Bikeability: Controller-to-controller data sharing agreement for school bookings

When taking personal information as part of a booking process, you become a data controller (referred to as a Controller below), and take on legal responsibilities around protecting that data. Use this page to understand the role and the formal agreement you are entering into with Bikeability.

After making a Bikeability cycle training booking, you'll receive an email from the Bikeability Project Manager, confirming the training session dates for your school. You will need to respond by email, confirming your acceptance of the sessions offered. In sending your acceptance, you are entering into the data sharing agreement below. The agreement becomes effective when we receive your confirmation email. 

Parties to this agreement

The First Controller is B&NES Council Bikeability Team and the Second Controller is the school confirming a Bikeability training with B&NES Council Bikeability Team.

Background and context

The following document reflects the arrangements that have been agreed and are detailed in the terms and conditions of business and the contractual agreement. The following document forms part of this agreement and has been put in place to facilitate the sharing of personal information between the parties. 

This agreement allows for data to be shared between the parties and to be processed by the parties for the stated purposes and in accordance with the obligations set out in this agreement. The agreement sets out the framework for the sharing of personal data between the parties as data controllers and defines the principles and procedures that the parties shall adhere to and the responsibilities of the parties to each other. This agreement may be amended from time to time upon written agreement between the parties when deemed necessary.

Under this Agreement, both Parties acknowledge and agree that they will each process personal data independently as separate controllers.

Definitions

Some terms in this Agreement have very specific meanings, as follows: 

  • "Agreement" means this agreement between the parties. 
  • "Data subjects’ information" means the personal data of an adult or child shared between the parties in connection with this Agreement.
  • "Data Protection Law" means any laws and regulations relating to the use or processing of personal data in the UK including:
    • The UK General Data Protection Regulation ("UK GDPR")
    • the Data Protection Act 2018 ("DPA")
    • the Privacy and Electronic Communications (EC Directive) Regulations 2003
    • all other applicable laws and regulations relating to the processing of personal data and/or Special categories of Personal data and/or governing individuals' rights to data privacy, including statutory instruments;
    in each case, as updated, amended or replaced from time to time
  • "DP Regulator" means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws including the Information Commissioner’s Office (ICO) 
  • "Enquiry" means any request, complaint, investigation, notice or communication from a Data Subject or a DP Regulator.
  • "Party" or "Parties" means either (or both) First Controller and Second Controller. 
  • "Personal Data Breach" shall have the meaning set out in Article 4 of the UK GDPR. 
  • “Purpose” refers to the purposes for processing data.
  • "Third Party" means any third party participating in either party's work, as it pertains to the Agreement. 
  • The terms "Data Subject", "Personal Data", “special categories of personal data”, "processing", "Processor" and "Controller" (and their derivatives) shall have the meanings set out in the applicable Data Protection Laws.

Roles and responsibilities

Each Party shall nominate a single point of contact within the organisation who can be contacted in respect of queries or complaints, this person being accountable for the processing activities.

First Controller
Role: Bikeability Project Manager at B&NES Council
Contact Details: bikeability@bathnes.gov.uk 

Second Controller
Role: Headteacher or Deputy Headteacher
Contact Details: School contact details available on school’s website

Data protection and general obligations

When processing personal data, the Parties shall (and shall procure that any of their staff involved in connection with the activities under this Agreement shall) at all times:

  • comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing Personal Data in connection with this Agreement, including all relevant notification requirements contained therein.
  • comply with the obligations set out in this agreement and only process the Protected Data for the Purpose and in accordance with the Annex A and B to this Agreement.
  • not do, cause or permit anything to be done which may result in a breach by the other Party of Data Protection Laws.

If either Party materially breaches the obligations set out in this Agreement, and, if remediable, such breach is not remedied within 30 days, the other Party shall be entitled to terminate this Agreement upon immediate effect.

General Obligations

  • Each Party shall ensure that it has in place all necessary notices and lawful basis to enable lawful transfer of Data subjects’ Data in accordance with this Agreement.
  • As part of its compliance with sub-paragraph 1) above and in accordance with Article 13 and 14 of the UK GDPR, the First Controller will share its Privacy Notice with the data subjects (specify when e.g. at the point of first engagement).
  • In accordance with Article 14 of UK GDPR, the Second Controller shall be responsible for providing data subjects with the privacy notice in relation to its own processing of personal data as a data controller. Therefore, the Second Controller will share its Privacy Notice with the data subjects (specify when e.g. at the point of first engagement).
  • Each Party shall implement and maintain adequate and appropriate technical and organisational security measures in order to protect Participant Data against unauthorised or unlawful processing, and against accidental loss, destruction or damage. Participant Data should at a minimum always be password protected and the number of staff who can access Participant Data should be restricted to those for whom access is strictly necessary for the relevant processing.
  • Each party shall ensure that the Shared Personal Data are accurate.
  • Notwithstanding any of the provisions of this Agreement, each Party acknowledges that it is responsible for its own compliance with Data Protection Laws.
  • Each party shall be individually responsible towards their obligations as Data Controllers under the Data Protection Laws (which include obligations towards the data subjects and their rights) and provide reasonable assistance, information and co-operation where reasonably requested by the other Party in respect of data protection matters relevant to this agreement, including (but not limited to):
    • any claim, complaint and/or exercise or purported exercise of rights by a Data Subject under the Data Protection Laws (including Subject Access Request)
    • any investigation or enforcement activity by the applicable data protection authority, which relates to or is connected with the other Party’s processing of the Protected Data
    • assisting the other Party in complying with its obligations as a Controller. Such assistance may relate to or include responding to a complaint by a Data Subject, investigating a Data Breach, informing the applicable data protection authority and the affected Data Subjects of a Data Breach in accordance with the Data Protection Laws, providing information to Data Subjects on the other Party’s behalf as required by the Data Protection Laws and communicating the other Party’s privacy notices and/or policies to the relevant Data Subjects.
  • If a party receives an Enquiry which relates directly or indirectly to its sharing of personal data pursuant to this Agreement, or to the other party's compliance with the Data Protection Laws, it shall notify the other party as soon as reasonably practicable. 
  • Each party shall maintain records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws and shall make such information available to any Data Protection Regulator on request.
  • Each Party shall conduct a data protection impact assessment before processing the Protected Data, in circumstances where a data protection impact assessment is required pursuant to Article 35 of the UK GDPR. 
  • Each party shall provide evidence of its compliance with the Data Protection Laws upon reasonable request of the other Party.
  • Each party shall implement appropriate technical and organisational measures so as to ensure an appropriate level of security is adopted to mitigate the risks associated with its processing of the Protected Data.
  • Each party shall promptly notify the other Party in the event that it receives updates or corrections to any of the Protected Data.
  • Each party shall notify the other in the event of a data breach, suspected or actual. Such notification should be made where possible within 24 hours.

Data retention

Neither party shall retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes subject to its obligation to continue to retain Shared Personal Data in accordance with any statutory or industry or professional retention periods applicable under the Data Protection Legislation.

Indemnity

When the Parties are acting as data controllers separately or jointly, and in accordance with relevant Data Protection Laws or any other legislation, each party shall hold the other parties acting as a controller of data harmless against any liabilities, losses, damages, costs or expenses, including but not limited to any direct, indirect or consequential losses, loss of profit, loss of or damage to reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and any other reasonable professional costs and expenses suffered or incurred by the other party to this agreement arising out of or in connection with any claim made against the other party in relation to any breach by other party of the UK GDPR or other obligations under this agreement.

Security and training

The data discloser and importer shall be jointly responsible for the security of transmission using appropriate technical methods. 

Data processors and sub-processors

Where data is shared by a controller with a data processor or sub-processor (as defined in the UK GDPR Article 4(8)), and where a contract has been made in accordance with Art.28(1-3)(a-h), each of those parties, no matter the number, will be bound by the provision of Data Protection Law and guarantees to implement sufficient technical and organisational measures to protect the data for which the controller or controllers are responsible.

The processor will be liable to the relevant controllers for any losses or damages suffered by any party to this agreement who is acting as a controller of data in accordance with Data Protection Law. It is acknowledged by all parties, including processors and their approved sub-processors, that liability for compensation for an infringement of the regulation is not limited to the controllers and that in accordance with UK GDPR Art.82(4) each party may be held liable for the entire damage to ensure effective compensation. 

Waiver

No failure or delay by either Party in exercising any right or remedy under this Agreement will operate as a waiver of such right or remedy, nor will any single or partial exercise or waiver of any such right or remedy preclude its further exercise or the exercise of any other right or remedy.

International data transfers

Neither Party shall transfer any Personal Data received from the other party to any location which is outside the EEA (unless the recipient is based in a country which the European Commission has decided offers sufficiently adequate protection for personal data when compared with the EU (an “Adequate Country”)) without the other party’s prior written consent. If the other party consents to the transfer of Protected Data to a recipient located outside of the EEA and not in an Adequate Country, the Party transferring the Protected Data shall: 

  • consider if any exception applies that would permit the transfer, without undertaking a transfer risk assessment and identifying any appropriate safeguards.
  • in the absence of any applicable exception, undertake a Transfer Risk Assessment, identify and apply an appropriate safeguard (e.g. IDTA – International Data Transfer Agreement; UK Addendum - to replace existing EU standard contractual clauses which are no longer valid after 21.03.24; UK binding corporate rules, ICO approved contract clauses).

Governing law

This Agreement shall be governed by and construed in accordance with the laws of England and Wales, and the Parties hereby submit to the exclusive jurisdiction of the courts of England and Wales.  

Miscellaneous

  • Nothing in this Agreement is intended to or shall operate to create a partnership or joint venture between the parties, or to authorise either party to act as agent for the other and neither party shall have authority to act in the name of or on behalf of the other, or to enter into any commitment or make any representation or warranty or otherwise bind the other in any way.
  • For the purposes of this clause and in accordance with the GDPR Articles 44, 45 and 46, a transfer of personal data shall mean any sharing of personally identifiable information by any party to another party to this agreement. This agreement does not include:
    • onward sharing of the personal data with any other third party acting as a data controller without a legal or contractual obligation
    • without prior agreement, the publication of the shared personal data via any medium, including, but not limited to, social media, websites and publicly available communications.
  • If any court or competent authority finds that any provision of this Agreement (or part of any provision) is invalid, illegal or unenforceable, that provision (or part) shall, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this Agreement shall not be affected. If any invalid, unenforceable or illegal provision of this Agreement would be valid, enforceable and legal if some part of it were deleted, the parties shall negotiate in good faith to amend such provision such that, as amended, it is legal, valid and enforceable, and, to the greatest extent possible, achieves the parties' original commercial intention.
  • This Agreement constitutes the entire agreement and understanding of the parties with respect to the subject matter of this Agreement and supersedes any prior agreements, representations, understandings, or arrangements between the parties (oral or written) in relation to such subject matter.  Each party acknowledges that: (a) upon entering into this Agreement, it does not rely and has not relied, upon any representation (whether negligent or innocent), statement or warranty made or agreed to by any person (whether a party to this Agreement or not) except those expressly set out in this Agreement; and (b) the only remedy available in respect of any misrepresentation or untrue statement made to it shall be a claim for damages for breach of contract under this Agreement. Nothing in this paragraph 8) shall limit or exclude any liability for fraud.
  • If any provision or part-provision of this Agreement is or becomes invalid, illegal, or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement. If any one or more of the provisions contained in this Agreement is, in whole or in part, invalid, illegal or unenforceable in any respect, the validity, legality or enforceability of the remaining provisions, the Parties agree to negotiate in good faith to review the Agreement in the light of the new legislation.
  • Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party. 

Entire agreement

This Agreement together with the Contract/Service Agreement/Funding agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

Review and changes in the law

The Parties acknowledge that the arrangements outlined in this Agreement may need to be changed to comply with any changes in the requirements of the Data Protection Laws. Each Party shall cooperate with the other Party in good faith to review and agree and document appropriate and reasonable changes to this Agreement to ensure that it addresses any change in the Data Protection Laws in accordance with good market practice.

Termination

This Agreement shall continue in force until the sooner of the following:

  • the Bikeability Programme Purpose no longer being pursued by the Parties
  • a Party serving at least 4 weeks' written notice on the other Party to terminate the Agreement