PHOTOGRAPHER DATA PROCESSING AGREEMENT (“DPA”)
FOLIO ALBUMS LIMITED
THIS DPA is made on 25 May 2018 (the “Effective Date“) BETWEEN:
- [YOU, the account holder] [whose details are set out in the account opening form] (the “Client“); and
- FOLIO ALBUMS LIMITEDincorporated and registered in England and Wales with company number 05373725 whose registered office is at Unit 7b, Shortwood Court, Shortwood Business Park, Hoyland, Barnsley S74 9LH (“Folio“).
- Folio provides to the Client certain photographic services described in Schedule 2 (the “Services“).
- The provision of the Services by Folio involves it Processing the Personal Data described in Schedule 2 for the Clients. These are the Data Protection Particulars.
- The parties have agreed to enter into this DPA to ensure compliance with the provisions of EU regulation 2016/679 (the “GDPR“) in relation to all Processing of the Personal Data by Folio for the Client.
1.1 The defined terms and expressions referred to in this DPA are set out in Schedule 1.
1.2 The provisions of this DPA shall be effective from the Effective Date and shall continue in full force and effect for so long as Folio is Processing Personal Data received from the Client.
2 Data Protection
2.1 In consideration of the parties mutually agreeing to waive the enforcement of any outstanding rights at the Effective Date in relation to the Processing of Personal Data, the parties agree to the terms of this DPA from the Effective Date.
2.2 The parties acknowledge that, under the terms of this DPA, Folio is acting as a Processor appointed by the Client and the Client is a Data Controller. The parties agree that the data to be Processed by Folio shall be Personal Data.
2.3 Folio aims to comply with the Data Protection Legislation in its Processing of the Personal Data required in the performance of the Agreement, and shall use all reasonable endeavours to provide such assistance and/or co-operation as is reasonably necessary or reasonably requested by the Client to assist the Client in complying with the Data Protection Legislation.
2.4 Each of the Parties acknowledges and agrees that Schedule 2 (Data Protection Particulars) of this DPA is an accurate description of the Data Protection Particulars.
2.5 Folio agrees that it will only Process the Personal Data in accordance with the Client’s documented instructions from time to time and shall not Process the Personal Data for any purpose other than expressly authorised by the Client except where required by Data Protection Legislation (and shall inform the Client of that legal requirement before Processing, unless Data Protection Legislation prevents it from doing so).
2.6 Folio shall promptly comply with any request from the Client to amend, transfer or delete the Personal Data.
2.7 At the Clients written request (and cost and expense), Folio shall provide the Client with a copy of all Personal Data held by it in the format as reasonably specified by the Client.
2.8 Folio shall promptly notify the Client if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable as a result of its acts or omissions.
2.9 Folio shall use all reasonable endeavours to keep the Personal Data confidential.
2.10 Folio agrees that it shall implement and maintain such technical and organisational measures as are required to enable the Personal Data to be Processed in compliance with the DPL.
2.11 Without prejudice to Folio’s obligations with respect to Folio’s Personnel, Folio shall use reasonable endeavours to:
- take reasonable steps to ensure the reliability and integrity of any of Folio’s Personnel who shall have access to the Personal Data;
- ensure that only such members of Folio’s Personnel required by it to assist it in fulfilling its obligations under the Agreement shall have access to the Personal Data (and no other member of Folio’s Personnel shall have access to such Personal Data); and
- ensure that each member of Folio’s Personnel shall have:
(i) undergone reasonable levels of training in Data Protection Legislation and in the care and handling of Personal Data; and
(ii) entered in to appropriate contractually-binding confidentiality undertakings that shall apply to the Personal Data.
2.12 Folio shall not transfer any Personal Data outside the EEA without the Client’s prior written consent and where the Client consents to such transfer, to enter into our agreement which imposes on the parties substantially the same obligations as are imposed upon Folio by this DPA.
2.13 Folio may authorise a third party (subcontractor) to Process the Personal Data provided by the subcontractor’s contract is on terms which are substantially the same as those set out in these Conditions. The Client shall ensure that it obtains any consent required from Data Subjects to allow Folio to Process Personal Data inside or, if applicable, outside the EEA should this be required. In such an event Folio will advise the Client in writing and enter into an agreement with such a third party to ensure that the Data Subject has enforceable rights and effective legal remedies.
2.14 Folio shall promptly notify the Client upon becoming aware of any actual or suspected or ‘near miss’ Personal Data Breach, and will:
- take all reasonable steps (and procure that its sub-contractors take all reasonable steps) to prevent or minimise the effects of the Personal Data Breach;
- implement or attempt to procure that its sub-contractors implement measures necessary to restore the security of compromised Personal Data; and
- provide the Client with reasonable co-operation and assistance to make any notifications to the ICO and affected Data Subjects.
2.15 Folio shall notify the Client following its receipt of any Data Subject Request, and shall:
- not disclose any Personal Data in response to any Data Subject Request without the Client’s prior written consent; and
- provide the Client with reasonable co-operation and assistance required by the Client in relation to any such Data Subject Request.
2.16 Folio will comply with the Client’s reasonable requirements in relation to the Client’s compliance with any Data Subject Request.
2.17 The Client shall co-operate with Folio in all matters relating to the Services and appoint a data manager in relation to the Services, who shall have authority to act for the Client on matters relating to the Services.
2.18 The Client warrants and agrees that:
- it has complied and shall comply with the Data Protection Legislation as a Data Controller;
- Folio is entitled to Process the Personal Data as part of the Services and such use will comply with the Data Protection Legislation;
- it has the right to licence the Processing of the Personal Data to Folio under the Agreement;
- the Processing of the Personal Data by Folio as part of the Services will not infringe the Intellectual Property Rights of any third party;
- it has obtained the appropriate consent from a Data Subject to allow Folio to Process the Personal Data as part of the Services as anticipated by the Agreement and that the Client’s Customers know that their personal data will be processed by Folio;
- it is not aware of any circumstances likely to give rise to breach by it of any of the Data Protection Legislation in the future;
- all Personal Data to be Processed by Folio is necessary, accurate and up-to-date; and
- it consents to Folio appointing a sub-processor to process the Personal Data if Folio should need to do this in order to provide the Services.
2.19 If Folio’s performance of any of its obligations under the Agreement is prevented or delayed by the Client’s act, omission or failure to perform any relevant obligation under this DPA (“Client Default“):
- Folio shall have the right to suspend performance of the Services until the Client remedies the Client Default, and to rely on the Client Default to relieve it from the performance of any of its obligations to the extent the Client Default prevents or delays its performance of any of its obligations;
- Folio shall not be liable for any costs or losses sustained or incurred by the Client arising directly or indirectly from Your failure or delay to perform any of its obligations as set out in clauses 2.18 to 2.21.
2.20 The Client shall indemnify Folio and keep Folio indemnified from and against any and all liabilities, losses, expenses, claims, damages and losses (including, but not limited to, any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by Folio as a result of the Client’s breach of its obligations as set out in this DPA.
“Data Controller“, “Data Processor“, “Processing” and “Data Subject” shall have the meaning set out in Article 4 of the GDPR;
“Data Protection Legislation” or “DPL” means the Data Protection Act 1998 (as amended) and the GDPR:
“Data Protection Particulars” means the data protection particulars set out in Schedule 2;
“Data Subject Request” means an actual or purported request or notice or complaint from (or on behalf of) a Data Subject (or a third party acting on a Data Subject’s request) exercising his rights under the Data Protection Legislation;
“DPA” means this agreement;
“Folio’s Personnel” means all individuals engaged by Folio in connection with this Agreement, including employees, consultants, contractors and permitted agents;
“ICO” means the UK Information Commissioner’s Office, or any successor or replacement body from time to time;
“Personal Data” has the meaning set out in the Data Protection Legislation and for the purposes of this DPA, includes Sensitive Personal Data;
“Personal Data Breach” has the meaning set out in the Data Protection Legislation;
“Sensitive Personal Data” means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR;
“Services” means the services to be provided by Folio to the Client under the Agreement or as described in Schedule 2 (as applicable).
All photographic services as may be provided by Folio as part of an Order by the Client.
Data Protection Particulars
|The type of Personal Data being Processed and class of Data Subjects||Names
Date of Birth
|The nature and purpose of the Processing||By Folio in order to perform the Services or as otherwise agreed to between the Parties and not further or otherwise.|
|The categories of Data Subjects||The data subjects will be client customers.|
|Any special categories of data||Not applicable|
|The duration of the Processing||A minimum of 6 years for HMRC inspection purposes.|