Terms and conditions

Data sharing agreement

This Data Sharing Agreement is part of the Contract between IDP Connect and the Customer for the provision of digital marketing services and should be read in line with the Contract. This Data Sharing Agreement governs the provision of sharing Personal Data between the Parties and explains the purposes and legal basis of the sharing arrangements.

Parties

  1. IDP Connect: IDP Connect Limited, a company registered in England, Company Number: 02471319, whose registered office is at First Floor, Bedford House, Fulham Green, 69-79 Fulham High Street, London SW6 3JW; and
  2. Customer: The Customer (however described) in the Order Confirmation.

Background

  1. The Parties have entered into the Contract for IDP Connect to provide the Customer with services to: 1) expand their reach by promoting learning opportunities on IDP Connect owned or affiliated websites, 2) engage with Prospective Students by enabling enquiries, information requests and marketing subscriptions when part of the Services, 3) monitor Prospective Student engagements using an enrolment matching tool, 4) understand data and trends in the educational sector, 5) allow the Customer or its representatives, students and alumni to engage with each other and with Visitors on a peer-to-peer basis, 6) any other services provided by IDP Connect as described in the Order Confirmation (the Services).
  2. The Services may cover the provision of platforms for:

    1. An online service for prospective students enabling them to find relevant courses, make informative choices, make enquiries, subscribe to marketing updates or book open days;
    2. A management tool to manage course inventory, editorial content, privacy related content and view and download a list of prospective students that have made an enquiry or subscribed to marketing updates;
    3. Enrolment matching tool for checking referrals from IDP Connect against the Customer's own data;
    4. Data and intelligence services to monitor trends in educational demand and student user behaviour;
    5. Engagement between representatives of the Customer and Customer Visitors through the P2P Service.
  3. In order to deliver the Service, IDP Connect is required to collect, process and share Personal Data from Visitors with the Customer. Some Personal Data will be shared for billing purposes also.
  4. IDP Connect will develop secure applications and services based on privacy by design and privacy by default principles.
  5. IDP Connect will use this information to 1) help Visitors find applicable courses, make an enquiry or subscribe to the Customer marketing updates, participate in peer-to-peer engagements 2) help the Customer run reports on student referrals received from IDP Connect in order to fulfil their contractual obligation to the Customer.
  6. The Customer will use this information for a compatible purpose only and will ensure data is processed in line with applicable law. The Customer will not sell or share this data.
  7. The Parties agree that, other than where IDP Connect is specified to act as a Processor, they both act as Data Controllers in relation to the Personal Data collected in the provision of the Service and will fulfil their Data Controllers' responsibilities as required by the DP Law.

Agreement

  1. In this Data Sharing Agreement, the following terms shall have the following meanings:

    "Contract" means the agreement comprising an Order Confirmation and the IDP Connect Digital Services Terms and Conditions and which incorporates this Data Sharing Agreement.

    "Cookie" means a small text file placed on a User's computer or device by IDP Connect when the User visits certain parts of the Service and/or when the User uses certain features of the Service.

    "Cookie Data" means any data (including Personal Data) collected via Cookies or other similar technologies placed on the User's device.

    "Customer Visitor" means a Visitor who the Customer invites to engage with The Ambassador Platform through the Website integration or The Ambassador Platform Mobile Application.

    "Data Controller" means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

    "Data Processor" means any natural or legal person, public authority, agency or other body which processes Personal Data on behalf of a Data Controller.

    "Details of Processing" means those details set out in Annex 1.

    "Data Sharing Agreement" means this data sharing agreement including all schedules, annexures and any other incorporated documents.

    "DP Law" means any applicable law to which a Party is subject from time to time in any territory in which they Process Personal Data and which relates to the protection of individuals with regards to the Processing of Personal Data and privacy rights, including without limitation the GDPR and the e-Privacy Directive and relevant member state laws in the European Economic Area ("EEA") and in relation to the United Kingdom ("UK") the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (amended by SI 2011 no. 6) and the GDPR (as incorporated into UK law under the UK European Union (Withdrawal) Act 2018) as the same are amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586), as amended to be referred to as PECR, DPA 2018 and the UK GDPR respectively, as the same are amended, consolidated, modified, re-enacted or replaced from time to time; any code of practice or guidance published by a Regulator from time to time; and/or any binding pronouncements (including findings, orders, decisions and/or judgements) issued by a Regulator or a court.

    "Employee" includes any freelancer, director or officer, permanent, temporary, full time or part time data subject employed by IDP Connect or the Customer.

    "EMT" or "Enrolment Matching Tool" is an IDP Connect product that enables enrolment matching.

    "GDPR" means the General Data Protection Regulation.

    "Joint Controllers" means two or more controllers jointly determining the purposes and means of processing.

    "Management Tool" is an IDP Connect product that enables the Customer to access, add, amend course, advertising and privacy related content; view and download enrolment data.

    "Mobile Application" means IDP Connect's mobile application for accessing the Services, and includes the "P2P Mobile Application" for accessing the P2P Service.

    "Party" means each of the Customer and IDP Connect and together the Customer and IDP Connect are the "Parties".

    "Personal Data" means any information that can identify a person as defined in the DP Law.

    "Processing" means every operation, or set of operations, which is performed with regards to Personal Data, including, without limitation, the collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combining, linking to other data, blocking, erasure or destruction of Personal Data.

    "Prospective Students" means any data subject using the online application service on IDP Connect platforms.

    "Purpose" means the instructions under which the Parties can process Personal Data.

    "P2P Service" means the peer-to-peer software tool for connecting Customer Visitors with Customer Ambassadors commonly known as "The Ambassador Platform", which is made available to the Customer by IDP Connect on behalf of The Ambassador Platform Ltd.

    "Services" means the services provided by the IDP Connect under the Contract.

    "Visitor(s)" means any person, including a Prospective Student, who engages with the Customer or its representatives or IDP Connect through a Website or Mobile Application, whether by submitting an enquiry form, subscribing to marketing, requesting prospectuses or information, engaging in peer-to-peer communications or otherwise interacting with the Service.

    "Website" means any websites under the control of IDP Connect and/or any third party websites on which IDP Connect places advertising profiles of the Customer (or any of IDP Connect's advertisers).

    "Working Day" means a day other than a Saturday, Sunday or a public holiday in England when banks in London are closed for business.

  2. The Parties agree the Details of Processing and that:
    1. to the extent that IDP Connect makes available the P2P Service to Customer Visitors, IDP Connect in providing the P2P Service:
      1. processes Personal Data on behalf of the Customer and IDP Connect acts only as the Customer's Processor and the provisions of clause 23 shall apply;
      2. shall be an independent Controller only where:
        1. it processes Personal Data so that it becomes anonymised and/or aggregated data. The Customer further acknowledges that IDP Connect may use any anonymised and/or aggregated data for its own purposes and disclose that anonymised and/or aggregated data to any third party (including the Customer) at its sole discretion; and
        2. IDP Connect is collecting Cookie Data via Cookies or other similar technologies owned by IDP Connect in connection with the provision of the Service; and
    2. to the extent that IDP Connect makes any Services other than the P2P Services available to the Customer, both IDP Connect and the Customer are Data Controllers in their own right in respect of Personal Data processed in the provision of the Services and shall both be responsible for the storage, processing, transmission and protection of any Personal Data that it collects or otherwise acquires in connection with this Data Sharing Agreement.
  3. Each Party (when acting as a Data Controller) shall be responsible for determining the purposes and means of such data Processing, and shall have the duties, responsibilities and liabilities of a Data Controller in respect of that Processing and shall be liable for any penalties or enforcement action imposed by a supervisory authority, in respect of its responsibilities as a Data Controller.
  4. Each Party shall provide and maintain relevant Privacy Notices and inform Visitors of this Data Sharing Agreement. Unless agreed otherwise in writing with IDP Connect, the Customer is solely responsible for:
    1. maintaining valid consent;
    2. managing withdrawals;
    3. notifying Visitors that IDP Connect and the Customer are Data Controllers.
    4. ensuring its Employees and representatives (including ambassadors) comply with any notice and consent requirements before any third party's Personal Data is uploaded to any Service.
  5. IDP Connect is not a party to, and has no obligations under, any contract or arrangement between the Customer and a Visitor. For Personal Data shared as part of the Services, IDP Connect will forward any deletion requests it receives to the Customer, who is solely responsible for handling them.
  6. No Personal Data will be shared between the Parties which has not been identified to the data subjects by Privacy Notices or similar, unless the sharing is justified by DP Law, or required by other applicable law.
  7. Any data shared as part of the Services that was rendered anonymous shall remain as such and the Parties shall not try to re-identify it by matching anonymous data with publicly available information, or auxiliary data, in order to discover the individual to whom the data belongs.
  8. The Parties acknowledge that the Personal Data is confidential information and will be treated with the same degree of care and confidentiality as any of their own confidential information.
  9. Personal Data that is shared must be relevant and adequate, and not excessive for the purposes of the sharing between the Parties.
  10. Each Party shall ensure that it has a lawful basis for processing Personal Data and all processing shall be performed in line with the applicable DP Law.
  11. Each Party shall retain Personal Data for the periods specified in its own retention schedule but will consult with the other Party when retention periods are set in relation to the shared information, to avoid discrepancies which could be detrimental.
  12. If any request for fulfilment of data subject rights is received by any Party, that Party shall be responsible for responding to the external requests directly (unless the request ought properly to have been addressed to the other Party, in which case the Party receiving the request will promptly pass it to the other Party).
  13. For complaints relating to the use of Personal Data (whether from a data subject or a regulator) or, if applicable, a request made under the Freedom of Information Act 2000 or Environmental Information Regulations 2004, the Parties will co-operate to ensure that each of them can appropriately investigate and manage any such request or complaint relating to Personal Data in respect of which they are Data Controller. Each Party that is the Data Controller in respect of the Personal Data shall respond to the individual or the regulator in respect of that request for access or complaint.
  14. In order to protect the confidentiality and integrity of the Personal Data, each Party shall implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to:
    1. ensuring IT equipment, including portable equipment is kept in lockable areas when unattended;
    2. not leaving portable equipment containing any Personal Data unattended;
    3. ensuring that staff use appropriate secure passwords for logging into systems or databases containing the Personal Data;
    4. ensuring that all IT equipment is protected by antivirus software, passwords and suitable encryption devices where appropriate;
    5. ensuring that any Personal Data is stored and transferred (including where stored or transferred on portable devices or removable media) securely, using appropriate technical and organisational measures to guard against unauthorised or unlawful access to or processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data;
    6. limiting access to relevant databases and systems including the Management Tool (accessed via https://portal.partners.idp.com) to those of its Employees, agents and sub-contractors who need to have access to the Personal Data, and ensuring that measures are in place to prevent inappropriate access when individuals are no longer engaged by the Party;
    7. conducting regular (not less than annually) threat assessment, if applicable, and making the results of these available to the other Party on request;
    8. ensuring all staff handling Personal Data or having access to the Management Tool have been made aware of their responsibilities with regards to handling of Personal Data;
    9. ensuring all Employees with access to the Management Tool applications are made aware of their responsibility with regard to information security and the application's access control;
    10. on request, providing the other Party with a written description of any such technical and organisational measures prior to initial receipt of the Personal Data, and from time to time as required;
    11. on request by the other Party (in its capacity as Data Controller), provide a copy of all Personal Data relating in any way to the Services, in the format and on the media reasonably specified by the Party; and
    12. keeping a record of Processing activities in connection with the Services, and if applicable providing the other Party with a copy of the log on request.

    IDP Connect reserves the right to suspend the Services, including denying the Customer and its Visitors access to and use of the Websites, Mobile Applications and any of the management applications accessed via https://portal.partners.idp.com should there be any reasonable suspicion that any of the above conditions are not met.

  15. The Parties shall ensure that only those Employees, agents or contractors who need to have access to the Personal Data in receiving the Services do so and shall take reasonable steps to ensure the reliability of such individuals, and ensure that they are informed of, and understand the confidential nature of, the Personal Data, and the obligations set out in these clauses.
  16. The Parties shall not, in connection with the Services transfer, publish, disclose or divulge any Personal Data to any third party, including any agent or sub-contractor, without disclosing this information to each other and the data subject in the Privacy Notice first, and ensuring there are appropriate data processing and sharing controls in place. Without limiting the foregoing, the Customer shall not pass on the personal data provided by IDP Connect to third parties unless it is in accordance with the provisions of the Data Sharing Agreement and to satisfy the original purpose (namely providing requested information, answering an enquiry or sending marketing content). Without limiting the other obligations under this Data Sharing Agreement, when that happens the Customer shall ensure that:
    1. secure methods are in place prior to personal data/confidential information being passed to these authorised third parties; and
    2. such third parties are subject to same obligations as the Customer has to IDP Connect under this Data Sharing Agreement.
  17. If any Party transfers Personal Data to a specific agent or sub-contractor (the "sub-processor"), the Party acknowledges that it will be responsible for the relationship with the sub-processor and will be primarily liable for the actions or omissions of the sub-processor. Any such sub-processor must enter into a written agreement with the Party that reflects the terms and obligations set out in this Data Sharing Agreement before any Personal Data is transferred. The sub-processor shall not be allowed to retain or use the Personal Data for any purposes other than the provision of a specific pre-agreed element of the overall Services.
  18. The Parties may not process or otherwise transfer Personal Data received in the provision of the Services outside (a) the UK (b) the European Economic Area (EEA) or (c) any country not deemed adequate by the European Commission pursuant to Article 45 of REGULATION (EU) 2016/679, without implementing appropriate controls to ensure the adequacy of protection of such Personal Data.
  19. Each Party will promptly notify the other Party as soon as reasonably practicable (and within 24 hours) if it becomes aware of any security breach, including any inappropriate use of or disclosure of Personal Data received in the provision of the Services. Where applicable, the Parties will cooperate with each other to investigate the cause of and mitigate the effects of any such security breach. The notification will be sent to the contact details as set out in Annex 2 and will include, as a minimum, the categories of data, the number of data subjects affected and the records concerned, as well as the likely consequences of the breach and any steps taken to address or mitigate the effects of the breach.
  20. Each Party will indemnify and keep indemnified the other Party against all losses, damages, fines, penalties, costs or expenses and other liabilities (including reasonable legal fees) incurred by, awarded against or agreed to be paid by the other Party arising from any breach of its obligations under this Data Sharing Agreement or any applicable DP Law. The liability of each Party arising out of the indemnity in this clause 20 shall not exceed £1 million.
  21. The Parties agree to any reasonable amendment to this Data Sharing Agreement to bring it into line with any amendment to or re-enactment of any DP Law, or to allow each of the Parties to comply with any requirement or recommendation of the Information Commissioner or any other data protection or supervisory authority in relation to the Processing of Personal Data.
  22. The provisions of this Data Sharing Agreement will survive the termination of the Contract.
  23. Additional Processor Obligations (IDP Connect as Processor)

    To the extent IDP Connect processes Personal Data of Customer Visitors on behalf of Customer as its Processor, with respect to such Processing, IDP Connect shall:

    1. Process the Personal Data only in accordance with the Contract (including this Data Sharing Agreement) and the documented instructions of the Customer given from time to time. The Customer acknowledges that IDP Connect is under no duty to investigate the completeness, accuracy or sufficiency of such instructions and any additional instructions outside the scope of this Data Sharing Agreement require prior written approval between IDP Connect and Customer (including agreement on any fees payable by Customer to IDP Connect for carrying out such instructions);
    2. only permit the Personal Data to be Processed by persons who are bound by enforceable obligations of confidentiality and take steps to ensure such persons only act on IDP Connect's instructions in relation to the Processing;
    3. protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected (and the Customer shall notify IDP Connect immediately if the nature of such Personal Data changes in a material way);
    4. IDP Connect is generally authorised to appoint third-party sub-processors. Where IDP Connect appoints a third-party sub-processor, it shall, with respect to data protection obligations:
      1. ensure that the third party is subject to, and contractually bound by, at least the same obligations as IDP Connect; and
      2. remain fully liable to Customer for all acts and omissions of the third party, and all sub-processors engaged by IDP Connect as at the date of the Order Confirmation shall be deemed authorized;
    5. in addition to the sub-processors engaged pursuant to clause 23(d), be entitled to engage additional or replacement sub-processors, subject to:
      1. the provisions of clauses 23(d)(i) and 23(d)(ii) being applied; and
      2. IDP Connect notifying the Customer of the additional or replacement sub-processor, and where Customer objects to the additional or replacement sub-processor, the Parties shall discuss the objection in good faith;
    6. notify Customer without undue delay after becoming aware that it has suffered a Personal Data breach;
    7. at Customer's cost and not more than once in any 12-month period permit Customer (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit (on reasonable notice) IDP Connect's Data Processing activities to enable Customer to verify and/or procure that IDP Connect is complying with its obligations under clause 23(a). Customer shall ensure that it adheres to any applicable IDP Connect site and security policies in the performance of such audit or inspection;
    8. on Customer's reasonable request, assist Customer in responding to requests from Data Subjects who are exercising their rights under the DP Law (insofar as it is reasonable for IDP Connect to do so);
    9. not Process Personal Data outside the EEA, save for where IDP Connect has ensured that adequate protections and safeguards are in place to protect the Personal Data as required under DP Law or where the recipient countries have been deemed by the European Commission to be providing an adequate level of protection pursuant to the relevant provisions of DP Law;
    10. on Customer's reasonable request, assist (insofar as it is reasonable to do so, taking into account the nature of the information available to IDP Connect and any restrictions on disclosing the information, such as confidentiality) Customer to comply with the Customer's obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of the DP Law), comprising (if applicable):
      1. notifying a supervisory authority that a Customer has suffered a Personal Data breach;
      2. communicating a Personal Data breach to an affected individual;
      3. carrying out an impact assessment; and
      4. where required under an impact assessment, engaging in prior consultation with a supervisory authority;
    11. save for any Personal Data contained in any "Ambassador Content" assigned to the Customer and licensed to IDP Connect, unless applicable law requires otherwise, upon termination of the Contract delete or return (as specified by the Customer) all Personal Data provided by Customer to IDP Connect (except to the extent this is not reasonably technically possible or prohibited by law). Subject to the foregoing, the Customer agrees that IDP Connect is entitled to delete any accounts on its Service after 36 months unless stated otherwise in the dashboard settings. The Customer further agrees that IDP Connect is entitled to delete any Personal Data associated with a deleted account within 3 days of such account being deleted;
    12. where under this clause 23, IDP Connect is obliged to provide assistance to Customer, or to third parties at the request of Customer (including submission to an audit or inspection and/or the provision of information), such assistance shall be provided at the sole cost and expense of Customer, unless such cost of assistance directly arises from IDP Connect's breach of its obligations under this section.

     

    Annex 1

    Details of Processing

    • Scope/nature/purpose: IDP Connect will process Prospective Students' personal information to support online enquiries, open days bookings, marketing subscriptions and enrolment matching. The processing will involve passing Personal Data to and from the Customer.
    • The Customer will use this data to assist Prospective Students with their enquiries or to send marketing content if the Prospective Student has given consent.
    • IDP Connect will use Personal Data loaded into the EMT by the Customer to produce aggregate reports for the Customer and where relevant to charge fees to the Customer for number of students that IDP Connect has matched in the EMT.
    • If Services include provision of the P2P Service:
      • IDP Connect or its related entity, The Ambassador Platform Ltd, will process Customer Visitor's data for the purpose of facilitating peer-to-peer interactions between individuals. IDP Connect processes Personal Data in order to facilitate creation and sharing of content such as text, images and videos; communication services between Users of the platform; and provide a more personalized user experience.
      • Any information Processed by IDP Connect in relation to the P2P Service shall not be co-mingled with any other data held by IDP Connect in relation to any other Services provided under the Contract.
      • IDP Connect shall ensure that at all times the P2P Service is managed and hosted securely, including the following measures:
        • appropriately sized computer and storage resource within a leading cloud provider facility within the UK or EEA;
        • the ability to re-deploy the Service from a backup taken which is less than 24 hours old within 2 hours;
        • server access via SSH restricted to local IP address and database access only from server; and
        • passwords saved in an encrypted format.
        • IDP Connect shall ensure daily backups of all data on the application server are taken. All platform data shall be stored in the UK or EEA by leading cloud or service providers.
    • Duration: for the duration of the Contract.
    • Types of Personal Data:
      Student Name (first and last);
      Gender;
      Email Address;
      Telephone Number, if provided;
      Full Postal Address, if provided;
      Nationality of student;
      Year of intake.
    • Categories of data subject:
      Personal, but not special category, information for Visitors

    Annex 2

    Contact details

    In event of a data breach affecting Personal Data shared as part of the Services, please contact privacy@idp-connect.com without undue delay and in no event longer than 24 hours.

    For the right to be forgotten, please contact the above address within 5 days from receiving a request from a data subject whose Personal Data was shared as part of the Services.

     

    Dated: December 2025