17. Data Processing Agreement
Where the data controller engages a service provider whose services include processing personal data, the service provider will be a Data Processor. It is the responsibility of the data controller to put a Data Processing Agreement in place defining the parties’ respective responsibilities.
The following template forms the basis for such an agreement between the data controller and VeriFi although similar content may be applicable to other service providers such as guarding, systems maintenance, visitor management and ANPR software as a service.
SAMPLE DATA PROCESSING AGREEMENT
This agreement is between:
- [Name of customer] a company registered in England and Wales with company number [number] of [registered office or principal place of business] and who is registered with the ICO as a data controller with registered number [insert] (the “Customer”); and
- VeriFi CCTV Limited a company registered in England and Wales with company number 07307582 of 23 Glasshouse Studios, Fryern Court Road, Fordingbridge, Hampshire SP6 1QX (the “Service Provider”)
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “processing” and “appropriate technical and organisational measures”: have the meanings given to them in the Data Protection Legislation.
- “Data Protection Legislation”: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).
- “UK Data Protection Legislation”: all applicable data protection and privacy legislation in force from time to time in the UK including the UK General Data Protection Regulation, the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
1 – Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 1 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. In this clause 1, “Applicable Laws” means (for so long as and to the extent that they apply to the Service Provider) the law of the European Union, the law of any member state of the European Union and/or Domestic UK Law; and “Domestic UK Law” means the UK Data Protection Legislation and any other law that applies in the UK.
2 – The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Service Provider is the Processor. Clause 8 sets out the scope, nature and purpose of processing by the Service Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.
3 – Without prejudice to the generality of clause 1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Service Provider, and/or lawful collection of the Personal Data by the Service Provider on behalf of the Customer, for the duration and purposes of this agreement.
4 – Without prejudice to the generality of clause 1, the Service Provider shall, in relation to any Personal Data processed in connection with the performance by the Service Provider of its obligations under this agreement:
a – process that Personal Data only on the documented written instructions of the Customer unless the Service Provider is required by Applicable Laws to otherwise process that Personal Data. Where the Service Provider is relying on Applicable Laws as the basis for processing Personal Data, the Service Provider shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Service Provider from so notifying the Customer;
b – ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
c – ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
d – not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:
i – the Customer or the Service Provider has provided appropriate safeguards in relation to the transfer;
ii – the data subject has enforceable rights and effective legal remedies;
iii – the Service Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
iv – the Service Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
e – assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
f – notify the Customer without undue delay on becoming aware of a Personal Data Breach;
g – at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Laws to store the Personal Data; and
h – maintain complete and accurate records and information to demonstrate its compliance with this clause 4.
5 – The Customer hereby grants its general consent to the Service Provider appointing third party processors to assist the Service Provider in processing Personal Data under this agreement. The Service Provider’s current third party processors are set out in clause 8.6. Prior to appointing a new third party processor, the Service Provider shall notify the Customer in writing of the intended appointment.
6 – The Service Provider confirms that it has entered or (as the case may be) will enter into a written agreement with each third party processor incorporating terms which are substantially similar to those set out in this agreement and which the Service Provider confirms reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Customer and the Service Provider, the Service Provider shall remain fully liable for all acts or omissions of any third party processor appointed by it pursuant to clause 5.
7 – Either party may, at any time on not less than 30 days’ notice, revise this agreement by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).
8 – Processing, Personal Data and Data Subjects
8.1 Scope – The processing is limited to that permitted in this agreement.
8.2 Nature and purpose of processing – To assist the Customer in achieving Data Protection Legislation compliance by provision of services, documentation and equipment as defined in the VeriFi Data Compliance Procedures & Policy that may be viewed at www.verifi-fms.com.
8.3 Duration of the processing – The processing will continue for the contract term, which will expire 12 months following the date of submission of the audit report or the commencement of the handover of EIDOS software, unless the contract is extended by the Customer. In either case any related archive data will be made available on the demand of the Customer for up to 90 days from the expiry date.
8.4 Types of Personal Data – Surveillance and security related data that includes the identity or identifiers of individuals. Data processed may include names, job titles, visual images, personal appearance and behaviours, and criminal offence data.
8.5 Categories of Data Subject – The Customer’s staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance.
8.6 Third party processors – Amazon Web Services (AWS), a subsidiary of Amazon that provides a cloud computing platform.