Evolve Rehabilitation Limited

Data Sharing Agreement

 

DEFINITIONS

Agreed Purposes: data on end users is held for the following purposes:

  1. To register users on the platform
  2. To provide access to the platform for the purposes of:
     1. collecting and storing user information including health data
     2. making that data accessible to end users
     3. allowing end users to share their data with personal trainers for the purpose of assisting in the preparation of personal training plans, setting training objectives and monitoring performance
     4. allowing end users to share their data with other third parties of their choosing
  3. To manage our relationships with the end user which may include notifying users about changes to terms and conditions or privacy policies
  4. To administer and protect business interests and the platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  5. To deliver relevant content
  6. To use data analytics to improve the services provided, marketing, customer relationships and experiences
  7. To make suggestions and recommendations to end users about goods and services that may be of interest

Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organizational measures: as set out in the UK Data Protection Legislation in force at the time.

Data Discloser: a party that discloses Shared Personal Data to the other party.

UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); [and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a party].

Permitted Recipients: the parties to this agreement, the employees of each party, any third parties engaged to perform obligations in connection with the service provided as set out in the Privacy Policy for each party.

 

Shared Personal Data: the personal data to be shared between the parties under clause 1.1 of this agreement. Shared Personal Data shall be confined to the following categories of information relevant to the data subject:

  • Identity Data includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes billing address, correspondence/delivery address, email address and telephone numbers.
  • Financial Data includes bank account and payment card details.
  • Transaction Data includes details about payments to and from the data subject and other details of products and services the data subject has purchased from us.
  • Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the platform.
  • Profile Data includes usernames and passwords, records of purchases or orders made, interests, preferences, feedback and survey responses.
  • Usage Data includes information about how the platform, website, products and services are used.
  • Marketing and Communications Data includes data subject preferences in receiving marketing from us and our third parties and communication preferences.
  • Health Data includes information provided about the data subject’s height, weight, blood pressure, diet, medical conditions and may include diet plans, exercise plans, health targets and records of how data subjects are performing against those targets. This may also include photographs or videos of data subjects to be used as a training tool and a measure of progress.

1. DATA PROTECTION

1.1. Shared Personal Data. This clause sets out the framework for the sharing of personal data between the parties as controllers. Each party acknowledges that one party (referred to in this clause as the Data Discloser) will regularly disclose to the other party Shared Personal Data collected by the Data Discloser for the Agreed Purposes.

1.2. Effect of non-compliance with UK Data Protection Legislation. Each party shall comply with all the obligations imposed on a controller under the UK Data Protection Legislation, and any material breach of the UK Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.

1.3. Particular obligations relating to data sharing. Each party shall:

  1. ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
  2. give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;
  3. process the Shared Personal Data only for the Agreed Purposes;
  4. not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
  5. ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;
  6. ensure that it has in place appropriate technical and organizational measures, reviewed and approved by the other party, to protect against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
  7. not transfer any personal data received from the Data Discloser outside the EEA unless the transferor:
     1. complies with the provisions of Article 26 of the GDPR (in the event the third party is a joint controller); and
     2. ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; or (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) binding corporate rules are in place; or (iv) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

1.4. Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the UK Data Protection Legislation. In particular, each party shall:

  1. consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;
  2. promptly inform the other party about the receipt of any data subject access request;
  3. provide the other party with reasonable assistance in complying with any data subject access request;
  4. not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other party wherever possible;
  5. assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the UK Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;
  6. notify the other party without undue delay on becoming aware of any breach of the UK Data Protection Legislation;
  7. at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the personal data;
  8. use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
  9. maintain complete and accurate records and information to demonstrate its compliance with this clause 1.4; and
  10. provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the UK Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties' compliance with the UK Data Protection Legislation.

 

1.5. Indemnity. Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the indemnified party arising out of or in connection with the breach of the UK Data Protection Legislation by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.