10,000 Interns Foundation
10,000 Interns Foundation
Menu

Data Sharing Agreement

Parties

(1) The 10,000 Interns Foundation, a charitable company incorporated under the laws of England and Wales with charity number 1199061 and company number 13240146, whose registered address is at Second Home, 68 Hanbury Street, London, E1 5JL (the "Foundation")

(2) You, as the organisation that has agreed to participate in one of the Foundation's Internship Programmes ("you" or the "Partner"), each a party and together the parties.

Background

(A) The Foundation is a charity which provides and facilitates Internship Programmes which enable students of different ethnicities and/or disabled students to take part in paid internships with organisations in the UK.

(B) You, as the Partner, have agreed to participate in, and provide internships to candidates as part of, one of the Foundation's Internship Programmes;

(C) The parties accept and acknowledge that the Foundation and Partner will share personal data between them in order to enable the Partner to review and provide internships to candidates as part of the relevant Foundation Internship Programme;

(D) As such, the parties now enter into this Data Sharing Agreement, to determine their respective obligations in relation to the sharing of personal data.

Agreed Terms

  1. Interpretation
    1. In this Data Sharing Agreement, the following words and phrases shall have the following meanings (unless the context otherwise requires).
      Candidate means an individual who applies for an internship as part of one of the Foundation's Internship Programmes;
      Data Protection Contact(s) means an individual appointed by a party in accordance with clause 10.
      Data Protection Legislation means, as applicable, (i) the UK Data Protection Act 2018, (ii) the General Data Protection Regulation (EU) 2016/679 as saved into UK law through section 3 of the European Union (Withdrawal) Act (UK GDPR) (iii) the Privacy and Electronic Communications Regulations 2003 and (iv) any other applicable enactment or rule of law relating to the processing of personal data and privacy, including statutory instruments (each as amended, updated and superseded from time to time).
      Data Security Breach means a breach or breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Protected Data.
      Data Subject(s) means individuals whose personal data is shared among the parties to this Data Sharing Agreement.
      Data Subject Request means an actual or purported request, notice or complaint made by, or on behalf of, a Data Subject in exercise of their rights under Data Protection Legislation relating to their Protected Data.
      ICO means the UK Information Commissioner's Office.
      Internship Programme means any of the Foundation's internship programmes under which the Partner will provide certain candidates, allocated to the Partner by the Foundation, with internships (including in particular students of different ethnicities and/or disabled students).
      Joint Controller(s) means two or more controllers jointly determining the purpose and means of processing of personal data.
      Particulars means the description of the Protected Data, the Data Subjects and details of the transfer and sharing of the Protected Data amongst the parties, as set out in Schedule 1.
      Protected Data means the personal data to be processed by the parties in relation to this Data Sharing Agreement.
      Purpose has the meaning set out in Schedule 1.
    2. The terms "controller", "processor", "personal data", "processing" and "supervisory authority" shall have the meanings given to them in the Data Protection Legislation.
  2. The Roles of the Parties and Compliance with Laws
    1. The parties acknowledge and understand that each party will act as a controller with respect to the Protected Data. Each party is entering into this Data Sharing Agreement in consideration of the other party complying with their respective obligations under this Data Sharing Agreement.
    2. If the parties consider that, in relation to any particular activity related to this Agreement or the Project, they will act as Joint Controllers under the Data Protection Legislation:
      1. the parties will record this decision in writing; and
      2. the additional terms in clause 9 will apply to any such activity.
    3. Each party will comply with its respective obligations under the Data Protection Legislation.
    4. Each party shall use reasonable endeavours to ensure that it does not act or omit to act in a way as to cause another party to breach any of its obligations under Data Protection Legislation.
  3. Sharing Protected Data
    1. The parties acknowledge that the parties will share the Protected Data in connection with this Agreement. Each party agrees as follows in respect of the Protected Data:
      1. each party will implement appropriate technical and organisational measures to safeguard Protected Data against any Data Security Breach. Such measures shall be proportionate to the harm which might result from any such Data Security Breach (and having regard to the nature of the Protected Data in question);
      2. each party will only access the Protected Data shared between them as necessary for its purposes and in accordance with the Purpose and shall process such Protected Data for the Purpose (and in accordance with this Data Sharing Agreement), except with the prior written agreement of the other party;
      3. each party will use reasonable efforts to ensure the Protected Data is accurate and up to date and transferred using a secure method of transfer;
      4. each party will ensure that its staff are properly trained and are aware of their responsibilities for any Protected Data that they have access to;
      5. each party will promptly notify any other party (within at least two (2) working days) if it receives a complaint or request relating to the other party's obligations under the Data Protection Legislation (other than a Data Subject Request, which is addressed in clause 5);
      6. on receipt of a notice under clause 3.1(e), each party will provide the other party with reasonable co-operation and assistance in relation to any such complaint or request.
    2. The parties will process the Protected Data in accordance with the Particulars set out in Schedule 1.
  4. Data Subject Requests
    1. Each party will ensure that it protects the rights of Data Subjects under the Data Protection Legislation and agrees to promptly notify the other party in writing (within at least two (2) working days) if it receives a Data Subject Request about personal data of a Data Subject that the other party is a controller of.
    2. Each party agrees that:
      1. the Data Subject Request will be dealt with by the party in receipt of the Data Subject Request;
      2. such party will respond to the Data Subject Request adequately and in accordance with the Data Protection Legislation; and
      3. the other party will provide all reasonable co-operation and assistance in relation to any Data Subject Request to enable the party in receipt of the Data Subject Request to comply with it within the relevant timescale set out in the Data Protection Legislation.
  5. Notification of a Data Security Breach
    1. Each party shall notify the other party without undue delay after becoming aware of any Data Security Breach and in any event no later than 24 (twenty-four) hours after becoming aware of the Data Security Breach.
    2. Notices under clause 5.1 will (as far as reasonably possible) include a full description of:
      1. the nature of the Data Security Breach including details of the Protected Data and Data Subjects affected;
      2. the likely consequences of the Data Security Breach; and
      3. the measures taken or proposed to be taken by the affected party to address the Data Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
    3. The party affected by the Data Security Breach will provide regular updates to the other party on the progress of its investigation into the Data Security Breach.
    4. Each party shall provide reasonable assistance to the party affected by the Data Security Breach in the event that the affected party is required to notify the ICO or other relevant supervisory authority, other regulator and/ or affected Data Subjects.
    5. Where a Data Security Breach affects both parties, the parties will cooperate to agree the form of any notification to be made by each party to the ICO, other relevant supervisory authority, other regulator and/or affected Data Subjects. For the avoidance of doubt, nothing will prevent either Party from corresponding with the ICO, other supervisory authority, other regulator or Data Subjects in the way that it determines appropriate.
  6. International Data Transfers
    1. Neither party may transfer Protected Data to any country outside the UK unless that party ensures that (as required to comply with the Data Protection Legislation):
      1. the transfer is to a country approved by the UK Government as providing adequate protection;
      2. there are appropriate safeguards in place as required by applicable Data Protection Legislation; or
      3. it can rely on a derogation from the relevant obligations under Data Protection Legislation.
  7. Retention and Deletion of Protected Data and Termination
    1. Each party agrees to only process the Protected Data shared in accordance with this Agreement for as long as reasonably necessary for the Purpose.
    2. Nothing in this clause 7 will prevent either party from retaining and processing Protected Data in accordance with any statutory retention periods applicable to that party.
  8. Relevant Authorities and Enforcement/ Court Action
    1. Where one party interacts with the ICO or any other relevant supervisory authority in relation to the Protected Data (whether proactively, for example to review a data protection impact assessment or reactively, for example, in response to an inquiry from the ICO or other supervisory authority), the other party will provide such information and assistance as is reasonably required to assist in such interactions.
    2. In the event that any enforcement action is brought by the ICO or any other relevant supervisory authority or in the event of a claim brought by a Data Subject against any party, in both instances relating to the processing of Protected Data, the relevant party will promptly inform the other party about any such action or claim and will co-operate in good faith with the other party with a view to resolving it in a timely fashion.
  9. Joint Controllers
    1. This clause 9 applies to the extent that the parties are acting as Joint Controllers (as determined in accordance with clause 2.2).
    2. The parties acting as Joint Controllers will ensure that a privacy notice is provided to the relevant Data Subjects which sets out:
      1. the roles and responsibilities of the parties, as Joint Controllers;
      2. how a Data Subject can exercise their rights;
      3. (if applicable) the fact that the parties acting as Joint Controllers will share the Protected Data with other parties to this Data Transfer Agreement; and
      4. a primary point of contact (whether for one party or each party acting as Joint Controllers).
    3. The party which provides the privacy notice to the relevant Data Subjects (in accordance with clause 9.2 above) will ensure that the Data Subjects are notified of any changes to (i) the roles and responsibilities of the parties; and/or (ii) the point(s) of contact.
    4. If a Data Subject makes a claim for compensation under the Data Protection Legislation against one party (but not the other party) for damage suffered as a result of processing his or her Protected Data for the Purpose (a "Claim"):
      1. the party in receipt of the Claim (the "Affected Party") will promptly notify the other party (or parties) of the Claim;
      2. the Affected Party will keep the other party fully informed of the progress of, and all material developments in relation to, the Claim;
      3. the other party will, at its own cost, provide the Affected Party with reasonable co-operation and assistance in handling the Claim;
      4. the Affected Party will have sole discretion over conduct of the Claim, but will use reasonable endeavours to consult with the other party prior to agreeing any compromise or settlement, or making any admission of liability.
    5. If the Claim is successful and results in an award of compensation against the Affected Party, the parties agree that responsibility for the compensation awarded under the Claim shall be apportioned between the parties to such an extent as is just and equitable having regard to each party's share in the responsibility for the cause which gave rise to the Claim.
    6. If the Affected Party agrees to a compromise or settles a Claim, the parties agree that responsibility for the compensation awarded shall be apportioned between the parties to such an extent as is just and equitable having regard to each party's share in the responsibility for the cause which gave rise to the Claim provided that the Affected Party consulted with the other party (or parties) prior to the agreement of any such compromise or settlement.
    7. Any provisions in any other agreement amongst the parties which seeks to limit the liability of any party shall not apply to Claims under this clause 9.
  10. Changes to the Data Protection Legislation

    If during the term of this Data Sharing Agreement, the Data Protection Legislation changes in a way that this Data Sharing Agreement is no longer adequate or appropriate for compliance with the Data Protection Legislation, the parties agree that they shall negotiate in good faith to review this Data Sharing Agreement in light of the current Data Protection Legislation and amend, terminate and/or replace this Data Sharing Agreement as appropriate.

  11. Data Protection Contacts
    1. Each party will appoint a Data Protection Contact in relation to the transfer of Protected Data under this Data Sharing Agreement. The Data Protection Contact must be an individual associated with the respective organisation with sufficient knowledge and experience of the Data Protection Legislation so as to be able to take decisions on behalf of that party in relation to this Data Sharing Agreement.
    2. Any party may update its Data Protection Contact by written notice to the other party.
    3. Any notice to be provided under this Data Sharing Agreement is to be provided in writing to the relevant Data Protection Contact(s). For the avoidance of doubt in writing includes email.
  12. Counterparts

    This Data Sharing Agreement may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts together shall constitute the one agreement.

  13. Governing Law and Jurisdiction
    1. This Data Sharing Agreement and any disputes or claims (including non-contractual disputes or claims) arising out of or in connection with its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
    2. Each party irrevocably agrees that the courts of England and Wales have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement, its subject matter or formation.

Schedule 1

Data Particulars

ITEM DETAILS
Protected Data Protected Data relating to staff of each party:
  • Names;
  • Contact details (including email addresses and phone numbers)
Protected Data relating to Candidates:
  • Names;
  • Contact details (including email addresses and phone numbers)
  • CVs (including information about job history and skills);
Special categories of personal data, criminal data, or otherwise sensitive data1 The parties may process special category data of Candidates (including data relating to health and/or race/ethnicity)
Purpose of the sharing of Protected Data The parties will share the Protected Data in order to enable the parties to comply with their obligations under this Agreement and to enable the Partner to review Candidates for the purposes of providing internships under the Foundation's Internship Programmes
Lawful bases for sharing the Protected Data (for EEA/ UK Members)
  • Lawful Basis under Article 6 UK GDPR:
    • The parties will rely on explicit consent
    • The parties will rely on legitimate interests;
  • Condition under Article 9 UK GDPR – The parties will rely on explicit consent to process any special category data that forms part of the Protected Data.
Will the parties share the Protected Data with any other parties (Third Party/Parties)?

(excluding processors)		 N/A

1 Special categories of personal data include: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Criminal data includes: personal data relating to criminal convictions and offences.

About
Our Mission
Our Story
Our Impact
Programmes
10,000 Black Interns
10,000 Alumni
Network
Partners
Members
Employers
People
Meet The Team
Meet The Board
Join Us
Stories
Contact
Donate