Terms and Conditions

Data Recipient

This is the name of the Company that will be receiving data from the Data Discloser.

The Consumer Helpline, part of the TCHGroup (Company Number 09881508) whose registered office is The Refinery, Atlantic Close, Swansea Enterprise Park, Swansea SA7 9FJ. 

TCHGroup is comprised of 4 companies. The Consumer Helpline, The Business Helpline, The Money Saving Helpline and TCH South Africa. 

each company listed above is either a "Party" and together named as "Parties".

Whereas

The Parties, in the course of their respective operations, provide certain Shared Personal Data (as defined below) to each other and acknowledge and agree that there is a need to ensure that any Shared Personal Data is shared in accordance with best practice in information governance and the Data Protection Legislation (as defined below).

In consideration of the Parties respective obligations set out in this Agreement, the Parties have agreed to enter into this Agreement.

The Terms and Conditions

1. DEFINITIONS

• The following definitions and rules of interpretation apply in this Agreement:
• Agreed Purposes: The Data Discloser will provide contact information to The Data Recipient for the purposes of contacting the data subject via telephony, email, SMS and any other contact method as set out in the scope of works, for the purpose of sales, promotional awareness, customer service, data cleansing and any other activity set out in the scope of works.                     

• Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.
• Data Protection Legislation: (i) the General Data Protection Regulation ((EU) 2016/679) ("GDPR") and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK, in particular the Data Protection Bill 2017-2019, once it becomes law and (ii) any successor legislation to the GDPR and the Data Protection Bill 2017-2019, once it becomes law.
• Data Sharing Code: the Information Commissioner's Data Sharing Code of Practice of May 2011 (and as may be amended or replaced from time to time).
• FOIA: the Freedom of Information Act 2000.
• Permitted Recipients: The Parties to this Agreement, the employees of each Party, any third parties engaged to perform obligations in connection with this Agreement, and any agreed sub-contractors under the contract.
• Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
• Shared Personal Data: the personal data to be shared between the Parties under this Agreement. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject:
  
  
  1. Name
  2. Address
  3. Date of Birth
  4. Contact Information (Phone, Email)
  5. Previous purchase information (eg. tickets, hospitality, season tickets)

2. DATA PROTECTION

2.1 Shared Personal Data. This clause sets out the framework for the sharing of personal data between the Parties as data controllers. Each Party acknowledges that one Party (the "Data Discloser") will regularly disclose to the other Party (the "Data Recipient") Shared Personal Data collected by the Data Discloser for the Agreed Purposes.

2.2 The Data Discloser shall be responsible for ensuring that the Shared Personal Data is accurate and correct at the point of sharing the personal data with the Data Recipient.

2.3 Effect of non-compliance with Data Protection Legislation. Each Party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one Party shall, if not remedied within 30 days of written notice from the other Party, give grounds to the other Party to terminate this Agreement with immediate effect.

2.4 Particular obligations relating to data sharing. Each Party shall:

-ensure that it has all necessary notices and consents in place to enable the lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;

- give full information to any Data Subject whose personal data may be processed under this Agreement of the nature of such processing in a compliant privacy or fair processing notice. This includes giving notice that, on the termination of this Agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;

- process the Shared Personal Data only for the Agreed Purposes;

- not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;

- ensure that all Permitted Recipients are subject to written contractual obligations concerning the use of the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement;

-ensure that it has in place appropriate technical and organisational security measures, reviewed and approved by the other Party (such approval not to be unreasonably withheld or delayed), to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;

- not transfer any personal data outside the EEA unless the transferor;

- complies with the provisions of Article 26 of the GDPR (in the event the third party is a joint controller); and

- ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

2.5 Mutual assistance. Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each Party shall:

-consult with the other Party about any notices given to data subjects in relation to the Shared Personal Data;

-promptly inform the other Party about the receipt of any data subject access request;

- provide the other Party with reasonable assistance in complying with any data subject access request;

-not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other Party wherever possible;

-assist the other Party, at the cost of the other Party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

-notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation;

-at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this Agreement unless required by law to store the personal data;

-use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;

-maintain complete and accurate records and information to demonstrate its compliance with this clause 2 and allow for audits by the other Party or the other Party's designated auditor; and

-provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the Data Protection Legislation.

-Indemnity - Each Party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the indemnified Party arising out of or in connection with the breach of the Data Protection Legislation by the indemnifying Party, its employees or agents, provided that the indemnified Party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.

-Each Party shall perform its obligations under this Agreement at its own cost.

3.2 Each Party shall notify the other Party of any potential or actual losses of the Shared Personal Data as soon as possible and, in any event, within 24 hours of identification of any potential or actual Personal Data Breach, to enable the Parties to consider what action is required in order to resolve the issue in accordance with Data Protection Legislation and guidance.

3.3 Each Party shall provide reasonable assistance (as is necessary) to the other Party to facilitate the handling of any Personal Data Breach in a timely and compliant manner.

4.1 Where a request is made for information under FOIA by a third party, it will be the responsibility of the Party receiving the FOIA request to contact the other Party, if it is likely to be affected by the FOIA request. Each Party must then determine:

-whether FOIA applies to it and if so;

-whether it wishes to rely on any statutory exemption, permitting that Party to withhold disclosure of any of the requested information in accordance with FOIA.

4.2 The final decision on whether any information should be disclosed under FOIA will be made by the Party who received the FOIA request and holds the relevant information.

5. REVIEW AND TERMINATION OF AGREEMENT

5.1 This Agreement can be reviewed at any time and in any event the Parties shall review the effectiveness of this Agreement annually. Any such review shall consider the aims and purposes of this Agreement. The Parties shall continue, amend or terminate the Agreement depending on the outcome of such reviews.

5.2 The review of the effectiveness of the Agreement will involve assessing whether:

- the purpose for which the Shared Personal Data is being processed is still the Agreed Purpose as set out in this Agreement;

- the legal framework governing data quality, retention, and Data Subjects' rights is being complied with; and

- Personal Data Breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the Data Protection Legislation.

5.3 Each Party reserves the right to inspect the other Partners arrangements for the processing of Shared Personal Data and to terminate this Agreement where it reasonably considers that the other Party is not processing the Shared Personal Data in accordance with this Agreement.

5.4 A Party may terminate this Agreement at any time, by providing notice in writing to the other Party. The Agreement shall terminate immediately upon the other Party receiving such written notice.

5.5 In the event that this Agreement is terminated, each Party shall safely and securely delete any Shared Personal Data that has been shared and each Party shall provide written notification to the other Party once the deletion of all Shared Personal Data has taken place.