential Information for any purpose other than to exercise its rights and perform its obligations under or in connection with this Agreement.

5. Information laws

5.1    The Parties acknowledge and agree that:

5.1.1    VisitScotland is subject to the requirements of certain access to information legislation, including the Freedom of Information (Scotland) Act 2002, the Access to Environmental Information (Scotland) Regulations 2004 and the Public Services Reform (Scotland) Act 2010 (the "Information Laws");

5.1.2    VisitScotland may be obliged under the Information Laws to disclose information relating to the other Party. VisitScotland will take reasonable steps, where appropriate, to give Party 2 advance notice of the proposed disclosure of any of Party 2's commercially sensitive or confidential information, or failing that, to draw the relevant disclosure to Party 2's attention as soon as reasonably practicable after any such disclosure;

5.1.3    VisitScotland is responsible for determining in its own absolute discretion whether any information requires to be disclosed in accordance with the provisions of the Information Laws, and that nothing in this Agreement will prevent VisitScotland from disclosing (and VisitScotland will not have any liability to Party 2 in connection with the disclosure of) any information pursuant to the Information Laws; and

5.1.4    if both Parties are subject to Information Laws, the Parties agree to co-operate, where appropriate or necessary, in handling and disposing of any requests made to either of the Parties in accordance with the Information Laws.

6. Notices

6.1    A notice given to a Party under or in connection with this Agreement shall be in writing and sent to that Party's SPoC at the address or email address notified in writing to the other Party for the purpose of that notice.

6.2    Any notice shall be deemed to have been received:

6.2.1    if delivered by hand, on signature of a delivery receipt or, if not signed for, at the time the notice is left at the correct address;

6.2.2    if sent by pre-paid first-class post, at 09:00 on the second Business Day after posting;

6.2.3    if sent by a signed-for next working day delivery service, at the time recorded by the delivery service; and

6.2.4    if sent by email, at 09:00 on the next Business Day after transmission, provided that the sender does not receive an error message or out-of-office message in response to such email.

6.3    This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Section A (Controller to Processor)

7. General

7.1    The Parties acknowledge and agree that Party 2 is the Controller and VisitScotland is the Processor in respect of all Personal Data Processed pursuant to this Agreement, as set out in Schedule Part 1.

7.2    Party 2 warrants and represents that:

7.2.1    all Personal Data which it transmits to VisitScotland is transmitted in accordance with Applicable Law; and

7.2.2    it has and shall maintain throughout the term of this Agreement all appropriate, lawful bases to use such Personal Data in accordance with this Agreement, including ensuring the provision of appropriate Privacy Notices to any relevant Data Subjects covering the Processing of such Personal Data by VisitScotland pursuant to this Agreement, unless otherwise agreed between the Parties.

7.3    Party 2 shall ensure that any such instructions comply with the Applicable Law. VisitScotland shall notify Party 2 if, in VisitScotland's opinion, any instruction given by or on behalf of Party 2 breaches Data Protection Law and may refuse to comply with any such instruction.

7.4    Notwithstanding any provision to the contrary within this Agreement, VisitScotland may take any steps that VisitScotland (acting reasonably and in good faith) determines are necessary in order for it to comply with Data Protection Law. This shall include without limitation VisitScotland having the right to notify the ICO and any relevant Supervisory Authority of any circumstance that has arisen in relation to the Processing of Personal Data under this Agreement to the extent that VisitScotland (acting reasonably and in good faith) believes that this is necessary in order to comply with Data Protection Law.

7.5    VisitScotland shall, and shall procure that its Personnel, Process Personal Data only for the purpose of performing the Data Processing Services during the Term of this Agreement on written instructions that Party 2 may give to VisitScotland from time to time concerning such Processing, which instructions may include without limitation:

7.5.1    the instructions relating to Personal Data Processing set out in this Agreement; and

7.5.2    the provision of explanatory information on Party 2's business, processes, systems and/or controls.

8. Security

8.1    VisitScotland shall maintain appropriate technical and organisational security measures in accordance with Article 32 of the UK GDPR including:

8.1.1    measures which ensure the confidentiality, integrity, availability and resilience of the systems Processing that Personal Data;

8.1.2    measures which enable VisitScotland to restore the availability of and access to the Personal Data in a timely manner in the event of an incident which affects such availability and/or access; and

8.1.3    a process for regularly testing, assessing and evaluating the effectiveness of such technical and organisational measures for ensuring the security of the Processing.

8.2    VisitScotland shall ensure that the measures to be taken pursuant to this clause are appropriate having regard to:

8.2.1    the nature of the Personal Data and the scope, context and purposes of the Processing and the likelihood and severity of the risks to Data Subjects that are presented by the Processing of such Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed; and

8.2.2    the state of technological development and the cost of implementing such measures.

9. Record-Keeping & Audits

9.1    VisitScotland shall:

9.1.1    maintain a record of its Processing activities which relate to this Agreement as required by Article 30(2) of the UK GDPR and make such record available upon request to Party 2 and the ICO; and

9.1.2    at any time upon request, and in any event upon termination or expiry of this Agreement, (unless Party 2 agrees otherwise in writing in each case) deliver up all Personal Data Processed pursuant to this Agreement.

9.2    Following such delivery up and in the event of termination or expiry of this Agreement, VisitScotland shall promptly and securely delete or destroy all such Personal Data except for any Personal Data:

9.2.1    which is necessary to enable VisitScotland to comply with any continuing obligations that VisitScotland may have following termination or expiry of this Agreement; or

9.2.2    which Data Protection Law requires to be stored.

9.3    Each Party shall provide the other with such information as such other Party reasonably requests from time to time to enable such other Party to satisfy itself that the Party providing the information is complying with its obligations under this Agreement.

9.4    Each Party may, at its own expense, inspect the other Party's compliance with this clause. Due to the confidential and proprietary nature of VisitScotland's operations, and to protect the integrity and security of its operations and the nature of systems which may be used to provide the services under this Agreement, VisitScotland reserves the right to reasonably limit the scope of such audits or inspections, and to require that such inspections:

9.4.1    must be preceded by advance written request of no less than 30 Working Days prior to the anticipated start date and may occur no more than once in any twelve (12) month period, barring exceptional circumstances, such as Party 2's reasonable concern of an actual incident or imminent material incident of security, in which case an inspection may be performed in response to such circumstance or concern;

9.4.2    must take place at a time mutually agreed by the Parties;

9.4.3    if to be conducted by a third party, the third party must be:

9.4.3.1    approved in writing by the Parties (such approval not to be unreasonably withheld or delayed);

9.4.3.2    subject to appropriate confidentiality and non-disclosure provisions; and

9.4.4    must not unreasonably disrupt VisitScotland's normal business or IT operations.

10. Data transfers

10.1    VisitScotland may cause or allow Personal Data to be transferred to and/or otherwise Processed in a Non-adequate Country, provided that such transfer or Processing complies with Data Protection Law.

10.2    Party 2 acknowledges and agrees that VisitScotland shall be entitled to use sub-processors to Process Personal Data on VisitScotland's behalf. If VisitScotland wishes to appoint additional or replacement sub-processors during the term of this Agreement, it shall inform Party 2 of such proposed appointment in advance and give Party 2 the opportunity to object to the appointment. VisitScotland shall take into account any objections communicated to VisitScotland by Party 2 when deciding whether to make the appointment, but VisitScotland shall not be bound by such objections.

10.3    VisitScotland shall procure that any sub-processors who have access to Personal Data in connection with this Agreement shall be subject to binding contractual obligations which are substantially similar to the terms of this Agreement and VisitScotland shall be liable for all acts and omissions of such sub-processors in relation to the Processing of such Personal Data.

11. Data Subject Rights

11.1    VisitScotland shall, to the extent reasonably practicable, provide Party 2, at Party 2's expense, with such assistance as Party 2 reasonably requests in order to comply with its obligations and fulfil Data Subjects' rights under Data Protection Law, including:

11.1.1    responding to requests or queries from Data Subjects in respect of their Personal Data (including without limitation the provision of Portable Copies);

11.1.2    cooperating with a legal action in connection with the Personal Data or an investigation in connection with the Personal Data by a regulatory body; or

11.1.3    restoring access to and/or otherwise safeguarding the Personal Data, within any reasonable timescales agreed with Party 2.

12. Personal Data Breach Notification

12.1    VisitScotland shall notify Party 2 without undue delay if VisitScotland becomes aware of a Personal Data Breach.

13. Costs

13.1    Party 2 shall reimburse VisitScotland for all reasonable costs that VisitScotland incurs in complying with clauses 9 and 14.

14. Miscellaneous

14.1    VisitScotland shall, at Party 2's expense, provide reasonable assistance, as requested by Party 2 from time to time, in undertaking any data protection impact assessments and/or consultation with the ICO and/or a relevant Supervisory Authority that Party 2 may reasonably undertake pursuant to Article 35 and/or 36 (as applicable) of the UK GDPR.

14.2    VisitScotland shall ensure that its personnel, to the extent that they are involved in the Processing of Personal Data in connection with this Agreement, shall be subject to appropriate binding obligations to protect the confidentiality of such Personal Data.

14.3    VisitScotland's obligations under this Agreement exclude any Personal Data relating to its personnel engaged in the performance of VisitScotland's obligations under this Agreement generated by VisitScotland solely for the purposes of its internal human resources procedures and records.

Section B (Controller to Controller)

15. General obligations

15.1    The Parties acknowledge and agree that for the purposes of this Agreement VisitScotland and Party 2 are both independent Controllers of the Shared Data, as set out in Schedule Part 1.

15.2    This Agreement shall come into force on the Commencement Date and shall terminate once all Processing Activities have been completed and all Personal Data returned or destroyed in accordance with the provisions of this Agreement, provided that VisitScotland may continue to use the VisitScotland Personal Data for its own purposes and Party 2 may continue to use the Party 2 Data for its own purposes so long as each use complies with Data Protection Law.

15.3    If required, each Party shall maintain a record of its Processing Activities in connection with this Agreement as set out in article 30 UK GDPR. Each Party shall on request provide a copy of the record to the other Party within a reasonable period of time after receiving the request.

16. Purpose and review of the data sharing initiative

16.1    The Parties consider the data sharing initiative necessary and beneficial, as detailed in Schedule Part 2.

16.2    The Parties shall review the effectiveness of the data sharing initiative described in this Agreement where necessary, having consideration to the aims and purposes set out in this Agreement. The Parties shall continue, amend or terminate this Agreement depending on the outcome of this review.

16.3    The review of the effectiveness of the data sharing initiative will involve:

16.3.1    assessing whether the Personal Data being shared is still as specified in the Table of Schedule Part 2;

16.3.2    assessing whether the purposes for which the Shared Data is being Processed are still the Agreed Purposes;

16.3.3    assessing whether the legal framework governing data quality, retention, and Data Subjects' Rights is being complied with; and

16.3.4    assessing whether any Personal Data Breaches involving the Shared Data have been handled in accordance with this Agreement and Data Protection Law, and that any appropriate remediation has taken place.

16.4    Each Party shall, during the Term and for five (5) years following the termination or expiry of this Agreement, allow the other Party, its agents, representatives and external auditors access (on reasonable notice and during normal business hours) to its premises and/or any other location where Shared Data is Processed under this Agreement, to allow the other Party to audit that Party's compliance with this Agreement.

16.5    If an audit reveals that either Party is in material breach of this Agreement, it shall pay the other Party's reasonable costs incurred in connection with the audit.

17. Shared Data

17.1    Each Party agrees to comply with the obligations set out in this Agreement in respect of the Shared Data.

18. Lawful Basis

18.1    Both Parties are responsible for ensuring that there is a valid lawful basis for Processing the Shared Data for the Sharing Purpose.

19. Privacy Notice

19.1    VisitScotland and Party 2 shall each provide a privacy notice to each Data Subject as required by Data Protection Law.

19.2    If the Parties fail to agree the wording of the Privacy Notice in accordance with the above clause, VisitScotland may solely determine the wording of the Privacy Notice.

19.3    Unless otherwise agreed between the Parties, the Party who initially obtains the Shared Data from a Data Subject shall be responsible for:

19.3.1    the provision of the Privacy Notice to the Data Subject;

19.3.2    obtaining any consents that may be required from the Data Subject;

19.3.3    ensuring that (where applicable) Data Subjects are able to withdraw their consent or object to Processing of their Personal Data at any time (in each case to the extent necessary to comply with Data Protection Law); and

19.3.4    where a Data Subject withdraws their consent or objects to Processing of their Personal Data, informing the other Party promptly.

20. Processing Shared Data

20.1    Each Party shall only Process the Shared Data for the Sharing Purpose (or as otherwise agreed between the Parties in writing from time to time) and always in accordance with their respective obligations under this Agreement and in compliance with Data Protection Law. Nothing in this Agreement shall prevent:

20.1.1    VisitScotland using VisitScotland Data; or

20.1.2    Party 2 using Party 2 Data, for that Party's own purposes so long as it remains compliant with Data Protection Law.

21. Use of Processors to Process Shared Data

21.1    Neither Party shall engage a Processor to Process Shared Data unless that Party first enters into a written contract with that Processor as required by article 28 UK GDPR (or has the benefit of such a contract through a service arrangement). The Party appointing the Processor shall be liable for all acts and omissions of such Processor in relation to the Processing of any Shared Data. The Party appointing the Processor shall on request by the other Party provide a copy of the relevant contract to that other Party.

22. Security: Technical and Organisational Measures

22.1    Each Party shall only provide the Shared Data to the other Party by using secure methods as agreed and set out in Schedule Part 2.

22.2    Each Party shall:

22.2.1    implement and maintain throughout the Term technical and organisational measures to ensure that the Shared Data is Processed in accordance with Data Protection Law, taking into account the state of technical development, the costs of implementation and the nature, scope, context and purpose of the Processing so as to ensure a level of security appropriate to the risk presented by Processing the Shared Data, in particular against accidental or unlawful destruction, loss, alteration and unauthorised disclosure or access, so as to ensure and be able to demonstrate such Processing complies with Data Protection Law, including article 25 UK GDPR (Data protection by design and by default);

22.2.2    review and update these measures where appropriate;

22.2.3    if proportionate to the Processing of the Shared Data for the Sharing Purpose, implement appropriate data protection controls which put into effect the operational and legal requirements of this Agreement; and

22.2.4    perform and document a data protection impact assessment and take appropriate and proportionate measures to mitigate any risks identified.

23. Training

23.1    Each Party shall ensure that its staff members are appropriately trained to Process the Shared Data in accordance with this Agreement and Data Protection Law. The level, content and regularity of training shall be proportionate to each staff member's role, responsibility and frequency with respect to their Processing of the Shared Data.

24. International Transfers of Shared Data

24.1    Either Party may transfer or authorise the transfer of Shared Data to a third country or an international organisation, provided that it ensures that such transfer complies with Data Protection Law and it has been notified to data subjects appropriately in relevant privacy notices.

25. Data Protection Impact Assessments and Prior Consultation

25.1    Where either Party proposes Processing any Shared Data, in particular Processing Shared Data using new technology, in a manner which, taking into account the nature, scope, context and purposes of the Processing, is likely to result in a high risk to the rights and freedoms of the relevant Data Subjects, the Parties shall, prior to commencing the Processing, conduct a data protection impact assessment in accordance with article 35 to assess the impact of the proposed Processing on the protection of the Shared Data.

25.2    If a data protection impact assessment conducted pursuant to clause 25.1 indicates that the Processing would result in a high risk to the rights and freedoms of the relevant Data Subjects, the Parties shall:

25.2.1    identify and implement appropriate measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of the Shared Data and demonstrate compliance with Data Protection Law, taking into account the rights and legitimate interests of the Data Subjects and other persons concerned; and

25.2.2    if the data protection impact assessment indicates that the Processing would result in a high risk to the rights and freedoms of Data Subjects which cannot be addressed by measures identified and implemented pursuant to clause 25.2.1, consult the ICO or relevant Supervisory Authority in accordance with article 36 UK GDPR.

26. Retention and Deletion of Shared Data

26.1    Each Party shall only retain the Shared Data provided by the other Party in accordance with Data Protection Law and in accordance with the applicable retention period set out in the table in Schedule Part 2. When Data Protection Law requires either Party to delete any Shared Data, that Party shall promptly securely delete or destroy such Shared Data in accordance with the table in Schedule Part 2.

27. Shared Data - Data Subject Rights and Personal Data Breaches

27.1    Each Party shall perform its obligations under Data Protection Law in respect of any request or query from a Data Subject in respect of Shared Data which is his/her Personal Data, including any:

27.1.1    right of access, to rectification, erasure (the right to be forgotten), restriction of Processing, data portability, to object or in respect of automated decision-making; and

27.1.2    notification obligation regarding rectification or erasure of Personal Data or restriction of Processing.

27.2    Each Party acknowledges that, regardless of this Agreement, a Data Subject may exercise his/her rights in respect of the Shared Data against either Party.

27.3    Each Party agrees to inform the other Party about any data subject right that relates to or has an impact on the other Party without delay.

27.4    The Parties shall co-operate in good faith to reply to data subject rights where needed and in accordance with Data Protection Law.

27.5    If either Party experiences a Personal Data Breach which affects Shared Data, it shall as soon as reasonably possible:

27.5.1    notify the other Party's SPoC of the Personal Data Breach, and in any event within 2 Working Days of becoming aware of the Personal Data Breach, providing all details necessary for that other Party to determine whether it can securely and lawfully continue to share the Shared Data with the Party affected by the Personal Data Breach; and

27.5.2    take reasonable steps to mitigate the risks of the Personal Data Breach and prevent any similar Personal Data Breach occurring in the future.

27.6    Each Party shall comply with its obligations under Data Protection Law in respect of any Personal Data Breach, including notifying the Personal Data Breach to the ICO and/or the relevant Supervisory Authority and communicating the Personal Data Breach to the relevant Data Subject(s).

27.7    Each Party agrees to provide reasonable assistance to the other Party to facilitate the handling of any Personal Data Breach promptly and in compliance with Data Protection Law.

27.8    In the event of a Personal Data Breach affecting the Shared Data, each Party shall not disclose any information about or in connection with the Personal Data Breach, other than:

27.8.1    to the other Party;

27.8.2    with the other Party's express prior written approval; or

27.8.3    as required to be disclosed by Applicable Law or by a regulatory authority (including the ICO, a Supervisory Authority and any relevant securities exchange), or by court order, but only to the extent that and for the purpose for which such disclosure is required and provided that the Party making the disclosure shall provide the other Party with as much notice of any such disclosure as is lawful and reasonable in the circumstances (if any), specifying details of the circumstances and content of the required disclosure. The Party making the disclosure shall upon request and at the other Party's reasonable cost (and if it is lawful to do so) use reasonable endeavours to assist the other Party in resisting or limiting the required disclosure.

28. Shared Data: Complaints

28.1    Each Party is responsible for handling any queries or complaints from Data Subjects which relate to any potential infringement of Data Protection Law for which that Party is responsible under this Agreement.

28.2    If either Party receives a complaint that should be handled by the other Party (in whole or in part) it shall:

28.2.1    forward that complaint (or the relevant part) to the other Party; and

28.2.2    inform the Data Subject of the essence of this Agreement, as soon as reasonably possible.

29. Shared Data: direct marketing

29.1    If the Sharing Purpose includes Processing the Shared Data for direct marketing, each Party shall ensure that:

29.1.1    the appropriate level of consent has been obtained from the relevant Data Subjects to allow the Shared Data to be used for direct marketing in compliance with Data Protection Law, and that each Party can evidence this to the other Party; and

29.1.2    effective procedures are in place to allow the Data Subject to "opt-out" from having their Shared Data used for direct marketing, and that any such "opt-outs" are communicated by each Party to the other Party where applicable.

30. Liability

30.1    Subject to clause 30.2:

30.1.1    each Party excludes all liability for breach of any conditions implied by law (including any conditions of accuracy, security, completeness, satisfactory quality, fitness for purpose, freedom from viruses, worms, trojans or other hostile computer programs, non-infringement of proprietary rights and the use of reasonable care and skill) which but for this Agreement might have effect in relation to the Information;

30.1.2    neither Party shall in any circumstances be liable to the other Party for any actions, claims, demands, liabilities, damages, losses, costs, charges and expenses that the other Party may suffer or incur in connection with, or arising (directly or indirectly) from, any use of or reliance on the Information; and

30.1.3    use of the Information by both Parties is entirely at their own risk and each Party shall make its own decisions based on the Information, notwithstanding that this Clause shall not prevent one Party from offering clarification and guidance to the other Party as to appropriate interpretation of the Information.

30.2    Nothing in this Agreement shall limit or exclude either Party's liability for:

30.2.1    death or personal injury resulting from negligence;

30.2.2    fraud or fraudulent misrepresentation;

30.2.3    any loss or damage caused by a deliberate breach of this Agreement; or

30.2.4    any other liability the exclusion or limitation of which is not permitted under Applicable Law.
