Data Sharing Agreement

Effective date: 14 April 2026  ·  Last updated: 14 April 2026

This Data Sharing Agreement governs the controller-to-controller transfer of supplier ESG credential data between Passpol Ltd and enterprise buyers accessing supplier data through the Passpol platform. By accessing supplier data on the platform, enterprise buyers agree to be bound by this agreement.

1. Parties and Roles

Passpol Ltd (Company No. 17156285, registered in England and Wales, registered office at 1 Carr View Avenue, Doncaster, DN4 8AY) is the Data Controller for supplier ESG data collected and held on the Passpol platform.

Enterprise buyers who access supplier ESG data through the platform are independent Data Controllers for their own processing of that data. This agreement governs the controller-to-controller data sharing relationship between Passpol Ltd and each enterprise buyer.

Controller-to-controller relationship: Both parties independently determine the purposes and means of their respective processing activities. Passpol Ltd is not a processor acting on the buyer's behalf, and the buyer is not a processor acting on Passpol's behalf.


2. Purpose of Data Sharing

Passpol Ltd shares supplier ESG credential data with enterprise buyers solely for the following permitted purposes:

  • Supplier evaluation and procurement decision-making
  • Supply chain ESG compliance reporting
  • Procurement due diligence in connection with tender processes

No other use of shared data is permitted without prior written consent from Passpol Ltd. Processing shared data for any other purpose — including marketing, profiling, or resale — constitutes a material breach of this agreement.


3. Data Categories Shared

The following categories of supplier data may be shared under this agreement:

  • Company name and registration details
  • ESG questionnaire responses (environmental, social, and governance metrics)
  • Framework mapping outputs (UK SRS, PPN 06/21, CSRD)
  • Verification status and completion scores
  • Shareable profile links

Self-declared data: All ESG data shared under this agreement is self-declared by suppliers. Passpol Ltd does not independently verify, audit, or guarantee the accuracy of any ESG data. Buyers must conduct their own due diligence before relying on this data for procurement or compliance purposes.


4. Buyer Obligations

Enterprise buyers must:

  • Process shared data only for the permitted purposes set out in Section 2.
  • Implement appropriate technical and organisational security measures to protect shared data, commensurate with the risks of the processing.
  • Not share, disclose, or transfer supplier data to any third party without prior written consent from Passpol Ltd.
  • Notify Passpol Ltd within 48 hours of becoming aware of any personal data breach involving shared supplier data, providing sufficient detail to allow Passpol to meet its own regulatory notification obligations.
  • Respond to data subject access requests relating to their own processing activities within one calendar month.
  • Delete or return shared supplier data when it is no longer needed for the permitted purpose, or upon termination of the buyer's Passpol subscription.
  • Comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in respect of all processing of shared data.

5. Passpol Obligations

Passpol Ltd will:

  • Only share supplier data where the supplier has consented to sharing their profile with buyers through the platform, or where sharing is otherwise authorised under the Passpol Terms of Service.
  • Maintain appropriate technical and organisational security measures for the Passpol platform and the data held within it.
  • Notify buyers of any material changes to the categories of data shared under this agreement, with at least 14 days' prior notice where practicable.
  • Provide reasonable cooperation and assistance to buyers in responding to data subject rights requests where those requests relate to data originally collected by Passpol.

6. Data Subject Rights

Each party is independently responsible for responding to data subject rights requests relating to their own processing of shared data.

Where either party receives a data subject rights request that involves or affects the other party's processing, that party will:

  • Notify the other party within 5 working days of receiving the request.
  • Cooperate in good faith to enable each party to meet its own obligations.
  • Not respond on behalf of the other party without prior written agreement.

Data subjects wishing to exercise their rights in relation to data processed by Passpol Ltd should contact hello@passpol.co.uk.


7. International Transfers

All data sharing under this agreement occurs within the United Kingdom. Passpol Ltd does not transfer shared data outside the UK except as described in the Passpol Privacy Policy (in connection with platform infrastructure).

Any further transfer of shared data by the buyer to a recipient outside the UK requires compliance with UK GDPR Chapter V transfer mechanisms, including (where applicable):

  • An adequacy regulation made by the UK Secretary of State
  • Appropriate safeguards such as UK-approved standard contractual clauses
  • A derogation under Article 49 UK GDPR, where applicable

Buyers must notify Passpol Ltd before making any international transfer of shared supplier data.


8. Liability

Summary: Each party is liable only for its own data protection failures. Neither party is liable for the other's non-compliance. Liability is limited to direct losses.

  • Each party is solely responsible and liable for its own compliance with UK GDPR and this agreement in respect of data it processes.
  • Neither party is liable for the other party's failure to comply with UK GDPR, the Data Protection Act 2018, or this agreement.
  • Liability under this agreement is limited to direct losses only. Neither party shall be liable for indirect, consequential, or punitive losses arising from the other's data protection failures.
  • Nothing in this clause excludes liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be limited by law.

9. Term and Termination

This agreement remains in effect for the duration of the buyer's active Passpol subscription.

On termination of the buyer's subscription (for any reason), the buyer must:

  • Delete all shared supplier data obtained through the platform within 30 days of the termination date.
  • Confirm deletion in writing to Passpol Ltd at hello@passpol.co.uk within the same 30-day period.

Obligations that by their nature survive termination — including confidentiality obligations and liability provisions — continue after termination of this agreement.


10. Governing Law and Jurisdiction

This Data Sharing Agreement is governed by and construed in accordance with the laws of England and Wales.

Any dispute arising out of or in connection with this agreement (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the courts of England and Wales.


If you have any questions about this Data Sharing Agreement, please contact us:

Passpol Ltd

Company No. 17156285 · Registered in England and Wales

1 Carr View Avenue, Doncaster, DN4 8AY

Email: hello@passpol.co.uk
