Data Processing Agreement

 

Data Processing Agreement

PHOTOGRAPHER DATA PROCESSING AGREEMENT (“DPA”)

IMAGE 21

THIS DPA is made on 1st September 2023 (the “Effective Date“) BETWEEN:

  • [YOU, the Client]  and
  • Image 21

BACKGROUND

  • Image 21 provides to the Client certain photographic & film services described in Schedule 2 (the “Services“).
  • The provision of the Services by Image 21 involves it Processing the Personal Data described in Schedule 2 for the Clients.  These are the Data Protection Particulars.
  • The parties have agreed to enter into this DPA to ensure compliance with the provisions of EU regulation 2016/679 (the “GDPR“) in relation to all Processing of the Personal Data by Image 21 for the Client.

AGREED TERMS

1 Interpretation

1.1 The defined terms and expressions referred to in this DPA are set out in Schedule 1.

1.2 The provisions of this DPA shall be effective from the Effective Date and shall continue in full force and effect for so long as Image 21 is Processing Personal Data received from the Client.

2 Data Protection

2.1 In consideration of the parties mutually agreeing to waive the enforcement of any outstanding rights at the Effective Date in relation to the Processing of Personal Data, the parties agree to the terms of this DPA from the Effective Date.

2.2 The parties acknowledge that, under the terms of this DPA, Image 21 is acting as a Processor appointed by the Client and the Client is a Data Controller. The parties agree that the data to be Processed by Image 21 shall be Personal Data.

2.3 Image 21 aims to comply with the Data Protection Legislation in its Processing of the Personal Data required in the performance of the Agreement, and shall use all reasonable endeavours to provide such assistance and/or co-operation as is reasonably necessary or reasonably requested by the Client to assist the Client in complying with the Data Protection Legislation.

2.4 Each of the Parties acknowledges and agrees that Schedule 2 (Data Protection Particulars) of this DPA is an accurate description of the Data Protection Particulars.

2.5 Image 21 agrees that it will only Process the Personal Data in accordance with the Client’s documented instructions from time to time and shall not Process the Personal Data for any purpose other than expressly authorised by the Client except where required by Data Protection Legislation (and shall inform the Client of that legal requirement before Processing, unless Data Protection Legislation prevents it from doing so).

2.6 Image 21 shall promptly comply with any request from the Client to amend, transfer or delete the Personal Data.

2.7 At the Clients written request (and cost and expense), Image 21 shall provide the Client with a copy of all Personal Data held by it in the format as reasonably specified by the Client.

2.8 Image 21 shall promptly notify the Client if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable as a result of its acts or omissions.

2.9 Image 21 shall use all reasonable endeavours to keep the Personal Data confidential.

2.10 Image 21 agrees that it shall implement and maintain such technical and organisational measures as are required to enable the Personal Data to be Processed in compliance with the DPL.

2.11 Without prejudice to Image 21’s obligations with respect to Image 21’s Personnel, Image 21 shall use reasonable endeavours to:

  • take reasonable steps to ensure the reliability and integrity of any of Image 21’s Personnel who shall have access to the Personal Data;
  • ensure that only such members of Image 21’s Personnel required by it to assist it in fulfilling its obligations under the Agreement shall have access to the Personal Data (and no other member of Image 21’s Personnel shall have access to such Personal Data); and
  • ensure that each member of Image 21’s Personnel shall have:
    (i) undergone reasonable levels of training in Data Protection Legislation and in the care and handling of Personal Data; and
    (ii) entered in to appropriate contractually-binding confidentiality undertakings that shall apply to the Personal Data.

2.12 Image 21 shall not transfer any Personal Data outside the EEA without the Client’s prior written consent and where the Client consents to such transfer, to enter into our agreement which imposes on the parties substantially the same obligations as are imposed upon Image 21 by this DPA.

2.13 Image 21 may authorise a third party (subcontractor) to Process the Personal Data provided by the subcontractor’s contract is on terms which are substantially the same as those set out in these Conditions.  The Client shall ensure that it obtains any consent required from Data Subjects to allow Image 21 to Process Personal Data inside or, if applicable, outside the EEA should this be required.  In such an event Image 21 will advise the Client in writing and enter into an agreement with such a third party to ensure that the Data Subject has enforceable rights and effective legal remedies.

2.14 Image 21 shall promptly notify the Client upon becoming aware of any actual or suspected or ‘near miss’ Personal Data Breach, and will:

  • take all reasonable steps (and procure that its sub-contractors take all reasonable steps) to prevent or minimise the effects of the Personal Data Breach;
  • implement or attempt to procure that its sub-contractors implement measures necessary to restore the security of compromised Personal Data; and
  • provide the Client with reasonable co-operation and assistance to make any notifications to the ICO and affected Data Subjects.

2.15 Image 21 shall notify the Client following its receipt of any Data Subject Request, and shall:

  • not disclose any Personal Data in response to any Data Subject Request without the Client’s prior written consent; and
  • provide the Client with reasonable co-operation and assistance required by the Client in relation to any such Data Subject Request.

2.16 Image 21 will comply with the Client’s reasonable requirements in relation to the Client’s compliance with any Data Subject Request.

2.17 The Client shall co-operate with Image 21 in all matters relating to the Services and appoint a data manager in relation to the Services, who shall have authority to act for the Client on matters relating to the Services.

2.18 The Client warrants and agrees that:

  • it has complied and shall comply with the Data Protection Legislation as a Data Controller;
  • Image 21 is entitled to Process the Personal Data as part of the Services and such use will comply with the Data Protection Legislation;
  • it has the right to licence the Processing of the Personal Data to Image 21 under the Agreement;
  • the Processing of the Personal Data by Image 21 as part of the Services will not infringe the Intellectual Property Rights of any third party;
  • it has obtained the appropriate consent from a Data Subject to allow Image 21 to Process the Personal Data as part of the Services as anticipated by the Agreement and that the Client’s Customers know that their personal data will be processed by Image 21;
  • it is not aware of any circumstances likely to give rise to breach by it of any of the Data Protection Legislation in the future;
  • all Personal Data to be Processed by Image 21 is necessary, accurate and up-to-date; and
  • it consents to Image 21 appointing a sub-processor to process the Personal Data if Image 21 should need to do this in order to provide the Services.

2.19 If Image 21’s performance of any of its obligations under the Agreement is prevented or delayed by the Client’s act, omission or failure to perform any relevant obligation under this DPA (“Client Default“):

  • Image 21 shall have the right to suspend performance of the Services until the Client remedies the Client Default, and to rely on the Client Default to relieve it from the performance of any of its obligations to the extent the Client Default prevents or delays its performance of any of its obligations;
  • Image 21 shall not be liable for any costs or losses sustained or incurred by the Client arising directly or indirectly from Your failure or delay to perform any of its obligations as set out in clauses 2.18 to 2.21.

2.20 The Client shall indemnify Image 21 and keep Image 21 indemnified from and against any and all liabilities, losses, expenses, claims, damages and losses (including, but not limited to, any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by Image 21 as a result of the Client’s breach of its obligations as set out in this DPA.

Schedule 1

Defined Terms

Data Controller“, “Data Processor“, “Processing” and “Data Subject” shall have the meaning set out in Article 4 of the GDPR;
Data Protection Legislation” or “DPL” means the Data Protection Act 1998 (as amended) and the GDPR:
Data Protection Particulars” means the data protection particulars set out in Schedule 2;
Data Subject Request” means an actual or purported request or notice or complaint from (or on behalf of) a Data Subject (or a third party acting on a Data Subject’s request) exercising his rights under the Data Protection Legislation;
DPA” means this agreement;
Image 21’s Personnel” means all individuals engaged by Image 21 in connection with this Agreement, including employees, consultants, contractors and permitted agents;
ICO” means the UK Information Commissioner’s Office, or any successor or replacement body from time to time;
Personal Data” has the meaning set out in the Data Protection Legislation and for the purposes of this DPA, includes Sensitive Personal Data;
Personal Data Breach” has the meaning set out in the Data Protection Legislation;
Sensitive Personal Data” means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR;
Services” means the services to be provided by Image 21 to the Client under the Agreement or as described in Schedule 2 (as applicable).

Schedule 2

Services

All photographic & film services as may be provided by Image 21 as part of an Order by the Client.

Data Protection Particulars

The type of Personal Data being Processed and class of Data Subjects

Names
Addresses
Email addresses
Telephone numbers
Photographs
Videos

The categories of Data Subjects
The data subjects will be client customers.

Any special categories of data
Not applicable

The duration of the Processing
A minimum of 6 years for HMRC inspection purposes.

 
Sign up for email promotions.
Your information is safe with us and won't be shared.
no thanks
Thank you for signing up!
Close
 
Loading More Photos
Scroll To Top
Close Window
Loading
Close