15. Data Sharing Provisions
In certain circumstances, ResDiary and a Customer may require to share data which includes Personal Data for example (1) to enable Guests to create a profile with ResDiary and thereafter make restaurant bookings with the Customer via the Platform and (2) to improve and enhance a Guests’ dining experience with the Customer and (3) to obtain relevant marketing and other appropriate information from ResDiary.
The Parties shall not process the Shared Personal Data for any purpose or in any way that is incompatible with the Stated Purposes.
The Shared Personal Data shall be disclosed by one Party to another only to the extent reasonably necessary for the Stated Purposes.
15.2 Data Protection Compliance
Each Party shall appoint a data protection officer and/or at least one other of its Representatives as a point of contact for all issues relating to the sharing of the Shared Personal Data and the Privacy Legislation (including, but not limited to, compliance, training, and the handling of personal data breaches).
Both Parties shall at all times during the Term comply with their obligations as Data Controllers, the rights of data subjects, and all other applicable requirements under the Privacy Legislation. These Terms and Conditions are in addition to, and do not relieve, remove, or replace either Party’s obligations under the Privacy Legislation. Any material breach of the Privacy Legislation by either Party shall, if not remedied within 14 days of written notice from the other Party, give the other Party grounds to terminate this Agreement with immediate effect.
15.3 The Shared Personal Data
The extent of the Shared Personal Data, including any applicable restrictions relating to will be agreed between the Parties and set out in writing.
Each Party shall ensure that the Shared Personal Data is accurate and up-to-date prior to its disclosure to the other Party.
The Parties shall use compatible technology for the processing of the Shared Personal Data in order to preserve accuracy.
15.4 Shared Personal Data – Fair and Lawful Processing
Both Parties shall at all times during the Term process the Shared Personal Data fairly and lawfully.
Both Parties shall ensure that they have legitimate grounds for processing the Shared Personal Data under the Privacy Legislation.
Both Parties shall ensure that they have in place all required notices and consents in order to enable the sharing of the Shared Personal Data under this Agreement. In particular, the Parties shall ensure that data subjects are provided with clear and sufficient information about the following:
- the purposes for which their personal data is to be processed;
- the legal basis upon which it is relying for such purposes;
- the fact that their personal data is to be transferred to a third party and sufficient detail about the transfer to enable the data subject to understand the purpose of the transfer and any risks associated therewith; and
- in the event that their personal data is to be transferred outside of the EEA, the fact that such a transfer is to take place and sufficient detail about the transfer to enable the data subject to understand the purpose of the transfer and any risks associated therewith. Details of international personal data transfers can be found in Appendix D; and
- all other information required under the relevant Privacy Legislation.
15.5 The Rights of Data Subjects
The Parties shall assist one another in complying with their respective obligations and the rights of data subjects under the Privacy Legislation. Such assistance shall include, but not be limited to:
- consulting with the other Party with respect to information and notices provided to data subjects relating to the Shared Personal Data;
- informing the other Party about the receipt of data subject access requests and providing reasonable assistance in complying with the same;
- not disclosing or otherwise releasing any Shared Personal Data in response to a data subject access request without prior consultation with the other Party, whenever reasonably possible;
- assisting the other Party at the cost of the other Party in responding to any other data subject request.
Each Party shall maintain records of all data subject requests received, the decisions made in response, and any information provided to the data subject(s) concerned. Such records shall include copies of the request, details of any data accessed and shared, and, if applicable, details of any further correspondence, telephone conversations, or meetings relating to the request.
15.6 Data Retention and Deletion and/or Disposal
Each Party shall hold and process the Shared Personal Data only for so long as is necessary for the fulfilment of the Stated Purposes.
In the event that any statutory or similar retention periods apply to any of the Shared Personal Data, the relevant personal data shall be retained by the relevant Party in accordance therewith.
The Parties shall delete (or otherwise dispose of) or at a Party’s option anonymise the Shared Personal Data (or the relevant part thereof) and any and all copies thereof or, on the written request of the other Party, other than in the case of anonymised data, return it to the other disclosing Party, subject to any legal requirement to retain any applicable personal data, in the following circumstances:
- upon the termination or expiry of this Agreement; or
- once the Stated Purposes have been fulfilled and it is no longer necessary to retain the Shared Personal Data (or the relevant part thereof) in light of the Stated Purposes;
whichever is earlier.
All Shared Personal Data to be deleted or disposed of or anonymised under this Agreement shall be deleted or disposed of using an agreed method.
Following the deletion and/or disposal or anonymisation of the Shared Personal Data (as applicable), the Party deleting or disposing of the data shall notify the other Party of the same in writing, confirming that the Shared Personal Data has been deleted or disposed of or anonymised using the method(s) set out above.
15.7 Shared Personal Data Transfers
For the purposes of this Clause the transfer of Shared Personal Data shall refer to any sharing of the Shared Personal Data by a Party with a third party. Such sharing shall include, but not be limited to, the appointment of a third-party Data Processor and sharing the Shared Personal Data with a third-party Data Controller.
In the event that a Party wishes to appoint a third-party Data Processor, it shall remain liable to the other Party for any acts and/or omissions of the third-party processor and it shall comply with the Privacy Legislation.
Neither Party shall transfer any of the Shared Personal Data outside of the EEA or the United Kingdom in relation to European Union and/or United Kingdom Personal Data), or the Commonwealth of Australia in relation to Australian Personal Data unless:
- that Party complies with the provisions of the relevant Privacy Legislation (where the third party is a joint controller); and
- that Party ensures that the transfer is to a country that offers an adequate level of data protection, pursuant to the relevant Privacy Legislation; there are appropriate safeguards in place pursuant to the relevant Privacy Legislation; or one of the derogations for specific situations set out in the relevant Privacy Legislation applies.
15.8 Shared Personal Data Security
A Party shall transfer the Shared Personal Data to the other Party using a secure method.
Both Parties shall ensure that they have in place appropriate technical and organisational measures as reviewed and approved by the other Party, to protect against the unauthorised or unlawful processing of, and against the accidental loss or destruction of, or damage to, the Shared Personal Data, having regard to the state of technological development and the cost of implementing any such measures.
When putting appropriate technical and organisational measures in place, both Parties shall ensure a level of security appropriate to the nature of the Shared Personal Data which is to be protected, and to the potential harm resulting from the unauthorised or unlawful processing of, the accidental loss or destruction of, or damage to, the Shared Personal Data.
All technical and organisational measures put in place by both Parties shall be reviewed regularly by the respective Party, updating such measures upon the agreement of the other Party as appropriate throughout the Term of this Agreement.
15.9 Training
Both Parties shall ensure that any and all of their Representatives by whom the Shared Personal Data is to be handled and processed are appropriately trained to do so in accordance with the Privacy Legislation and with the requisite technical and organisational measures.
The Parties shall further ensure that any of their respective Representatives to whom the Shared Personal Data is to be disclosed are subject to contractual obligations in relation to confidentiality and data protection that bind those Representatives and that are same as the obligations imposed upon the Parties by this Agreement.
15.10 Resolution of Disputes with Data Subjects or the Supervisory Authority
In the event of a dispute or claim brought by a data subject or the ICO concerning the processing of Shared Personal Data against either or both Parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
The Parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the supervisory authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings developed for data protection disputes.