Data Sharing Agreement
We are TRP Recruitment Limited Company number 8196517 (throughout “we”, “us”, “our” and “ours”) of 30 City Road, London EC1Y 2AB including, for the purposes of this Agreement, our branch offices and our subsidiary companies (as defined by s.1159 Companies Act 2006) or our associated bodies corporate (as defined by s.256 Companies Act 2006).
You are; a Client This Agreement will be taken as accepted by agreement to the TRP Terms of Agreement either by signature or continuation of instructing TRP Recruitment
A. We are in the business of providing recruitment services and wish to enter into or have already entered into a commercial arrangement with you relating to services that you offer, in terms set out in the Contract
B. The provision of your services to us may require us to share information relating to individuals (referred to as ‘Data’) the types and categories of which are indicated in Schedule 1
C. This Agreement is intended to record the basis upon which we agree to share that Data in order to meet our respective obligations under the Data Protection Laws.
In consideration of the premises, it is agreed as follows.
1. You are appointed to act as Data Processor on our behalf in accordance with the terms of this Agreement, which shall commence on the date hereof and shall continue until such time as you cease to Process any Shared Data.
2. Our sharing of Data with you is limited solely to your purpose of your provision of services to us as set out in the Contract (TRP Terms of Business)
Capacity & instructions
3. We are a Data Controller in respect of all Data held by us and this Agreement applies to all Shared Data.
4. Where the Contract does not allow for the provision of your services to Data Subjects, to the extent that you come into possession of Data directly or indirectly, for example where you access Data merely as a consequence of the service you provide to us, you shall only process that Data strictly for the purpose, if any, of the provision of your services to us, and specifically you may not approach any Data Subject whether directly or indirectly for any other purpose.
5. Where the Contract allows for the provision of your services to Data Subjects
(a) to the extent that we share Data with you, you agree to limit your Processing of that Shared Data to those steps that are necessary for the purposes of first contacting the Data Subject and not further or otherwise, such steps to be undertaken in your capacity as Data Processor
(b) any step other than one taken under paragraph 5(a) may be permitted by the Contract, but shall not be taken by you as authorised under this Agreement which solely addresses your responsibility as Data Processor; specifically you are not authorised by us under this Agreement
(i) to Process the Shared Data for any purpose save as provided for in the Contract, or authorised herein
(ii) to include the Shared Data in any datasets created for profiling or other purposes
(iii) to approach a Data Subject whose Data we have shared with you to offer services other than those that may be referred to in the Contract.
6. Where a Data Subject referred to in paragraph 5 wishes to use your services in accordance with the purpose of the Contract, any step you take beyond the Processing described in paragraph 5 shall be undertaken in your capacity as a Data Controller, and we accept no responsibility or liability for any action taken by you in that regard which shall be your sole responsibility.
7. Subject as otherwise provided for in this Agreement, in respect of all Shared Data
(a) you may not share the Data with any third person, including any other business in which you have an interest or is a Related Business, unless we have agreed in writing in advance that you may disclose the Data to that person, and for the avoidance of doubt
(i) reference to a third person includes any person engaged or proposed to be engaged to undertake Processing of data to which this Agreement relates (“Sub-Processor”), in any circumstances, or any business interested in purchasing or sharing or taking control of your business
(ii) a request for our agreement must be in writing and disclose all relevant information including the purpose of the proposed sharing
(iii) we may withhold our agreement in this respect for any cause, whether reasonable or not
(iv) our agreement shall in all cases be conditional upon the requirement that the Sub-Processor shall be engaged on contract terms that include terms requiring adequate protection of the Shared Data consistent with the provisions and intention herein, and you agree to provide us with a copy of such terms upon our request
(b) you agree not to commercially exploit the Shared Data for marketing of, or promotion of, or similar purposes related to, your business or any Related Business
(c) subject to paragraph 7(d), you may Process the Shared Data for any regulatory purpose or other purpose for which you are required to Process that Data pursuant to this Agreement, or for the purpose of Court proceedings to which you are party and which are commenced before the Purposes have ceased
(d) upon our request you will cease Processing of Shared Data (whether of all or part of the Shared Data) and destroy and/or return the Shared Data as specified by us.
8. You agree to take appropriate technical and organisational measures to protect against the unauthorised or unlawful Processing of Data and against the accidental loss or destruction of, or damage to, Data and as part of your obligation in this regard
(a) you shall ensure that Personnel you use for Processing are either engaged on suitable written contract of employment or contract for services that requires compliance with appropriate instructions and restrictions that reflect the provisions herein
(b) you shall not directly or indirectly permit, without our prior written consent, the Shared Data to be transferred outside of the EEA, for example to a computer or electronic system located in a jurisdiction outside the EEA (whether directly or indirectly, as a backup, or otherwise), save where strictly required by UK law, and where required by UK law to notify us of that requirement unless UK law prohibits disclosure
(c) any request for prior written consent under paragraph (b) must include the Transfer Information and we reserve the right to refuse consent on any grounds, whether reasonable or not
(d) you warrant that you have measures in place, and undertake to maintain and update such measures in line with contemporary change, in order to meet the requirements of Articles 28 and 32 of the GDPR; for the avoidance of doubt such measures shall include, but are not limited to, those which
(i) protect the Shared Data against accidental or unlawful loss, destruction or damage, theft, use or unauthorised disclosure
(ii) ensure the ongoing confidentiality, integrity, availability and resilience of your Processing system
(iii) enable the restoration of the availability and access to Data in a timely manner in the event of a physical or technical incident
(iv) allow for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
9. To enable us to meet our obligations and to monitor compliance with this Agreement you agree
(a) to comply with the Data Protection Laws
(b) to co-operate with us and upon our request to provide us with full details, including copies of relevant documentation, of the measures referred to within paragraph 8
(c) to co-operate with us in regards to the exercise by a Data Subject of their rights under the Data Protection Laws
(d) immediately to inform us
(i) if asked by any person including our staff to do anything that would involve an infringement of the Data Protection Law or this Agreement
(ii) if you need to undertake Processing activity which may fall outside the context of this Agreement
(iii) of any change in your processes which may either necessitate a change in our instructions, a change in Processing activity, systems or security, or Shared Data to be transferred outside the EEA
(iv) with details of any complaint or allegation raised by any Data Subject in respect of your Processing of Shared Data
(v) of any action, omission or event, or failure to carry out any reasonable step, which may prejudice the security of Shared Data, whether or not it amounts to a breach of the Data Protection Laws of which you become aware, in each case with full details of the matter concerned
(e) we may authorise additional Processing following any matter raised pursuant to paragraph 9 by giving written authorisation
(f) to fully comply with and co-operate with us in relation to any complaint and any audits and inspections regarding your use and Processing of Shared Data, whether such audit or inspection is by the ICO, us or a third party appointed by us for the purpose.
10. The following shall apply to record keeping:
(a) to enable us to address a complaint or issue raised by the Data Subject or ICO relevant to this Agreement you agree to preserve records of your Processing on our behalf for the longer of 6 years after the Contract terminates (“the Default Expiry Date”) or such other reasonable period as we may specify in advance of the Default Expiry Date
(b) nothing in this clause shall require you to delete or erase records you may require for your own regulatory compliance purposes
(c) for the avoidance of doubt records of Processing retained under this paragraph may not include Shared Data.
11. You shall be liable for and shall indemnify us and keep us indemnified against all claims and direct, indirect and consequential losses, including, but not limited to, fines, penalties, legal costs and disbursements, arising from or incurred by reason of, or as a result of, or in connection with
(a) any wrongful Processing of any Shared Data by you, or any person on your behalf
(b) a breach by you of any provision under this Agreement.
12. We shall indemnify you and keep you indemnified against claims or direct losses, including, but not limited to, fines, penalties, legal costs and disbursements, arising from a breach by us of our obligations or warranties under this Agreement.
13. It is further agreed as follows:
(a) nothing in this Agreement, including the appointment of a Sub-Processor, shall relieve you of your own responsibilities and liabilities hereunder or under any part of the Data Protection Laws
(b) for the avoidance of doubt the provision by us to you of Shared Data is conditional upon your agreement herein and you agree that our willingness to provide you with Shared Data on this basis is adequate consideration for all purposes of this Agreement and its enforcement
(c) no failure or delay by a party hereto to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy, and no single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy
(d) you shall not acquire any rights in respect of the Shared Data which shall at all times remain our property (subject only to the rights of the relevant Data Subject)
(e) no variation of this Agreement shall be effective unless it is in writing and signed by both the parties hereto, signature in the case of us being by a director of ours
(f) in the event of a conflict between the terms of this Agreement and the terms of the Contract the terms of this Agreement shall prevail
(g) the laws of England and Wales govern this Agreement and the English Courts shall have sole jurisdiction.
14. Definitions that apply to this Agreement are as follows:
Agreement – means this agreement including any annexe or schedule hereto
Contract – The agreement or proposed agreement between you and us for the provision of services to us and references to Contract shall include any amendment to the Contract as agreed with us from time to time
Data – means any information defined as ‘personal data’ within Article 4(1) of the GDPR
Data Controller – means a ‘controller’ as defined in Article 4(7) of the GDPR
Data Processor – means a ‘processor’ as defined in Article 4(8) of the GDPR
Data Protection Laws – means GDPR and any data protection legislation applicable from time to time in the UK, or jurisdictions in which the services are provided
Data Subject – means any individual to whom Data relates, relevant to the provision of your services under the Contract
EEA – means the European Economic Area
GDPR – means EU Regulation 2016/679 (General Data Protection Regulation)
ICO – means Information Commissioners Office or any other regulatory body appointed for the purpose of monitoring or enforcing data protection in the UK
Personnel – means any individual within your organisation who is required by you to Process Shared Data
Processing – means any operation or set of operations which is performed on Data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and ‘Process’ shall have corresponding meaning
Purposes – means regulatory or contractual compliance purposes relevant to the use and retention of records of Processing and/or steps taken
Related Business - means
(a) a subsidiary company (as defined by s.1159 Companies Act 2006) or associated bodies corporate (as defined by s.256 Companies Act 2006) of yours, or
(b) a business (whether corporate or unincorporated)
(i) which is a member of, director of, or partner in, your company or business, or
(ii) of which you are a member, or director or partner, or
(iii) for which either you, or a representative of yours is authorised by you (whether expressly or impliedly), to undertake work
(iv) which has a director or shareholder in common with you
Sensitive Data – means special categories of Data as referred to in Article 9.1 of the GDPR
Shared Data- means Data we share with you, namely provided to you or, if applicable, to which you have
access via our systems or premises, or which you collect on our behalf.
Transfer Information – means the organisation to which it is proposed to send the Shared Data, the nature of the Data proposed to be sent including any limitations on the Data (whether it will comprise all the Data, or some part of it, and whether it will include Sensitive Data), the location of the proposed recipient, the function of the recipient, the purpose for which the Data is to be sent, and the protections in place to secure the Data including whether the jurisdiction is one in respect of which the EU has approved protections.
Categories of Data Subject
(a) Individuals to whom we provide or propose to provide a work finding service
(b) Individual internal staff of ours deployed as part of our services to (a)
(c) All internal staff
(d) Other individuals, e.g. business contacts working for third parties, necessary for our work finding services, or our administration
Types of Data
Personal contact details
Information relating to suitability
Where applicable sensitive personal information
Feedback and opinion related to an individual
Information relevant to referees
Business contact details
Tax and National Insurance information
Time worked records
Employment or engagement records