INFORMATION SHARING AGREEMENT

STANDARD ISA FOR 2 PARTY AGREEMENTS

1 TABLE OF CONTENTS

2 STANDARD INFORMATION SHARING AGREEMENT (SISA)

2.1 PREAMBLE
2.2 TERMS AND DEFINITIONS
2.3 SUBJECT MATTER OF THIS INFORMATION SHARING AGREEMENT
2.4 CONFIDENTIALITY AND PRIVACY
2.5 SECURITY
2.6 DATA PROCESSING TRANSPARENCY
2.7 INCIDENT AND BREACH NOTIFICATION AND MANAGEMENT
2.8 COMPLETE PERSONAL DATA LIFE CYCLE
2.9 RETURNING OR DESTRUCTION OF PERSONAL DATA
2.10 LIABILITY AND INDEMNITY
2.11 DURATION AND TERMINATION
2.12 PRIMACY OF THE SISA
2.13 ELECTRONIC SIGNATURE

3 APPENDICES

3.1 NOTICE TO USERS
3.2 STANDARD INFORMATION SHARING AGREEMENT SUMMARY

2 STANDARD INFORMATION SHARING AGREEMENT (SISA)

Between: The rights holder, the entity or natural person setting out the permissions for the processing of personal data. The rights holder shall be either the natural person whose personal data is the subject of this agreement or will be a natural person or entity whose authority to set out the permissions for the processing of personal data is derived from the natural person whose data is being processed or an equivalent legal authority (hereinafter to be referred to as the “Rights Holder”). And

The data custodian, a company, or other legal entity operating under the legal name specified, and incorporated or organized under the laws of the country specified, having its registered office and principal place of business at the address specified, and registered with the appropriate governmental authority using the appropriate identifying number specified, where all of the foregoing information has been accurately specified through the JLINC software (hereinafter to be referred to as the “Data Custodian”), hereby agree as follows:

2.1 PREAMBLE

The purpose of this JLINC Standard Information Sharing Agreement is to enable personal data processing to proceed with the ongoing knowledge, consent (where allowable by law) and control of the natural person whose personal data is being processed in the context of the terms, conditions, and policies established by the Data Custodian. This is accomplished by the various means as described below, and as implemented by software and systems that conform to the JLINC protocol.

By entering into this agreement, both parties agree to process personal data as directed by the Rights Holder, and to ensure that any information sharing agreements entered into with other parties will enforce these terms.

2.2 TERMS AND DEFINITIONS

Authority for Processing: An underlying assumption in the JLINC suite of protocols and software is that the Data Custodian will not process any data from the Rights Holder without some form of authority, such as consent, received from the Rights Holder directly or derived from a contractual, regulatory, or legal obligation that is binding on the Data Custodian.

Data Custodian: This is the entity that is processing data as received from and/or as directed by the Rights Holder.

Data Processing: The Rights Holder and the Data Custodian shall jointly determine the scope, purposes, and manner by which Personal Data may be collected, used, disclosed, retained, or disposed of by the Data Custodian or any subsequent Data Custodian (sub-processor). Where not otherwise required by regulation, the determination of allowable data processing will be asserted by the Rights Holder through the JLINC protocol and this SISA. This may be referred to as ‘processing’ or ‘processed’ in the body of the document below.

JLINC protocol: The technical specification for implementing permissioned data as set out in the JLINC protocol specification and API documentation.

JLINC software: The suite of protocols, software and web services that implement the JLINC Protocol.

Personal Data: Information about a natural person. At implementation of the JLINC software, Personal Data shall be deemed to be that information about people that is protected by the privacy legislation that applies to the Data Custodian. In the absence of such legislation, the General Data Protection Regulation shall be deemed to be the applicable legislation for the definition of Personal Data.

Privacy Legislation: At implementation of the JLINC software, this shall be the privacy legislation that applies to the Data Custodian in the jurisdiction where the Data Custodian collects the Personal Data. In the absence of such legislation, the General Data Protection Regulation shall be deemed to be the applicable legislation.

Rights Holder: This is the entity that supplies data and/or permissions to the Data Custodian to enable the Data Custodian to process that data.

Standard Information Sharing Agreement: This document is a Standard Information Sharing Agreement that sets out in prose how permissioned data processing is implemented by the JLINC suite of protocols, software and web services.

2.3 SUBJECT MATTER OF THIS INFORMATION SHARING AGREEMENT

The subject matter and scope of this agreement is the Personal Data that is processed by the Data Custodian.

2.4 CONFIDENTIALITY AND PRIVACY

Without prejudice to any existing contractual arrangements between the Parties, the Data Custodian shall treat all Personal Data as strictly confidential and shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Custodian shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

2.5 SECURITY

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Custodian shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include as appropriate:

a) measures to ensure that the Personal Data can be accessed only by authorized personnel;

b) an assessment of the appropriate level of security that takes account in particular of all the risks presented by the processing, for example from accidental or unlawful destruction, loss or alteration, or unauthorized or unlawful storage, processing, access or disclosure of Personal Data;

c) the pseudonymization and encryption of personal data;

d) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

e) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

f) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;

g) measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Custodian.

The Data Custodian shall at all times have in place an appropriate written security policy, with procedures and systems to give effect to that policy, with respect to the processing of Personal Data.

2.6 DATA PROCESSING TRANSPARENCY

The Data Custodian shall make available to the Rights Holder information about the uses and disclosures, including data transfers to other countries, of the Personal Data of the Rights Holder. To the extent commercially feasible, and where not prohibited by law, this information shall be made available in real time through the JLINC protocols, software and web services.

2.7 INCIDENT AND BREACH NOTIFICATION AND MANAGEMENT

When the Data Custodian becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the SISA, it shall promptly notify the Rights Holder about the incident, shall at all times cooperate with the Rights Holder, and shall follow industry best practices and regulatory guidelines with regard to such incidents, in order to enable a thorough investigation into the incident, a correct response, and suitable further steps in respect of the incident.

The Data Custodian shall at all times have in place written procedures which enable it to promptly respond to the Rights Holder about an incident. Where the incident is reasonably likely to require a data breach notification to or by the Rights Holder under applicable Privacy Legislation, the Data Custodian shall implement its written procedures in such a way that it is in a position to notify the Rights Holder no later than 48 hours after having become aware of such an incident.

2.8 COMPLETE PERSONAL DATA LIFE CYCLE

The Data Custodian shall not subcontract any of its Service-related activities consisting (partly) of the processing of the Personal Data or requiring Personal Data to be processed by any third party without the permission of the Rights Holder.

Where the Rights Holder authorizes the Data Custodian named in the SISA to engage sub-processors for Personal Data Processing, those sub-processors shall become Data Custodians to the Data Custodian named in this SISA. The named Data Custodian then becomes the delegated Rights Holder for that processing, provided that only permissions expressed by the original Rights Holder of this SISA may be granted to a sub-processor as a delegated Data Custodian. Further, any permissions withdrawn by the Rights Holder to this SISA will be transmitted and similarly withdrawn by all subsequent Data Custodians.

Notwithstanding any authorization by the Rights Holder within the meaning of the preceding paragraph, the Data Custodian shall remain fully liable vis-à-vis the Rights Holder for the performance of any such sub-processor that fails to fulfill its data protection obligations.

The Data Custodian shall ensure that the sub-processor is bound by the same data protection obligations as the Data Custodian under this Standard Information Sharing Agreement, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable Privacy Legislation.

The Rights Holder may request that the Data Custodian audit a Third-Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist the Rights Holder in obtaining a third-party audit report concerning the Third-Party Sub-processor’s operations) to ensure compliance with the obligations imposed by the Data Custodian in conformity with this Agreement.

2.9 RETURNING OR DESTRUCTION OF PERSONAL DATA

Upon termination of this Standard Information Sharing Agreement, upon the Rights Holder’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, the Data Custodian shall, at the discretion of the Rights Holder, either delete, destroy or return all Personal Data to the Rights Holder and destroy or return any existing copies.

The Data Custodian shall notify all third parties supporting its own processing of the Personal Data of the termination of this Standard Information Sharing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Rights Holder, at the discretion of the Rights Holder.

2.10 LIABILITY AND INDEMNITY

The Data Custodian indemnifies the Rights Holder and holds the Rights Holder harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Rights Holder and arising directly or indirectly out of or in connection with a breach of this Standard Information Sharing Agreement and/or the applicable Privacy Legislation by the Data Custodian. The Rights Holder indemnifies the Data Custodian and holds the Data Custodian harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Custodian and arising directly or indirectly out of or in connection with a breach of this Standard Information Sharing Agreement and/or the applicable Privacy Legislation by the Rights Holder.

2.11 DURATION AND TERMINATION

This Standard Information Sharing Agreement shall come into effect upon the date of the cryptographically signed exchange of a copy of this SISA between the Rights Holder and the Data Custodian.

Termination or expiration of this Standard Information Sharing Agreement shall not discharge the Data Custodian from its confidentiality obligations set out above.

The Data Custodian shall process Personal Data until the date of termination of the agreement, unless instructed otherwise by the Rights Holder, or until such data is returned or destroyed on instruction of the Rights Holder.

2.12 PRIMACY OF THE SISA

In the event of any inconsistency between the provisions of this Standard Information Sharing Agreement and the provisions of any other agreement pertaining to the processing of personal data, the provisions of this Standard Information Sharing Agreement shall prevail, unless specifically overridden by a signed direction from the natural person who is the subject of the Personal Data or their authorized representative.

2.13 ELECTRONIC SIGNATURE

This Standard Information Sharing Agreement shall be deemed to be signed with legal effect when both parties to the agreement complete the cryptographic signing portion of the JLINC protocol and both parties have received a copy of the mutually signed agreement.

3 APPENDICES

3.1 NOTICE TO USERS

The following notice shall always be presented to individual Rights Holders when first entering into a Standard Information Sharing Agreement with another entity. The notice shall include a link to enable the individual Rights Holder to view the Information Sharing Agreement Summary. The Summary shall include a link to proceed to the full text of the Standard Information Sharing Agreement.

This Standard Information Sharing Agreement (SISA) with [Data Custodian] gives you control over how information about you may be held, shared and processed, except where [Data Custodian] may already have legal or contractual obligations to use your information.

By clicking Sign SISA I agree to share my personal data with [Data Custodian] under the terms of this SISA.

3.2 STANDARD INFORMATION SHARING AGREEMENT SUMMARY

A Standard Information Sharing Agreement (SISA) provides a human- and machine-readable framework to control personal data sharing between you and a Data Custodian that you grant permission to hold, control, or process your data. It gives you, the Data Rights Holder, a way to manage personal data sharing across the Internet and to control exactly what each party can do with your information. It provides the Data Custodian with clear authority to process data as directed under the SISA and as expressed through the JLINC protocol.

The Data Custodian hereby agrees to abide by the data sharing controls and permissions set by you, the Data Rights Holder using the JLINC protocol and as set out in the SISA. Where the Data Custodian has a legal or contractual obligation to process personal data outside the terms of this SISA, the Data Custodian will notify you of any activity at the first available opportunity.

JLINC automatically generates a signed “SISA Event”, and holds a copy for you each time you change a data control instruction for personal data content, or permissions associated with personal data, communication preference, buying intent, or marketing consent.

A digital proof of each SISA Event is also sent to an audit trail to verify compliance by the Data Custodian and establish their reputation under the SISA. Any unresolved violation of the terms of the SISA by a Data Custodian will be recorded on their public reputation. The audit trail is public and could also be cited in any complaint, litigation, or defense under applicable regulations.

By signing this SISA you agree to share your data with the Data Custodian under your control using JLINC.