(1) Grapevine Europe Limited incorporated and registered in England and Wales with company number 07046823 whose registered office is at 76 Grantham Road, Radcliffe-On-Trent, Nottingham NG12 2HY (Data Discloser).
(2) You are the Data Receiver.
(A) The Data Discloser agrees to share the Personal Data with the Data Receiver in the European Economic Area (EEA) on terms set out in the Agreement.
(B) The Data Receiver agrees to use the Personal Data within the EEA on the terms set out in this Agreement.
(C) This is a free-standing Agreement that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The following definitions and rules of interpretation apply in this agreement.
Agreed Purpose: has the meaning given to it in clause 2 of this Agreement.
Agreement: this Agreement, which is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Data Protection Authority: the relevant data protection authority in the territories where the parties to this Agreement are established.
Data Protection Directive: EU Data Protection Directive (95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Data Security Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.
Data Sharing Code: the Information Commissioner’s Data Sharing Code of Practice of May 2011.
Privacy and Data Protection Requirements: the Data Protection Act 1998 (the DPA), the Data Protection Directive (95/46/EC), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) and all applicable laws and regulations relating to the processing of the personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other national data protection authority, and the equivalent of any of the foregoing in any relevant jurisdiction.
Shared Personal Data: the personal data to be shared between the parties under clause 4 of this Agreement.
Subject Access Request: has the same meaning as “Right of access to personal data” in section 7 of the DPA.
Term: beginning on the Commencement Date and ending on the earlier of:
(a) The termination of the contract of even date with this agreement, to become an Associate of the Data Discloser, between the Data Discloser and the Data Receiver (Primary Contract); or
(b) The last day of any period of 6 months of inactivity by the Data Receiver under the Primary Contract.
1.2 Data Controller, Data Processor, Data Subject and Personal Data, Sensitive Personal Data, processing and appropriate technical and organisational measures shall have the meanings given to them in the DPA.
1.3 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.
1.4 The schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the schedules.
1.5 Unless the context otherwise, requires, words in the singular shall include the plural and in the plural shall include the singular.
1.6 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.7 A reference to a statue or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.8 References to clauses and Schedules are to the clauses and Schedules of this agreement and references to paragraphs are to paragraphs of the relevant Schedule.
1.9 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
1.10 In the case of any ambiguity between any provision contained in the body of this agreement and any provision contained in the Schedules or appendices, the provision in the body of this agreement shall take precedence.
1.11 A reference to writing or written does not include fax but does include email.
1.12 Unless the context otherwise requires the reference to one gender shall include a reference to the other genders.
2.1 In consideration of the Data Discloser entering into the Primary Contract the Receiver has agreed to enter into this agreement.
2.2 This agreement sets out the framework for the sharing of Personal Data between the parties as Data Controllers. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
2.3 The parties consider this data sharing initiative necessary as the Data Receiver needs the data to provide a valuation to the Data Subject, the Data Receiver will also need the data to contact the Data Subject. The aim of the data sharing initiative is to provide a service to the Data Subject. It will serve to benefit the Data Subjects by saving them time and making it easier for them to sell their vehicle as the Data Receiver shall contact them and arrange for the sale of their vehicle.
2.4 The parties agree to only process Shared Personal Data, as described in clause 4.1, for the following purposes:
(a) To provide a valuation of a vehicle to the Data Discloser’s customers;
(b) To contact the Data Discloser’s customers in order to provide them with further information on the valuation;
(c) To contact the Data Discloser’s customers in order to provide them with further valuations; and
(d) To contact the Data Discloser’s customers in order to purchase or arrange for the purchase of the Data Discloser’s customers’ vehicle.
The parties shall not process Shared Personal Data in a way that is incompatible with the purposes described in this clause (the Agreed Purpose).
2.5 Each party shall appoint a single point of contact (SPoC) who will work together to reach an agreement with regards to any issues arising from the data sharing and to actively improve the effectiveness of the data sharing initiative. The points of contact for each of the parties are:
(a) Data Discloser’s SPoC – Andrew King, Director, firstname.lastname@example.org
(b) Data Receiver’s SPoC – the person you nominated on the ‘Associate form’ (www.jamjar.com/associates/apply)
3. Compliance with national data protection laws
3.1 Each Party must ensure compliance with applicable national data protection laws at all times during the Term of this agreement.
3.2 Each party has a valid registration with its national Data Protection Authority which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this Agreement, unless an exemption applies. Grapevine Europe Limited’s registration number is ZA280219.
4. Shared personal data
4.1 The following types of Personal Data will be shared between the parties during the Term of this agreement:
(a) Name of Data Subject;
(b) Contact details including telephone numbers, address and email of Data Subject; and
(c) Details of vehicle(s) owned by the Data Subject.
4.2 Sensitive Personal Data will not be shared between the parties.
4.3 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
5. Fair and lawful processing
5.1 Each party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with clause 5.2 during the Term of this agreement.
5.2 Each party shall ensure that it processes Shared Personal Data on the basis of one or more of the following legal grounds:
(a) Data Subject has unambiguously given his or her consent;
(b) processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) processing is necessary in order to protect the vital interests of the Data Subject; or
(d) processing is necessary for the purposes of the legitimate interests pursued by the parties except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.
5.3 The Data Discloser shall, in respect of Shared Personal Data, ensure that their privacy notices are clear and provide sufficient information to the data subjects for them to understand what of their personal data the Data Discloser is sharing with the Data Receiver, the circumstances in which it will be shared, the purposes for the data sharing and either the identity of the Data Receiver or a description of the type of organisation that will receive the personal data.
5.4 The Data Receiver undertakes to inform the Data Subjects, in accordance with its own applicable data protection law, of the purposes for which it will process their personal data and provide all of the information that it must provide, in accordance with its own applicable laws, to ensure that the Data Subjects understand how their personal data will be processed by the Data Receiver.
6. Data subjects’ rights
6.1 Data Subjects have the right to obtain certain information about the processing of their Personal Data through a Subject Access Request. In circumstances where the processing of a Data Subject’s personal data is not in compliance with applicable national data protection laws. Data Subjects may also request rectification, erasure or blocking of their personal data.
6.2 SPoCs are responsible for maintaining a record of individual requests for information, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. The points of contact for each party are detailed in clause 2.5.
6.3 The parties agree to provide reasonable assistance as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other queries or complaints from Data Subjects.
7. Data retention and deletion
7.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
7.2 Notwithstanding clause 7.1, parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.
7.3 The Data Receiver shall ensure that any Shared Personal Data are returned to the Data Discloser, or destroyed, or deleted so that the Shared Personal Data is erased irretrievably from computer and communications systems and devices owned or used by the Data Receiver, including such systems and data storage services provided by third parties, in the following circumstances:
(a) on termination of the Agreement;
(b) on expiry of the Term of the Agreement;
(c) once processing of the Shared Personal Data is no longer necessary for the purposes it were originally shared for, as set out in clause 2.4.
7.4 Following the deletion of Shared Personal Data in accordance with clause 7.3, the Data Receiver shall notify the Data Discloser that the Shared Personal Data in question has been deleted in accordance with clause 7.3.
8.1 For the purposes of this clause, transfers of personal data shall mean any sharing of personal data by the Data Receiver with a third party, and shall include, but is not limited to, the following:
(a) storing Shared Personal Data on servers outside the EEA.
(b) subcontracting the processing of Shared Personal Data to data processors located outside the EEA.
(c) granting third parties located outside the EEA access rights to the Shared Personal Data.
8.2 The Data Receiver shall not disclose or transfer Shared Personal Data outside the European Economic Area (EEA).
8.3 Clause 8.2 will not apply to any data transfers carried out by the Data Discloser in respect of Shared Personal Data.
9. Security and training
9.1 The Data Discloser shall only provide the Shared Personal Data to the Data Receiver by using secure methods as agreed and set out in Schedule 2.
9.2 Having regard to the state of technological development and the cost of implementing such measures, the parties have in place appropriate technical and organisational security measures as set out in Schedule 2 in order to:
(i) unauthorised or unlawful processing of the Shared Personal Data; and
(ii) the accidental loss or destruction of, or damage to, the Shared Personal Data
(b) ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the Shared Personal Data to be protected.
9.3 It is the responsibility of each party to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures set out in Schedule 2 together with any other applicable national data protection laws and guidance.
9.4 The level, content and regularity of training referred to in clause 9.3 shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and processing of the Shared Personal Data.
10. Data security breaches and reporting procedures
10.1 Having considered the applicable national data protection laws and guidance, the parties have in place their own guidance that must be followed in the event of a Data Security Breach.
10.2 Parties are under a strict obligation to notify any potential or actual losses of the Shared Personal Data to each and every SPoC as soon as possible and, in any event, within 5 Working Days of identification of any potential or actual loss to enable the Parties to consider what action is required in order to resolve the issue in accordance with the applicable national data protection laws and guidance.
10.3 Clause 10.1 also applies to any breaches of security which may compromise the security of the Shared Personal Data.
10.4 The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Data Security breach in an expeditious and compliant manner.
11. Review and termination of agreement
11.1 Parties shall review the effectiveness of this data sharing initiative every 6 months having consideration to the aims and purposes set out in clause 2.3 and clause 2.4. The parties shall continue, amend or terminate the Agreement depending on the outcome of this review.
11.2 The review of the effectiveness of the data sharing initiative will involve:
(a) Assessing whether the purposes for which the Shared Personal Data is being processed are still the ones listed in clause 2.3 of this Agreement;
(b) Assessing whether the Shared Personal Data is still as listed in clause 4.1 of this Agreement;
(c) Assessing whether the legal framework governing data quality, retention, and data subjects’ rights are being complied with; and
(d) Assessing whether personal data breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the applicable legal framework.
11.3 Each party reserves its rights to inspect the other party’s arrangements for the processing of Shared Personal Data and to terminate the Agreement where it considers that the other party is not processing the Shared Personal Data in accordance with this agreement.
11.4 Clauses 6, 7, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30 and this clause 11.3 shall survive termination of this agreement.
12. Resolution of disputes with data subjects or the Data Protection Authority
12.1 In the event of a dispute or claim brought by a data subject or the Data Protection Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
12.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Data Protection Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
12.3 Each party shall abide by a decision of a competent court of the Data Discloser’s country of establishment or of the Data Protection Authority which is final and against which no further appeal is possible.
13.1 Each party warrants and undertakes that it will:
(a) Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
(b) Make available upon request to the Data Subjects who are third party beneficiaries a copy of this Agreement, unless the Clause contains confidential information.
(c) Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Data Protection Authority in relation to the Shared Personal Data.
(d) Respond to Subject Access Requests in accordance with the Privacy and Data Protection Requirements.
(e) Where applicable, maintain registration with all relevant Data Protection Authorities to process all Shared Personal Data for the Agreed Purpose.
(f) Take all appropriate steps to ensure compliance with the security measures set out in clause 9 above.
13.2 The Data Receiver warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the European Economic Area (EEA).
13.3 Except as expressly stated in this Agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law
14.1 The Data Receiver undertakes to indemnify the Data Discloser and hold the Data Discloser harmless from any cost, charge, damages, expense or loss which the Data Receiver causes the Data Discloser as a result of its breach of any of the provisions of this Agreement, except to the extent that any such liability is excluded under clause 16.2.
15. Allocation of cost
Each party shall perform its obligations under this Agreement at its own cost.
16. Limitation of liability
16.1 Neither party excludes or limits liability to the other party for:
(a) fraud or fraudulent misrepresentation;
(b) death or personal injury caused by negligence;
(c) a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
(d) any matter for which it would be unlawful for the parties to exclude liability.
16.2 Subject to clause 16.1, the Data Discloser shall not in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
(a) any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
(b) loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
(c) any loss or liability (whether direct or indirect) under or in relation to any other contract.
16.3 Clause 16.2 shall not prevent claims, for:
(a) direct financial loss that are not excluded under any of the categories set out in clause 16.2(a); or
(b) tangible property or physical damage.
17. Third party rights
17.1 Except as expressly provided in clause 6 (data subjects rights) a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
17.2 The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this Agreement are not subject to the consent of any other person.
18. Direct marketing
If the Data Receiver processes the Shared Data for the purposes of direct marketing, each party shall ensure that:
(a) effective procedures are in place to allow the Data Subject to “opt-out” from having their Shared Personal Data used for such direct marketing purposes; and
(b) the appropriate explicit consent has been obtained from the relevant Data Subjects to allow the Shared Data to be used for the purposes of direct marketing in compliance with the Privacy and Data Protection Requirements.
No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
21.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this agreement.
21.2 If one party gives notice to the other of the possibility that any provision or part-provision of this agreement is invalid, illegal or unenforceable, the parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.
22. Changes to the applicable law
In case the applicable data protection and ancillary laws change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree that the SPoCs will negotiate in good faith to review the Agreement in light of the new legislation.
23. No partnership or agency
23.1 Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
23.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
24. Entire agreement
24.1 This Agreement and the Primary Contract constitute the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
24.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
24.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misrepresentation based on any statement in this Agreement.
25. Further assurance
At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this agreement.
26. Force majeure
Neither party shall be in breach of this Agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed. If the period of delay or non-performance continues for 4 weeks, the party not affected may terminate this agreement by giving 14 days’ written notice to the affected party.
27. Rights and remedies
The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
28.1 Any notice or other communication given to a party under or in connection with this agreement shall be in writing, addressed to the SPoCs and shall be:
(a) delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or
(b) sent by email to the SPoC.
28.2 Any notice or communication shall be deemed to have been received:
(a) if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address;
(b) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service.
(c) if sent by email, at 9.00 am on the next Business Day after transmission.
28.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution
29. Governing law
This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims).arising out of or in connection with this agreement or its subject matter or formation.
Key legislative provisions and authoritative guidance
• Data Protection Act 1998 (as amended by subsequent legislation)
• Data Protection Directive 95/46/EEC
• General Data Protection Regulation
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (as amended by subsequent legislation)
• Information Commissioner’s Data sharing code of practice dated May 2011
Appropriate technical and organisational security measures
• The Shared Data will be supplied on the Data Discloser’s Website in the Data Receiver’s online account. This account can only be accessed with a username (unique to the Data Receiver) and password (chosen by the Data Receiver).
• The Data Receiver shall use a secure password, keep it confidential and change it every 4 weeks.
• The Data Receiver shall not provide the password to or allow any other person or organisation to use their username and password, except to employees of the Data Receiver that need to access the Shared Personal Data in order to carry out the obligations under this agreement or the Primary Contract.
• If the Data Receiver makes a copy of the Shared Personal Data the transfer, if made by electronic means shall be made via an encrypted method, or if made by manually copying the Shared Personal Data the document should be stored in a secure area (e.g. locked desk/cupboard) that is only accessible to the employees of the Data Receiver that need to have access to the Shared Personal Data in order to carry out the obligations under this agreement or the Primary Contract
• The Data Receiver will only make as many copies as are strictly necessary to carry out the obligations under this agreement or the Primary Contract
• All Shared Personal Data provided to the Data Receiver shall be treated in accordance with policies and procedures the Data Receiver has for its own personal data
• The Data Receiver shall not take or transfer the Shared Personal Data outside of the Data Receiver’s place of business