Data Processor Agreement

Please read through and complete the below consent.
This agreement forms a contract detailing your instruction, and therefore the consent, for The School Photography Company to process data that you provide as specified below. To complete this consent, enter your name, confirm your email address and tick both boxes before pressing “Submit”. You will receive a confirmation email with a copy of this document to the email address entered.

1. Introduction and Subject Matter

1.1 This agreement re processing of personal data (the “Data Processor Agreement”) regulates The School Photography Company, Company registration no. 5639678 (the “Data Processor”) processing of personal data on behalf of the School (the “Data Controller”). This is on the basis that the parties have agreed for the Data Processor’s delivery of student photographic services (the “Main Services”) with the use of student names data (the “Personal Data”) provided by the Data Controller.

1.1.1 Student Portrait Photographs is one of the Main Services provided. The Personal Data required to complete this service is only needed when the Data Controller requests a data match image CD to update the School database records. This isn’t a requisite of the service as there is the option of completing these photographs without the transfer of Personal Data; this will however result in not being able to provide the school with a data matched image CD, the image CD that can be presented will only have the student image without any corresponding student information.

1.1.2 Group Photographs is another of the Main Services provided. The Personal Data required to complete this service is only needed when the Data Controller requests that all people present in the photograph have their names printed underneath the photograph. This isn’t a requisite of the service as there is the option of completing these photographs without the transfer of Personal Data; this will however result in not being able to provide the school with a group photograph with names; the photograph can be produced with a title of the group underneath instead.

2. Applicable Law and Supervisory Authorities

2.1 The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), and any relevant supervisory authorities including in particular:

i. The General Data Protection Regulation, 25 May 2018 (“GDPR”).

ii. The Copyright, Designs and Patents Act 1988.

iii. Co-operate with supervisory authorities such as the Information Commissioner’s Office (“ICO”).

3. Processing of Personal Data

3.1 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s Personal Data on behalf of the Data Controller.

3.2 “Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the “Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are:

i. Student and/or staff name

ii. Student form/class.

iii. Student admission number.

3.3 The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update the above list whenever changes occur that necessitate an update.

3.4 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 30 (2).

3.5 The Data Processor processes personal data provided by the Data Controller to enable the Data Processor to produce the photographic product requested by the Data Controller, to administer orders and deliver photographs. The Personal Data is not comprised by this Data Processor Agreement, because the Data Processor is data controller for said personal data, and reference is made to the Data Processor’s data protection and privacy policy available on the Data Processor’s website.

4. The Data Controller’s Obligations and Rights

4.1 The Data Processor may only act and process the Personal Data further to documented instruction from the Data Controller (the “Instruction”). The Instruction is at the time of entering into this Data Processor Agreement and is continued on each and every occasion that the Data Controller provides the Personal Data, this is on the basis that the Data Processor will only process the Personal Data with the purpose of delivering the Main Services.

4.2 The Data Controller guarantees that the Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with the Applicable Law, including the legislative requirements re lawfulness of processing.

4.3 The Data Processor shall give notice without undue delay if the Data Processor considers the Instruction to be in conflict with the Applicable Law.

5. The Data Processor’s Obligations

5.1 Confidentiality

5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data will be processed in accordance with the Main Services as agreed by the Data Controller. However the Personal Data may not be copied or transferred in conflict with the Instruction, unless the Data Controller in writing has agreed hereto.

5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processor Agreement with strict confidentiality and in accordance with our General Data Protection Regulation Policy.

5.2 Security

5.2.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32.

5.3 The Data Processor shall ensure that access to the Personal Data is restricted to only the employees to whom it is necessary and relevant to process the Personal Data in order for the Data Processor to perform the Main Services and obligations specified under this Data Processor Agreement.

5.4 The Data Processor shall also ensure that the Data Processor’s employees working on processing the Personal Data only process the Personal Data in accordance with the Instruction to provide the Main Services.

5.4.1 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.

5.5 Data protection impact assessments and prior consultation

5.5.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.

5.6 Rights of the data subjects

5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

5.6.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor will immediately inform the Data Controller of this request.

5.7 Personal Data Breaches

5.7.1 The Data Processor shall give immediate notice to the Data Controller if a breach of the data security occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

5.7.2 The Data Processor shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:

i. A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.

ii. A description of the likely as well as actually occurred consequences of the Personal Data Breach.

iii. A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.

5.7.3 The register of any relevant Personal Data Breaches shall be provided to the Data Controller in copy if so requested in writing by the Data Controller or the relevant Data Protection Agency.

5.8 Documentation of compliance

5.8.1 The Data Processor shall after the Data Controller’s written request hereof provide documentation substantiating that:

i. the Data Processor complies with its obligations under this Data Processor Agreement and the Instruction; and

ii. the Data Processor complies with the Applicable Law in respect of the processing of the Data Controller’s Personal Data.

5.8.2 The Data Processor’s documentation of compliance shall be provided within 28 days.

5.9 Location of the Personal Data

5.9.1 The Personal Data is only processed by the Data Processor at the Data Processor’s address. The Data Processor does not transfer the Personal Data to other countries or international organisations.

6. Sub-Processors

6.1 The Data Processor does not engage third-parties to process the Personal Data (“Sub-Processors”). Therefore a sub-processor will not be used without obtaining written, specific authorization from the Data Controller.

7. Duration

7.1 The Data Processor Agreement shall remain in force with the Data Controller until the Data Controller no longer chooses to use the Main Services of the Data Processor.

7.2 All Personal Data provided by the Data Controller will be retained for a minimum period of 2 months and for a maximum period of 6 months following the Personal Data received date, this is to ensure that we can complete the duties required for the Main Services provided. After this date the data received is permanently deleted.

8. Termination of Main Services

8.1 The Data Processor’s authorisation to process Personal Data on behalf of the Data Controller shall be annulled at the termination of the Main Services and therefore this Data Processor Agreement.

8.2 The Data Processor shall continue to process the Personal Data for up to three months after the termination of the Data Processor Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Data Controller’s Personal Data in the three months after the termination of the Main Services and therefore this Data Processor Agreement shall be considered as being in accordance with the Instruction.

8.3 At the termination of the Main Services and therefore this Data Processor Agreement, the Data Processor shall return the Personal Data processed under this Data Processor Agreement to the Data Controller, provided that the Data Controller is not already in possession of the Personal Data. The Data Processor is hereafter obliged to delete all the Personal Data and provide documentation for such deletion to the Data Controller.





 I agree and instruct The School Photography Company to process our data as laid out in this Data Processor Agreement

 I confirm that I am in a position of authority to consent to this agreement