Foreign Agency Joint Controller Agreement

This agreement (the “Agreement”) is made


Storm Model Management Limited incorporated and registered in England and Wales with company number 2138622 whose registered office is at 5 Jubilee Place, 1st Floor, London, SW33 TD; and

Foreign / Apointee Agency:__________________________________________ incorporated and registered in  _____________________________________ with company number ____________________________________________        whose registered office is at ________________________________________

(each referred to as a “Party” and together the “Parties”).

1. Interpretation

1.1 Definitions:

Agreed Purposes: shall mean those purposes necessary to enable the Parties to fulfil their obligations under the Principal Agreement as set out therein.

Business Days: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Child/Children: means a child/children under the age of 16.

Data Discloser: the Party transferring the Personal Data to the Data Receiver.

Data Protection Authority: the relevant data protection authority in the territories where the Parties to this Agreement are established (in the UK, the Information Commissioner’s Office (ICO)).

Data Receiver: The Party receiving the Personal Data from the Data Discloser.

Data Security Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data.

Data Protection Legislation: the Data Protection Act 2018 (DPA), the General Data Protection Regulation (2016/679) (GDPR), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) and all applicable laws and regulations relating to the processing of the Personal Data and privacy in force from time to time, including where applicable the guidance and codes of practice issued by the relevant Data Protection Authority.

Principal Agreement: means the agreement dated _______________________    between the Parties, governing their relationship as model agencies.

Shared Personal Data: the Personal Data and Special Category Data to be shared between the Parties for the Agreed Purposes.

Subprocessor: has the meaning given in clause 10.1.

Term: shall mean the term specified in clause 3.1.

Data Controller, Data Processor, Data Subject, Legitimate Interests, Personal Data, Special Category Data, Processing, Right to Object, Subject Access Request and appropriate technical and organisational measures shall have the meanings given to them in the DPA and GDPR. References to Personal Data shall, where applicable, refer to Special Category Data.

1.2 Save as set out in clause 3.1, the Principal Agreement shall remain unaltered in all other respects.

1.3 In the event of inconsistencies between the provisions of this Agreement and the data protection provisions of:

1.3.1 any other agreements between the parties (including, but not limited to, the Principal Agreement); and

1.3.2 agreements entered into or purported to be entered into after the date of this Agreement (except where explicitly agreed otherwise in writing, signed on behalf of the parties),

the provisions of this Agreement shall prevail.

2. Nature and Purpose

2.1 This Agreement sets out the framework for the sharing of Personal Data between the Parties as Data Controllers and defines the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.

2.2 The Parties shall process Shared Personal Data solely for the Agreed Purposes and in accordance with their obligations under the Data Protection Legislation.

3. Termination and suspension

3.1 When signed by the Parties, this Agreement shall be incorporated into and form part of the Principal Agreement subject to the terms herein and shall automatically and immediately terminate on expiry or earlier termination of the Principal Agreement (the “Term”).

3.2 In addition to the Parties’ rights of termination under the Principal Agreement, either Party (“terminating party”) may terminate the Principal Agreement if the other party:

3.2.1 commits a material breach of this Agreement, or, if requested by the terminating Party, has failed to remedy such material breach within the reasonable time specified by that Party; or

3.2.2 the terminating Party needs to do so to comply with the Data Protection Legislation.

3.3 The Parties’ obligations under this Agreement will survive expiration or termination of the Principle Agreement for so long as the Parties continue to process Shared Personal Data.

4. Compliance with National Data Protection Laws

4.1 Each Party must ensure compliance with the applicable Data Protection Legislation at all times during the Term.

4.2 Each Party has a valid registration with its national Data Protection Authority if required which, by the time that the data sharing is expected to commence, covers the intended data sharing pursuant to this Agreement.

a) Storm Model Management Registration Number Z6822933

b) Foreign / Apointee Agency Data Protection Registration Number (if applicable)_________________________________

5. Fair and Lawful Processing

5.1 Each Party shall ensure that it Processes the Shared Personal Data fairly and lawfully during the Term in accordance with the terms of this Agreement and its obligations under the Data Protection Legislation.

5.2 Each Party shall ensure that it Processes Shared Personal Data on the basis of one of the following legal grounds under Article 6 of the GDPR:

5.2.1 Processing is necessary for performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

5.2.2 Processing is necessary for the purposes of the Legitimate Interests pursued by that Party or by a third party, except where such Legitimate Interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a Child;

5.2.3 the Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes; or

5.2.4 Processing is necessary for compliance with a legal obligation to which that Party is subject.

5.3 Where Special Category Data is shared this will be on the following additional grounds: Processing of Special Category Data is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the Data Subject (GDPR Art 9.2 (g)).

5.4 Both Parties shall, in respect of Shared Personal Data, ensure that their privacy notices are clear and provide sufficient information to Data Subjects in order for them to understand what of their Personal Data the Parties are sharing, the circumstances in which it will be shared, the purposes for the data sharing and either the identity with whom the data is shared or a description of the type of organisation that will receive the Personal Data.

5.5 Each Party undertakes to inform Data Subjects of the purposes for which it will Process their Personal Data, and provide all information required under the relevant Data Protection Legislation, to ensure Data Subjects understand how their Personal Data will be Processed by that Party.

5.6 Each Party undertakes to obtain all necessary consents from Data Subjects, where required under the relevant Data Protection Legislation, in respect of the Shared Personal Data, and to record such consents.

6. Data Quality

6.1 The Data Discloser shall ensure that Shared Personal Data is accurate.

6.2 Where either Party becomes aware of inaccuracies in Shared Personal Data, they will notify the other Party.

6.3 Shared Personal Data shall be limited to the Personal Data shared for the Agreed Purposes.

7. Data Subjects’ Rights

7.1 The Parties shall maintain a record of Subject Access Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.

7.2 The Parties agree that the responsibility for complying with a Subject Access Request falls to Party receiving the Subject Access Request in respect of the Personal Data held by that Party.

7.3 The Parties agree to provide reasonable and prompt assistance (within 5 Business Days of such a request for assistance) as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other queries or complaints from Data Subjects.

8. Data Retention and Deletion

8.1 Neither Party shall retain or Process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.

8.2 Notwithstanding clause 8.1, the Parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry.

8.3 The Data Receiver shall ensure that any Shared Personal Data are returned to the Data Discloser or destroyed in the following circumstances:

8.3.1 on termination of this Agreement for whatever reason; or

8.3.2 once processing of the Shared Personal Data is no longer necessary for the Agreed Purposes.

9. Restricted Transfers

9.1 Neither Party shall transfer Shared Personal Data which is undergoing processing or is intended for processing after transfer to a country outside the EEA (“third country”) or an international organisation unless the conditions in Chapter 5 of the GDPR are complied with, including for onward transfers of Personal Data from such third country or an international organisation to another third country or to another international organisation. Such conditions include but are not limited to:

9.1.1 transfers of personal data to a third country or an international organisation may only take place where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection pursuant to Article 45(3) GDPR;

9.1.2 in the absence of a decision pursuant to Article 45(3), the Parties have provided appropriate safeguards as specified under Article 46 GDPR including:

a) binding corporate rules in accordance with Article 47 GDPR;

b) standard data protection clauses adopted by the European Commission from time to time; or

c) standard data protection clauses adopted by a Data Protection Authority and approved by the European Commission.

9.2 Each Party shall ensure it has regard to and shall comply with the Data Protection Legislation and the current policies, procedures, guidance and codes of practice on, and any approval processes in connection with, the processing and/or transfers of the Shared Personal Data outside the EEA and/or overseas generally issued by the relevant Data Protection Authority.

10. Subprocessing

10.1 The Parties shall ensure any third party processor involved in the Processing of any Shared Personal Data (“Subprocessor”) strictly in accordance with this clause 10.

10.2 With respect to each Subprocessor, each Party shall:

10.2.1 before the Subprocessor first Processes Shared Personal Data, carry out adequate due diligence in accordance with Good Industry Practice to ensure the Subprocessor is capable of providing the level of protection for the Shared Personal Data required by this Agreement;

10.2.2 ensure the arrangement between that Party and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for the Shared Personal Data as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR; and

10.2.3 ensure each Subprocessor performs the applicable obligations under this Agreement, as they apply to processing of Shared Personal Data carried out by that Subprocessor, as if it were party to this Agreement in place of the relevant Party.

10.3 Each Party shall be liable for any failure of any of its Subprocessors to comply with their obligations as required by this Agreement, and shall fully indemnify and keep fully indemnified the other Party against any and all actions, costs, claims, demands, damages, expenses (including legal fees), liabilities, losses and proceedings in connection with any failure of the Subprocessor to comply with its obligations pursuant to clause 10.2.3.

11. Security and Training

11.1 The Data Discloser shall be responsible for the security of transmission of any Shared Personal Data in transmission to the Data Receiver by using the appropriate technical and organisational methods detailed in clause 2 below.

11.2 The Parties agree to implement appropriate technical and organisational measures to protect the Shared Personal Data in their possession against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to:

11.2.1 ensuring IT equipment, including portable equipment is kept in lockable areas when unattended;

11.2.2 not leaving portable equipment containing the Personal Data unattended;

11.2.3 ensuring that staff use industry standard and appropriate secure passwords for logging into systems or databases containing the Personal Data;

11.2.4 ensuring that all IT equipment is protected by industry standard antivirus software, firewalls, passwords and suitable encryption devices;

11.2.5 in particular ensure that any Special Category Data is stored and transferred (including where stored or transferred on portable devices or removable media) using industry standard 256-bit AES encryption or suitable equivalent;

11.2.6 limiting access to relevant databases and systems to those of its officers, staff agents and sub-contractors who need to have access to the Personal Data, and ensuring that passwords are changed and updated regularly to prevent inappropriate access when individuals are no longer engaged by the Party;

11.2.7 conducting regular threat assessment or penetration testing on systems;

11.2.8 ensuring all staff handling Personal Data have been made aware of their responsibilities with regards to handling of Personal Data; and

11.2.9 allowing for inspections and assessments to be undertaken by the other Party in respect of the security measures taken, or producing evidence of those measures if requested.

12. Data Security Breaches and Reporting Procedures

12.1 The Parties are under a strict obligation to notify any potential or actual losses of the Shared Personal Data to the other Party as soon as possible and, in any event, within one (1) Business Day of identification of any potential or actual loss to enable the Parties to consider what action is required in order to resolve the issue in accordance with the applicable Data Protection Legislation.

12.2 Clause 12.1 also applies to any breaches of security which may compromise the security of the Shared Personal Data.

12.3 The Parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Data Security Breach in an expeditious and compliant manner.

13. Resolution of Disputes with Data Subjects or the Data Protection Authority

13.1 In the event of a dispute or claim brought by a Data Subject or the Data Protection Authority concerning the Processing of Shared Personal Data against either or both Parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.

13.2 The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Data Protection Authority. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

13.3 In respect of breaches relating to this Agreement, each Party shall abide by a decision of a competent court of the Data Discloser’s country of establishment or of any binding decision of the relevant Data Protection Authority.

14. Warranties

14.1 Each Party warrants, represents and undertakes that it will:

a) Process the Shared Personal Data in compliance with the Data Protection Legislation and all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to the Processing of Shared Personal Data;

b) respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Data Protection Authority in relation to the Shared Personal Data;

c) respond to Subject Access Requests in accordance with the terms of this Agreement and in accordance with the applicable Data Protection Legislation;

d) where applicable, maintain registration with all relevant Data Protection Authorities to Process all Shared Personal Data for the Agreed Purpose;

e) take all appropriate steps to ensure compliance with the security measures set out in clause 11; and

f) only transfer Shared Personal Data to third parties either within or outside the EEA unless it complies with the obligations set out in clauses 9 and 10.

14.2 The Data Discloser warrants, represents and undertakes it shall ensure any Personal Data transferred to the Data Recipient is accurate and has been obtained lawfully.

15. Indemnity

15.1 Each Party (the “Indemnifying Party”) agrees and undertakes to indemnify on demand and keep indemnified the other Party (the “Indemnified Party”) and defend at its own expense, and hold the Indemnified Party harmless from and against all and any demands, claims, actions, proceedings, liabilities, costs, expenses (including legal expenses calculated on a full indemnity basis, and all other professional expenses and costs), losses and all interest, regulatory penalty, fine or penalties, injury or damages whatsoever directly incurred or suffered by the Indemnified Party or for which the Indemnified Party becomes liable due to any failure by the Indemnifying Party directly arising out of the breach by the Indemnifying Party or its employees, agents and/or sub-contractors, of any of its data protection obligations under this Agreement.

15.2 In relation to any claim under clause 1, the indemnity therein is subject to the conditions that:

15.2.1 the Indemnifying Party is given notice of such claim as soon as the Indemnified Party is notified of the claim;

15.2.2 the Indemnifying Party is given immediate and complete control of such claim;

15.2.3 the Indemnified Party does not prejudice the Indemnifying Party’s defence of such claim; and

15.2.4 the Indemnified Party gives the Indemnifying Party all reasonable assistance with such claim.

16. Roles and Responsibilities

16.1 Each Party shall nominate a single point of contact within their organisation who can be contacted in respect of queries or complaints regarding the DPA, GDPR and/or compliance under the terms of this Agreement.

Storm Model Management Foreign / Appointee Agency




17. General

17.1 In case the Data Protection Legislation changes in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree that they will negotiate in good faith to review the Agreement in light of the new legislation.

17.2 This Agreement and the Principal Agreement constitute the entire agreement between the Parties in relation to the subject matter contained therein, and supersede and extinguish all previous agreements, promises, assurances, warranties, representations and understandings between the Parties, whether written or oral, relating to the subject matter of this Agreement and the Principal Agreement.

17.3 This Agreement may be executed in any number of counterparts, each of which when executed and delivered shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement. No counterpart shall be effective until each Party has executed and delivered at least one counterpart.

17.4 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.