Data Sharing Agreement

Evouchers Limited, trading as ‘HolidayActivities’ (“HolidayActivities”, “we”, “our” or “us”), has created its event booking management software which we operate through our website https://holidayactivities.com/, and associated platforms, collectively known as the HolidayActivities Software (“HolidayActivities Software”) to facilitate the provision of services for the Government’s Holiday, Activities and Food Programme (“HAF”) within our HAF platform (“HolidayActivities Platform”). Our HolidayActivities Platform sits within the HolidayActivities Software. 

To facilitate the data relationship in the HolidayActivities Platform, this data sharing agreement details the agreed terms between HolidayActivities and any buyer (“Buyer”, “you” or “your”) that wishes to access and use the HolidayActivities Platform,  and how each party will collect, use and process any Personal Data in the HolidayActivities Platform. This Agreement is therefore formed between HolidayActivities and you as the Buyer and is legally binding. 

THESE TERMS ARE INCORPORATED INTO ALL APPLICABLE TERMS AND CONDITIONS UNDER WHICH HOLIDAYACTIVITIES HAS AGREED TO PROVIDE ITS SERVICES TO THE BUYER.

With respect to any terms regarding the processing of Personal Data, in the event of a conflict between our terms of service and this Agreement, the provisions of this Agreement shall prevail. 

This Agreement not only contains data sharing and processing terms, but covers any scenario when it may be necessary to share any Personal Data between the parties in the HolidayActivities Platform, when you have access.

1. Definitions
2. In this Agreement the following definitions shall apply:

“Agreement”	means this agreement.
“Authorised Persons”	shall mean the persons or categories of persons that has authorised access to the HolidayActivities Platform.
“Confidential Information”	means all confidential information (however recorded or preserved) disclosed by either party in connection with this Agreement which is either labelled as such or else which could be reasonably considered confidential because of its nature and the manner of its disclosure.
“Data”	has the meaning given in the Data Protection Laws as amended or replaced from time-to-time.
“Data Controller”	shall be interpreted and construed by reference to the term Controller as defined under Data Protection Laws.
“Data Processor”	shall be interpreted and construed by reference to the term Processor as defined under Data Protection Laws.
“Data Protection Laws”	means all applicable data protection and privacy legislation in force from time to time in the UK including the Data Protection Act 2018 (“DPA”) (as amended or replaced from time-to-time), UK GDPR (as defined in the Data Protection Act 2018) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.
“Effective Date”	means the date upon which you accept these terms.
“HAF”	means the Government’s HAF holiday programme which facilitates the provision of holiday activities and HAF Events for children and eligible participants.
“HAF Event”	shall mean the relevant HAF Event or activity being organised and supplied by the HAF Provider and scheduled in the HolidayActivities Platform.
“HAF Participants”	means the parent / guardian or other third party approved to act on behalf of the eligible child(ren) receiving the benefit and participating in the HAF Event.
“HAF Provider”	means the person or entity approved by the Buyer, who is granted access to the HolidayActivities Platform, and who shall provide and supply the relevant HAF Event to eligible HAF Participants.
“HAF Booking”	means the right to a booking allocated to a HAF Participant upon an order being placed by the Buyer, which will facilitate access to the HolidayActivities Platform and use of the Services to facilitate a booking to any HAF Event.
“HolidayActivities Platform”	shall mean the HolidayActivities Platform which sits within the HolidayActivities Software, but is used to facilitate the booking services and management system for any HAF Event.
“Personal Data”	has the meaning given in Data Protection Laws.
“Personal Data Breach”	has the meaning given in Data Protection Laws but shall include any breach of Personal Data.
“processed” or “processing”	has the meaning given in Data Protection Laws.
“Services”	Means the intermediary services performed by HolidayActivities through the HolidayActivities Platform for the benefit of the Buyer, any HAF Participant and any HAF Provider, all of whom utilise the HolidayActivities Platform to facilitate the provision and booking of the HAF Event,  and a register of attendees, which shall include the collection, use and transfer of selected Personal Data within the HolidayActivities Platform.
“Standard Contractual Clauses (SCC)”	means all Controller to Processor SCCs, any  Controller to Controller SCCs or any other SCCs that may apply and are entered into between the parties as set out by the ICO.
“Sub-Processors”	means any third-party, person or company appointed by or on behalf of HolidayActivities who may process Personal Data to facilitate the provision of the Services in connection with the Agreement.
“UK GDPR”	means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time).

2. A reference to writing or written includes emails and writing in any electronic form.

2. General Provisions 
   1. The Effective Date of this Agreement shall be the date that you accept the terms of this Agreement and you acknowledge that this Agreement shall then be binding on you, and will replace any previously applicable data processing, handling and security terms, which relates to the use of the HolidayActivities Platform.
   2. By granting access and/or receiving (some or all of) the Personal Data to  the HolidayActivities Platform, you as the Buyer agree to the terms of this Agreement.
3. Scope of collection and use of Personal Data
4. Term and Termination
   1. This Agreement applies as of the Effective Date and shall continue until our Services have been completed and/or this Agreement is terminated. When this happens, certain provisions in this Agreement will always remain in force and applicable to you.
   2. You may terminate your access to the HolidayActivities Platform at any time, by deleting your account.
   3. Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of this Agreement, in order to protect the Personal Data, will remain in full force and effect.
5. Transfer of Personal Data
   1. You hereby consent to the HolidayActivities Platform accessing the necessary Personal Data provided to us by you for the purpose of facilitating our Services in HAF.
   2. In circumstances where we transfer or permit you access to Personal Data that is available to you through the HolidayActivities Platform, you agree that you shall process that data fairly and lawfully and only as set out in Schedule 1.
   3. In particular, you acknowledge and agree that you will be solely responsible for (i) complying with all necessary transparency and lawfulness requirements under the Data Protection Laws for the collection and use of the Personal Data; (ii) ensuring you have the right to receive any Personal Data for processing under this Agreement; and (iii) you will comply with applicable laws including the Data Protection Laws.
   4. If you appoint a third party processor to process Personal Data accessed by you in the HolidayActivities Platform, you warrant that you shall comply with Article 28 and Article 30 of the UK GDPR and shall remain liable to us for the acts and/or omissions of such processor. 
6. Confidential Information
   1. Each party agrees to keep all Confidential Information confidential and shall not:-
      1. use any Confidential Information except as contemplated by this Agreement and in the use of the HolidayActivities Platform; or
      2. disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement, or as set out in any applicable privacy notice, as required for the purpose of any Services, or to the extent required by law.
   2. Each party shall also ensure that all persons authorised to access the Personal Data are:
      1. informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use the appropriate restrictions in place in respect of preserving the Personal Data; and
      2. have undertaken training on the Data Protection Laws relating to any handling of the Personal Data.
7. Security of the Data
   1. You acknowledge that we shall have no responsibility to maintain the security of any Personal Data to the extent it is held or processed outside of the HolidayActivities Platform or our direct control.
   2. You and us shall both implement appropriate technical and organisational measures as stipulated in Data Protection Laws and/or measures imposed on each party to ensure an appropriate level of security as outlined in Schedule 2, which shall protect against the unauthorised or unlawful processing of, and against the accidental loss or destruction of, or damage to, the Personal Data, having regard to the state of technological development and the cost of implementing any such measures.
8. Sub-Processors and International Transfers by Holiday Activities
   1. You acknowledge and agree that we may use Sub-Processors in the course of our business and to fulfil our Services. We may continue to use such Sub-Processors already engaged by us and a list of our current Sub-Processors may be found at  www.evouchers.com/subprocessors/. We will continue to update this list when required to do so. 
   2. In accordance with clause 8.1, you hereby provide a general authorisation to us to appoint future Sub-Processors for the processing of Personal Data, so long as we carry out due diligence on all potential Sub-Processors, comply with the requirements under the Data Protection Laws and comply with clause 8.3. 
   3. Where we appoint a Sub-Processor pursuant to this clause 8, we shall ensure that the arrangement between us and any Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this Agreement, which meets the requirements of Data Protection Laws.
   4. We shall remain liable for the acts and omissions of any Sub-Processor appointed by us, in respect of the processing of the Personal Data.
   5. You authorise us to transfer or otherwise process the Personal Data outside the UK or the European Economic Area, without obtaining your specific prior written consent, provided that:
      1. the Personal Data is transferred to or processed in a territory which is subject to adequacy regulations under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals, including in particular the UK GDPR Articles 44 -47 and sections 17A to 17C of the DPA or in relation to law enforcement, sections 73, 74A, 74B and 75 of the DPA), or one of the derogations in Article 49 of the UK GDPR applies; or
      2. HolidayActivities participates in a valid cross-border transfer mechanism under Data Protection Laws, so that we can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by the UK GDPR; or
      3. ensure any transfer of Personal Data is subject to the Data Protection Laws’s SCCs or other legal basis for such transfer or disclosure; or
      4. the transfer otherwise complies with Data Protection Laws.
   6. If any Personal Data transfer between us and you requires execution of SCCs in order to comply with the Data Protection Laws, the parties shall agree to enter into a further agreement to reflect the further SCCs.
9. Insurance
   1. HolidayActivities maintains a policy of insurance in respect of public and product liability in respect of the Services provided by us in the HolidayActivities Platform and the processing of any Personal Data.
10. Deletion or return of applicable Personal Data
    1. Subject to sub-Clause 10.2, each party shall hold and process the Personal Data only for so long as is necessary to fulfil the Services in the HolidayActivities Platform.
    2. In the event that any statutory or similar retention periods apply to any of the Personal Data, the relevant Personal Data shall be retained by that party.
    3. Otherwise on fulfilment of the Services, each party shall delete (or otherwise dispose of) the Personal Data (or the relevant part thereof) and any and all copies thereof, subject to any legal requirement to retain any applicable Personal Data, in the following circumstances:
       1. upon the termination or expiry of this Agreement; or
       2. once the Services have been fulfilled and it is no longer necessary to retain the Personal Data (or the relevant part thereof) in light of the stated purposes;
       3. whichever is earlier.
11. Monitoring and Audit 
    1. Each party agrees, and shall procure that any applicable Sub-processors shall keep a written record of any processing of the Personal Data it carries out on behalf of each other.
    2. Subject to clauses 11.3, 11.4, you and us shall:
       1. make available to to each other on request, all information reasonably necessary to demonstrate each party’s respective compliance with this Agreement; and
       2. allow for and contribute to audits, including inspections, by each party or any auditor nominated on request, in relation to the processing of the Personal Data.
    3. The information and audit rights of either party under clause 11.2 shall apply only to the extent required by Data Protection Laws.
    4. Each party agrees to give each other reasonable notice of any audit or inspection that may be conducted under clause 11.2, and shall (and shall ensure that any nominated auditor shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to any applicable premises, equipment, personnel and business.
12. Data Subject Rights and Associated Matters
    1. The Parties each agree to provide such assistance as is reasonably required to enable the other party to comply with requests from data subjects to exercise their rights.
    2. Each party shall:
       1. promptly notify the other if it or any Sub-Processor receives a request from a data subject under any Data Protection Law in respect of any Personal Data processed through the HolidayActivities Platform; 
       2. notify the other promptly in writing if it receives any complaint or notice that relates directly or indirectly to the processing of the Personal Data and/or to either party’s compliance with the Data Protection Laws; and
       3. not, and shall use all reasonable endeavours to ensure that the Sub-Processor does not, respond to any request from a data subject, except on the relevant party’s written instructions or as required by any applicable laws to which either party is subject to.
13. Notification of any Personal Data Breach
    1. Either party shall notify the other without undue delay upon becoming aware of:
       1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data and will restore any Personal Data at their own expense as soon as possible;
       2. any accidental, unauthorised or unlawful processing of the Personal Data; or
       3. any Personal Data Breach.
    2. In the event either party is obliged to communicate a Personal Data Breach to the data subjects, the parties shall assist each other, including the provision, if available, of necessary contact information to the affected data subjects. It may be necessary in this instance to also liaise with the Buyer as to the best approach for notification.
14. Liability
    1. We shall have no liability to you, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
       1. loss, interception or corruption of any data; other than to the extent such loss is caused by our negligence;
       2. loss, interception or corruption of any data in the HolidayActivities Platform resulting from any negligence or default by any provider of telecommunications services to us, you, any HAF Provider or HAF Participant;
       3. any loss arising from the default or negligence of any third party in connection with this Agreement;
       4. damage to reputation or goodwill; 
       5. any indirect or consequential loss.
    2. In all other circumstances, our maximum liability to you, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, in connection with the Services or related to this Agreement shall be limited to the face value amount paid by you for the HAF Bookings during the 12 month period preceding the event giving rise to the claim. 
    3. Nothing in this clause shall limit our liability for any death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded as a matter of law. 
15. Records
    1. Each party agrees to keep detailed, accurate and complete records regarding any processing activities it carries out pursuant to this Agreement, including but not limited to, the access, control and security of the Personal Data.
16. Indemnities
    1. Each party shall be liable to the other and shall indemnify (and keep indemnified) the other party against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demand incurred by the other which arise directly or in connection with a breach of the Data Protection Laws, a breach of this Agreement and any data processing activities which are subject to this Agreement.
17. Miscellaneous Provisions
    1. Save for any statement, licence, representations or assurances, this Agreement and the Schedules to it constitutes the entire agreement and understanding between the parties and with respect to all matters which are referred to and shall supersede any previous agreements between the parties in relation to the matters referred to in this Agreement regarding data protection.
    2. No one other than a party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
    3. We may vary the terms of this Agreement from time to time by giving notice to you in advance of the variation.
    4. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual dispute or claims) shall be governed by and construed in accordance with the laws of England and Wales and subject to the exclusive jurisdiction of the courts of England and Wales.
    5. We may transfer, assign or novate our rights and obligations under this Agreement to any member of our group companies to whom we transfer all or substantially all of our business.

SCHEDULE 1 – Processing, Personal Data, and Data Subjects

Subject matter of processing:

The transfer is between HolidayActivities and the Buyer to facilitate the use of the HolidayActivities Platform in the scheduling of the HAF Event and recording attendees and all Services in respect of access to the HolidayActivities Platform.

It is necessary for HolidayActivities to process the Personal Data to enable the Services to be fulfilled and to ensure the HAF Participant is able to book the HAF Event with the HAF Provider and receive the HAF Bookings.

To facilitate these Services, HolidayActivities shall need access to the Personal Data provided by the Buyer. 

Duration of Processing:

For as long as it is necessary to provide the Services and until either HolidayActivities or the Buyer delete their accounts in the HolidayActivities Platform, thereby terminating this Agreement. Personal Data shall only be retained for the duration it is necessary in the provision of the Services. 

Nature of Processing:

The collection, storage, organisation and re-categorisation of the Personal Data in connection with, and for the purpose of, providing the Services in the HolidayActivities Platform. 

Personal Data Categories and Types:

The Personal Data being processed concerns the following categories of Data Subjects:  

Students / Pupil

Relatives, guardians, and associates of the data subject as HAF Participants

Employees of the Buyer creating an account with HolidayActivities

Data Types:

Identifying information – names first and last, dates of birth, reference numbers, personal  pupil number, gender etc

Event information – specific details regarding the HAF Event including location, timings.

Contact information – postal and email addresses (current and former), telephone number

Characteristic data such as dietary requirements.

Special Categories of Personal Data as defined by Data Protection Laws including health information such as allergies, send information, ethnicity.

Photos / Videos in media form

Schedule 2 – Security Measures

The following are the Security Measures referred to in Clause 7:

1. Each party will ensure that in respect of any Personal Data it receives from or processes on behalf of the other, it maintains security measures to a standard appropriate to:

1. the harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the Personal Data; and

2. the nature of Personal Data.

2. Each party shall where possible:

1. have in place and comply with a security policy which:

1. defines security needs based on a risk assessment;
2. allocates responsibility for implementing the policy to a specific individual or members of a team;
3. is available on request;
4. is disseminated to all relevant staff; and
5. provides a mechanism for feedback and review.

2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;

3. prevent unauthorised access to the Personal Data;

4. put password protection on computer systems on which Personal Data is stored and ensure that only authorised personnel are given details of the password;

5. take reasonable steps to ensure the reliability of employees or other individuals who have access to the Personal Data;

6. ensure that any employees or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Agreement;

7. ensure that none of the employees or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do;

8. have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including:

1. the ability to identify which individuals have worked with specific Personal Data;
2. having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the Data Protection Laws; 
3. notifying all concerned parties as soon as any such security breach occurs; and

9. have a secure procedure for backing up and storing back-ups separately from originals.