Data sharing agreement
Contents:
- When this Agreement applies
- 1. Definitions
- 2. Shared data and Agreed Purpose
- 3. Your obligations
- 4. Direct marketing
- 5. Security and training
- 6. Reservation of rights
- 7. Restricted Transfers
- 8. Personal Data Breaches
- 9. Indemnity
- 10. Complaints, Data Subject Requests and Third-party Rights
- 11. Data Processors
- 12. Contacting us about this Agreement
- 13. Changes to this Agreement
- 14. Privacy notice
When this Agreement applies
This Data Sharing Agreement (the Agreement) applies when IMEX shares Personal Data with you as a Data Controller (“you"or “the Company”). In consideration of the benefits of us sharing any Personal Data with you, you agree to comply with the following terms.
1. Definitions
Certain words used in this Agreement have the following meanings, unless the context otherwise requires:
- Agreed Purpose: the express purpose for which we share Personal Data with you as set out in the Supplier Agreement
- Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications), including but not limited to the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended
- Data Controller, Data Processor, Data Subject, Personal Data and Processing: all have the meaning given to them in the UK Data Protection Legislation in force at the time.
- IMEX: Regent Exhibitions Limited or IMEX America Limited (together ”we" or "us") companies incorporated and registered in England and Wales having their registered offices at 113-118 Davigdor Road, Hove, BN3 1RE
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Shared Personal Data
- Shared Personal Data: Any information relating to an identified or identifiable person (regardless of form) that is provided by IMEX to you for the Agreed Purpose, and which you are not the Data Controller of in your own right
- Supplier Agreement: the commercial agreement in place between the parties to which this data sharing arrangement relates
- Term: starting from the commencement date of the Supplier Agreement and continuing until the Company is no longer required to process the Shared Personal Data
3. Your obligations
You shall comply with this Agreement and your obligations under Data Protection Legislation in respect of all Shared Personal Data disclosed to you pursuant to this Agreement.
You shall at all times remain responsible for the acts and omissions of your respective personnel and suppliers, contractors and agents in respect of the Shared Personal Data.
You will comply promptly with any IMEX written instructions requiring you to amend, transfer, delete or otherwise process the Shared Personal Data, or to stop, mitigate or remedy any unauthorized Processing.
You will maintain the confidentiality of the Shared Personal Data and will not disclose the Shared Personal Data to third parties unless IMEX specifically authorizes the disclosure, or as required by domestic law, court or regulator.
You agree to only retain and process IMEX Shared Data for as long as necessary to carry out the Agreed Purpose. All IMEX Shared Data should be returned to IMEX or destroyed on expiry or termination of your engagement with IMEX, or at IMEX’s request.
4. Direct marketing
If you intend to process the Shared Personal Data for the purposes of direct marketing, you must ensure that:
- the appropriate level of consent has been obtained from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Legislation
- effective procedures are in place to allow the Data Subject to "opt-out" from having their Shared Personal Data used for such direct marketing purposes, and for you to notify relevant third parties of such opt-outs
5. Security and training
You shall undertake to have in place throughout the Term of this Agreement appropriate technical and organizational security measures to prevent:
- unauthorized or unlawful Processing of the Shared Personal Data
- the accidental loss or destruction of, or damage to, the Shared Personal Data
And to ensure a level of security appropriate to:
- the harm that might result from such unauthorized or unlawful Processing or accidental loss, destruction or damage
- the nature of the Shared Personal Data to be protected
The parties shall keep such security measures under review and carry out such updates as they agree are appropriate throughout the Term of this Agreement.
You shall regularly test your security measures to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of such measures in respect of the Shared Personal Data.
It is your responsibility to ensure that your staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organizational security measures, together with any other applicable Data Protection Legislation and guidance, and have entered into confidentiality agreements relating to the Processing of Personal Data.
6. Reservation of rights
All Shared Personal Data shall remain the property of IMEX and we reserve all rights in the Shared Personal Data except to the extent expressly granted hereunder. No rights, including intellectual property rights, in respect of the Shared Personal Data are granted to you and no obligations are imposed on IMEX other than those expressly stated in this Agreement.
7. Restricted Transfers
If IMEX are transferring the Shared Personal Data to you, and you are located outside the UK, EEA or a third country to which there is no adequacy decision provided by the UK government or European Union, the transfer of the Shared Personal Data is a restricted transfer.
The Information Commissioners Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses for the transfer of Personal Data to third countries (pursuant to regulation (EU) 2016/679 set out in the Annex to Commission Implementing Decision (EU) 2021/91) have been completed and are attached below. By entering into this Agreement, and receiving the Shared Personal Data, you agree that the Safeguards, are hereby incorporated, into this Agreement to enable the transfer of Shared Personal Data (and the data sharing activities anticipated under this Agreement) to comply with Data Protection Legislation.
You agree that once IMEX has transferred the Shared Personal Data, any onward transfer of the Shared Personal Data must be done by you in compliance with the remainder of this clause below.
If you appoint a third-party processor to process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable to IMEX for the acts and/or omissions of the processor, in respect of the Shared Personal Data.
You may not transfer Shared Personal Data to a third party located outside the UK unless you have the consent of IMEX and you:
- comply with the provisions of the Data Protection Legislation in the event the third party is a joint controller
- ensure that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate Safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with your obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer
EU SCC (controller to controller)
EU Annex SCC (controller to controller)
together with the UK International Data Transfer Addendum (IDTA) apply.
IDTA - Data Sharing - Regent Exhibitions Limited.pdf
IDTA - Data Sharing - IMEX America Limited.pdf
For the purpose of the IDTA linked above, you shall be considered the Data Importer and the Data Importer contact name, job title and contact details shall be as set out in the Supplier Agreement and incorporated into the IDTA accordingly.
8. Personal Data Breaches
You shall notify IMEX without undue delay if you discover or become aware of:
- the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data (the Company will restore such Personal Data at its own expense as soon as possible)
- any accidental, unauthorized or unlawful Processing of the Personal Data
- any Personal Data Breach
Following this notification, you shall provide assistance and co-operation with us to mitigate the Personal Data Breach, including but not limited to:
- immediately conducting a reasonable investigation of the reasons for and circumstances of the Personal Data Breach
- take all necessary actions to prevent, contain, and mitigate the impact of, the Personal Data Breach, and remediate the effects of the Personal Data Breach, without delay
- on our request, promptly produce a written report setting out all relevant details concerning the Personal Data Breach, including without limitation any security, risk or compliance assessment and security control audit reports
- provide regular updates to us following the Personal Data Breach
Nothing in this Agreement shall impose or imply any obligation or liability on IMEX in respect of a Security Breach for which you are responsible.
You will not inform any third party of any accidental, unauthorized or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining IMEX's written consent, except when required to do so by domestic law.
You will cover all reasonable expenses, and reimburse IMEX for actual, reasonable expenses we incur, associated with the performance of the obligations under this clause, unless the matter arose from IMEX's specific written instructions, negligence, wilful default or breach of this Agreement, in which case IMEX will cover all reasonable expenses.
9. Indemnity
You agree to indemnify, keep indemnified and defend at your own expense IMEX against all costs, claims, damages or expenses incurred by IMEX or for which IMEX may become liable due to any failure by you or your employees, subcontractors or agents to comply with any of your obligations under this Agreement or the Data Protection Legislation.
Any limitation of liability set forth in the Supplier Agreement will not apply to this Agreement's indemnity or reimbursement obligations.
10. Complaints, Data Subject Requests and Third-party Rights
You must notify IMEX immediately in writing if you receive any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
You will give IMEX, at no additional cost to IMEX, your full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
You must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with IMEX's written instructions, or as required by domestic law.
11. Data Processors
This Agreement does not apply to situations in which we share Personal Data with third parties acting as our Data Processor, in which case our Data Processor Agreement shall apply, unless otherwise agreed.
12. Contacting us about this Agreement
If you have any questions or comments about data protection contact us at [email protected] or by post using our registered office address. For any other questions or comments, contact us.
13. Changes to this Agreement
We’ll regularly review and update this Agreement. Changes to it shall become effective when published on our website and shall apply to all further sharing of Shared Personal Data from such date.
This Agreement applies from May 25, 2018.
This Agreement was last updated June 24, 2024.
14. Privacy notice
View here