Joint Controllers Agreement (v. 1.0)

The Agreement between:

This Joint Controller Agreement along with Master Agreement and the Order Form constitute a contract between WorkInConfidence Limited (a company registered in England and Wales with registered address at Suite 601, Fountain House, 2 Queens Walk, Reading, RG1 7QF and registered number 08255296), (“WorkInConfidence”, “WIC”, “we” or “us”), and the client organisation identified in the Order Form (“Customer”).

1. Background

a)     Customer and WIC agree to work together to allow Customer’s employees to access the platform for the purpose of giving employees an independent platform to voice workplace concerns and provide feedback and views.

b)     WIC works to ensure that the identity of individuals who voluntarily choose to register on the platform is not disclosed to the Client, where this represents the wishes of those individuals, unless said individuals choose to self-identify.

c)     The Customer uses the platform for the purposes of sharing Personal Data (to provide access to the platform and enable use of it) of eligible registrants, as well as managing messages received, Consolidated Case Management (CCM), discussion boards and surveys.

d)     This Agreement sets out the responsibilities of each of the parties above in areas relating to the protection, security, sharing and processing of Personal Data that one or more of the parties require in order to conduct their individual or shared objectives and activities.

e)     This Agreement is intended to document compliance with the UK GDPR and the UK Data Protection Act 2018 (Data Protection Legislation) and EU Data Protection legislation. 

f)      In this document, (i) headings are included for convenience only and shall not affect the construction or interpretation of this document; (ii) any reference to a paragraph shall (unless expressly provided otherwise) be a reference to a paragraph of this document; (iii) any reference to the singular shall include the plural and vice versa, and any reference to one gender shall include all genders including the neuter gender; (iv) any reference to a person shall, unless the context otherwise requires, include individuals, partnerships, companies and all other legal persons; (v) the words “include”, “includes”, “including” and “included” will be construed without limitation unless inconsistent with the context; and (vi) any reference in this document to law or to any statute, statutory instrument, directive, regulation, order or other enactment shall mean the same as amended, enacted, replaced, extended, modified, consolidated or repealed from time to time.

2. Interpretation

The following definitions apply in this Agreement:

Controller, Controllers, Processor, Data Subject and Personal Data, Special Category Personal Data, processing/processed and Appropriate Technical and Organisational Measures shall have the meanings given to them in the applicable Data Protection Legislation.

Data Protection Authority: a national authority, as defined in the Data Protection Legislation: for the UK, this is the Information Commissioner’s Office.

Data Protection Legislation: the UK Data Protection Act 2018 and UK GDPR (the Retained Regulation (EU) 2016/679, as retained in UK law by means of the EU Exit Regulations 2019 (SI 2019/419)), and any EU law or regulation applicable to Customers in the EU.

Individual Privacy Rights: refers to individuals’ rights as set out in Articles 12-23 of UK GDPR or equivalent EU law.  

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Related Personal Data.

Purpose/Purposes: has the meaning given to it in clause 3 of this Agreement.

Related Personal Data: the Personal Data shared and/or processed between the parties for the stated Purpose.

Registered Users/Registrants: Data Subjects who have been provided with voluntary access to the Platform by the Customer.

3. Purpose

a)     The purpose of this Agreement is to agree the respective rights and obligations of the Parties in relation to GDPR and for the Customer to grant WIC the licence to provide the WorkInConfidence platform.

b)     In providing this service WIC will act as the Controller of Related Personal Data for the following purposes:

        i.         Registration process;

        ii.        Implementing measures to protect the identity of registrants from being disclosed to the Customer (unless the registrant actively chooses to disclose their identity to the Customer via the platform);

        iii.       Ensuring the implementation of robust security measures within the platform; and

        iv.        Ensuring any third-party suppliers contracted to provide the service meet their data protection obligations.

c)     In using this service the Customer will act as a Controller of any Personal Data processed for the following purposes:

        i.         Providing email addresses to WIC for the purpose of registration;

        ii.        Assigning manager or admin status to individuals within the Customer’s organisation;

        iii.       Managing Consolidated Case Management (CCM);

        iv.        Managing Surveys; and

        v.         Managing Discussion Boards.

4. Term of this Agreement

This Agreement shall apply from the date Customer first becomes a client of WIC and starts to use the WIC platform until the date all Customer data is removed from the WIC platform following Customer ceasing to be a client of WIC.  

5. Compliance with Data Protection Legislation

a)     In relation to the provision of the WorkInConfidence platform by WIC to the Customer, each party is responsible for and agrees to ensure it does all it is required to do in order to comply with applicable Data Protection Legislation at all times.

b)     Both parties will collaborate, as necessary, in order to:

        i.         Comply with Individual Privacy Rights requests as set out in Articles 15-22 of EU/UK GDPR;

        ii.        Respond to notices served upon them by a Data Protection Authority (e.g. the UK’s Information Commissioner’s Office);

        iii.       Respond to complaints from Data Subjects; and

        iv.        Investigate any breach or alleged breach of Data Protection Legislation.

c)     Both parties will be responsible for ensuring the processing of Related Personal Data is conducted in line with the core data protection principles under UK GDPR.

d)     WIC will retain Related Personal Data for the term of its licence, including any agreed run-off period.

e)     At the termination of the licence, WIC will delete Related Personal Data and, if required, provide a data destruction notification to the Customer.

6. Shared Personal Data

a)     The following types of Personal Data may be shared between the parties via the platform:

        i.         Email addresses of individuals invited to register on the platform;

        ii.        Full name, job title and opinions expressed by individuals, but only in such circumstances where individuals choose to disclose this to the Customer within the platform; and

        iii.       Any Personal Data actively requested or elicited by the Customer via the platform (for example via a survey).

7. Individual privacy rights procedure

a)     The Parties agree to provide reasonable assistance to each other, where necessary, to facilitate the handling of any Individual Privacy Rights requests.

b)     For the avoidance of doubt, where such a request is received by WIC and relates to a Data Subject who has not disclosed their identity to the Customer, WIC will take sole responsibility for fulfilling the request.

8. Security incidents and reporting procedures

a)     The Parties agree to provide reasonable assistance to each other to facilitate the handling of any data security incident in an expeditious and compliant manner.

b)     The Parties should notify each other without any undue delay of any relevant potential or actual losses of Related Personal Data and remedial steps taken, either through mechanisms specified by the parties from time to time or otherwise to the named contacts in this Agreement, to enable the parties to consider what further action is required either individually or jointly.

9. Data Security

a)     WIC will ensure Appropriate Technical and Organisational Measures are implemented to protect Personal Data on its platform.

b)     In circumstances where Personal Data is extracted from the platform the Customer is responsible for ensuring Appropriate Technical and Organisational Measures are implemented to protect Personal Data on its own internal systems.

10. Use, Disclosure and Publication

a)     WIC commits to process Related Personal Data solely for the Purpose.

b)     Related Personal Data shall not at any time be copied, broadcast, or disseminated to any third party, except in accordance with this Agreement or to a party to it.

c)     The only exceptions to clauses 10(a) and 10(b) are where disclosure is required by law and in the fulfilment of Individual Privacy Rights requests.

d)     During the term of this Agreement, WIC will limit access to Personal Data to authorised employees or third-party suppliers:

        i.         that require such access to fulfil the Purpose;

        ii.        that require access to enable the fulfilment of individual rights requests;

        iii.       who are aware of and trained in relation to the confidential nature of Personal Data, and in the use, care, protection and handling of Personal Data; and

        iv.        who have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.

e)     For UK/EU Customers, no Personal Data supplied by the Customer or provided by Registered Users on the platform will be transferred to a country outside the UK or the EU by WIC, during the term of this Agreement, without gaining the agreement of both Parties. Personal Data transfers outside the UK or EU are restricted and, if conducted, WIC agrees to ensure appropriate safeguards are in place in line with Articles 45-46 of UK GDPR or other appropriate EU law.

f)     Without limiting the need to ensure appropriate safeguards, if WIC requests permission to transfer outside of the UK or EU under sub-clause (e) above, permission shall not be unreasonably withheld or delayed. Failure to give a valid reason for withholding consent within 10 business days of being notified of any proposed change shall be deemed as consent. If WIC reasonably deems this to be a necessary change or necessary service provider to reasonably maintain its service and Customer objects, WIC shall be entitled to terminate the contract with, and provision of the service to, Customer provided that (i) it makes a proportionate refund for any remaining part of the Agreement, and (ii) ensures a prompt, safe and orderly destruction of Customer data.

11. Destruction of Personal Data

In line with Clause 5(e), upon termination or expiry of this Agreement WIC shall delete all Related Personal Data and, if requested by Customer, provide a notification of such deletion to the Customer within 21 business days.

12. Term and termination

This Agreement shall commence on the date on which Customer first becomes a client of WIC and will continue for as long as Customer is a customer of WIC, plus any agreed run-off period during which data is to be retained.

13. Other

The WorkInConfidence Organisational Master Agreement also covers the relationship between the Parties.

Appendix A

WIC instructs the following third party Processors to provide services in order to fulfil the Purposes of this Agreement:

·       Amazon Web Services (AWS): Security, hosting, data storage and email delivery

·       CloudFlare: Network optimisation.

Appendix B

·       All aspects of data security are included in both employee and contractor contracts

·       Data transferred between the client and server is encrypted using SSL

·       All customers have their information and conversations held in separate databases

·       All passwords are salted and hashed

·       The system insists that users select strong passwords

·       Databases are regularly backed up

·       Systems are in place to prevent intrusion and logs are automatically scanned for anomalies.