DATA SHARING AGREEMENT
This agreement is part of the IDP Connect Terms and Conditions (the “Agreement”) and should be read in line with those Terms and Conditions. This agreement governs the provision of sharing personal data between the Parties and explains the purposes and legal basis of the sharing arrangements.
- IDP Connect: IDP Connect Limited, a company Registered in England, Company Number: 02471319 whose registered office is at First Floor, Bedford House, Fulham Green, 69-79 Fulham High Street, London SW6 3JW and
- Advertiser: any educational institution, organisation, or company using IDP Connect services to expand their student reach via promoting learning opportunities and engaging with prospective students through IDP Connect platforms, monitoring student engagements by cross-matching enrolments, using IQ Services to get data and information on student preferences and trends or using other IDP Connect services.
Party means the Advertiser, IDP Connect and/or the Advertiser that has agreed to the IDP Connect Terms and Conditions, or, together The Parties.
- The parties have entered into agreement (IDP Connect T&C) for IDP Connect to assist the Advertiser with: 1) expanding their reach by promoting learning opportunities on IDP Connect owned or affiliated websites, 2) engage with prospective students by enabling enquiries, information requests and marketing subscriptions when part of the Services, 3) monitoring student engagements using an enrolment matching tool, 4) understanding data and trends in the educational sector, 5) any other services provided by IDP Connect as described in the Order (the Services).
Depending on the package the Advertiser has requested, the Services may cover the provision of platforms for:
- An online service for prospective students enabling them to find relevant courses, make informative choices, make enquiries, subscribe to marketing updates or book open days;
- A management tool to manage course inventory, editorial content, privacy related content and view and download a list of prospective students that have made an enquiry or subscribed to marketing updates;
- Enrolment matching tool for checking referrals from IDP Connect- against the Advertiser’s own data;
- Data and intelligence services to monitor trends in educational demand and student user behaviour
- In order to deliver the Service, IDP Connect is required to collect, process and share Personal Data from prospective students with the Advertiser. Some Personal data will be shared for billing purposes also.
- IDP Connect will develop secure applications and services based on privacy by design and privacy by default principles
- IDP Connect will use this information to 1) help prospective students find applicable courses, make an enquiry or subscribe to the Advertiser marketing updates 2) help the Advertiser run reports on student referrals received from IDP Connect in order to fulfil their contractual obligation to the Advertiser
- The Advertiser will use this information for a compatible purpose only and will ensure data is processed in line with applicable law. The Advertiser will not sell or share this data.
- The Parties agree that they both act as Data Controllers in relation to the Personal Data collected in the provision of the Service and will fulfil their Data Controllers’ responsibilities as required by the DP Law.
- In this Data Sharing Agreement, the following terms shall have the following meanings:
“Data Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means any natural or legal person, public authority, agency or other body which processes Personal Data on behalf of a Data Controller.
“Joint Controllers” means two or more controllers jointly determining the purposes and means of processing.
“Processing” means every operation, or set of operations, which is performed with regards to Personal Data, including, without limitation, the collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of Personal Data.
“Details of Processing” means those details set out in Annex 1.
“Website”– the IDP Connect website that the Advertiser advertises with.
“Management tool”– is an IDP Connect product that enables the Advertiser to access, add, amend course, advertising and privacy related content; view and download enrolment data.
“EMT” –Enrolment Matching Tool is an IDP Connect product that enables enrolment matching.
“DP Law” means (i) the Data Protection Act 2018, (ii) until the GDPR is no longer directly applicable in the UK, the GDPR and any national implementing measure or secondary legislation from time to time applicable, in the UK, then (iii) any successor legislation to the GDPR and/or the Data Protection Act 2018.
“GDPR” means the General Data Protection Regulation.
“Personal Data” means any information that can identify a person as defined in the DP Law.
“Prospective Students” – means any data subject using the online application service on IDP Connect platforms.
“Employee”– means any freelancer, director or officer, permanent, temporary, full time or part time data subject employed by IDP Connect or the Advertiser.
“Purpose” means the instructions under which the Parties can process personal data [details of the service].
“Agreement” means IDP Connect T&C and these terms.
“Services” means the services provided by the IDP Connect under the Agreement.
“Working Day” means a day other than a Saturday, Sunday or a public holiday in England when banks in London are closed for business.
- The Parties agree the Details of Processing and that both, IDP Connect and the Advertiser, are Data Controllers in their own right in respect of Personal Data processed in the provision of the Services and shall both be responsible for the storage, processing, transmission and protection of any Personal Data that it collects or otherwise acquires in connection with this agreement.
- Each Party shall be responsible for determining the purposes and means of such data Processing, and shall have the duties, responsibilities and liabilities of a Data Controller in respect of that Processing and shall be liable for any penalties or enforcement action imposed by a supervisory authority, in respect of its responsibilities as a Data Controller.
- Each Party shall provide and maintain relevant Privacy Notices and inform prospective students of this data sharing agreement.
- No Personal Data will be shared between the Parties which has not been identified to the data subjects by Privacy Notices or similar, unless the sharing is justified by DP Law, or required by other applicable law.
- Any data shared as part of the Services that was rendered anonymous shall remain as such and the Parties shall not try to re-identify it by matching anonymous data with publicly available information, or auxiliary data, in order to discover the individual to whom the data belongs.
- The Parties acknowledge that the Personal Data is confidential information and will be treated with the same degree of care and confidentiality as any of their own confidential information.
- Personal Data that is shared must be relevant and adequate, and not excessive for the purposes of the sharing between the Parties.
- Each Party shall ensure that it has a lawful basis for processing Personal Data and all processing shall be performed in line with the applicable DP Law.
- Each Party shall retain Personal Data for the periods specified in its own retention schedule but will consult with the other Party when retention periods are set in relation to the shared information, to avoid discrepancies which could be detrimental.
- If any request for fulfilment of data subject rights is received by any Party, that Party shall be responsible for responding to the external requests directly (unless the request ought properly to have been addressed to the other Party, in which case the Party receiving the request will promptly pass it to the other Party).
- For complaints relating to the use of Personal Data (whether from a data subject or a regulator) or, if applicable, a request made under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the Parties will co-operate to ensure that each of them can appropriately investigate and manage any such request or complaint relating to Personal Data in respect of which they are Data Controller. Each party that is the Data Controller in respect of the Personal Data shall respond to the individual or the regulator in respect of that request for access or complaint.
- In order to protect the confidentiality and integrity of the Personal Data, each Party shall implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to:
- ensuring IT equipment, including portable equipment is kept in lockable areas when unattended;
- not leaving portable equipment containing any Personal Data unattended;
- ensuring that staff use appropriate secure passwords for logging into systems or databases containing the Personal Data;
- ensuring that all IT equipment is protected by antivirus software, passwords and suitable encryption devices where appropriate;
- ensuring that any Personal Data is stored and transferred (including where stored or transferred on portable devices or removable media) securely, using appropriate technical and organisational measures to guard against unauthorised or unlawful access to or processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data;
- limiting access to relevant databases and systems including the management tool (accessed via https://my.idp-connect.com ) to those of its Employees,, agents and sub-contractors who need to have access to the Personal Data, and ensuring that measures are in place to prevent inappropriate access when individuals are no longer engaged by the Party;
- conducting regular (not less than annually) threat assessment, if applicable and making the results of these available to the other Party on request;
- ensuring all staff handling Personal Data or having access to the management tool have been made aware of their responsibilities with regards to handling of Personal Data;
- ensuring all Employees with access to the management tool applications are made aware of their responsibility with regards of information security and the application’s access control;
- on request, providing the other Party with a written description of any such technical and organisational measures prior to initial receipt of the Personal Data, and from time to time as required;
- on request by the other Party (in its capacity as Data Controller), provide a copy of all Personal Data relating in any way to the Services, in the format and on the media reasonably specified by the Party; and
- keeping a record of Processing activities in connection with the Services, and if applicable providing the other Party with a copy of the log on request.
- The Parties shall ensure that only those Employees, agents or contractors who need to have access to the Personal Data in receiving the Services do so and shall take reasonable steps to ensure the reliability of such individuals, and ensure that they are informed of, and understand the confidential nature of, the Personal Data, and the obligations set out in these clauses.
- The Parties shall not, in connection with the Services transfer, publish, disclose or divulge any Personal Data to any third party, including any agent or sub-contractor, without disclosing this information to each other and the data subject in the Privacy Notice first, and ensuring there are appropriate data processing and sharing controls in place.
- If any Party transfers Personal Data to a specific agent or sub-contractor (the “sub-processor”), the Party acknowledges that it will be responsible for the relationship with the sub-processor and will be primarily liable for the actions or omissions of the sub-processor. Any such sub-processor must enter into a written agreement with the Party that reflects the terms and obligations set out in this Data Sharing Agreement before any Personal Data is transferred. The sub-processor shall not be allowed to retain or use the Personal Data for any purposes other than the provision of a specific pre-agreed element of the overall Services.
- The Parties may not process or otherwise transfer Personal Data received in the provision of the Services outside (a) the UK (b) the European Economic Area (EEA) or (c) any country not deemed adequate by the European Commission pursuant to Article 45 of REGULATION (EU) 2016/679, without implementing appropriate controls to ensure the adequacy of protection of such Personal Data.
- Each Party will promptly notify the other Party as soon as reasonably practicable (and within 24 hours) if it becomes aware of any security breach, including any inappropriate use of or disclosure of Personal Data received in the provision of the Services. Where applicable, the Parties will cooperate with each other to investigate the cause of and mitigate the effects of any such security breach. The notification will be sent to the contact details asset out in Annex 2 and will include, as a minimum, the categories of data, the number of data subjects affected and the records concerned, as well as the likely consequences of the breach and any steps taken to address or mitigate the effects of the breach.
- Each Party will indemnify and keep indemnified the other Party against all losses, damages, fines, penalties, costs or expenses and other liabilities (including reasonable legal fees) incurred by, awarded against or agreed to be paid by the other Party arising from any breach of its obligations under this Data Sharing Agreement or any applicable DP Law.
- The Parties agree to any reasonable amendment to this Data Sharing Agreement to bring it into line with any amendment to or re-enactment of any DP Law , or to allow each of the Parties to comply with any requirement or recommendation of the Information Commissioner or any other data protection or supervisory authority in relation to the Processing of Personal Data.
- The provisions of this Data Sharing Agreement will survive the termination of any agreement relating to the Services.
Details of Processing
- Scope/nature/purpose: IDP Connect will process prospective students’ personal information to support online enquiries, open days bookings, marketing subscriptions and enrolment matching. The processing will involve passing Personal Data to and from the Advertiser.
- The Advertiser will use this data to assist prospective students with their enquiries or to send marketing content if the prospective student has given consent.
- IDP Connect will use personal data loaded into the EMT by the Advertiser to produce aggregate reports for the Advertiser and where relevant to charge fees to the Advertiser for number of students that IDP Connect has matched in the EMT.
- Duration: for the duration of this agreement.
- Types of Personal Data:
Student Name (first and last)
Telephone Number, if provided;
Full Postal Address, if provided;
Nationality of student;
Year of intake
- Categories of data subject:
Personal, but not special category, information for prospective students
In event of a data breach affecting Personal Data shared as part of the Services, please contact email@example.com without undue delay and in no longer than 24 hours.
For the right to be forgotten, please contact the above address within 5 days from receiving a request from a data subject whose Personal Data was shared as part of the Services.
Dated: May 2020