Data sharing agreement

Contents:

  1. When this Agreement applies
  2. 1. Definitions
  3. 2. Shared data and Agreed Purpose
  4. 3. Your obligations
  5. 4. Direct marketing
  6. 5. Security and training
  7. 6. Reservation of rights
  8. 7. Restricted Transfers
  9. 8. Personal Data Breaches
  10. 9. Indemnity
  11. 10. Complaints, Data Subject Requests and Third-party Rights
  12. 11. Data Processors
  13. 12. Contacting us about this Agreement
  14. 13. Changes to this Agreement
  15. 14. Privacy notice

When this Agreement applies

This Data Sharing Agreement (the Agreement) applies when IMEX shares Personal Data with you as a Data Controller (“you"or “the Company”). In consideration of the benefits of us sharing any Personal Data with you, you agree to comply with the following terms.

1. Definitions

Certain words used in this Agreement have the following meanings, unless the context otherwise requires: 

  • Agreed Purpose: the express purpose for which we share Personal Data with you as set out in the Supplier Agreement
  • Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications), including but not limited to the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended
  • Data Controller, Data Processor, Data Subject, Personal Data and Processing: all have the meaning given to them in the UK Data Protection Legislation in force at the time.
  • IMEX: Regent Exhibitions Limited or IMEX America Limited (together ”we" or "us") companies incorporated and registered in England and Wales having their registered offices at 113-118 Davigdor Road, Hove, BN3 1RE
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Shared Personal Data 
  • Shared Personal Data: Any information relating to an identified or identifiable person (regardless of form) that is provided by IMEX to you for the Agreed Purpose, and which you are not the Data Controller of in your own right
  • Supplier Agreement: the commercial agreement in place between the parties to which this data sharing arrangement relates 
  • Term: starting from the commencement date of the Supplier Agreement and continuing until the Company is no longer required to process the Shared Personal Data

2. Shared data and Agreed Purpose

IMEX is committed to the lawful, fair and transparent use of Personal Data. This Agreement sets out the framework for the lawful transfer of the relevant Personal Data to you as an independent Data Controller and the responsibilities we owe to each other in this regard.

To the extent that we disclose Shared Personal Data to you, you shall process it only for and compatible with the Agreed Purpose and as outlined in our privacy notice: when we share your personal information with others. By entering this Agreement, you agree that the data sharing is necessary and proportionate as to achieve the Agreed Purpose.

3. Your obligations

You shall comply with this Agreement and your obligations under Data Protection Legislation in respect of all Shared Personal Data disclosed to you pursuant to this Agreement. 

You shall at all times remain responsible for the acts and omissions of your respective personnel and suppliers, contractors and agents in respect of the Shared Personal Data. 

You will comply promptly with any IMEX written instructions requiring you to amend, transfer, delete or otherwise process the Shared Personal Data, or to stop, mitigate or remedy any unauthorized Processing.

You will maintain the confidentiality of the Shared Personal Data and will not disclose the Shared Personal Data to third parties unless IMEX specifically authorizes the disclosure, or as required by domestic law, court or regulator.

You agree to only retain and process IMEX Shared Data for as long as necessary to carry out the Agreed Purpose. All IMEX Shared Data should be returned to IMEX or destroyed on expiry or termination of your engagement with IMEX, or at IMEX’s request.

4. Direct marketing

If you intend to process the Shared Personal Data for the purposes of direct marketing, you must ensure that:

  • the appropriate level of consent has been obtained from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation
  • effective procedures are in place to allow the Data Subject to "opt-out" from having their Shared Personal Data used for such direct marketing purposes, and for you to notify relevant third parties of such opt-outs

5. Security and training

You shall undertake to have in place throughout the Term of this Agreement appropriate technical and organizational security measures to prevent:

  • unauthorized or unlawful Processing of the Shared Personal Data
  • the accidental loss or destruction of, or damage to, the Shared Personal Data

And to ensure a level of security appropriate to:

  • the harm that might result from such unauthorized or unlawful Processing or accidental loss, destruction or damage
  • the nature of the Shared Personal Data to be protected

The parties shall keep such security measures under review and carry out such updates as they agree are appropriate throughout the Term of this Agreement.

You shall regularly test your security measures to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of such measures in respect of the Shared Personal Data.

It is your responsibility to ensure that your staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organizational security measures, together with any other applicable Data Protection Legislation and guidance, and have entered into confidentiality agreements relating to the Processing of Personal Data.

6. Reservation of rights

All Shared Personal Data shall remain the property of IMEX and we reserve all rights in the Shared Personal Data except to the extent expressly granted hereunder. No rights, including intellectual property rights, in respect of the Shared Personal Data are granted to you and no obligations are imposed on IMEX other than those expressly stated in this Agreement.

7. Restricted Transfers

If IMEX are transferring the Shared Personal Data to you, and you are located outside the UK, EEA or a third country to which there is no adequacy decision provided by the UK government or European Union, the transfer of the Shared Personal Data is a restricted transfer.

The Information Commissioners Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses for the transfer of Personal Data to third countries (pursuant to regulation (EU) 2016/679 set out in the Annex to Commission Implementing Decision (EU) 2021/91) have been completed and are attached below. By entering into this Agreement, and receiving the Shared Personal Data, you agree that the Safeguards, are hereby incorporated, into this Agreement to enable the transfer of Shared Personal Data (and the data sharing activities anticipated under this Agreement) to comply with Data Protection Legislation.

You agree that once IMEX has transferred the Shared Personal Data, any onward transfer of the Shared Personal Data must be done by you in compliance with the remainder of this clause below.

If you appoint a third-party processor to process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable to IMEX for the acts and/or omissions of the processor, in respect of the Shared Personal Data.

You may not transfer Shared Personal Data to a third party located outside the UK unless you have the consent of IMEX and you:

  • comply with the provisions of the Data Protection Legislation in the event the third party is a joint controller
  • ensure that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate Safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with your obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer

EU SCC (controller to controller) 

EU Annex SCC (controller to controller) 

together with the UK International Data Transfer Addendum (IDTA) apply.

IDTA - Data Sharing - Regent Exhibitions Limited.pdf

IDTA - Data Sharing - IMEX America Limited.pdf

For the purpose of the IDTA linked above, you shall be considered the Data Importer and the Data Importer contact name, job title and contact details shall be as set out in the Supplier Agreement and incorporated into the IDTA accordingly.

8. Personal Data Breaches

You shall notify IMEX without undue delay if you discover or become aware of:

  • the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data (the Company will restore such Personal Data at its own expense as soon as possible)
  • any accidental, unauthorized or unlawful Processing of the Personal Data
  • any Personal Data Breach

Following this notification, you shall provide assistance and co-operation with us to mitigate the Personal Data Breach, including but not limited to:

  • immediately conducting a reasonable investigation of the reasons for and circumstances of the Personal Data Breach
  • take all necessary actions to prevent, contain, and mitigate the impact of, the Personal Data Breach, and remediate the effects of the Personal Data Breach, without delay
  • on our request, promptly produce a written report setting out all relevant details concerning the Personal Data Breach, including without limitation any security, risk or compliance assessment and security control audit reports
  • provide regular updates to us following the Personal Data Breach

Nothing in this Agreement shall impose or imply any obligation or liability on IMEX in respect of a Security Breach for which you are responsible.

You will not inform any third party of any accidental, unauthorized or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining IMEX's written consent, except when required to do so by domestic law.

You will cover all reasonable expenses, and reimburse IMEX for actual, reasonable expenses we incur, associated with the performance of the obligations under this clause, unless the matter arose from IMEX's specific written instructions, negligence, wilful default or breach of this Agreement, in which case IMEX will cover all reasonable expenses.

9. Indemnity

You agree to indemnify, keep indemnified and defend at your own expense IMEX against all costs, claims, damages or expenses incurred by IMEX or for which IMEX may become liable due to any failure by you or your employees, subcontractors or agents to comply with any of your obligations under this Agreement or the Data Protection Legislation.

Any limitation of liability set forth in the Supplier Agreement will not apply to this Agreement's indemnity or reimbursement obligations.

10. Complaints, Data Subject Requests and Third-party Rights

You must notify IMEX immediately in writing if you receive any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

You will give IMEX, at no additional cost to IMEX, your full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

You must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with IMEX's written instructions, or as required by domestic law.

11. Data Processors

This Agreement does not apply to situations in which we share Personal Data with third parties acting as our Data Processor, in which case our Data Processor Agreement shall apply, unless otherwise agreed.

12. Contacting us about this Agreement

If you have any questions or comments about data protection contact us at [email protected] or by post using our registered office address. For any other questions or comments, contact us.

13. Changes to this Agreement

We’ll regularly review and update this Agreement. Changes to it shall become effective when published on our website and shall apply to all further sharing of Shared Personal Data from such date.

This Agreement applies from May 25, 2018.

This Agreement was last updated June 24, 2024.

14. Privacy notice

View here