New Era Technology Standard Data Sharing Agreement
New Era Technology, (“New Era”) who are the Service Provider.
Customer stated on the Sales Order Form (“The Client”) who are the Data Controller.
The Agreement will commence on the date stated on the Sales Order Form and will continue for the duration of the period that New Era continues to be the Service Provider unless otherwise agreed in writing between the Parties.
Data Controller: has the meaning set out in the Data Protection Act Legislation.
Data Processor: has the meaning set out in the Data Protection Legislation.
Data Protection Legislation: Any in-scope and relevant Country or Region-specific legislation lawfully enacted and in force will impact the current and future updates to this policy. Compliance is expected in all Data Privacy processes and procedures.
Personal Data: has the meaning set out in the Data Protection Legislation and, in this
Agreement, relates only to personal data, or any part of such personal data, of which the Client is the Data Controller and in relation to which the Service Provider is providing services under this Agreement, being unique username for the service provided, title (where appropriate), first name, surname, school, year group, class, email, mobile telephone number, family relationship (where appropriate) and unique identifiers depending upon the services to which The Client has subscribed.
Processing and process: have the meaning set out in the Data Protection Act Legislation.
1. Obligations of the Service Provider
1.1 The Client and New Era acknowledge that, for the purposes of the Data Protection Legislation, The Client is the Data Controller and New Era is the Service Provider and the Data Processor of any Personal Data.
1.2 The Service Provider shall comply with all applicable requirements of the Data Protection Legislation and, in particular, shall process the Personal Data only to the extent, and in such a manner, as is necessary for the Purpose and shall not process the Personal Data for any other purpose unless the Service Provider is required by law. Where the Service Provider is legally required to process Personal Data, the Service Provider shall promptly notify The Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Service Provider from so notifying The Client.
1.3 The Client will control and be responsible for amending, transferring, or deleting the Personal Data; the Service Provider will only amend, transfer or delete data at the written request of The Client.
1.4 The Client may transfer data to the Service Provider via secure integration methods, via email using secure password-protected files, or any other means that comply with The Client’s obligations under the Data Protection Legislation.
1.5 The Service Provider will ensure that it has in place appropriate technical and organizational measures, reviewed and approved by The Client if The Client so requires, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it.
1.6 If the Service Provider receives any complaint, notice, or communication which relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with Data Protection Legislation, or becomes aware of any breach of Data Protection Legislation, it shall as soon as reasonably practicably notify The Client and it shall provide The Client with all due co-operation and assistance in relation to any such complaint, notice or communication.
1.7 At The Client‘s request, the Service Provider shall provide to The Client a copy of all Personal Data held by it in the format and on the media reasonably specified by The Client.
1.8 The Service Provider shall only hold the Personal Data on its servers and will not transfer the Personal Data without the prior written consent of The Client.
1.9 The Service Provider will hold the Personal Data only in secure data centers managed by the Service Provider and compliant with Data Protection Legislation.
1.10 The Client agrees that limited Personal Data, comprising contact details, of officially appointed Customer contacts, may be processed in secure data centers outside of Clients primary Country, but within the Service Provider’s global CRM facility. The Service Provider will comply with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is so transferred and processed and ensure that relevant Data Subjects have enforceable rights and effective legal remedies. The Service Provider will comply with reasonable instructions notified to it in advance by The Client with respect to such processing of the Personal Data.
1.11 The Service Provider will ensure Data is securely backed-up to ensure disaster recovery.
1.12 The Service Provider shall promptly and within at least 72 hours inform The Client if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable and, if this is caused by the negligence or breach of obligations of the Service Provider, will restore such Personal Data at its own expense.
2. Obligations of the Customer
2.1 The Client will comply with all applicable requirements of the Data Protection Legislation and will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Service Provider for the duration of this Agreement and the Purpose.
Service Provider’s Employees
The Service Provider shall ensure that access to the Personal Data is limited to:
those employees who need access to the Personal Data to meet the Service
Provider’s obligations under this Agreement; and
in the case of any access by any employee, such part or parts of the Personal Data as is strictly necessary for the performance of that employee’s duties.
The Service Provider shall take reasonable steps to ensure the reliability of any of the Service Provider‘s employees who have access to the Personal Data and shall ensure that all employees who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
3. Rights of Data Subjects and compliance by The Client
3.1 The Service Provider shall notify The Client within three working days if it receives a request from a Data Subject for access to that person’s Personal Data.
3.2 The Client (as Data Controller) will handle all such requests and notify the Data Subject accordingly. The Service Provider will assist The Client, at The Client’s cost, in responding to any such request from a Data Subject and, generally, in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.
3.3 The Service Provider shall not disclose the Personal Data to any Data Subject or to a third party other than at the written request of The Client or as provided for in this Agreement.
4. Rights of The Client
4.1 The Client is entitled, on giving at least three working days’ notice to the Service Provider, to inspect or appoint representatives to inspect documents and electronic data relating to the processing of Personal Data by the Service Provider.
4.2 The requirement under clause 4.1 to give notice will not apply if The Client reasonably believes that the Service Provider is in breach of any of its obligations under this Agreement.
4.3 At the written direction of The Client, the Service Provider will delete or return Personal Data and copies thereof to The Client on termination of this Agreement unless required by Applicable Law to store the Personal Data.
5.1 The Service Provider agrees to indemnify and keep indemnified The Client against all costs, claims, damages, or expenses incurred by The Client or for which The Client may become liable due to any failure by the Service Provider or its employees or agents to comply with any of its obligations under this Agreement.
5.2 The Client agrees to indemnify and keep indemnified the Service Provider against all costs, claims, damages, or expenses incurred by the Service Provider or for which the Service Provider may become liable due to any failure by The Client or its employees or agents to comply with any of its obligations under this Agreement.
6. Appointment of sub-contractors
6.1 The Service Provider may only authorize a third party (sub-contractor) to process the Personal Data:
• subject to The Client’s prior written consent where the Service Provider has supplied The Client with full details of such sub-contractor;
• provided that the subcontractor’s contract is on terms which are substantially the same as those set out in this Agreement;
• provided that the subcontractor’s contract terminates automatically on termination of this Agreement for any reason; and
• provided that, as between The Client and the Service Provider, the Service Provider shall remain fully liable for all acts or omissions of any sub-contractor appointed by it pursuant to this clause.
7. Limits of liability
7.1 Neither party’s liability arising out of this Agreement shall exceed the amount paid to the Service Provider under this Agreement.
7.2 Nothing in this Agreement shall exclude either party’s liability for death or personal injury to the extent it results from the negligence of itself, its employees, or its agents, or for fraud or for any other matter in respect of which law prescribes that liability may not be limited or excluded.
Neither party may assign any of its rights or obligations under this Agreement without the prior written consent of the other party.
Any notice served under this Agreement shall be delivered to the appropriate party either by recorded delivery post or by facsimile transmission at its principal place of business, or to such other address as may from time to time be notified in writing by the party concerned, or by electronic mail to the email address as may from time to time be notified in writing by the party concerned. Any notice shall be deemed to be duly served:
9.1 if sent by recorded delivery post, three (3) calendar days after date of posting;
9.2 if sent by facsimile transmission, on receipt of successful facsimile transmission;
9.3 if sent by electronic mail, on the day it is sent provided that a return receipt is received and where the party sending the notice has a contemporaneous record of such return receipt and followed up such notice by recorded delivery post in the event that the electronic mail has not been acknowledged by the other party within twenty-four hours of sending the electronic mail, (unless any such date is a Saturday, Sunday or bank holiday in which case it shall be deemed served on the next working day).
10. No waiver
No failure or delay on the part of either party to this Agreement relating to the exercise of any right, power, privilege, or remedy provided under this Agreement shall operate as a waiver of such right, power, privilege or remedy or as a waiver of any proceedings or succeeding breach by the other party to this Agreement.
11. Entire agreement
This Agreement contains the full and complete understanding between the parties relating to its subject matter and supersedes all prior arrangements and understandings whether written or oral relating to such subject matter and may not be varied except by written agreement signed by both parties.
Any Privacy or Compliance requests, inquires, or notification can be directed to firstname.lastname@example.org. A member of that team will contact you within 3-business days.