FINBOGO DATA SHARING TERMS
1. Definition and Interpretation
1.1 In these Data Sharing Terms:
1.1.1 expressions defined in the Platform Subscription Terms and used in these Data Sharing Terms shall have the meaning set out in the Platform Subscription Terms;
1.1.2 the rules of interpretation set out in the Platform Subscription Terms apply to these Data Sharing Terms; and
1.1.3 unless the context otherwise requires, the definitions as set out in Schedule 1 shall apply.
2. Term
These Data Sharing Terms shall commence on the Subscription Start Date, and remain in full force and effect for the entire duration of the Subscription Term, after which point they shall automatically terminate.
3. Purpose
3.1 These Data Sharing Terms set out the framework for the sharing of Personal Data when one Party (the Data Discloser) discloses Personal Data which it holds in the role of an independent Controller to the other Party (the Data Receiver) in connection with the arrangements contemplated in the Platform Subscription Terms, and on the basis that the Party receiving such Personal Data will hold and process the Personal Data in the role of an independent controller. It defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.
3.2 The Parties consider this data sharing initiative necessary and proportionate to the Parties' shared intention of making the Professional Services available to Clients and any other users of the Platform via Bookings, and improving the services and products which the Parties can make available to customers and end users. It is fair as it will benefit the Parties and the Clients by allowing FinBoGo to facilitate the provision of the Professional Services to the Clients, through Bookings made via the Platform and will not unduly infringe the Data Subjects' fundamental rights and freedoms and interests.
3.3 The Parties agree to only process Shared Personal Data, for the following purposes:
3.3.1 performance of each Party's obligations, and exercise of their rights, under the Platform Subscription Terms;
3.3.2 complying with each Party's obligations under Applicable Data Protection Laws;
3.3.3 improving the services and products which each Party makes available to its customers and end users; and
3.3.4 such other purposes as the Parties communicate to the relevant Data Subjects through their respective privacy notices from time to time;
(the Data Sharing Purposes).
3.4 The Parties shall not process Shared Personal Data in a way that is incompatible with the Data Sharing Purposes.
4. Compliance
4.1 Each Party undertakes to comply with:
4.1.1 Applicable Data Protection Laws; and
4.1.2 the Data Sharing Code;
at all times during the Subscription Term.
4.2 Each Party shall hold and maintain such valid registrations as are required by the Information Commissioner in respect of the intended data sharing pursuant to these Data Sharing Terms.
5. Shared Personal Data
5.1 The following types of Personal Data will be shared between the Parties during the Subscription Term (this shall include where the Professional creates any documents, forms, records or any other media via the Platform or where it uploads the same to the Platform):
5.1.1 Personal Data relating to Clients, including:
(a) contact data including postal address and email address;
(b) identity data including names, date of birth, gender and any digital self-photo; and
(c) Special Categories of Personal Data, as identified in Clause 5.2, in respect of such Clients, contained in medical records held by the Professional, and records (including call records, images, audio, and video recordings) generated by the Professional in the course of providing the Professional Services;
5.1.2 Personal Data relating to employees and other representatives of each Party as required in connection with the administration of the Platform Subscription Terms and the management of the relationship between the Parties (which may include contact data such as postal address and email address and identity data such as names, date of birth, gender and any digital self-photo or images).
5.2 The following types of Special Categories of Personal Data will be shared between the Parties during the Subscription Term (this shall include where the Professional creates any documents, forms, records or any other media via the Platform or where it uploads the same to the Platform):
5.2.1 current and previous health conditions, diagnosis, treatment and medication, identities of general practitioners and other medical professionals, details of next of kin;
5.2.2 racial or ethnic origin;
5.2.3 religious or philosophical beliefs;
5.2.4 genetic or biometric data used to uniquely identify a natural person;
5.2.5 data concerning a natural person's physical or mental health or condition, sex life or sexual orientation.
5.3 Criminal Offence Data will not be shared between the Parties.
5.4 The Shared Personal Data must not be irrelevant or excessive with regard to the Data Sharing Purposes.
6. Lawful, fair and transparent processing
6.1 Each Party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with Clause 6.2 during the Subscription Term.
6.2 Each Party shall ensure that it has legitimate grounds under Applicable Data Protection Laws for the processing of Shared Personal Data, and in particular, the Data Discloser shall ensure that it has legitimate grounds for any transfer of Shared Personal Data undertaken in connection with the arrangements envisaged in the Platform Subscription Terms.
6.3 The Parties each agree to provide such assistance as is reasonably required to enable the other Party to comply with Subject Rights Requests within the time limits imposed by the Data Protection Legislation.
6.4 The Professional shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the Data Subjects, in accordance with Applicable Data Protection Laws, of the purposes for which it will process their Personal Data, the legal basis for such purposes and such other information as is required by Applicable Data Protection Laws including:
6.4.1 the fact that the Data Subjects' Personal Data may be shared with FinBoGo in connection with the provision of the Professional Services;
6.4.2 if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the Data Subject to understand the purpose and risks of such transfer;
6.4.3 if Shared Personal Data will be transferred outside the UK pursuant to Clause 9.3 of these Data Sharing Terms, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by each Party to enable the Data Subject to understand the purpose and risks of such transfer.
6.5 The Parties each agree to provide such assistance as is reasonably required to enable the other Party to comply with Subject Rights Requests within the time limits imposed by Applicable Data Protection Legislation.
7. Data subjects' rights
The DP Point of Contact for each Party is responsible for maintaining a record of Subject Rights Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
8. Data retention and deletion
8.1 The Data Receiver shall retain or process Shared Personal Data in accordance with its internal data retention policies and procedures, and in any event, for no longer than is necessary to carry out the Data Sharing Purposes [...]
8.2 Notwithstanding Clause 8.1, the Parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.
8.3 The Data Receiver shall ensure that any Shared Personal Data which is received from the other Party as Data Discloser is returned to the Data Discloser or destroyed in the following circumstances:
8.3.1 on expiry or termination of the Platform Subscription Terms, and in accordance with the provisions of the Platform Subscription Terms, including those provisions relating to post-termination access;
8.3.2 once processing of the Shared Personal Data is no longer necessary for the purposes it was originally shared for, as set out in Clause 3.3;
provided always, for the avoidance of doubt, that FinBoGo shall be entitled to create an anonymised record of any Shared Personal Data it receives, and retain such anonymised information indefinitely [...]
8.4 Following the deletion of Shared Personal Data in accordance with Clause 8.3, the Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted.
9. Transfers
9.1 For the purposes of this Clause 9, transfers of Personal Data shall mean any sharing of Personal Data by the Data Receiver with a third party, and shall include the following:
9.1.1 subcontracting the processing of Shared Personal Data;
9.1.2 granting a third-party Controller access to the Shared Personal Data.
9.2 If the Data Receiver appoints a third-party Processor to process the Shared Personal Data it shall comply with the relevant provisions of Applicable Data Protection Laws and shall remain liable to the Data Discloser for the acts and/or omissions of the Processor.
9.3 The Data Receiver may not transfer Shared Personal Data to a third party located outside the UK unless it ensures that:
9.3.1 the transfer is to a country approved under the Applicable Data Protection Laws as providing adequate protection; or
9.3.2 there are appropriate safeguards or binding corporate rules in place pursuant to Applicable Data Protection Laws; or
9.3.3 the transferee otherwise complies with the Data Receiver's obligations under Applicable Data Protection Laws by providing an adequate level of protection to any Shared Personal Data that is transferred; or
9.3.4 one of the derogations for specific situations in Applicable Data Protection Laws applies to the transfer.
10. Security and training
10.1 The Data Discloser shall only provide Shared Personal Data via the Platform, or through such other secure communication systems as the Parties may agree to from time to time.
10.2 The Parties undertake to have in place appropriate technical and organisational security measures to:
10.2.1 prevent:
(a) unauthorised or unlawful processing of the Shared Personal Data; and
(b) the accidental loss or destruction of, or damage to, the Shared Personal Data; and
10.2.2 ensure a level of security appropriate to:
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(b) the nature of the Shared Personal Data to be protected.
10.3 It is the responsibility of each Party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures referred to in Clause 10.2 together with any other Applicable Data Protection Laws and have entered into confidentiality agreements relating to the processing of Personal Data.
11. Personal data breaches and reporting procedures
11.1 The Parties shall each comply with its obligation to report a Personal Data Breach to the Information Commissioner and (where applicable) Data Subjects under the Applicable Data Protection Laws and shall each inform the other Party of any Personal Data Breach irrespective of whether there is a requirement to notify the Information Commissioner.
11.2 The Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner.
12. Resolution of disputes with data subjects or the Information Commissioner
12.1 In the event of a dispute, complaint or claim brought by a Data Subject or the Information Commissioner concerning the processing of Shared Personal Data against either or both Parties, the Parties will inform each other in writing about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.
13. Warranties
13.1 Each Party warrants and undertakes that:
13.1.1 in respect of any Shared Personal Data which that Party, in the role of Data Discloser, shares with the other Party, it is entitled to provide the Shared Personal Data to the Data Receiver, and it will ensure that the Shared Personal Data is accurate;
13.1.2 in respect of any Shared Personal Data which that Party receives in the role of Data Receiver, it will not disclose or transfer the Shared Personal Data to a third party Controller located outside the UK unless it complies with the obligations set out in Clause 9.3 above; and
13.1.3 it shall:
(a) process the Shared Personal Data in compliance with Applicable Data Protection Laws;
(b) respond within a reasonable time and as far as reasonably possible to enquiries from the Information Commissioner in relation to the Shared Personal Data;
(c) respond to Subject Rights Requests in accordance with the Applicable Data Protection Laws, including where necessary (i) advising the other Party of any step(s) it should reasonably take in this regard; and (ii) where the legitimate ground relied upon is a Data Subject's consent, the timely operation of an effective procedure if such consent is withdrawn;
(d) where applicable, maintain registration with the Information Commissioner to process all Shared Personal Data for the Purpose; and
(e) take all appropriate steps to ensure compliance with the security measures set out in Clause 10 above.
13.2 Except as expressly stated in these Data Sharing Terms, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the greatest extent permitted by law.
14. Indemnity
The Professional shall indemnify and hold FinBoGo harmless from any cost, charge, damages, expense or loss which it causes as a result of its breach of any of the provisions of these Data Sharing Terms.
15. Direct marketing
15.1 If FinBoGo processes the Shared Personal Data for the purposes of direct marketing, it shall ensure that:
15.1.1 the appropriate level of consent has been obtained from the relevant Data Subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Applicable Data Protection Laws; and
15.1.2 effective procedures are in place to allow the Data Subject to "opt-out" from having their Shared Personal Data used for such direct marketing purposes.
16. General
16.1 Entire agreement.
16.1.1 Together with the Platform Subscription Terms, these Data Sharing Terms constitute the entire agreement between the Parties and supersede and extinguish all previous and contemporaneous agreements, promises, assurances and understandings between them, whether written or oral, relating to their subject matter.
16.1.2 Each Party acknowledges that in entering into these Data Sharing Terms, it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in these Data Sharing Terms.
16.1.3 Each Party agrees that it shall have no claim for innocent or negligent misrepresentation based on any statement in these Data Sharing Terms.
16.2 Notices.
16.2.1 Any notice given to a Party under or in connection with these Data Sharing Terms shall be in writing, addressed to the Party's DP Point of Contact, and shall be:
(a) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
(b) sent by email to the DP Point of Contact at the email address specified by the relevant Party from time to time.
16.2.2 Any notice shall be deemed to have been received:
(a) if delivered by hand, at the time the notice is left at the proper address;
(b) if sent by pre-paid first-class UK post or other next Working Day delivery service, at 9.00 am on the second Working Day after posting; or
(c) if sent by email, at the time of transmission, or, if this falls outside of Working Hours in the place of receipt, when Working Hours resume.
16.2.3 This Clause 16.2 does not apply to the service of any proceedings or other documents in any legal action.
16.3 Allocation of cost. Each Party shall perform its obligations under these Data Sharing Terms at its own cost.
16.4 Variation. No variation of these Data Sharing Terms shall be effective unless it is in writing and signed by the Parties (or their authorised representatives).
16.5 Waiver. No failure or delay by a Party to exercise any right or remedy provided under these Data Processing Terms or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
16.6 Third party rights. No one other than a Party to the Platform Subscription Terms, their successors and permitted assignees, shall have any right to enforce any of its provisions.
16.7 Changes to the applicable law. If the Applicable Data Protection Laws change in a way that these Data Processing Terms are no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree that the DP Points of Contact will negotiate in good faith to review these Data Processing Terms in the light of the changes.
16.8 Further assurance. Each Party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to these Data Sharing Terms.
16.9 Force majeure. Neither Party shall be liable for any delay or failure in the performance of its obligations for so long as and to the extent that such delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed.
16.10 Rights and remedies. The rights and remedies provided under these Data Sharing Terms are in addition to, and not exclusive of, any rights or remedies provided by law.
16.11 Severance.
16.11.1 If any provision or part-provision of these Data Processing Terms is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these Data Processing Terms.
16.11.2 If any provision or part-provision of these Data Processing Terms is deemed deleted under Clause 16.11.1, the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
16.12 No partnership or agency.
16.12.1 Nothing in these Data Processing Terms is intended to, or shall be deemed to, establish any partnership or joint venture between any of the Parties, constitute any Party the agent of another Party, or authorise any Party to make or enter into any commitments for or on behalf of any other Party.
16.12.2 Each Party confirms it is acting on its own behalf and not for the benefit of any other person.
16.13 Governing law. These Data Sharing Terms and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with them or their subject matter or formation shall be governed by and construed in accordance with the law of England.
16.14 Jurisdiction. Each Party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with these Data Sharing Terms or their subject matter or formation.
Schedule 1 – Definitions and Interpretation
Part 1 – Definitions
Criminal Offence Data means Personal Data relating to criminal convictions and offences or related security measures to be read in accordance with section 11(2) of the DPA 2018 (or other Applicable Data Protection Laws);
Data Discloser has the meaning given to it in Clause 3.1 of these Data Sharing Terms;
Data Receiver has the meaning given to it in Clause 3.1 of these Data Sharing Terms;
Data Sharing Code means the Information Commissioner's statutory data sharing code of practice which came into force on 5 October 2021, as updated or amended from time to time;
Data Sharing Purpose has the meaning given to it in Clause 3.3 of these Data Sharing Terms;
DP Point of Contact means, in relation to:
(a) the Professional, shall be the Professional or the Professional User or such other person as the Professional nominates from time to time; and
(b) FinBoGo, shall be such person as FinBoGo nominates from time to time;
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data;
Platform Subscription Terms means the subscription terms in place between the Professional and FinBoGo governing the Professional's access and use of the Platform;
Shared Personal Data means the Personal Data and Special Categories of Personal Data to be shared between the Parties under Clause 5 of these Data Sharing Terms, or any other Personal Data transferred by one Party to the other Party in connection with the arrangements contemplated in the Platform Subscription Terms, or otherwise obtained or generated in connection with such arrangements;
Special Categories of Personal Data means the categories of Personal Data set out in the Applicable Data Protection Legislation;
Subject Rights Request means the exercise by a data subject of their rights under the Applicable Data Protection Legislation.