1. DEFINITIONS
Agreed Purposes: The Company will gather, store and process personal data relating to capture of ANPR and/or CCTV images of Vehicle Registration Marks (VRM) of vehicles that enter and exit the car park (Premises) which are the subject of this substantive Agreement. The Client may, from time to time, provide the Company with other personal data, including but not limited to VRM data, for the purposes of obtaining exemption permits for staff, guests, visitors and other authorised users and also in forwarding other requests which may include personal data. The Parties may also agree to share other personal data as part of the substantive Agreement and any such sharing arrangements will, by inference, be incorporated into this Data Sharing agreement unless expressly excluded in writing.
Controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures: as set out in the Data Protection Legislation.
Data Discloser: a party that discloses Shared Personal Data to the other party.
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.
EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
Permitted Recipients: the parties to this agreement, the employees of each party, any third parties engaged to perform obligations in connection with this agreement, and
Shared Personal Data: the personal data to be shared between the parties under clause 1.1 of this agreement. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject: Data relating to the Client’s requests for Exemption Permits for vehicles and requests to cancel parking charges or otherwise process information relating to vehicles or persons who have visited or are connected to the Client’s car parking facilities at the Premises;
Any personal data which the Parties have agreed to share as part of the substantive Agreement and which is in writing or is evidenced in writing and forms part of that Agreement.
2. DATA PROTECTION
Shared Personal Data. This clause sets out the framework for the sharing of personal data between the parties as controllers. Each party acknowledges that one party (referred to in this clause as the Data Discloser) will regularly disclose to the other party Shared Personal Data collected by the Data Discloser for the Agreed Purposes.
Effect of non-compliance with Data Protection Legislation. Each party shall comply with all the obligations imposed on a controller under the Data Protection Legislation, and any material breach of the Data Protection Legislation by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.
Particular obligations relating to data sharing. Each party shall:
ensure that it has all necessary notices and consents and lawful bases in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing. This includes giving notice that, on the termination of this agreement, personal data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors and assignees;
process the Shared Personal Data only for the Agreed Purposes;
not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;
ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
not transfer any personal data received from the Data Discloser outside the EEA unless the transferor ensures that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferor otherwise complies with its obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.
Mutual assistance. Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall:
consult with the other party about any notices given to data subjects in relation to the Shared Personal Data; promptly inform the other party about the receipt of any data subject rights request;
provide the other party with reasonable assistance in complying with any data subject rights request;
not disclose, release, amend, delete or block any Shared Personal Data in response to a data subject rights request without first consulting the other party wherever possible;
assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, personal data breach notifications, data protection impact assessments and consultations with the Information Commissioner or other regulators;
notify the other party without undue delay on becoming aware of any breach of the Data Protection Legislation;
at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the Shared Personal Data;
use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
maintain complete and accurate records and information to demonstrate its compliance with this clause;
permanently delete, destroy or return, all Personal Data to the Controller following termination or expiry of this Agreement and delete existing copies of such Personal Data unless (and only to the extent) the Processor is required to retain copies to comply with Applicable Law or, in the case of the Company, to benefit from any and all accrued rights; and
provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.
3. CONFIDENTIAL INFORMATION
Disclosure
It is agreed that the Company will be providing Confidential Information to the Client in relation to the Agreed Purpose(s) and for any additional services which may or will be provided under the substantive or any additional Agreement.
Confidential Information means all confidential or proprietary information (however recorded or preserved) relating to the Purpose that is disclosed or made available whether before or after the date of this agreement (in any form or medium), directly or indirectly, by the Company to the Client.
In consideration of the Company agreeing to disclose Confidential Information to the Client, the Client undertakes to the Company that it shall: keep the Confidential Information secret and confidential; not use or exploit the Confidential Information in any way, except for or in connection with, the Purpose; and only make disclosure of the Confidential Information in accordance with paragraph 1.4 and paragraph 1.5. Any other disclosure can only be made with the Company’s prior written consent.
The Client may disclose the Confidential Information to any of its officers, and employees, advisers, subcontractors and contractors that need to know the relevant Confidential Information for the Purpose only, provided that: the Client procures that each such person to whom the Confidential Information is disclosed complies with the obligations set out in this agreement as if they were the Client; and procures that any such person to whom disclosure is made enters into a confidentiality agreement with the Client on terms equivalent to those contained in this agreement.
The Client may disclose the Confidential Information to the minimum extent required by:
any order of any court of competent jurisdiction or any regulatory, judicial, governmental or similar body or taxation authority of competent jurisdiction; the rules of any listing authority or stock exchange on which the Client’s shares are listed; or the laws or regulations of any country to which the Client’s affairs are subject.
Limitations on obligations
The obligations set out in the above section shall not apply, or shall cease to apply, to Confidential Information which the Client can show to the Company’s reasonable satisfaction: that it is, or becomes, generally available to the public, other than as a direct or indirect result of the information being disclosed by the Client in breach of this agreement; or was already lawfully known to the Client before it was disclosed by the Company; or has been received by the Client from a third party source that is not connected with the Company and that such source was not under any obligation of confidence in respect of that information.
Return of the Confidential Information
If requested by the Company at any time, the Client shall immediately destroy or return to the Company all documents and other records of the Confidential Information or any of it in any form that have been supplied to or generated by the Client. If the Confidential Information is stored in electronic form, the Client shall permanently erase all such Confidential Information from its computer and communications systems and devices used by it.
The Company may request the Client to certify in writing that it has complied with any of the obligations in this paragraph.
Term and termination
If the Company decides not to continue to be involved in the Purpose with the Client, it shall notify the Client immediately. Notwithstanding the termination of discussions between the parties in relation to the Purpose pursuant to paragraph 4.1, the obligations of the Client shall continue for a period of two (2) years from the termination of this agreement. The termination of this agreement shall not affect any accrued rights or remedies to which either party is entitled.
Acknowledgment and inadequacy of damages
The Client acknowledges and agrees that:
the Confidential Information may not be accurate or complete and the Company makes no warranty or representation (whether express or implied) concerning the Confidential Information, or its accuracy or completeness; and damages alone would not be an adequate remedy for any breach of the terms of this agreement by the Client. Accordingly, the Company shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this agreement.
Indemnity
Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other [reasonable] professional costs and expenses) suffered or incurred by the indemnified party arising out of or in connection with the breach of the Data Protection Legislation by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend and/or settle it.
Updated September 12, 2025.
