DATA PROCESSING AGREEMENT
Storm Model Management (the “Controller”); and
The Client or Supplier (the “Processor”)
This Data Processing Agreement (“Agreement“) sets out the basis on which the Processor shall process the Controller’s Personal Data pursuant to the Principal Agreement (as such terms are defined in Annex 1).
Unless otherwise stated, all defined terms have the meaning given in Annex 1 (Definitions and Interpretation).
- Authority to process Controller Personal Data
1.1 The Controller hereby instructs the Processor (and authorises the Processor to instruct each Subprocessor) to process the Controller Personal Data strictly in accordance with the terms of this Agreement, and only so far as is reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
1.2 The Processor shall process the Controller Personal Data strictly in accordance with the applicable Data Protection Legislation and using an approach which at all times accords with Good Industry Practice and Applicable Law.
2. Security and Confidentiality
2.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
2.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by processing, in particular from a personal data breach.
2.3 The Processor shall ensure that access to the Controller Personal Data is limited to those employees or authorised subcontractors who need access to the Controller Personal Data to meet the Processor’s obligations under the Principal Agreement and that all employees and authorised subcontractors are informed of the confidential nature of the Controller Personal Data and the terms of this Agreement.
3. Personal Data Breaches
3.1 The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects and/or the relevant supervisory authority of the personal data breach under the Data Protection Legislation.
3.2 The Processor shall co-operate with the Controller and take such steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such personal data breach.
4. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide assistance to the Controller with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which the Controller reasonably considers to be required under the applicable Data Protection Legislation.
5. Data Subject Rights
5.1 Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures for the fulfilment of the Controllers’ obligations to respond to requests for exercising the data subject’s rights under the Data Protection Legislation.
5.2 Without prejudice to the generality of clause 5.1, the Processor shall:
5.2.1 promptly notify the Controller if the Processor receives a request from a data subject under any Data Protection Legislation in respect of the Controller Personal Data; and
5.2.2 ensure it does not respond to that request except on the documented instructions of the Controller or as required by any Applicable Law to which the Processor is subject, in which case the Processor shall to the extent permitted by the Applicable Law inform the Controller of that legal requirement before the Processor responds to the request.
6. Deletion or Return of Controller Personal Data
6.1 Subject to clauses 6.2 and 6.3, the Processor shall promptly and in any event within fourteen (14) days of the date of cessation of any Services (the “Cessation Date“), delete and procure the deletion of the Controller Personal Data and all existing copies maintained on any media.
6.2 Subject to clause 6.3, the Controller may in its absolute discretion by written notice to the Processor within seven (7) days of the Cessation Date require the Processor to:
6.2.1 return a complete copy of all Controller Personal Data to the Controller by secure file transfer in such format as is reasonably notified by the Controller to the Processor; and
6.2.2 delete and procure the deletion of all other copies of the Controller Personal Data.
The Processor shall comply with any such written request within fourteen (14) days of the Cessation Date.
6.3 The Processor may retain the Controller Personal Data to the extent required by any Applicable Law, and only to the extent and for such period as required by such Applicable Law, provided always the Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
6.4 The Processor shall provide written certification to Controller that it has fully complied with this Clause 6 within fourteen (14) days of the Cessation Date.
7. Audit Rights
The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data by the Processor.
8. Restricted Transfers
8.1 The Processor shall not transfer the Controller Personal Data to countries outside the EEA unless the Processor obtains the prior written consent of the Controller and in seeking such consent, complies with the following obligations:
8.1.1 provides the Controller with details of the following in writing:
i) the Controller Personal Data which will be processed and/or transferred outside the EEA;
ii) the country or countries in which the Controller Personal Data will be processed and/or to which the Controller Personal Data will be transferred outside the EEA; and
iii) any Subprocessor who will be processing and/or transferring Controller Personal Data outside the EEA;
8.1.2 ensures it has regard to and shall comply with Applicable Laws and the current government and Information Commissioner Office’s policies, procedures, guidance and codes of practice on, and any approval processes in connection with, the processing and/or transfers of the Controller Personal Data outside the EEA and/or overseas generally; and
8.1.3 complies with such other instructions and shall carry out such actions as the Controller may notify in writing including entering into Standard Contractual Clauses.
9.1 The Controller authorises the Processor to appoint (and permits each Subprocessor appointed in accordance with this clause 9 to appoint) Subprocessors strictly in accordance with this clause 9 and any restrictions in the Principal Agreement.
9.2 The Processor may continue to use those Subprocessors already engaged by the Processor as at the date of this Agreement, subject to the Processor as soon as practicable meeting the obligations set out in clause 9.4.
9.3 The Processor shall give the Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within seven (7) days of receipt of that notice, the Controller notifies the Processor in writing of any objections to the proposed appointment, the Processor shall not appoint (nor disclose any Controller Personal Data to) the proposed Subprocessor except with the prior written consent of the Controller.
9.4 With respect to each Subprocessor, the Processor shall:
9.4.1 before the Subprocessor first processes Controller Personal Data, carry out adequate due diligence in accordance with Good Industry Practice to ensure the Subprocessor is capable of providing the level of protection for the Controller Personal Data required by the Principal Agreement;
9.4.2 ensure the arrangement between the Processor and Subprocessor is governed by a written contract including terms which offer at least the same level of protection for the Controller Personal Data as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR; and
9.4.3 provide to the Controller for review such copies of the Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as the Controller may request from time to time.
9.5 The Processor shall ensure that each Subprocessor performs the applicable obligations under this Agreement, as they apply to processing of Controller Personal Data carried out by that Subprocessor, as if it were party to this Agreement in place of the Processor.
9.6 The Processor shall be liable for any failure of the Subprocessor to comply with its obligations pursuant to clause 5, and shall fully indemnify and keep fully indemnified the Controller against any and all actions, costs, claims, demands, damages, expenses (including legal fees), liabilities, losses and proceedings in connection with any failure of the Subprocessor to comply with its obligations pursuant to clause 9.5.
10. General Terms
10.1 Nothing in this Agreement reduces the Processor’s obligations under the Principal Agreement in relation to the protection of personal data or permits the Processor to process (or permit the processing of) personal data in a manner which is prohibited by the Principal Agreement.
10.2 In the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.
10.3 The Controller may propose any amendments to this Agreement which the Controller reasonably considers to be necessary to address the requirements of any Data Protection Legislation. The Processor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) with any such variations.
10.4 No person who is not a party to this Agreement shall have any right to enforce this Agreement (or any agreement or document entered into pursuant to this Agreement) pursuant to the Contracts (Rights of Third Parties) Act 1999.
10.5 The Processor shall fully indemnify and keep fully indemnified the Controller against any and all actions, costs, claims, demands, damages, expenses (including legal fees), liabilities, losses and proceedings arising in connection with any breach by the Processor of any of its obligations under this Agreement.
10.6 Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
10.7 Without prejudice to any other rights or remedies that the Controller may have, the Processor acknowledges and agrees that damages alone would not be an adequate remedy for any breach of the terms of this Agreement by the Processor. Accordingly, the Controller shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this Agreement.
10.8 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
10.9 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England. Each party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this agreement or its subject matter or formation.
ANNEX 1 DEFINITIONS AND INTERPRETATION
In this Agreement, the following terms shall have the meanings set out below:
“Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with the Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Applicable Law” means any statute, statutory provision or subordinate legislation (including that statute, statutory provision or subordinate legislation as amended, modified, consolidated, re-enacted or replaced and in force from time to time, and including any previous statute, statutory provision or subordinate legislation amended, modified, consolidated, re-enacted or replaced by such statute, statutory provision or subordinate legislation) whether before or after the date of this Agreement and including, without limitation, the Data Protection Legislation;
“Controller Personal Data” means any personal data processor by the Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement;
“Data Protection Legislation” means (as applicable) the Data Protection Act 1998, the GDPR, and the Privacy and Electronic Communications Regulations (SI 2426/2003) as amended and/or updated from time to time and including all statutory instruments, orders, regulations or other subordinate legislation made pursuant to such legislation and the Information Commissioner’s guidance and advice on the GDPR as amended from time to time, and to the extent applicable, the data protection or privacy laws of any other country;
“EEA” means the European Economic Area;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Good Industry Practice” means the exercise of that degree of professionalism, experience, skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a highly skilled and experienced market leading processor engaged in the same type of undertaking under the same or similar circumstances;
“Principal Agreement” means the agreement dated ______________between the Controller and Processor;
“Services” means the specific services and other associated activities to be supplied to or carried out by or on behalf of the Processor pursuant to the Principal Agreement;
“Standard Contractual Clauses” means the standard contractual clauses as issued by the European Commission from time to time; and
“Subprocessor” means any person (including any third party and any Affiliate, but excluding an employee of the Processor or any of its sub-contractors) appointed by or on behalf of the Processor to process Controller Personal Data in connection with the Principal Agreement.
The terms “controller“, “data subject“, “member state“, “personal data“, “personal data breach“, “processing” and “supervisory authority” shall have the same meaning as in the applicable Data Protection Legislation.
ANNEX 2: DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Annex 2 includes certain details of the processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Controller Personal Data
The subject matter and duration of the processing of the Controller Personal Data are set out in the Principal Agreement and this Agreement.
The nature and purpose of the processing of Controller Personal Data
To take photos of and use in advertising as per booking confirmation agreement
The types of Controller Personal Data to be processed
Name, physical details, imagery, email, contact number
The categories of data subject to whom the Controller Personal Data relates
Current Storm talent and Storm employees
The obligations and rights of Controller
The obligations and rights of the Controller are set out in the Principal Agreement and this Agreement.