Data Processing Agreement pursuant to Art. 28 GDPR
- Controller - hereinafter referred to as the Client -
Transition Video Ltd
Unit 4 Transition Video Ltd
- Processor - hereinafter referred to as the Contractor -
1. Subject and duration of the order
The subject of the data handling order is the Contractor’s performance of the following duties:
• Providing technical services and equipment for live events
• Providing services of freelance and full time employed technicians to the Client
The term of this order is for an unlimited period and can be terminated by request in writing. This is without prejudice to the option of terminating the agreement without notice.
2. Specification of the order contents
(1) For the purposes of this order, the following terms shall have the following meaning:
“Data Protection Laws” means all applicable data protection laws, including Regulation (EU) 2016/679 (the “GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as each may be amended, updated or replaced from time to time, including by the proposed Regulation on Privacy and Electronic Communications), and references to “Controller”, “data subjects”, “personal data”, “process”, “processed”, “processing”, “Processor” and “Supervisory Authority” have the meanings set out in, and will be interpreted in accordance with, such Data Protection Laws.
(2) The Client and the Contractor acknowledge and agree that the Client is the Controller and the Contractor is the Processor in respect of the personal data processed in connection with this order and the Service Agreement, if applicable, to which it relates.
(3) Scope, nature and purpose of the proposed data processing
Detailed description of the order subject with regard to the nature and purpose of the Contractor’s tasks:
• Occasional processing of passport details for travel and accommodation bookings
• Occasional processing of personal data required for Visa and A1 applications
• Occasional processing of National Insurance details, citizenship, employment status and financial/payment information as appropriate for calculation of foreign Social Security contributions
• Occasional processing of passport and citizenship details for Visa and Workers Authorisation purposes
• Inclusion in itineraries (online and off-line)
• Inclusion of contact information in crew and production schedules, contact sheets, call sheets etc.
• The below mentioned data listed under (4) Type of Data may be shared with event production staff for job specific visa, travel and workers authorisation requirement purposes
The contractually agreed data processing is carried out in the United Kingdom or a jurisdiction within the European Economic Area or the United States of America, due to the Contractor’s head office being based there. Any transfer to the USA will have a valid adequate transfer mechanism in place.
Any transfer to any other third country will have a valid and adequate transfer mechanism in place in accordance with the Data Protection Laws, including (but not limited to) a transfer mechanism that:
- is confirmed by an adequacy decision from the European Commission (Article 45 (3) GDPR);
- is achieved with binding corporate rules (Articles 46(2)(b) and 47 GDPR);
- is achieved with standard data protection clauses adopted by the European Commission or adopted by the Information Commissioner’s Office and approved by the Commission (Article 46(2)(c) and (d) GDPR);
- is achieved with approved codes of conduct (Article 46 (2) (e) in conjunction with Article 40 GDPR);
- is achieved with an approved certification mechanism (Article 46(2)(f) in conjunction with Article 42 GDPR);
- is achieved with other measures permitted by the Data Protection Laws (including those at Article 46(2)(a), (3)(a) and (b) GDPR).
(4) Type of data
The subject of the personal data processing is, in particular, the following types/categories of data (description of the data categories):
• Personal master data (basic information such as name, contact email, contact phone number)
• Passport details for travel arrangements
• Passport and address details for job specific accreditation purposes
• National insurance and A1 data for working in territories outside of the UK
• Visa information for working outside of the European Union as required
(5) Categories of data subjects
The categories of data subjects affected by processing include:
• Employees of a freelancer, registered as a Limited Company
• Individual freelancers
3. Technical and organisational measures
(1) The Contractor must document the implementation of the technical and organisational measures set out prior to the award of the order and prior to processing, with particular regard to the specific execution of the order, and hand them over to the Client for review. If accepted by the Client, the documented measures become the basis of the order. If the Client’s review/audit results in a need for adjustment, this must be implemented by mutual agreement.
(2) The Contractor shall implement and maintain security measures in accordance with the Data Protection Laws (including Articles 5(1) and (2), 28(3)(c) and 32 GDPR) to ensure a level of protection appropriate to the risk presented by the processing of personal data in connection with this order, in particular with regard to the confidentiality, integrity, availability and resilience of the processing systems. In doing so, the state of the art, the implementation costs and the nature, scope and purpose of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects whose personal data is being processed, shall be taken into account. [Details in Annex 1].
(3) The technical and organisational measures are subject to technical progress and further development. In this regard, the Contractor is permitted to implement alternative adequate measures, provided that the security level of the specified measures is not undercut.
4. Rectification, limitation and deletion of data
(1) The Contractor may not correct, delete or restrict the processing of personal data that it processes on behalf of the Client on its own initiative, but only in accordance with documented instructions from the Client. If a data subject contacts the Contractor directly with such a request, the Contractor shall forward the request to the Client without delay.
(2) If included in the scope of services, the Contractor shall directly implement the deletion concept and the data subject rights to erasure (“right to be forgotten”), rectification, data portability and access, in accordance with the Client’s documented instructions.
5. Quality assurance and Contractor’s other obligations
In addition to compliance with the provisions of this Contract, the Contractor must uphold statutory obligations in accordance with the Data Protection Laws (including Articles 28 to 33 GDPR); in particular, it shall ensure compliance with the following requirements:
a) The Contractor must provide contact details for its data protection officer or, if at the time the order is concluded the Contractor is not obliged to appoint a data protection officer in accordance with the Data Protection Laws, for a relevant department (with the details set out below). The Contractor remains responsible for compliance with the statutory obligation to appoint a data protection officer.
b) The safeguarding of confidentiality (including pursuant to Articles 28(3)(b), 29 and 32(4) GDPR), such that the Contractor shall use only employees who are bound to confidentiality and who have previously been familiarised with the Data Protection Laws relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process such data in accordance with the Client’s instructions, including the powers granted in this Contract, unless they are required by law to carry out the processing.
c) The implementation of, and adherence to, all technical and organisational measures required for this Contract pursuant to the Data Protection Laws (including pursuant to Articles 28(3)(c) and 32 GDPR) [details in Annex 1].
d) Upon request, the Client and the Contractor shall work together with the Supervisory Authority on the fulfilment of its tasks.
e) The Client must be promptly informed of the Supervisory Authority’s monitoring actions and measures, as far as they relate to this Contract. This also applies if a competent authority investigates the Contractor in the context of an administrative-offence or criminal procedure concerning the processing of personal data.
f) If the Client itself is subject to inspection by the Supervisory Authority, an administrative offence or criminal procedure, a data subject’s liability claim or that of a third party or any other claim in connection with ordered processing by the Contractor, the Contractor shall support it to the best of its ability.
g) The Contractor shall from time to time review internal processes and technical and organisational measures to ensure that the processing within its sphere of responsibility complies with the requirements of the Data Protection Laws and ensures protection of the data subject’s rights.
6. Sub-contractual relations
(1) For the purposes of this order, sub-contractual relationships are those whereby the Contractor has engaged a third party to provide services which involve the processing of personal data on behalf of the Client.
(2) The Contractor may reasonably commission subcontractors (other processors) in order to carry out the purposes set out in Clause 2(3) above.
(3) The transfer of the Client’s personal data to a subcontractor, and the subcontractor’s commencement of processing, shall only be permitted once all conditions for subcontracting set out in this section 6 have been met.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure admissibility under the Data Protection Laws by taking appropriate measures. The same applies if service providers within the meaning of (1) or (2) are to be used. The processing of personal data by subcontractors in a third country is generally not permitted. If, in exceptional circumstances and following the Client’s prior authorisation, personal data is processed in a third country, this shall be performed exclusively on the basis of the standard contractual clauses for processors in the form of Decision 2010/87/EU for the transfer of personal data to processors established in third countries. The Client authorises the Contractor to conclude, on the Client’s behalf, a contract containing the standard contractual clauses with the Contractor’s subcontractors established in third countries. In that contract the Client, as the Controller, is the data exporter and the subcontractor established in the third country is the data importer.
7. Client’s monitoring rights
(1) The Client, or third parties authorised by it, have the right to carry out checks of the order on the Contractor’s premises or to have these carried out by an auditor named in the individual case. The Client has the right to satisfy itself regarding the Contractor’s compliance with this agreement in its business by carrying out inspections. Inspections must be notified in advance and are carried out during the Contractor’s business hours. The Client shall take appropriate account of the Contractor’s operational processes.
(2) If the Client commissions a third party to carry out the inspection, the Client shall oblige the third party in writing to maintain confidentiality and secrecy with regard to the Contractor, unless the third party is bound to confidentiality by virtue of its profession. The Client shall provide the Contractor with a copy of that confidentiality undertaking without delay at the Contractor’s request. The Client may not appoint a competitor of the Contractor to carry out the inspection. The Contractor may demand appropriate remuneration for its efforts in supporting the inspections.
(3) The Contractor shall ensure that the Client can satisfy itself regarding compliance with the Contractor’s obligations in this order and in accordance with Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to prove the implementation of the technical and organisational measures.
(4) Proof of such measures, where they concern not only the specific order (basic protection measures), can be provided in the form of:
o compliance with approved codes of conduct pursuant to Article 40 GDPR
o certification in accordance with an approved certification process pursuant to Article 42 GDPR
o up-to-date certificates, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security departments, privacy auditors, quality auditors);
o appropriate certification by IT security or privacy audit.
8. Contractor’s assistance obligations
The Contractor shall assist the Client in complying with obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as referred to in Articles 32 to 36 of the GDPR. These include:
a) ensuring an adequate level of protection through technical and organisational measures which take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible infringement of rights through security vulnerabilities, and which enable the immediate detection of relevant breaches
b) the obligation to report personal data breaches to the Client without undue delay
c) the obligation to support the Client in providing information to the data subject and to provide the Client with all relevant information in this regard without delay
d) supporting the Client with its data protection impact assessment
e) supporting the Client with the supervisory authority’s prior consultations
9. Client’s authority
(1) The Client shall confirm any verbal instructions immediately afterwards in writing.
(2) The Contractor must inform the Client without delay if it believes a directive to be in conflict with the provisions of data protection law. The Contractor is entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the Client.
(3) Persons authorised by the Client to issue instructions are entitled to authorise further persons to issue instructions for carrying out/organising/monitoring the jointly agreed scope of services.
10. Deletion and return of personal data
(1) No copies and duplicates of the personal data shall be created without the Client’s knowledge. Exceptions to this are security copies that are necessary to guarantee proper personal data processing as well as personal data that is required for compliance with statutory retention obligations.
(2) After completion of the contractually agreed work, or sooner at the Client’s request, and at the latest upon termination of the Service Agreement, the Contractor must hand over to the Client any documents, processing or usage results or databases connected to the contractual relationship that are still in its possession, or destroy them in a data-protection-compliant manner with the Client’s prior consent. The same applies to test and scrap material. The deletion log must be submitted on request.
(3) Documentation serving as proof of orderly and proper data processing shall be retained by the Contractor in accordance with the respective retention periods beyond the end of the contract. The Contractor may hand it over to the Client at the end of the order to discharge the Contractor of its obligations.
(1) Should the Client’s property that lies with the Contractor be endangered by third-party measures (such as seizure or confiscation), by insolvency or composition proceedings or by other events, the Contractor must inform the Client without delay.
(2) Ancillary agreements must be made in writing.
(3) Should individual parts of this Agreement be or become ineffective, this shall not affect otherwise the validity of the Agreement.
Annex 1 - Technical and Organisational Measures
1. Confidentiality (Article 32 (1) (b) GDPR)
• Physical access control No unauthorised access to data processing systems, for example: magnetic or chip cards, keys, electric door openers, security or reception staff, alarm systems, video surveillance;
• System access control No unauthorised system usage, e.g. (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers;
• Data access control No unauthorised reading, copying, alteration or removal within the system, e.g. authorisation concepts and needs-based access rights, logging of accesses;
• Separation control Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing;
• Pseudonymisation (Article 32 (1) (a) EU GDPR; Article 25 (1) EU GDPR) Personal data shall be processed in such a way that the data can no longer be associated with a specific data subject without using additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.
2. Integrity (Article 32 (1) (b) EU GDPR)
• Transfer Control No unauthorised reading, copying, alteration or removal during electronic transmission or transport, e.g. encryption, virtual private networks (VPNs) and electronic signatures.
• Input control Ascertainment of whether and by whom personal data was entered, changed or removed in the data processing systems, e.g. logging, document management;
3. Availability and resilience (Article 32 (1) (b) EU GDPR)
• Availability control Protection against accidental or wilful destruction or loss, for example: Backup strategy (online/offline, on-site/off-site), uninterruptible power supply (UPS), antivirus, firewall, reporting and contingency plans;
• Fast recoverability (Article 32 (1) (c) EU GDPR)
4. Procedure for regular review, assessment and evaluation (Article 32 (1) (d) EU GDPR, Article 25 (1) EU GDPR)
• Privacy management;
• Incident response management;
• Default privacy settings (Article 25 (2) GDPR);
• Processor control No processing on behalf of the Client within the meaning of Article 28 GDPR without the Client’s corresponding instructions, for example: clear order design, formalised order management, strict selection of the service provider, obligation to verify in advance, follow-up checks.