THIRD PARTY DATA PROTECTION AGREEMENT
THIS AGREEMENT DATED IS MADE BETWEEN:
(1) MEPC2 Duplication UK, a charity registered with the Office of the Scottish Charity Regulator with no. SC044781, of 34 Montgomerie Street, Ardrossan, North Ayrshire KA22 8HP (the ‘Data Processor’)
AND
(2) [name] of [address][company or other number/description] (the ‘Data Processor’).
WHEREAS:
The terms ‘Data Controller’, ‘Data Processor’ and ‘personal data’ in this agreement shall have the meanings and definitions given to them in the Data Protection Act 2018, the UK General Data Protection Regulation and such other data protection laws and regulations in force in the United Kingdom from time to time (‘Data Protection laws’).
The Data Controller processes personal data and does so in accordance with its duties and obligations in law as a data controller and as set out in its Privacy Policy, which appears on the Data Controller’s website and is available to view on request.
The Data Processor will receive personal data from the Data Controller or will otherwise come into possession of personal data by virtue of its relationship with the Data Controller (the ‘shared data’) exclusively in the course of furthering the Data Controller’s legitimate activities and purposes and in accordance with the said Privacy Policy and all relevant laws and regulations.
IT IS AGREED AS FOLLOWS:
1.1 The Data Processor shall process the shared data only in accordance with the Data Controller’s lawful instructions from time to time and in compliance with the Data Controller’s Privacy Policy, and shall not process such data for any purposes other than those expressly authorised by the Data Controller.
1.2 Where the shared data is or includes photographs or film, whether taken by the Data Processor or otherwise, such photographs or film shall not be used in any way which is inconsistent with the rights of the data subject or subjects depicted therein, notwithstanding any other rights relating to those images that might accrue in law to any other party.
1.3 For the avoidance of doubt, the provisions of clause 1.1 shall mean that the Data Processor will return to the Data Controller or, at the Data Controller’s direction, delete or securely destroy the shared data once the purpose for which it was shared by the Data Controller with the Data Processor has ceased and/or at the termination of the parties’ relationship, if sooner.
1.4 The Data Processor may, with the knowledge and written permission of the Data Controller, authorise a third party (subcontractor) to process the personal data provided that the subcontractor enters into a written agreement with the Data Processor that:
(a) includes terms relating to the shared data which are substantially the same as those set out in this agreement; and
(b) terminates automatically on termination of the relationship, for any reason, between the Data Controller and Data Processor.
1.5 The Data Processor shall take reasonable steps to ensure the reliability of any and all of its employees or subcontractors who have access to the shared data and ensure that they are aware of their and the Data Processor’s obligations herein.
1.6 The Data Processor warrants that, having regard to the state of technological development and the cost of implementing any measures, it and any subcontractor will:
(a) take appropriate technical and organisational measures against the unauthorised or unlawful processing of the shared data and against the accidental loss or destruction of, or damage to the shared data to ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the data to be protected.
(b) take reasonable steps to ensure compliance with those measures.
1.7 The Data Controller agrees to furnish the Data Processor with all necessary consents, permissions, facilities and information to enable the Data Processor to fulfil its obligations under this agreement, including but not limited to its ability to comply with its and the Data Controller’s legal obligations.
1.8 The Data Processor agrees:
(a) To notify the Data Controller of any data breaches as soon as possible and, in any event, within 48 hours;
(b) To notify the Data Controller of any Subject Access Requests made in respect of the shared data as soon as possible and in any event within 72 hours;
(c) To use all reasonable endeavours to assist the Data Controller in complying with its legal obligations, including in responding to a Subject Access Request or any other request made by a data subject in respect of their data;
(d) To indemnify and keep indemnified and defend at its own expense the Data Controller against all costs, claims, damages or expenses incurred as a result of the failure of the Data Processor or its employees or agents to comply with any of its obligations under this agreement.
1.9 Should any provision of this Agreement be held by a court of competent jurisdiction to be illegal, invalid or unenforceable, such provision may be modified by such court in compliance with the law giving effect to the intent of the parties and enforced as modified. All other terms and conditions of this Agreement shall remain in full force and effect and shall be construed in accordance with the modified provision.
1.10 The parties’ obligations to each other and in law to act in accordance with all relevant Data Protection laws and regulations shall survive the termination of this agreement.
1.11 This Agreement shall be governed by and construed in accordance with the laws of England.