Data protection Schedule

Data protection

1. Introduction

1.1 Parties must at all times comply with the provisions of Data Protection Legislation, in relation to all processing of Personal Data for the Services.

1.2 Definitions have the meaning given to them in the Contract.

2. Relationship of the parties

2.1 The parties agree that Zoopla and the Member are separate and independent Controllers of the following Personal Data: business contact information including names, addresses, job titles, telephone numbers, email addresses and bank account information for the purposes of account management and Member management including, but not limited to, contractual engagement, invoicing and billing and direct B2B marketing. To the extent that Zoopla and the Member are separate and independent Controllers, they shall each comply with their own obligations under Data Protection Legislation.

2.2 The parties agree that the Member instructs Zoopla to Process the Personal Data described in Data Processing Description ('Annex I') on its behalf (the "Member Personal Data") and for the purposes specified therein. In respect of such processing of the Member Personal Data, the Member shall be the Controller and Zoopla shall be a Processor. Zoopla will process the Member Personal Data on behalf of the Member in accordance with Annex I, and in compliance with Data Protection Legislation including but not limited to Article 28 of the UK GDPR.

2.3 Notwithstanding Clause 2.2 above, the parties agree Zoopla may be a Controller of Personal Data, including Member Personal Data, for the provision of the Services; for the purposes of Zoopla's own products and services; and for Personal Data collected directly from Data Subjects or via any other means other than from the Member.

3. Responsibilities of the parties

3.1 Where a party is a Controller under Clause 2.1, 2.2 and 2.3, it shall be responsible for:

a. ensuring Personal Data is not irrelevant or excessive with regard to the purposes for which it is being collected, shared, stored or otherwise processed;

b. ensuring the Personal Data it provides to the other party is accurate and up to date;

c. ensuring Special Category Personal Data and Criminal Offence Data is not shared between the parties unless required for the Services;

d. ensuring the rights of Data Subjects are complied with and statutory timescales met, and such party receives a request or inquiry from a Data Subject regarding matters covered by the other party's responsibilities, the request shall be forwarded to that Controller without undue delay;

e. ensuring that it has a valid lawful basis under Article 6 (and where required, Article 9) of the UK GDPR for processing of Personal Data such as obtaining consent where required and meeting the right to be informed by providing privacy notices where relevant;

f. assisting the other party to the extent this is relevant and necessary in order to facilitate the handling of any Personal Data Breach in an expeditious and compliant manner; and

g. shall only, and shall procure that any Processors or Subprocessor(s) shall only, transfer or otherwise process Personal Data pursuant to this Data Protection Schedule outside the United Kingdom ("UK") or the European Economic Area ("EEA") where the exporting party complies with Clause 4 below.

3.2 To the extent that Zoopla processes the Member Personal Data as Processor under Clause 2.2 for purposes detailed in Annex I, Zoopla shall:

a. process the Member Personal Data as necessary for the purposes set out in Annex I or in accordance with the Member's reasonable instructions and shall not Process the Member Personal Data for any other purpose or in any other manner, unless lawful to do so, or as required by Applicable Law to which parties are subject; 

b. inform the Member if, in its opinion, any instruction of the Member infringes Data Protection Legislation, in which case the Member shall use best endeavours to promptly remediate such infringement and, should the Member not remediate such infringement within thirty (30) days, Zoopla shall have the right to terminate the Contract in accordance with Clause 6.3;

c. provide reasonable information to the Member that demonstrates compliance by Zoopla with the Data Protection Legislation;

d. use reasonable endeavours to: (i) ensure that any person that it authorises to process the Member Personal Data (including Zoopla's agents, contractors, subcontractors, Subprocessors, employees and members of its group) (an "Authorised Person") shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty); (ii) to not permit any person to process the Member Personal Data who is not under such a duty of confidentiality; and (iii) ensure that Authorised Persons process the Member Personal Data as necessary for the purposes set out in Annex I;

e. implement appropriate technical and organisational measures, which may be updated from time to time, to protect the Member Personal Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident"). Zoopla shall use reasonable endeavours to ensure that such measures and controls maintain a level of security appropriate to: (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and (ii) the nature of the Member Personal Data to be protected;

f. engage third party Subprocessors to process the Member Personal Data by general authorisation by the Member provided that: (i) Zoopla provides the Member with details of such Subprocessors on written request of the Member and on its Website(s) and shall inform the Member of any intended changes concerning the addition or replacement of such Subprocessors; (ii) Zoopla imposes data protection terms on any Subprocessor it appoints that protect the Member Personal Data, in substance, to a similar standard of protection provided for in this Data Protection Schedule; (iii) Zoopla shall provide Subprocessors with access to the Member Personal Data only as is necessary to enable delivery when processing for the purposes as set out under Annex I; and (iv) Zoopla remains liable for any breach that is caused by a negligent act, error or omission of its Subprocessor;

g. provide all reasonable assistance to the Member at the Members own expense, where permitted by Data Protection Legislation, including without limitation: (i) to enable the Member to respond to any request from a Data Subject to exercise any of its rights under Data Protection Legislation (including its rights of access, rectification, objection, and erasure, as applicable); (ii) to enable the Member to respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator, Supervisory Authority or other third party in connection with the processing of the Member Personal Data in compliance with Data Protection Legislation. In the event that any such request, correspondence, enquiry or complaint is made directly to Zoopla, Zoopla shall promptly inform the Member, where reasonable, providing details of the same; (iii) to assist with data protection impact assessments and mitigate risks to data protection compliance; (iv) meeting the right to be informed where lawfully required; and (v) consulting with supervisory authorities (including the ICO), to the extent legally required;

h. upon becoming aware of a Security Incident regarding the Member Personal Data as detailed in Annex I, Zoopla shall inform the Member without undue delay and shall provide the Member where reasonable and possible with a description of the Security Incident, and the type of Member Personal Data that was the subject of the Security Incident, as soon as such information can be collected or otherwise becomes available, as well as reasonable periodic updates to this information and any other information the Member may reasonably request relating to the Security Incident to the extent necessary to allow the Member to comply with its own Data Protection Legislation obligations. All actions taken by Zoopla will be at the reasonable cost of the Member; and

i. allow the Member, its employees or authorised agents, upon reasonable prior written notice to Zoopla of at least sixty (60) days, reasonable access to any relevant resources where possible, used in connection with the provision of the Services for the purposes set out under Annex I, during normal business hours, to inspect compliance with the data protection terms within the Data Protection Schedule.

3.3 The parties agree:

a. that during the provision of the Services the Member instructs Zoopla to delete the Member Personal Data in accordance with Zoopla's policies. Upon termination or expiry of the Services, Zoopla shall, where reasonable to do so (at the Member's election and cost), retain, destroy or return to the Member the Member Personal Data processed for the Services and purposes set out under Annex I. Where the Member fails to make such an election within thirty (30) days of the termination or expiry of the Services, Zoopla shall make such an election on the Member's behalf. This requirement shall not apply to the extent (i) that Zoopla may lawfully retain or use Personal Data including Member Personal Data, or ii) is required by Applicable Law to retain some or all of the Member Personal Data in which event Zoopla shall protect the Member Personal Data from any further processing except to the extent required by such law until erasure is possible;

b. when using a third party to provide services to the Member, the Member authorises Zoopla to transfer the Member Personal Data to the third party as required to provide those services;

c. the Member hereby instructs Zoopla, where applicable, to carry out marketing activities on the Member's behalf where required to perform or promote the Services, and to perform or promote other products and services provided or facilitated by Zoopla relevant to the Member or Services. The Member warrants that the Member has a legal right to store its contact base or any other Member Personal Data within the Services and the Website(s) and any other systems of Zoopla or its Group Companies or subcontractors or Processors/Subprocessors and that any marketing or other required consents, authorisations and confirmations appended to the contact database or within related products or services provided or facilitated by Zoopla or its Group Companies, subcontractors or Processors/Subprocessors are up to date and correctly ascribed to the email addresses, consumer or property to which they relate, for the duration of the provision of the Services under the Contract. Further, the Member warrants that: (i) it has provided all relevant Data Subjects with appropriate fair processing information and/or privacy notices in accordance with Data Protection Legislation; and (ii) it has obtained all necessary consents to enable the Member and Zoopla to process Member Personal Data for electronic mail marketing purposes in compliance with Data Protection Legislation; 

d. where Zoopla may collect (from any source), process or share property information, such as a property's address and attributes about the property or a property transaction, where data relates to a property or property transaction, and such data is not directly or indirectly related to an individual, the requirements of, or rights provided by Data Protection Legislation and requirements of these data protection terms do not apply. Parties agree such information is not Personal Data; and

e. Member shall provide Zoopla with a means to be able to meet the right to be informed (including the provision of privacy notices) and obtain consent, where required, for the processing of Member Personal Data via autonomous technology (fully or partial), machine learning and other analogous technologies.

4. International transfers

4.1 In the event of a transfer of Personal Data including Member Personal Data outside of the UK under this Contract would be prohibited by Data Protection Legislation in the absence of appropriate safeguards, the parties (or any third party engaged by or on behalf of Zoopla to process Member Personal Data) shall enter into the Standard Contractual Clauses, together with the UK Addendum, or alternatively the UK International Data Transfer Agreement or successor or equivalent transfer mechanism approved by a competent Supervisory Authority in the UK.

4.2 In the event the ICO or any other relevant Supervisory Authority's decision which authorises the transfer of the Personal Data outside the UK or EEA is held to be invalid or any Supervisory Authority requires the transfers of Personal Data to be suspended, then parties may, at their discretion, require the exporting party where reasonable to: (i) ensure that transfers of Personal Data are forthwith ceased; or (ii) require the exporting party to promptly cooperate to facilitate the use of an alternative data transfer mechanism that will permit parties to continue to benefit from the Services in compliance with Data Protection Legislation.

5. Business to business privacy notice 

5.1 The Member must ensure that the Zoopla business to business privacy notice as found on the Website(s) is brought to the attention of their agents, contractors, employees and members of its group. 

6. Term and termination

6.1 This Data Protection Schedule will remain in full force and effect so long as:

a. the Contract remains in effect; or

b. either party retains any of the Personal Data for the purposes of the Services and related to the Contract in its possession or control.

6.2 Any provision of this Data Protection Schedule that expressly or by implication should come into or continue in force on or after termination of the Contract in order to protect the Personal Data will remain in full force and effect.

6.3 The Member's failure to comply with the terms of this Data Protection Schedule is a material breach of the Contract. In such an event, in accordance with clause 11 of the Contract, Zoopla may terminate the Contract or any part of it by written notice to the other party without further liability or obligations to the other party.

6.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Contract, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within sixty (60) days, the parties may negotiate in good faith to alter the Services provided to ensure compliance with Data Protection Legislation. To the extent this is not possible within thirty (30) Business Days, either party may terminate the Contract with immediate effect.

7. Changes to the Applicable Law

7. 1 If any change in Data Protection Legislation results in this Contract no longer containing adequate data protection provisions for the parties' protection, the parties shall negotiate in good faith to review these data protection terms in light of the new or changed legislation.

8. Limitation of liability

8.1 Limitation of liability is as detailed within the Contract.

8.2 The Member indemnifies Zoopla from and against all losses suffered or incurred by Zoopla with respect to the processing of any Personal Data for which the Member is the Controller, where such processing is carried out on and in accordance with the instructions of the Member, including in accordance with its obligations under the Contract and provided that this indemnity shall not apply to losses incurred by Zoopla to the extent they arose as a direct result of the negligent act or omission or breach of the Contract by Zoopla.

9. Authorised Entities To the extent that the Member enters into the Contract for the benefit of an Authorised Entity, and such Authorised Entity is the Controller of the Personal Data processed by Zoopla pursuant to the Contract, the following terms shall apply:

9.1 the Member warrants that it is authorised to represent the Authorised Entity and is entering into this Data Protection Schedule on the Authorised Entity's behalf;

9.2 A reference in this Data Protection Schedule to 'the Member' shall be construed as meaning:

a. the Member, to the extent it is itself a Controller of Personal Data processed by Zoopla pursuant to the Contract; and

b. each Authorised Entity that is a Controller of Personal Data processed by Zoopla pursuant to the Contract ("Authorised Entity Data") as such Authorised Entity is represented by the Member;

9.3 Any instructions, whether such instructions are set out in the Contract, this Data Protection Schedule, or otherwise, from the Member to Zoopla in relation to Authorised Entity Data ("Instructions") shall reflect the instructions of the relevant Authorised Entity and Zoopla shall be entitled to act on such Instructions as if they had been received directly from such Authorised Entity;

9.4 The Member in entering into this Data Protection Schedule, acts on the instructions of the Authorised Entity and has the necessary authorisations and consents to make decisions in relation to the processing of any Personal Data of an Authorised Entity processed by Zoopla pursuant to the Contract, including under this Data Protection Schedule;

9.5 The Member shall procure that each Authorised Entity:

a. complies with the obligations of the Member under this Data Protection Schedule as if the Authorised Entity were the Member; and

b. exercises any audit right, right to receive information and rights to assistance under this Data Protection Schedule through the Member that is a party to the Contract and shall not itself exercise such rights; and

9.6 The Member indemnifies Zoopla from and against all losses suffered or incurred by Zoopla with respect to the processing of any Personal Data for which an Authorised Entity is the Controller, where such processing is carried out on and in accordance with the instructions of the Member, including in accordance with its obligations under the Contract and provided that this indemnity shall not apply to losses incurred by Zoopla to the extent they arose as a direct result of the negligent act or omission or breach of the Contract by Zoopla.

Annex I - Data Processing Description

Categories of Data Subjects: The Member and Authorised Entities' customers and potential customers.

Subject-matter of the Processing: The provision of the Services as detailed in the Contract.

Types of Personal Data: Any Member Personal Data provided to Zoopla by the Member for the provision of the Services as detailed in the Contract. 

Special Category Personal Data (if any):  Special Category Personal Data should not be shared or processed unless required for the Services.

Nature and purpose(s) of the Processing: Where acting on the instructions of the Member subject to requirements within the Contract for the purposes of processing Member Personal Data to provide the Services. 

Duration of Processing: The term of the Contract, unless further processing is required to ensure compliance with Applicable Law.