Your Credit Union (as indicated during the sign-up process) is working with one of its software suppliers, NestEgg, to develop an app and email service. This will help members improve their credit profile and financial health. Users of the service should be more likely to be accepted for loans.
Before the service is launched, we will be testing it. By signing this agreement you will be participating in a test that we are undertaking as part of the Financial Conduct Authority’s regulatory sandbox. The regulatory sandbox allows firms to test innovative offerings in a live environment. More information on the FCA’s regulatory sandbox can be found here.
During this period of testing your Credit Union wants to share data with NestEgg. The data will not be shared with any other party and will be destroyed on 31 March 2021.
This data sharing agreement contains three parts:
- Background: an overview of the proposed project we are asking you to participate in;
- Data sharing: a summary of the data being shared, its use and destruction;
- Agreement: a detailed legal agreement to manage the data sharing arrangement.
- Background: an overview of the proposed project we are asking you to participate in;
- Data sharing: a summary of the data being shared, its use and destruction;
- Agreement: a detailed legal agreement to manage the data sharing arrangement.
This data sharing agreement is made on the day your agreed consent via the initial survey and is entered into between:
- NESTEGG LTD registered in England and Wales with company number 10427741, whose registered office is at Lynton House, 7-12 Tavistock Square, London, England, WC1H 9BQ (“NestEgg”);
- THE CREDIT UNION named during the sign up process which is registered in England and Wales
- YOU a member or potential member of your chosen Credit Union
(each a party and together the parties)
PART 1: BACKGROUND
- NestEgg and your Credit Union have joined together to develop an App and email service to help members improve their credit profile and financial health. Users of the service should be more likely to be accepted for loans.
- It is envisaged that a set of new Financial Health Indicators (FHIs) will become the basis for future credit assessment.
- During 2020 the service will be tested under guidance and supervision from the UK regulator – the Financial Conduct Authority.
- During this testing period your Credit union intends to make the email service and App available to existing and potential members, referring both successful and unsuccessful applicants to the service, which will be provided by NestEgg (“Referred Users”).
- Before the App is ready in late 2020, from September 2020, the service will be offered by email to referring both successful and unsuccessful applicants to the service (“Referred Users”).
- In order to fulfil these purposes, personal data will be transferred between the parties as detailed in Part 2, below:
(i) Your Credit Union will share data relating to Referred Users and their applications to assist them to better understand and improve their credit profiles using the App.
(ii) NestEgg will share applicant data with your Credit Union to alert them when an application qualifies for a loan
In compliance with Data Protection Legislation, the parties wish to enter into this Agreement.
PART 2: DATA SHARING BETWEEN NESTEGG, YOUR CREDIT UNION and YOU, a member or potential member of your chosen Credit Union (the name of the Credit Union is indicated during sign-up)
Part 2 describes the permitted processing and data sharing that may take place under this Agreement.
1. SCOPE, NATURE AND DURATION:
NestEgg has developed a mobile app and email service to help credit union members improve their financial health and credit profile. As a result, their financial wellbeing and chances of being accepted for a loan should improve.
This agreement enables the sharing of information during a period of testing of the Financial Health Indicators (FHIs). The purpose of the testing is to test that above solution by assessing how best to improve the financial health and credit profile of loan applicants.
In order to fulfil the test purpose, personal data will be transferred between the parties as follows:
- Your Credit Union will share data with NestEgg relating to Referred Users and their applications to assist them to better understand and improve their credit profiles using the email service and App. The types of data shared are set out in section 4, below.
- NestEgg will share applicant data with your Credit union, with the users’ consent, to assess whether that applicant would now be accepted for a loan
- You (the loan applicant – a member or potential member of you Credit Union) will be participating in a test that we are undertaking as part of the FCA’s regulatory sandbox. The regulatory sandbox allows firms to test innovative offerings in a live environment.
- NestEgg will share aggregated and anonymised information with both your Credit Union and the regulator to assess the impact of the email and App service.
The recipient will be permitted to process the Shared Personal Data, and in accordance with Clause 11 (Data Retention).
For clarity the data outlined in Section 4 of PART 2, above, will be destroyed on 31 March 2021.
2. AGREED PURPOSES OF PROCESSING
The parties agree to only process Shared Personal Data, for the following purposes (the “Agreed Purposes”):
- to enable your Credit Union to refer users to the email service and App, who may wish to use it to better understand their credit profile and financial health;
- to share credit profile and application data held by your Credit Unionwith users so they can better understand their credit profile and eligibility for your Credit Union products;
- to share credit profile and application data held by your Credit Unionwith NestEgg so NestEgg can better understand how best to provide tips and advice so that the user can improve their credit profile and eligibility for your Credit Union products;
- to enable users to apply for your Credit Union financial products within the App;
- to add the user to NestEgg’s mailing list, which the user can leave at any time
- NestEgg will not share the data with any other organisation at any time.
3. TYPES OF DATA SUBJECTS
- members of your chosen Credit Union;
- Potential members of your Credit Union– who have signed up for money tips
- Unsuccessful applicants for your Credit Union’s products;
4. DATA SOURCES
Data will be retrieved from:
- TransUnion Credit Reference Agency
- TrueLayer if you connect your bank account
- Information provided in the application form, online
5. CATEGORIES OF PERSONAL DATA
- Contact details, including email and first four digits of your postcode
- Credit score
- Electoral roll information
- Regular credit payments, including defaults and missed payments
- Publicly available information such as County Court Judgments and insolvencies
That is the end of the summary agreement. What follows is further legal detail.
PART 3: DETAILED AGREEMENT
- NOW THEREFORE in consideration of the agreements and undertakings given and received by it as set out in this Agreement, the receipt and sufficiency of which is acknowledged by each party, each of the parties agrees as follows:
2.1 The definitions and rules of interpretation in this clause apply to this Agreement.
- Agreement means this data sharing agreement.
- Referred Users means users who have been introduced or referred to NestEgg by your Credit Union. They may hold an existing product or account with your Credit Union, or have made an unsuccessful application for a Credit Union product or service.
- controller, processor, data subject, personal data, personal data breach and processing (and process) shall have the meanings given in Data Protection Legislation.
- Data Protection Legislation means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any and all applicable national data protection laws made under or pursuant to (i) or (ii); in each case as may be amended or superseded from time to tim
- Shared Personal Data means any personal data collected or received by one party pursuant to this Agreement (i) in respect of which the other party is a controller; or (ii) where the data subject from whom the personal data is obtained has provided the personal data in the context of its relationship with the other party.
2.2 For the purposes of this agreement, the party that is sharing the Shared Personal Data with the other party shall be referred to as the “sender” and the party receiving the Data shall be the “recipient”.
2.3 Clause, Schedule and paragraph headings shall not affect the interpretation of this Agreement.
2.4 The Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules.
2.5 A reference to a company shall include any company, corporation, society, or other body corporate, wherever and however incorporated or established.
2.6 Unless the context otherwise requires, words in the singular shall include the plural and words in the plural shall include the singular.
2.7 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
2.8 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
2.9 A reference to writing or written includes faxes and email.
2.10 any reference to a party or the parties means NestEgg, your Credit Union and YOU, the loan applicant – a member or potential member of your chosen Credit Union
2.11 Unless the context otherwise requires, references to clauses and Schedules are to the clauses and Schedules of this Agreement and references to paragraphs are to paragraphs of the relevant Schedule.
2.12 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
3.1 This agreement sets out the framework for the sharing of personal data between the parties. It defines the principles and procedures that the parties shall adhere to and the responsibilities the parties owe to each other.
3.2 The parties consider this data sharing initiative necessary as it will enable your Credit Union members to be referred to the App and email service, and it will allow potential Credit Union customers who have been declined a credit application to improve their credit profile using the App and email service and potential reapply for your Credit Union ‘s roducts. Information held by your Credit Union will be shared with NestEgg to help users to better understand their credit and financial profile, and also why their application may have been declined by your Credit Union if applicable.
3.3 The parties agree to only process Shared Personal Data for the Agreed Purposes as defined in PART 2. The parties shall not process Shared Personal Data in a way that is incompatible with the Agreed Purposes.
4. RELATIONSHIP BETWEEN THE PARTIES
4.1 The parties acknowledge and agree that they are both data controllers in respect of their processing of the Shared Personal Data for the Agreed Purposes.
4.2 The terms in this agreement, set out the rights and obligations of the parties, in respect of their processing of the Shared Personal Data, whether as separate and independent or joint controllers.
4.3 The recipient shall only process the Shared Personal Data for the Agreed Purposes in accordance with Part 2: Data Sharing.
5. SHARED PERSONAL DATA
5.1 The Shared Personal Data that will be shared between the parties is detailed in Part 2: Data Sharing. together with any access and processing restrictions as agreed and established by the parties.
5.2 Special categories of personal data will not be shared between the parties.
5.3 The Shared Personal Data must not be irrelevant or excessive with regard to the Agreed Purposes.
6. COMPLIANCE WITH LAW
6.1 Each party shall process the Shared Personal Data in accordance with Data Protection Legislation, and shall procure that any third party that it shares the Shared Personal Data with does the same.
6.2 Each party shall be individually and separately responsible for complying with the obligations that apply to it as a controller under Data Protection Legislation. In particular (and without limitation):
- the sender shall be responsible for complying with all necessary transparency and lawfulness requirements under Data Protection Legislation in order to disclose the Shared Personal Data to the Recipient to process for the Agreed Purposes; and
- the recipient shall be separately and independently responsible for complying with Data Protection Legislation in respect of its processing of the Shared Personal Data it receives from the sender.
- each party shall not cause the other party to be in breach of any obligations imposed on it by the Data Protection Legislation (in so far as they relate to this Agreement only);
7. OUR JOINT RESPONSIBILITIES
7.1 On occasion, the Agreed Purposes may require the parties to work closely together to achieve the data sharing initiatives, where this requires the parties to jointly determine the means and purposes of the processing, the parties must comply with Data Protection Legislation, sometimes as joint controllers of the Shared Personal Data.
7.2 When acting as joint controllers, the parties agree to comply with the following joint controller commitments:
- the parties will make sure that they are transparent about their joint purposes for processing of the Shared Personal Data, and explain how the data is used for the Agreed Purposes;
- the parties will make sure that anyone who wants to have access to their personal data, or to exercise other legal rights, has an easily accessible point of contact to make their request;
- the parties will make sure that when they work closely to introduce new programmes, the privacy of the people whose information are held by the parties will continue to be protected as necessary;
- the parties will make sure that their data protection policies properly govern the sharing initiatives, and that their personnel have a confident understanding of their responsibilities.
- the parties agree to comply with the remaining terms of this agreement, where applicable.
7.3 Notwithstanding the foregoing, where one party processes the Shared Personal Data in the exercise of its own functions only, it alone is responsible for determining the purpose and means of processing and consequently it is a separate and independent controller.
7.4 When acting as joint controllers, the parties will ensure that they independently comply with their respective duties as they relate to the processing of the Shared Personal Data in accordance with Data Protection Legislation. In particular, each party will independently:
- provide all necessary notices to data subjects and procures all necessary consents, or satisfies another legal basis, for it to process the Shared Personal Data in compliance with Data Protection Legislation;
- designate a point of contact for data subjects in their privacy notices;
- subject to clause 8 (Cooperation), comply with requests from data subjects in compliance with Data Protection Legislation.
8. SECURITY AND CONFIDENTIALITY
8.1 The recipient shall:
- ensure that its relevant employees, agents and sub-contractors will respect and maintain the confidentiality and security of the Shared Personal Data and are familiar with the requirements, duties and obligations of the Data Protection Legislation and this Agreement;
- having regard to the state of technological development, take all appropriate technical, security, and organisational measures necessary or desirable in relation to the processing of the Shared Personal Data which shall as a minimum include:
- ensuring that any Shared Personal Data in the possession or control of the recipient is protected against loss, destruction and damage, and against unauthorised access, use, removal, copying, modification, disclosure or other misuse; and
- ensuring a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the personal data to be protected
- at the request of the sender, promptly provide a written description of the technical and organisational methods employed by that party for processing personal data on behalf of the other party pursuant to this Agreement and any other information necessary to demonstrate compliance with that party’s obligations under this Data Transfer Agreement;
- make all reasonable endeavours to ensure that in the course of sharing data and information under, and otherwise in connection with this Agreement, it does not introduce any computer viruses, worms, software bombs or similar items into software programmes , platforms, items of hardware, databases or other systems used by the other;
- ensuring that relevant employees, agents and sub-contractors comply with this Agreement;
9.1 In the event that either party receives any correspondence, enquiry or complaint from a data subject, regulator or other third party (“Correspondence“) related to the disclosure of the Shared Personal Data by the disclosing party to the recipient for the Agreed Purposes or processing of the Shared Personal Data by the other party, it shall promptly inform the other party giving full details of the same, and the parties shall cooperate reasonably and in good faith in order to respond to the Correspondence in accordance with any requirements under Data Protection Legislation.
10. NOTIFICATION OF PERSONAL DATA BREACH
10.1 If a party becomes aware of, receives a notification regarding, or reasonably suspects a Personal Data Breach in respect of the Shared Personal Data it shall:
- without undue delay (and in any event no later than twenty four (24) hours after becoming aware of, receiving a notification regarding, or first suspecting the personal data breach) promptly inform the other party;
- without undue delay provide the other party with detailed information about:
- the nature of the personal data breach including the categories and approximate number of data subjects and data records concerned;
- the likely consequences of the personal data breach;
- the steps the notifying party has taken to address the personal data breach;
- to the extent it has access to the Shared Personal Data that is the subject of the personal data breach, take all necessary steps to mitigate the effects of and to minimise any damage resulting from the breach and to prevent a recurrence of such personal data breach; and
- each party shall provide the other party with reasonable assistance and cooperation as may be required in notifying any relevant regulatory or supervisory authority and/or data subjects of the personal data breach and other reasonable assistance required in responding to further correspondence or enquiries from any regulatory or supervisory authority and/or Data Subjects.
11.1 For the purposes of this clause, transfers of personal data shall mean any sharing of personal data by the recipient with a third party, and shall include, but is not limited to, the following:
- subcontracting the processing of Shared Personal Data;
- granting a third party controller access to the Shared Personal Data.
11.2 If the recipient appoints a third party processor to process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain liable to the sender for the acts and/or omissions of the processor.
11.3 The recipient shall not process or transfer any Shared Personal Data (nor permit any processing of the Data) in a territory outside of the UK or the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Data Protection Legislation.
11.4 Such measures may include (without limitation) transferring the Shared Personal Data to a recipient in a country that the UK authorities or the European Commission has decided provides adequate protection for personal data, to a recipient in the United States that maintains a valid and up-to-date EU-US Privacy Shield certification, or to a recipient that has executed standard contractual Sections adopted or approved by the European Commission or the UK (as applicable).
12. DATA RETENTION
12.1 Subject to any applicable statutory or professional retention periods, the recipient shall not retain or process any personal data made available and/or received from the other party for longer than is necessary to carry out the purpose(s) for which it has been made available and/or provided.
13. REVIEW AND TERMINATION OF AGREEMENT
13.1 In the event that a party terminates the Agreement, an amended and updated version of this Agreement will be drafted as soon as practicable and circulated to all other parties.
13.2 Parties shall review the effectiveness of this data sharing initiative every 12 months, having consideration to the aims and purposes set out in PART 2. The parties shall continue, amend or terminate the Agreement depending on the outcome of this review.
13.3 The review of the effectiveness of the data sharing initiative will involve:
- assessing whether the purposes for which the Shared Personal Data is being processed are still the ones listed in PART 2 of this Agreement;
- assessing whether the Shared Personal Data is still as listed in PART 2 of this Agreement;
- assessing whether the legal framework governing data quality, retention, and data subjects’ rights are being complied with; and
- assessing whether personal data breaches involving the Shared Personal Data have been handled in accordance with this Agreement and the applicable legal framework.
13.4 Each party reserves its rights to inspect the other party’s arrangements for the processing of Shared Personal Data and to terminate the Agreement where it considers that the other party is not processing the Shared Personal Data in accordance with this agreement.
14.1 Each party warrants and undertakes that it will:
- Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
- Make available on request to the data subjects who are third party beneficiaries a copy of this Agreement, unless the agreement contains confidential information.
- Respond within a reasonable time to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data.
- Respond to Subject Access Requests in accordance with the Data Protection Legislation.
- Where applicable, pay the appropriate fees with all relevant supervisory authorities to process all Shared Personal Data for the Agreed Purposes.
- Take all appropriate steps to ensure compliance with the security measures set out in clause 7 above.
14.2 The sender warrants and undertakes that it is entitled to provide the Shared Personal Data to the recipient and it will ensure that the Shared Personal Data are accurate.
14.3 The recipient warrants and undertakes that it will not disclose or transfer the Shared Personal Data to a third party controller located outside the EEA unless it complies with the obligations set out in clause 10 above.
14.4 Except as expressly stated in this agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.
15.1 The sender and recipient undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this agreement, except to the extent that any such liability is excluded under clause 15.2.
15.2 Indemnification hereunder is contingent upon:
- the party(ies) to be indemnified (the indemnified party(ies)) promptly notifying the other party(ies) (the indemnifying party(ies)) of a claim,
- the indemnifying party(ies) having sole control of the defence and settlement of any such claim, and
- the indemnified party(ies) providing reasonable co-operation and assistance to the indemnifying party(ies) in defence of such claim.]]
16. LIMITATION OF LIABILITY
16.1 Neither party excludes or limits liability to the other party for:
- fraud or fraudulent misrepresentation;
- death or personal injury caused by negligence;
- a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
- any matter for which it would be unlawful for the parties to exclude liability.
16.2Subject to clause 15.1, neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
- any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
- loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or
- any loss or liability (whether direct or indirect) under or in relation to any other contract.
16.3 Clause 16.2 shall not prevent claims, for:
- direct financial loss that are not excluded under any of the categories set out in clause 15.2(a); or
- tangible property or physical damage.
17. THIRD PARTY RIGHTS
17.1 Except as expressly provided elsewhere in this Agreement, a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
18.1 No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
19.1 No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
20.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.
20.2 If any provision or part-provision of this agreement is deemed deleted under clause 19.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
21. ENTIRE AGREEMENT
21.1 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
21.2 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misrepresentation based on any statement in this Agreement.
22. GOVERNING LAW
22.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
23.1 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this agreement or its subject matter or formation.
This agreement has been entered into on the date you ticked the consent on the initial questionnaire.