- When this agreement applies
- Shared data and agreed purpose
- Your obligations in relation to IMEX Shared Data
- Data subjects' rights
- Direct marketing
- Security standards
- Reservation of rights
- Restricted Transfers
- Security breaches
- Data Processors
- Contacting us about this Agreement
- Changes to this Agreement
- Privacy notice
When this agreement applies
The Data Sharing Agreement applies when IMEX (Regent Exhibitions Limited or any of our group companies) shares certain Personal Data with you as a speaker, exhibitor, sponsor or other separate Data Controller working with us. In consideration of the benefits of us sharing any Personal Data with you, you agree to comply with the following terms. Please see the Definitions section at the end of this Agreement.
Shared data and agreed purpose
To the extent that we disclose IMEX Shared Data to you, you shall Process it only for and compatible with the Agreed Purpose outlined in our privacy notice: when we share your personal information with others.
IMEX is committed to the lawful, fair and transparent use of Personal Data. Whenever we share Personal Data with others, or enable you to collect it directly at our shows, we require you to comply with this Agreement.
This Agreement sets out the framework for the lawful transfer of the relevant Personal Data of exhibition attendees to you as an independent Data Controller and the responsibilities we owe to each other in this regard.
Your obligations in relation to IMEX Shared Data
You shall comply with this Agreement and your obligations under Data Protection Legislation in respect of all IMEX Shared Data disclosed to you pursuant to this Agreement.
You shall at all times remain responsible for the acts and omissions of your respective personnel and suppliers, contractors and agents in respect of the IMEX Shared Data.
IMEX Shared Data shall only be Processed for the Agreed Purposes and in compliance with your own privacy policies, which you shall ensure comply with Data Protection Legislation.
You shall ensure that you Process the IMEX Shared Data under one or more of the legal bases set out in Data Protection Legislation.
You shall provide us with a copy of your privacy policies upon request.
You shall bear your own compliance costs in relation to this Agreement.
Data subjects' rights
Data Subjects have the right to obtain certain information about the processing of their Personal Data through a Subject Access Request. In certain circumstances, Data Subjects may also request rectification, erasure or blocking of their personal data and may exercise other rights. Accordingly, you should endeavour to maintain a record of individual requests from Data Subjects, including the decisions made and actions taken.
You and we agree to provide reasonable assistance as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other rights requests, queries or complaints from Data Subjects.
If you intend to process the IMEX Shared Data for the purposes of direct marketing, you shall ensure that:
- effective procedures and communications are in place to allow the Data Subject to exercise their right to opt out from direct marketing
- effective procedures are in place to enable you to advise relevant third parties of any opts
- an appropriate legal basis has been confirmed (and, where necessary, evidenced) for the IMEX Shared Data to be used for the purpose of direct marketing
You shall implement appropriate technical and organisational measures to ensure a level of Security appropriate to the risk involved under this Agreement to:
- protect all Shared Data from unauthorised use, alteration, access or disclosure; and loss, theft and damage, and to protect and ensure the confidentiality, integrity and availability of Shared Data
- prevent a Security Breach
You shall keep accurate records of the Security measures which you have in place and make such records available to us upon request.
You shall regularly test Security measures to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of Shared Data, and your compliance with this Agreement and Data Protection Legislation.
Reservation of rights
All Shared Data shall remain the property of IMEX where such proprietary rights arise at law. We reserve all rights in Shared Data except to the extent expressly granted hereunder. No rights, including intellectual property rights, in respect of Shared Data are granted to you and no obligations are imposed on IMEX other than those expressly stated in this Agreement.
This clause applies where we transfer the IMEX Shared Data to you, outside the UK, EEA or third country with an adequacy decision provided by the UK government or European Union.
In such cases, the EU Standard Contract Clauses (SCC) accompanied by the UK International Data Transfer Agreement (IDTA) Addendum apply. These terms are available below for your reference and receiving IMEX Shared Data from us binds you to these. Unless the transfer is required by Data Protection Legislation. In such case, you shall inform us of that legal requirement before processing, unless prohibited at law on grounds of public interest.
After our transfer of the IMEX Shared Data to you, within the UK, EEA or UK, EEA or third country with an adequacy decision provided by the UK government or European Union. You are then responsible for any transfers thereafter, notably restricted transfers to third countries.
EU SCC (controller to controller)
EU Annex SCC (controller to controller)
ICO IDTA (controller to controller)
In the event of a Security Breach, you shall notify us without undue delay after you, or your suppliers, contractors and or agents discovered such Security Breach.
Following this notification, you shall provide assistance and co-operation with us to mitigate the Security Breach, including to:
- immediately conduct a reasonable investigation of the reasons for and circumstances of such Security Breach
- take all necessary actions to prevent, contain, and mitigate the impact of, such Security Breach, and remediate such Security Breach, without delay
- remediate the effects of a Security Breach
- on our request, promptly produce a written report setting out all relevant details concerning such Security Breach, including without limitation any security, risk or compliance assessment and security control audit reports
- provide regular updates to us following a Security Breach
Nothing in this Agreement shall impose or imply any obligation or liability on IMEX in respect of a Security Breach for which you are responsible.
You shall indemnify IMEX against any claims by a third party or regulatory authority that arise as a result of your non-compliance with your obligations under this Agreement or otherwise under Data Protection Legislation.
This Agreement does not apply to situations in which we share Personal Data with third parties acting as our Data Processor, in which case our Data Processor Agreement shall apply, unless otherwise agreed.
Contacting us about this Agreement
If you have any questions or comments about data protection please contact us at [email protected] or by post using our registered office address. For any other questions or comments, please contact us.
We are Regent Exhibitions Limited, company number 04244004 with our registered office at The Agora, First Floor, Ellen Street, Hove, East Sussex, BN3 3LN, United Kingdom.
Changes to this Agreement
We’ll regularly review and update this Agreement. Changes to it shall become effective when published on our website and shall apply to all further sharing of IMEX Shared Data from such date.
This Agreement applies from 25 May 2018.
This Agreement was last updated 28 October 2022.
Certain words used in these Terms have the following meanings, unless the context otherwise requires:
‘Agreed Purpose’ means the express purpose for which we share Personal Data with you as set out in this Agreement or otherwise specified in the Supplier Agreement.
‘Data Protection Legislation’ means the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any applicable national and state legislation protecting Personal Data (in each case, as all amended, updated or re-enacted from time to time).
‘Security’ means a party’s technological, physical, administrative, organisational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part, to:
- protect the confidentiality, integrity or availability of the IMEX Shared Data
- prevent the unauthorised use of or unauthorised access to the IMEX Shared Data
- prevent the loss, theft or damage of the IMEX Shared Data
- comply with Data Protection Legislation
‘Security Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the IMEX Shared Data.
‘Supplier Agreement’ means the commercial agreement in place between the parties.
IMEX Shared Data means data (regardless of form, e.g. electronic, paper copy etc.) that is provided by us to you for the Agreed Purpose, and which for Personal Data you are not the Data Controller of in your own right.
‘Data Controller’, ‘Joint Controllers’, ‘Data Processor’, ‘Data Subject’ and ‘Personal Data’, ‘processing’ and ‘appropriate technical and organisational measures’ shall have the meanings given to them in the applicable Data Protection Legislation.