ModernBuilder
Go to homepage
Create account

Oh no, something went wrong. Please check your network connection and try again.

Join 15,000+ people who will self-build in the UK over the next 12 months

Create a free account and get full access to a huge network of offsite construction suppliers. No credit card needed.

Already have an account? Login

Data sharing agreement

1. Introduction

1.1 In this Data Sharing Schedule, "Discloser" refers to The Modern Builder Limited and "Recipient" refers to you.

1.2 This Data Sharing Schedule sets out the terms, requirements, and conditions on which the Discloser shall transfer the personal data to the Recipient, and on which the Recipient shall process such personal data for the purposes of this Data Sharing Schedule, each as an independent controller of that personal data.

2. Interpretation

2.1 In this Data Sharing Schedule, the following words and expressions have the following meanings

Data Sharing Schedule, the following words and expressions have the following meanings

2.2 The terms “personal data”, “data subject”, “processor”, “controller”, “processing”, “personal data breach”, “pseudonymisation”, and “supervisory authority” will have the meanings given them by Data Protection Law. If that definition gives rise to any uncertainty, the meanings given within or pursuant to the UK GDPR should be preferred. The term “special category data” shall mean the personal data referred to in paragraph 1 of Article 9.

3. Agreed Purpose

3.1 The Parties consider the sharing of Planning Data (as defined in the Addendum), and as set out in Annex 1, necessary in order to achieve the Agreed Purpose. The Agreed Purpose is for the Recipient to view planning activity, and identify relevant development projects in order for the Recipient to identify potential opportunities. The data is used to support search, filtering, matching, and the presentation of individual planning records within the platform, with access limited to individual record views or downloads. Where the Recipient has independently established a lawful basis under the UK GDPR and PECR, to contact such individuals or companies about services that are reasonably relevant to their stated or reasonably inferred requirements. The Discloser does not itself rely on any lawful basis for, nor assume responsibility for, any marketing undertaken by the Recipient.

3.2 The Recipient shall:

3.2.1 Determine, document, and maintain evidence of its own lawful basis for any marketing;

3.2.2 Comply fully with PECR and all applicable Data Protection Laws when conducting any marketing activity; and

3.2.3 Indemnify and hold harmless the Discloser against any claim, loss, or regulatory action arising from the Recipient’s use of Shared Personal Data for marketing purposes.

3.3 The Recipient shall remain responsible for ensuring that its processing activities comply with all applicable Data Protection Laws and shall not assume any obligations of a processor towards the Discloser under UK GDPR.

3.4 The Discloser warrants and represents to the Recipient that it has the lawful
right to share the data with the Recipient for the Agreed Purpose.

4. Shared Personal Data

4.1 Each party shall, when processing Shared Personal Data:

4.1.1 Act as an independent data controller and process the Shared Personal Data only for the Agreed Purpose.

4.1.2 Ensure compliance with UK GDPR and all relevant Data Protection Laws.

4.1.3 Maintain independent responsibility for establishing a lawful basis for processing.

4.1.4 Process Shared Personal Data only on the basis of a lawful ground for processing as set out in Article 6 or Article 9 as applicable. Both parties agree to maintain documentation of their respective lawful bases for processing the shared personal data as outlined in clause 4 of this Data Sharing Schedule.

4.2 Where a party relies on consent as its lawful ground for processing Shared Personal Data, it shall:

4.2.1 Ensure that such consent is collected prior to the commencement of such processing, in a form compatible with the provisions of the Data Protection Law.

4.2.2 Cease processing and notify the other party as soon as reasonably practicable in the event that any data subject withdraws their consent for the processing.

4.3 The Discloser shall take reasonable measures to ensure the accuracy of Shared Personal Data at the point of disclosure, but each party shall remain responsible for the accuracy of the data it processes.

5. Special Category Data

5.1 The parties agree that, by design, the data shared under this Data Sharing Schedule does not include special category data. If such data is inadvertently included, the Recipient shall not process it and must promptly notify the Discloser to enable appropriate action, including secure deletion or additional safeguards.

5.2 However, where special category data is implied, inferred, or reasonably identifiable within the Shared Personal Data (e.g., through narratives, case notes, planning applications, or other descriptive fields), the Recipient must:

5.2.1 Not take any step to infer or otherwise generate special categories of data about any data subject based on the Shared Personal Data, except where the same is necessary in connection with the Agreed Purpose, or process such personal data in any way otherwise than in accordance with, or for the purposes of complying with, its obligations under this clause 5;

5.2.2 Recognise and treat such data as special category data, ensuring it is processed in compliance with UK GDPR;

5.2.3 Apply appropriate technical and organisational security measures, including:

5.2.3.1 Restricted access to authorised personnel only,

5.2.3.2 Data minimisation to limit processing to what is strictly necessary,

5.2.3.3 Secure storage until the data can be deleted or anonymised.

5.3 The Recipient shall ensure that all processing of inferred or implied special category data is proportionate and legally justified, with appropriate safeguards to protect the rights and freedoms of data subjects.

6. Rights of Data Subjects

6.1 Each party shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the data subjects of the purposes for which it will process their personal data, the legal basis for such purposes, and such other information as is required by Article 13 of the GDPR.

6.2 The parties agree to cooperate as necessary to respond to data subject rights requests, ensuring compliance with the obligations under Chapter III of the UK GDPR. Each party shall provide reasonable assistance to the other in fulfilling their respective responsibilities, including but not limited to:

6.2.1 Providing information required to respond to subject access requests.

6.2.2 Coordinating on requests for rectification or erasure of data.

6.2.3 Facilitating restrictions on data processing or objections raised by data subjects.

6.3 The requested party shall respond to data subject requests within the statutory timeframes and notify the assisting party of any relevant actions taken.

6.4 Each party shall maintain a record of Data Subject Requests, the decisions made, and any information that was provided to the data subject in response to Data Subject Requests.

7. Controller-to-Controller Relationship

7.1 The parties acknowledge and agree that each party is an independent data controller with respect to the personal data processed under this Data Sharing Schedule. Nothing in this Data Sharing Schedule shall be construed to imply a processor relationship between the parties. Each party independently determines the purposes and means of processing Shared Personal Data under this Data Sharing Schedule and remains solely responsible for its compliance with applicable Data Protection Laws.

7.2 The Recipient shall process Shared Personal Data only for the Agreed Purpose and in compliance with this Data Sharing Schedule, without engaging in further processing or sharing with third parties unless expressly permitted.

8. Termination of Data Sharing Schedule and No Precedent

8.1 This Data Sharing Schedule is valid for the duration of the Term and shall automatically terminate upon the expiry of the Addendum. The data shared under this Data Sharing Schedule is solely for the purposes outlined in the Agreed Purpose section and must not be used beyond this scope.

8.2 This Data Sharing Schedule does not establish a precedent for any future data sharing arrangements between the parties. Any subsequent data sharing will require a new Data Sharing Schedule.

9. Data Retention

9.1 The Recipient shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes, save that the Recipient may, where reasonably necessary:

9.1.1 store such copies as it is required to store to comply with a requirement imposed by applicable law; or

9.1.2 after termination of this Data Sharing Schedule, and subject to compliance with (insofar as permitted by) applicable law, retain Shared Personal Data that has been merged with or used to enrich pre-existing Recipient datasets.

9.2 Notwithstanding Paragraph 9.1, the Recipient may continue to retain Shared Personal Data in accordance with, and only to the extent required by, any statutory or professional retention periods applicable in its respective countries and/or industries.

9.3 Subject to Paragraphs 9.1 and 9.2, the Recipient acknowledges that it has the following obligations in respect of the Shared Personal Data:

9.3.1 during the duration of the Agreement, to process the Shared Personal Data only for the Agreed Purposes;

9.3.2 upon the termination of the Agreement or expiry of the Term, only to retain and process the Shared Personal Data for purposes for which the Recipient has a proper lawful basis;

9.3.3 to do all that is necessary to discharge its obligations to the data subjects to whom the Shared Personal Data relates, as controller of that Shared Personal Data (both during and after the duration of the Agreement);

9.3.4 to comply with such other obligations as it may be subject to from time to time as a controller of the Shared Personal Data, including (without limiting the generality of this obligation) in respect of record-keeping, data minimisation and retention, and secure destruction once it is no longer required.

9.4 The Recipient acknowledges and agrees that the obligations at Paragraph 9.3 above apply whether the Shared Personal Data is held in the form in which it was provided, or has been merged with or used to enrich pre-existing Recipient datasets even where its origin cannot be readily identified.

10. Transfers

10.1 For the purposes of this Paragraph 10, transfers of personal data shall mean any sharing of Shared Personal Data by the Recipient with a third party, including subcontracting processing of, and granting a third party controller access to, the Shared Personal Data.

10.2 The Recipient shall not transfer Shared Personal Data to a third party unless:

10.2.1 it has a written contract in place with such third party imposing conditions on the third party that are at least equivalent to the Recipient’s obligations under this Data Sharing Schedule.

10.2.2 where the third party is located outside the UK, either:

10.2.2.1 the designated Secretary of State has decided that the country or organisation to which the Shared Personal Data is to be transferred ensures adequate protection under Article 45; or

10.2.2.2 other appropriate safeguards are in place pursuant to Article 46; or

10.2.2.3 one or more of the derogations in Article 49 applies;

10.2.3 in the case of transfers to a third-party data processor, it complies with Article 28 and Article 30;

10.2.4 and in respect of any transfer the Recipient shall remain liable to the Discloser for the acts and omissions of the third party.

11. Security and Training

11.1 The parties shall each (to the extent that the said data is held within their systems or otherwise subject to their control) implement and maintain appropriate technical and organisational measures to:

11.1.1 prevent unauthorised or unlawful processing of, and accidental loss or destruction of, or damage to, the Shared Personal Data; and

11.1.2 ensure a level of security appropriate to the risk and the nature of the Shared Personal Data, and to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage.

11.2 In assessing the appropriate level of security measures to be taken under Paragraph 11.1 above, each party shall take account of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

11.3 Each party shall comply with its obligations to report any Data Breach to the appropriate supervisory authority and (where applicable) data subjects under Article 33, and shall each:

11.3.1 inform the other party of any Data Breach without undue delay irrespective of whether there is a requirement to notify any supervisory authority or data subject(s), and thereafter provide details of the Data Breach including, where possible, the categories and approximate number of data subjects and Shared Personal Data concerned, the likely consequences of the Data Breach, and the measures it has taken or proposes to take to address and mitigate the Data Breach;

11.3.2 provide the other party with any information and assistance reasonably required by that other party in connection with any Data Breach; and

11.3.3 maintain a record of Data Breaches, the data and data subjects affected, and the actions taken in response to the Data Breach.

11.4 The Recipient shall ensure that its employees and any other persons with access to the Shared Personal Data:

11.4.1 have received, and shall continue to receive on a regular basis, appropriate training in their and the Recipient’s obligations under Data Protection Law and in the care and handling of personal data, and that they have been appropriately trained to handle the Shared Personal Data in accordance with the technical and organisational measures implemented in accordance with Paragraph 11.1; and

11.4.2 are subject to binding obligations of confidentiality relating to the processing of the Shared Personal Data.

12. Term

12.1 The duration to which this Data Sharing Schedule relates shall be the Term specified in the main Agreement from the date of signature of the main Agreement or, if earlier, the first date on which Shared Personal Data is made available to the Recipient. Thereafter, the Data Sharing Schedule shall automatically terminate, and the provisions of paragraphs 9.3 and 9.4 of this Data Sharing Schedule shall apply to the Shared Personal Data unless, by that time, the parties have entered into a binding agreement for the long-term provision of the Shared Personal Data by way of a live service, in which case, the provisions of that successor agreement shall prevail over these provisions.

12.2 Where the Discloser has reasonable grounds for believing that the Recipient is not processing or storing the Shared Personal Data in accordance with the terms of this Data Sharing Schedule (including, but not limited to, the Agreed Purpose, technical and organisational measures, or lawful basis for processing), the Discloser reserves the right:

12.2.1 to inspect the Recipient’s arrangements for the processing and storage of Shared Personal Data (save that the Recipient shall not be required to disclose or permit access to any of its or any third party’s confidential information); and/or

12.2.2 to issue a written notice specifying the nature of the suspected non-compliance and requiring the Recipient to take appropriate remedial action. Where such non-compliance is not remedied within a reasonable period, having regard to its nature, severity, and any risk posed to data subjects or to the Discloser’s legal or regulatory obligations, the Discloser may terminate the data sharing elements of this Agreement.

12.2.3 where the non-compliance or breach presents an immediate or significant risk to the rights and freedoms of data subjects, or where it undermines the Discloser’s ability to comply with Data Protection Law, the Discloser may suspend or terminate the data sharing elements of this Agreement with immediate effect.

13. Supervisory Authorities

13.1 Each party shall cooperate with any requests made by a supervisory authority in connection with this Data Sharing Schedule and shall notify the other party in writing as soon as reasonably practicable of the content of and response to any such request.

14. Indemnity

14.1 The Recipient undertakes to indemnify the Discloser and defend at its own expense the Discloser against all costs, claims, damages or expenses incurred by the Discloser or for which the Discloser may become liable due to any failure by the Recipient or its employees, subcontractors or agents to comply with any of its obligations under Data Protection Law or for any breach of their obligations in connection with this Data Sharing Schedule.

About usMarketplaceBlog
© 2025 ModernBuilder, Inc. All rights reserved.
Terms and conditionsPrivacy policyData sharing agreement