LESTER ALDRIDGE LLP AND EXTERNAL SERVICE PROVIDER
DATA SHARING TERMS AND CONDITIONS
These terms shall apply to any agreement between LA and a Provider that involves the sharing of Personal Data
|(1)||LA||:||LESTER ALDRIDGE LLP, a limited liability partnership incorporated in England and Wales under registration number OC321318, whose registered office is at Russell House, Oxford Road, Bournemouth BH8 8EX; and|
|(2)||PROVIDER||:||The expert or service provider to whom the Instructions from LA is addressed.|
|Agreed Purposes||:||the provision of the report, advice or other services requested in the Instructions|
|Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures||:||as defined in the Data Protection Legislation;|
|Client||:||the client of LA identified in the Instructions who has instructed LA to provide the Legal Services;|
|Data Discloser||a party that discloses Shared Personal Data to the other party|
|Data Protection Legislation||:||all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018; (DPA 2018) (and regulations made thereunder) the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party;|
|Instructions||:||the letter, email, instructions to counsel or other communication from LA to the Provider for the Agreed Purposes;|
|Permitted Recipients||:||the parties to this agreement, the employees of each party, and any third parties engaged to perform obligations in connection with this agreement;|
|Shared Personal Data||:||the personal data to be shared between the parties under clause 1.1 of this agreement. Shared Personal Data shall be confined to the categories of information relevant to the categories of data subject as identified in the Instructions, but they could include|
a. contact details and personal identifiable data of the Client or third parties connected to the client’s legal services
b. Images or description of appearance
c. Financial information
d. Special category data as identified in the Instructions
e. Any other relevant personal data for the Agreed Purposes.
|UK GDPR||has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018|
1.1 Shared Personal Data. This clause sets out the framework for the sharing of personal data between the parties as controllers. Each party acknowledges that one party (referred to in this clause as the Data Discloser) will regularly disclose to the other party Shared Personal Data collected by the Data Discloser for the Agreed Purposes.
1.2 Effect of non-compliance with Data Protection Legislation. Each party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one party shall, if not remedied within 14 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.
1.3 Particular obligations relating to data sharing. Each party shall:
(a) ensure that it has all necessary notices and consents and lawful bases in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
(b) The parties acknowledge that the Shared Personal Data may be subject to one or more of the exemptions set out in Paragraph 5 of Part 1 of Schedule 2 to the Data Protection Act 2018 and that the listed GDPR provisions, as defined in Paragraph 1 of Part 1 of Schedule 2 and the relative principles set out in Article 5 do not apply to it.
The parties agree that they will not waive the exemptions referred to in clause 3.3 unless:
(i) the other party agrees in writing;
(ii) a client of LA instructs LA to waive the exemption.
(c)process the Shared Personal Data only for the Agreed Purposes;
(d) not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
(e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;
(f) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
(g) not transfer any personal data received from the Data Discloser outside the UK unless the transferor ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.
1.4 Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular:
(a) promptly inform LA about the receipt of any data subject rights request;
(b) each party provide reasonable assistance in complying with any data subject rights request;
(c) not disclose, release, amend, delete or block any Shared Personal Data in response to a data subject rights request without first consulting the other party wherever possible;
(d) assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with the Information Commissioner or other regulators;
(e) notify LA without undue delay on becoming aware of any breach of the Data Protection Legislation;
(f) at the written direction of LA, delete or return Shared Personal Data disclosed by LA and copies thereof to LA on termination of this agreement unless required by law to store the Shared Personal Data;
(g) use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
(h) maintain complete and accurate records and information to demonstrate its compliance with this clause 1.4 and allow for audits by the other party or the other party’s designated auditor and
(i) provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.
1.5 Indemnity. Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the indemnified party arising out of or in connection with the breach of the Data Protection Legislation by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.
GOVERNING LAW AND JURISDICTION
2.1 This Agreed Terms and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
2.2 Each party irrevocably agrees that the courts of England and Wales shall have jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with these Agreed Terms or its subject matter or formation