Last Updated: July 1, 2023
This Data Controller Agreement forms part of the agreement between the following Parties: Videu (Limited) and Customer, together and hereinafter referred to as ‘the Parties’. It covers Videu’s delivery of lead generation Services to Customer (as defined below).
The following Agreement between the Parties reflects the arrangements that they have agreed to put in place to facilitate the sharing of Personal Data relating to lead generation between the Parties acting as joint Data Controllers and explains the Agreed Purposes for which that Personal Data may be used.
1. Agreed terms
Interpretation
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions:
Data Protection Laws mean the governing data protection laws of the UK from time to time.
Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data. This data is not processed.
Shared Personal Data means the Personal Data to be shared and processed between the Parties. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject:
a) General Personal Data
Controller, data controller, processor, data processor, data subject as set out in the relevant Data Protection Laws in force at the time.
Data Discloser means the party transferring the Personal Data to the Data Receiver. Either party may be a Data Discloser.
Data Receiver means the party receiving the Personal Data from the Data Discloser. Either party may be a Data Receiver.
Permitted Recipients means the parties to this Agreement, the directors and employees of each party, and any third parties engaged to perform obligations in connection with this Agreement.
Process/Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Written notice means any notice given to a party under or in connection with this Agreement and shall be:
- Delivered by hand or by pre-paid first-class post or other next working day delivery service at its principal place of business.
Written notice shall be deemed received:
- If delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; and
- If sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second day after posting.
2. Agreed Purposes
2.1 The Parties consider the sharing of Personal Data is necessary to support the following agreed purposes of the Parties:
a) to enable Videu to deliver on its contractual obligations to Customer.
b) processing for the purpose of lead generation pursued by Customer.
3. Data Protection
3.1 Each party acknowledges that the Data Controller (as the Data Discloser) will, as necessary, disclose to the Data Controller (as the Data Recipient) Shared Personal Data collected by the Data Controller for the Agreed Purposes.
3.2 Each party shall comply with all the obligations imposed on a controller under the Data Protection Laws in the performance of its obligations under this Agreement and any other agreement between the parties which pertains to Shared Personal Data (“Relevant
Agreements”), and any material breach of the Data Protection Laws in respect of a Relevant Agreement by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this Agreement with immediate effect.
4. Data Protection Obligations
4.1 Each party shall:
a) be responsible for the creation and publication of their own privacy notices.
b) ensure that such privacy notices are clear and provide sufficient information to Data Subjects in order for them to understand what of their Personal Data is being shared between the Parties, the circumstances in which it will be shared, the purposes for the Data Sharing and either the identity with whom the data is shared or a description of the type of organisation that will receive the Personal Data, as well as how Data Subjects can make a Data Subject Access request;
c) ensure it has all necessary notices in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes.
d) give full information to any data subject whose Personal Data may be processed under this Agreement of the nature of such processing. This includes giving notice that, on the termination of this Agreement, Personal Data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors or assignees. Such information shall be contained within the Privacy Notice of each party.
e) process the Shared Personal Data only for the Agreed Purposes; not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients.
f) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous that those imposed by this Agreement.
g) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, personal data.
h) not transfer any Personal Data outside the EEA.
5. Mutual Assistance
5.1 Each party shall provide reasonable assistance to the other in complying with all applicable requirements of the Data Protection Laws insofar as they pertain to Relevant Agreements. In particular, each party shall:
a) consult with the other party about any notices given to data subjects in relation to the Shared Personal Data.
b) promptly inform the other party about the receipt of any data subject access requests.
c) provide the other party with reasonable assistance in complying with any data subject access request.
d) not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other party wherever possible.
e) assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities and regulators.
f) notify the other party without undue delay on becoming aware of any breach of the Data Protection Laws.
g) use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers.
h) maintain complete and accurate records and information to demonstrate its compliance with this agreement; and
i) provide the other party with contact details of at least one employee as point of contact and responsible officer for all issues arising out of the Data Protection Laws, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Laws.
6. Data Retention
6.1 The parties shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
6.2 The parties shall publish details of their respective retention schedules on their websites.
6.3 On termination of this Agreement for whatever reason Customer will return or destroy any shared data unless they are required to keep the data by legislation.
7. Indemnity
7.1 Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including any direct or indirect losses and all interest, penalties and reasonable legal costs (calculated on a full indemnity basis and all other reasonable professional costs and expenses), but not including consequential losses, loss of profit or loss of reputation) suffered or incurred by the indemnified party caused by the breach of Data Protection Laws in respect of a Relevant Agreement by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it and reasonable assistance in dealing with the claim.
8. Publication
8.1 This Agreement is published on the website of Videu to demonstrate an open and transparent approach to data sharing.
9. Variation and Review
9.1 No variation of this Agreement shall be effective unless it is in writing and signed by the Parties.
9.2 The effectiveness of the Agreement shall be reviewed alongside any contractual renewal between the Parties.
9.3 In the event of a data breach this Agreement shall be reviewed immediately to determine what, if any, amendments are required to ensure that no further breaches take place.
10. Entire Agreement
10.1 This Agreement constitutes the entire agreement between the Parties in relation to the sharing of Personal Data, and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
10.2 The Parties acknowledge that in entering into this Agreement they do not rely on and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
10.3 The Parties agree that they shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement.
10.4 Nothing in this Agreement shall limit or exclude any liability for fraud.
11. Governing Law and Jurisdiction
11.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
11.2 The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.
12. Counterparts
12.1 This Agreement may be executed in any number of counterparts, each of which when executed and delivered shall constitute a duplicate original, but all the counterparts shall
together constitute the one agreement. No counterpart shall be effective until each Party has executed and delivered at least one counterpart.
This agreement is entered into on the date stated on the Customer’s Service contract.