Principles of & Agreement for the Sharing of Data
The Parties
This Agreement is made between:
I Want That Ltd t/a TPS Services and TPS Checker, Unit A, 5 Colville Road, Acton, London, W3 8BL (the “Company”); and
The entity stated in the Order Form that has ordered a Service from the Company (the “Customer”)
Background
Under the General Data Protection Regulation (EU) 2016/679 (GDPR) it is imperative that businesses be clearer about the precise purpose and use of a Data Subjects information as it is transferred from one Data Controller to another Data Controller. This means that the specific nature of what Data can or cannot be used and what that Data can or cannot be used for must be outlined in order to prevent misuse and in order to inform the Data Subject in advance what their Data will be used for, by whom and by what methods they will be contacted at the point they provide their Data.
The Customer wishes to share Data with the Company of records requiring to be screened against one or more combinations of the following:
- The Telephone Preference Service (TPS)
- The Corporate Telephone Preference Service (CTPS)
- The Fax Preference Service (FPS)
- A service to check the validity of a given mobile number; or (HLR)
- A service to check the validity of a given landline number (LLV)
The Company will ensure at all times that Data is only shared where necessary and where Data previously shared no longer becomes relevant i.e. the process for which it was shared is completed, then the Company will ensure that it expunges within 60 days any information relating to the Data Subject provided by the Customer (directly or indirectly) from their systems.
Introduction
The Customer may require to screen Data records against the TPS, CTPS and / or FPS registers or alternatively screen a given set of mobile or landline telephone numbers against our connectivity checking services.
As part of the screening process, the Customer may need to share information it holds of Data Subjects with the Company. The Company may in turn, need to share some or all of that information with it Service Providers.
Both parties consider that any Data shared is done so on a Data Controller-to-Data Controller basis.
This document is designed to regulate the sharing of this information, and to ensure that it is utilised in accordance with the Governing Principle. This states that Data is shared ONLY for the purpose of the provision of the Services and no other purpose without the prior consent of the Customer.
Clause headings are included for convenience only and shall not affect the interpretation of this Agreement.
In this Agreement use of the singular includes the plural and vice versa.
Any reference to times of the day shall be to United Kingdom time.
Any obligation in this Agreement on a person not to do something includes an obligation not to agree, allow, permit or acquiesce to that thing being done.
A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
Definitions
API – a set of functions and procedures that allow the creation and integration of applications which access the features or Data of our Services.
Confidential Information – any and all information provided to the Company under this Agreement including, but not limited to, any information relating to Data Subjects that may be shared for the purposes of providing the Services.
Data – Information relating to an individual or business that may include names, addresses, contact information, financial and other information relating to the Data Subjects.
Data Subjects - means the individuals identified by the Data.
The Data Controller means a person who (either alone or jointly with others) determines the purposes and the manner in which any personal Data are or are to be processed, as defined by Article 4(7) of the GDPR.
Commencement Date – the date of this Agreement.
Services – the provision of a service to check:
i) whether any given telephone number is matched against the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) registers.
ii) whether any given fax number is matched against the Fax Preference Service (FPS) register
iii) the connectivity status of any given mobile or landline telephone number.
Service Provider – an organisation, business or individual who provides any part of the Services to the Company.
Term – this Agreement shall enter into force between the parties as of the Effective Date and shall continue for a period of one (1) Year unless terminated earlier by one of the parties as provided herein.
Web Interface – A user interface that is implemented in the form of a Web page and can be navigated using a standard Web browser and is located at www.tpschecker.co.uk and www.tpsservices.co.uk.
Application of Principles
It is the intention of both parties that all entities which utilise and / or share the Data undertake to abide by the Principles. Contracts between the Company, the entities with which it shares the Data and in turn the entities with whom they share the Data must reflect this requirement for compliance. In addition, it is expected that Data will only be shared with other companies in accordance with the Principles.
Each entity with whom Data is shared has the responsibility of ensuring their internal compliance with the Principles, and should implement appropriate security and self-audit processes. Within each organisation, it is expected that the following departments, as a minimum, will have a working knowledge of the Principles: -
- Marketing
- Management
- Operations
- Accounts
- Legal & Compliance
- Audit
1. The Principles
1.1 Governing Principle
Data is shared only for the purpose, intention and provision of the Services and will not be used, sold, exchanged or in any way provided to any third party for any other purpose without the prior written consent of the Customer.
1.2 General Principles of Sharing Data
Data provided for sharing purposes must meet all legal and regulatory requirements before provision and in use. The Company must use the Data only for purposes for which the required form of permission has been given i.e. the performance of the Services.
Data may be used or made available by the parties only in ways permitted by these Principles.
Processed Lawfully – Data must be processed lawfully, fairly and in a transparent manner in relation to individuals;
Purpose Limitation (Minimal Processing) – Data collected must only be used for the specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Data Minimisation – Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
Data Accuracy – Data will be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal Data that is inaccurate, having regard to the purposes for which it is being processed, is erased or rectified without delay;
Storage Limitation – Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal Data is processed;
Integrity and Confidentiality - Data shall be processed in a manner that ensures appropriate security of the personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
1.3 Adherence to the Principles
The Company has the responsibility for regular monitoring to ensure compliance with the Principles, and the quality, completeness and accuracy of the Services. Active steps must be taken to address any shortcomings.
2. Principles of Sharing - Definitions
2.1 Why Data may be shared
The Customer may share Data with the Company for the purposes of screening it against one or more preference service register or to ascertain the connectivity status of any given telephone number.
2.2 Access to shared Data
The Company will ensure that only relevant staff within the Company have access to the Data.
2.3 How will Data be shared
Data can be shared either via the Web Interface or API using SSL (Secure Sockets Layer) which is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all Data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.
2.4 When the Company may share your Data
The Company cannot use the Data for any other purpose other than for the provision of the Services. Data may only be shared with the Customer’s permission and in line with this Agreement.
The Company may share some of the Data with its Service Providers where a particular aspect of the Services is outsourced.
The following Services may be outsourced:
Mobile Number Validation – Where Data is shared by the Customer with the Company for the purposes of screening for mobile number connectivity the Company will share the minimum amount of Data necessary to affect the provision of the Services which in the case of Mobile Number Validation will be a mobile telephone number.
Landline Number Validation – Where Data is shared by the Customer with the Company for the purposes of screening for landline number connectivity the Company will share the minimum amount of Data necessary to affect the provision of the Services which in the case of Landline Number Validation will be a landline telephone number.
2.5 How Data may be shared
The Company shall implement appropriate technical and organisational measures to protect the Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, use or disclosure, and shall ensure that any agreement to share the Data with any Service Providers shall occur only if the Service Provider agrees to be bound by obligations which are no less restrictive than those in this Agreement.
2.6 Removal of shared Data
The Customer may request of the Company at any time to expunge any Data it holds that may have been shared with it by the Customer provided at all times that such a request does not override the Company’s own legitimate interests and provided that the Customer accepts that such a request may render the Company unable to offer any information regarding the Services it has performed that relate to the Data.
3. Right of access
It is recognised that Data Subjects have rights under Data Protection Laws. If at any time a Data Subject shall seek to engage any of these rights that also requires action by the Company then the Company shall inform the Customer. The Company shall respect the rights of the Data Subject and take the appropriate action.
4. Termination
4.1 The Term
This Agreement shall commence on the Commencement Date and shall remain in force for one (1) year (the “Term”). The Term shall be automatically renewed for a further term of one year, unless it is terminated in accordance with the provisions within this Agreement.
4.2 When will termination occur?
Either party may terminate this Agreement on thirty (30) calendar days written notice, or if prior to such action, the other party materially breaches any of its representations, warranties or obligations under this Agreement.
4.3 The effects of termination
Upon termination the Company must:
- immediately cease to use the Data;
- Immediately cease sharing the Data; and
- ensure that the Data is appropriately expunged from its systems
- ensure that the Data is appropriately expunged from the systems of any entities with whom the Company had shared the Data.
5. Indemnity and Limits of Liability
5.1 The Company shall indemnify the Customer on demand and hold harmless from and against any and all losses (including loss of profits, loss of business, revenue, goodwill or Data), demands, claims, damages, costs and expenses including reasonable legal costs and expenses and VAT thereon and liabilities suffered or incurred, directly or indirectly, by the Customer in consequence of any breach of confidentiality, fraud, misuse or theft of Data supplied by the Customer.
5.2 Nothing in this clause 5 shall limit either party's liability:
(a) for death or personal injury resulting from its negligence;
(b) or for fraud or fraudulent misrepresentation
5.3 Subject to clauses 5.1, 5.2 and 5.3, neither party will be liable to the other for any damages resulting from lost profits or loss of anticipated savings (in each case whether direct or indirect), nor for any damages that are an indirect or secondary consequence of any act or omission of the other whether such damages were reasonably foreseeable or actually foreseen.
6. Intellectual Property and Confidentiality
6.1 Subject to clause 6.2, the Company agrees that all right, title and interest of whatsoever nature in:
(a) the intellectual property rights (“IPR”) in the Customer’s systems including, but without limitation, all software (including any third party rights therein), all patents, trademarks, registered designs (and any applications for any of the foregoing), copyright (including rights in software – object code and source code), semi-conductor topography rights, database right, unregistered design right, rights in and to trade names, business names, domain names, product names and logos, databases, inventions, discoveries, rights in know-how, processes and procedures and any other intellectual or industrial property rights in each and every part of the world together with all applications, renewals, revisions and extensions; and
(b) any confidential or proprietary knowledge, Data or information of or relating to the Customer (“Confidential Information”) which may be in tangible or intangible form, whether expressed orally, in writing, in electronic or any other form (whether or not marked confidential) including, but not limited to business and financial information, marketing information, technical information, third party relationships (including suppliers and customers), processes, know-how, scientific methods, concepts, inventions, discoveries, processes and diagrams, formulae, techniques, products, computer programs, databases, database structures and manuals; is reserved to and shall belong absolutely to the Customer (as applicable).
6.2 The Company expressly agrees that it will treat as strictly confidential all information received or obtained as a result of entering into or performing this Agreement and, in particular, which relates to the provisions of this Agreement and it undertakes to keep all Confidential Information secure and protected against theft, damage, loss or unauthorised access, and will not at any time, whether during the Term of this Agreement or at any time thereafter, without the prior written consent of the Customer, directly or indirectly, use or authorise or permit the use of any Confidential Information other than as necessary for the sole purpose of the performance of its rights and obligations under this Agreement.
6.3 All materials (including any Confidential Information) provided by the Customer to the Company or generated by the Company for the Customer in accordance with this Agreement, shall at all times, remain the exclusive property of the Customer, but shall be held by the Company in safe custody at its own risk and maintained and kept in good condition by the Company until returned to the Customer. The Company shall not dispose of or use any materials other than in accordance with the Customer’s written instructions or authorisation.
6.4 The restrictions and obligations contained in this clause will continue to apply after the termination or expiry of this Agreement.
6.5 The Company shall execute any further documents and carry out any further acts necessary to give effect to the intentions set out in this Clause 6.
6.7 The Company acknowledges that any breach by it of the obligations set out in this clause 6 may cause serious harm and that damages may be insufficient to constitute an adequate remedy and the Customer shall be entitled, in addition to all other rights provided by law or by this Agreement, including monetary damages, to seek an injunction to prevent such a breach.
7. Data Protection
7.1 In the course of this Agreement, if the Customer transfers Data to the Company for the Company to process in the course of providing the Services, the parties intend that each party be a Data Controller in their own right in relation to the Data.
7.2 The Company shall process the Data only to the extent, and in such a manner, as is necessary for the purposes of providing the Services under this Agreement and in accordance with the Customer’s instructions from time to time and the Company shall not process the Data for any other purpose. The Company shall promptly comply with any request from the Customer requiring the Company to amend, transfer or delete the Data.
7.3 The Company warrants and represents that, to the extent it processes any Data on behalf of the Customer:
(a) it shall act only on instructions from the Customer;
(b) it has in place appropriate technical and organisational security measures against unauthorised or unlawful processing of Data and against accidental loss or destruction of, or damage to, Data;
(c) it will process the Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments
(d) it will keep a record of any processing of Data it carries out in its capacity as Data Controller;
(e) it shall notify the Customer immediately if it becomes aware of:
(i) any unauthorised or unlawful processing, loss of, damage to or destruction of the Data;
(ii) any advance in technology and methods of working which mean that the Customer should revise its security measures.
(f) it shall not transfer the Data outside the European Economic Area (EEA) without the prior written consent of the Customer;
7.4 If the Company receives any complaint, notice or communication which relates directly or indirectly to the processing of the Data or to either party's compliance with Data Protection legislation and the Data Protection principles set out therein, it shall immediately notify the Customer and it shall provide the Customer with full co-operation and assistance in relation to any such complaint, notice or communication.
7.5 The Company shall ensure that access to the Data is limited to:
(a) those employees who need access to the Data to meet the Company's obligations under this Agreement; and
(b) in the case of any access by any employee, such part or parts of the Data as is strictly necessary for performance of that employee's duties.
7.6 The Company shall ensure that all its employees:
(a) are informed of the confidential nature of the Data;
(b) have undertaken training in the laws relating to handling Data; and
(c) are aware both of the Company’s duties and their personal duties and obligations under such laws and this Agreement.
7.7 The Company shall take reasonable steps to ensure the reliability of any of its employees who have access to the Data.
7.8 If the Company further transfers the Data to any Service Provider, they warrant that they have an Agreement in place to restrict the usage of the Data, and that the relevant clauses within that Agreement are no less restrictive than this Clause 7.
8. General
8.1 Each party acknowledges that, in entering into this Agreement, it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty (whether made negligently or innocently) other than as expressly set out in this Agreement. Nothing in this clause shall limit or exclude any liability for fraud.
8.2 Nothing in this Agreement shall create or be deemed to create a partnership or joint venture relationship between the parties and neither party shall have authority to bind the other in any way.
8.3 This Agreement may be executed in any number of counterparts and by the parties to it on separate counterparts, each of which shall be an original, but all of which together shall constitute one and the same instrument. The Agreement is not effective until each party has executed at least one counterpart.
8.4 If any provision of this Agreement (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, illegal or unenforceable, that provision or part-provision shall, to the extent required, apply with the minimum modification necessary to make it legal, valid and enforceable.
8.5 Except insofar as this Agreement expressly provides that a third party may in his own right enforce a term of this Agreement, a person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to rely upon or enforce any term of this Agreement but this does not affect any right or remedy of a third party which exists or is available apart from that Act.
8.6 This Agreement constitutes the entire agreement and understanding of the parties and supersedes all previous agreements or arrangements between the parties relating to the subject matter of this Agreement.
8.7 This Agreement may only be varied with the written consent of both parties.
8.7 All notices which are required to be given under this Agreement shall be in writing and shall be sent to the registered office from time to time of the party whom the notice is to be served. Any such notice may be delivered personally, by first class prepaid post, facsimile transmission or by email and shall be deemed to have been served if by hand when delivered, if by first class post within 48 hours, if by facsimile transmission when despatched and if by email, 24 hours after it was sent.
9. Law
This Agreement, and any dispute or claim arising out of or in connection with it or its subject matter or formation, (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales and each party irrevocably submits to the non-exclusive jurisdiction of the courts of England and Wales in respect of any matter arising under or in connection with this Agreement.