- Vandercom Films Ltd, herein referred to as ‘Vandercom’ and the Customer have entered into Principal Agreements (as defined below) which involve the processing of Personal Data (as defined below) of Data Subjects (as defined below) and such processing is subject to Data Protection Laws (as defined below).
- This data processing addendum (Addendum) shall govern the processing of Personal Data of Data Subjects in the context of the Services and/or Products (as defined below).
- The terms set out below supersede and replace any existing privacy and data protection terms contained in the Principal Agreements pertaining to the processing of Personal Data and this Addendum shall amend the Principal Agreements to that extent. If there is any conflict between the provisions of this Addendum and the data protection terms contained in the Principal Agreements, the provisions of this Addendum shall take precedence. Silence on any particular matter shall be deemed not to give rise to a conflict.
- DEFINITIONS AND INTERPRETATION
1.1 In this Addendum, unless the context otherwise requires, the following definitions shall apply:
Addendum Means these data processing provisions;
Applicable Law Means as applicable and binding on the Customer, Vandercom and/or the Services and/or Products:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services and/or Products are provided to or in respect of;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
Business Day Means a day (other than a Saturday, Sunday or a public holiday in England) when the banks in London are open for business;
Data Client Means in relation to any Protected Data whichever of:
(a) the Customer or member of the Customer’s Group; or
(b) any customer or end-customer of the Customer; is the Controller in relation to that Protected Data;
Data Protection Laws All Applicable Laws relating to data protection, the processing of personal data and privacy, including without limitation:
(a) the Data Protection Act 2018;
(b) the GDPR; and
(c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as may be amended by the proposed Regulation on Privacy and Electronic Communications); and references to Controller, Processor, Data Subjects, Personal Data, Process, Processed, Processing, Processor and Supervisory Authority have the meanings set out in, and will be interpreted in accordance with such Data Protection Laws;
Data Protection Losses Means all liabilities, including all:
(a) reasonable costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
(b) to the extent permitted by Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and (iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Security Incident A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Protected Data transmitted, stored or otherwise Processed;
Data Subject Request Means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
GDPR Means the General Data Protection Regulation (EU) 2016/679;
GDPR Date Means 25 May 2018;
International Transfer A transfer to a country outside the European Economic Area (as it is made up from time to time) of Protected Data which is undergoing Processing, or which is intended to be Processed after transfer;
Principal Agreements The agreements between Vandercom and the Customer for the provision of telecommunications and/or IT related Services and/or Products;
Processing Instructions Has the meaning given to that term in clause 1.2;
Protected Data Personal Data which has been passed to Vandercom and is required to be Processed under the Principal Agreements and this Addendum by Vandercom as a Processor which is more particularly described in Schedule 1 of this Addendum;
Services and/or Products Means the production of film, video, audio or photography (as applicable) which are provided by Vandercom as a Supplier pursuant to the Principal Agreements;
Sub-Processor Means any third party appointed by Vandercom to Process the Protected Data.
Vandercom means Vandercom Films Ltd, a company registered in England and Wales with company registration number 7108491 whose registered office is at 505 Pinner Road, Harrow, Middlesex, HA2 6EH.
1.2 In this Addendum (except where the context otherwise requires):
1.2.1 headings are inserted for ease of reference only and shall not affect construction;
1.2.2 the expression “person” means any individual, firm, body corporate, unincorporated association, partnership, government, state or agency of state or joint venture;
1.2.3 the Schedules form part of this Addendum and will have the same force and effect as if expressly set out in the body of this Addendum and any reference to this Addendum will include a reference to the Schedules;
1.2.4 references to any statute or statutory provision will include any subordinate legislation made under it and will be construed as references to such statute, statutory provision and/or subordinate legislation as modified, amended, extended, consolidated, re-enacted and/or replaced and in force from time to time;
1.2.5 where the context requires, words denoting the singular include the plural and vice versa and words denoting any gender include all genders; and
1.2.6 any words following the words “include”, “includes”, “including”, “in particular” or any similar words or expressions will be construed without limitation and accordingly will not limit the meaning of the words preceding them.
- PROCESSOR AND CONTROLLER
2.1 The parties acknowledge and agree that, for the Protected Data, the Customer (or the relevant Data Client) shall be the Controller and Vandercom shall be the Processor or sub-processor.
2.2 The Customer authorises Vandercom responsible for providing the Services and/or Products to the Customer pursuant to the Principal Agreements to Process the Protected Data pursuant to this Addendum as a Processor or sub-processor for the purpose set out in Schedule 1.
2.3 Vandercom shall Process Protected Data in compliance with:
2.3.1 the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under this Addendum; and
2.3.2 the terms of this Addendum.
2.4 The Customer shall (and shall if the Customer is not the Controller ensure that the relevant Controller shall) comply with:
2.4.1 all Data Protection Laws in connection with the Processing of Protected Data, the Services and/or Products and the exercise and performance of its respective rights and obligations under this Addendum, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.4.2 the terms of this Addendum.
2.5 The Customer warrants to Vandercom that:
2.5.1 it has all necessary rights to authorise Vandercom to Process Protected Data in accordance with this Addendum and the Data Protection Laws;
2.5.2 all data sourced by the Customer for use in connection with the Services and/or Products, shall comply in all respects, including in terms of its collection, storage and Processing (which shall include the Customer providing all of the required fair processing notices and information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
2.5.3 it will not send any Protected Data to Vandercom which is not necessary for Vandercom to provide the Services and/or Products;
2.5.4 its instructions to Vandercom relating to Processing of Protected Data will not put Vandercom in breach of Data Protection Laws, including with regard to International Transfers; and
2.5.5 it has undertaken due diligence in relation to Vandercom’s Processing operations, and it is satisfied that:
(a) Vandercom’s Processing operations are suitable for the purposes for which the Customer proposes to use the Services and/or Products and engage the relevant member of Vandercom to Process the Protected Data; and
(b) Vandercom has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
2.6 If Vandercom reasonably considers that any instructions from the Customer relating to Processing of Protected Data may put Vandercom in breach of Data Protection Laws, Vandercom will be entitled not to carry out that Processing and will not be in breach of this Addendum or otherwise liable to the Customer as a result of its failure to carry out that Processing.
2.7 The Customer shall remain fully liable for the acts or omissions of each Data Client as if they were its own.
- INSTRUCTIONS AND DETAILS OF PROCESSING
3.1 Insofar as Vandercom Processes Protected Data on behalf of the Customer in connection with the provision of the Services and/or Products to the Customer under the Principal Agreements, Vandercom:
3.1.1 unless required to do otherwise by Applicable Law, shall (and shall ensure that any Sub-Processor shall) Process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this clause 3 and Schedule 1 (Data Processing Details) (Processing Instructions);
3.1.2 shall, if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, notify the Customer of any such requirement before Processing the Protected Data (unless Applicable Law prohibits such information on grounds of public interest); and
3.1.3 promptly inform the Customer if Vandercom becomes aware of a Processing Instruction that, in Vandercom’s opinion, infringes Data Protection Laws in the course of providing the Services and/or Products, provided that:
(a) this shall be without prejudice to clauses 2.4 and 2.5;
(b) to the maximum extent permitted by law, Vandercom shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any Processing in accordance with the Customer’s Processing Instructions following the Customer’s receipt of that information; and
(c) this clause 3.1.3 shall only apply from the GDPR Date.
3.2 The Processing of Protected Data to be carried out by Vandercom under this Addendum as a Processor shall comprise the Processing set out in Schedule 1 (Data Processing Details), as may be updated from time to time as agreed between the parties.
3.3 In respect of the Personal Data which Vandercom Processes as a Controller in connection with the Services and / or Products (for example, in relation to Customer account management and billing), the Customer will:
3.3.1 provide reasonable assistance to Vandercom, including to provide fair processing notices to the relevant Data Subjects and obtaining consents if necessary, to enable Vandercom to comply with the Data Protection Laws;
3.3.2 ensure that it is not subject to any prohibition or restriction which would:
(a) prevent or restrict it from disclosing or transferring the relevant Personal Data to Vandercom, as required under the Principal Agreements or this Addendum; or
(b) prevent or restrict Vandercom from Processing the Personal Data as envisaged under the Principal Agreements or this Addendum.
- TECHNICAL AND ORGANISATIONAL MEASURES
4.1 Vandercom shall implement and maintain, at its cost and expense, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
- USING STAFF AND OTHER PROCESSORS
5.1 The Customer acknowledges and agrees that Vandercom may engage third-party Sub-Processors in connection with the provision of the Services and/or Products. Vandercom has entered or will enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those in this Addendum with respect to the protection of Protected Data to the extent applicable to the nature of the Services and/or Products provided by each Sub-Processor.
5.2 Vandercom shall make available to the Customer the current list of Sub-Processors. Vandercom will inform the Customer of any proposed addition or replacement of a Sub-Processor thereby giving the Customer an opportunity to object (acting promptly, reasonably and in good faith towards Vandercom) to such changes. If the Customer does not provide any objections within 30 days of notice from Vandercom regarding the proposed changes to Sub-Processors, without limiting any of its rights or remedies under the Data Protection Laws, the Customer shall be deemed to have consented to such changes.
5.3 In the event that the Customer rejects any proposed addition or replacement of a Sub-Processor in accordance with clause 5.2 without prejudice to any other rights and remedies of Vandercom:
5.3.1 Vandercom shall not be liable to the Customer for any failure to perform or delay in the performance of its obligations under this Addendum and/or Principal Agreement arising as a result of such rejection by the Customer of any proposed addition or replacement of a Sub-Processor; and
5.3.2 the Customer shall bear all costs incurred by Vandercom in the procurement of a suitable replacement Sub-Processor to replace the rejected Sub-Processor (if applicable).
5.4 With effect from the GDPR Date, if Vandercom appoints a Sub-Processor, Vandercom shall:
5.4.1 prior to the relevant Sub-Processor carrying out any Processing activities in respect of the Protected Data, appoint such Sub-Processor under a written contract which imposes the same (in substance) terms to those imposed on this Addendum that is enforceable by Vandercom; and
5.4.2 remain fully liable for the acts and omissions of each Sub-Processor as if they were its own.
5.5 With effect from the GDPR Date, Vandercom shall ensure that all persons authorised by it (or by any Sub-Processor) to Process Protected Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (except where disclosure is required in accordance with Applicable Law, in which case Vandercom shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
- ASSISTANCE WITH THE CUSTOMER’S COMPLIANCE AND DATA SUBJECT RIGHTS
6.1 Vandercom shall, to the extent permitted under Applicable Law, promptly notify the Customer if it receives a Data Subject Request relating to the Services and/or Products. Taking into account the nature of the Processing, Vandercom shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s (or the relevant Data Client’s) obligation to respond to a Data Subject Request under Data Protection Laws, provided that if the number of Data Subject Requests exceeds 3 per calendar month, the Customer shall pay Vandercom’s charges calculated on a time and materials basis at Vandercom’s then current prevailing rates for recording and referring the Data Subject Requests in accordance with this clause 6.1.
6.2 From the GDPR Date, Vandercom shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of Processing and the information available to Vandercom) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
6.2.1 complying with its obligations under the Data Protection Laws relating to the security of Processing Protected Data;
6.2.2 conducting privacy impact assessments of any Processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly (as such term is defined in Data Protection Laws);
6.2.3 responding to requests for exercising Data Subjects’ rights under the Data Protection Laws, including by appropriate technical and organisational measures, insofar as this is possible;
6.2.4 prior consultation with a Supervisory Authority regarding high risk processing; and
6.2.5 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Data Security Incident, provided the Customer shall pay Vandercom’s charges for providing the assistance in this clause 6.2, such charges to be calculated on a time and materials basis at Vandercom’s then current prevailing rates.
- INTERNATIONAL DATA TRANSFERS
7.1 Vandercom will only make an International Transfer if:
7.1.1 a competent authority or body of the United Kingdom or the European Commission (as applicable) makes a binding decision that the country or territory to which the International Transfer is to be made ensures an adequate level of protection for Processing of Personal Data;
7.1.2 Vandercom or the relevant Sub-Processor provides adequate safeguards for that International Transfer in accordance with Data Protection Laws, in which case the Customer will execute (and ensure the relevant Data Client(s) execute) any documents (including data transfer agreements) relating to that International Transfer which Vandercom or the relevant Sub-Processor requires it to execute from time to time; or
7.1.3 Vandercom or the relevant Sub-Processor is required to make the International Transfer to comply with Applicable Laws, in which case Vandercom will notify the Customer of such legal requirement prior to such International Transfer unless such Applicable Laws prohibit notice to the Customer on public interest grounds.
- RECORDS, INFORMATION AND AUDIT
8.1 Vandercom shall maintain, in accordance with Data Protection Laws binding on Vandercom, written records of all categories of Processing activities carried out on behalf of the Customer.
8.2 Vandercom shall, in accordance with Data Protection Laws, upon prior written request make available to the Customer:
8.2.1 a summary of the audit reports demonstrating Vandercom’s compliance with their respective obligations as a Processor under Data Protection Laws; and
8.2.2 confirmation that the audit has not revealed any material vulnerability in Vandercom’s systems, or to the extent that any such vulnerability was detected, that Vandercom has taken steps to remedy such vulnerability.
8.3 If the measures set out at clause 8.2 are not sufficient to confirm Vandercom’s compliance with Data Protection Laws, Vandercom will allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) as is reasonably necessary to demonstrate Vandercom’s compliance with its obligations under Article 28 of the GDPR (and under any Data Protection Laws equivalent to that Article 28), subject to the Customer:
8.3.1 giving Vandercom reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
8.3.2 the parties mutually agreeing upon the scope, timing and duration of the audit;
8.3.3 ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
8.3.4 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Vandercom’s business, the Sub-Processors’ business and the business of other customers of Vandercom; and
8.3.5 paying Vandercom’s reasonable charges for assisting with the provision of information and allowing for and contributing to inspections and audits.
- BREACH NOTIFICATION
9.1 In respect of any Data Security Incident involving Protected Data:
9.1.1 Vandercom shall, without undue delay, notify the Customer of the Data Security Incident; and
9.1.2 Vandercom shall, without undue delay, provide the Customer with relevant details of the Data Security Incident; and
9.1.3 Customer, if it is not the Controller, shall ensure it provides such notification to the relevant Controller without undue delay.
- DELETION OR RETURN OF PROTECTED DATA AND COPIES
10.1 Vandercom shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such format as the Customer reasonably requests within a reasonable time after the earlier of:
10.1.1 the end of the provision of the relevant Services and/or Products related to the Processing of Protected Data; or
10.1.2 once Processing by Vandercom of any Protected Data is no longer required for the purpose of Vandercom’s performance of its relevant obligations under this Addendum, and delete existing copies (unless storage of any Protected Data is required by Applicable Law and, if so, Vandercom shall inform the Customer of any such requirement).
- LIABILITY AND COMPENSATION CLAIMS
11.1 Subject to clauses 11.2, 11.3 and 11.4 Vandercom will only be liable to the Customer for direct losses incurred by or awarded against the Customer (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Addendum only to the extent caused by the Processing of Protected Data under this Addendum and directly resulting from Vandercom’s breach of this Addendum.
11.2 In no circumstances shall Vandercom be liable under this Addendum or the Principal Agreements to the extent that any losses (or the circumstances giving rise to them) are contributed to or caused by any breach of (i) this Addendum or the Principal Agreements (including in accordance with clause 3.1.3(b)), or (ii) the Data Protection Laws by the Customer, relevant Data Client or any third party.
11.3 Subject to clause 11.4, the total liability of Vandercom taken together in the aggregate, arising under or in connection with the performance or contemplated performance of its obligations of this Addendum, the Data Protection Laws and all Principal Agreements, to the Customer and all members of the Customer’s Group, all Data Clients and all Data Subjects in respect of all Data Protection Losses, shall not exceed the lower of 100% of the annual charges paid or payable by the Customer under the directly affected Principal Agreement or the applicable cap to such liabilities in such Principal Agreement.
11.4 Nothing in this Addendum excludes or limits the liability of Vandercom for:
11.4.1 death or personal injury caused by Vandercom’s negligence;
11.4.2 fraud or fraudulent misrepresentation; or
11.4.3 any liability which cannot by law be limited or excluded.
11.5 If a party receives a compensation claim from a person relating to Processing of Protected Data (Data Compensation), it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
11.5.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
11.5.2 consult fully with the other party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible for paying the compensation.
11.6 This clause 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Laws to the contrary, except:
11.6.1 to the extent not permitted by Applicable Law (including Data Protection Laws); and
11.6.2 that it does not affect the liability of either party to any Data Subject.
This Addendum shall commence on the later of 25 May 2018 or the date of the applicable Principal Agreement, and shall immediately terminate when Vandercom is no longer in possession of any Protected Data.
This Addendum may be varied by Vandercom uploading the new form of Addendum to the company website and such variation being brought to the attention of the Customer.
To the extent that any provision of this Addendum is found by any court or competent authority to be invalid, unlawful or unenforceable in any jurisdiction, that provision shall be deemed not to be a part of this Addendum, it shall not affect the enforceability of the remainder of this Addendum nor shall it affect the validity, lawfulness or enforceability of that provision in any other jurisdiction.
- CONTRACTS RIGHTS OF THIRD PARTIES
15.1 Save as expressly provided in clause 15.2, no express term of this Addendum or any term implied under it is enforceable pursuant to the Contracts (Rights of Third Parties) Act 1999 by any person who is not a party to it, but this does not affect any right or remedy of a third party which exists, or is available, apart from pursuant to that Act.
15.2 This Addendum shall be for the benefit of Vandercom and Vandercom shall be entitled to enforce the benefits set out in this Addendum.
15.3 The parties may without limit or restriction terminate, rescind this Addendum, agree any waiver or settlement or vary it in accordance with its terms without reference to, or the consent of any such third party referred to in clause 15.2.
- RELEASES AND WAIVERS
16.1 Any right, power or remedy of a party under or pursuant to this Addendum or by law shall not be capable of being waived otherwise than by an express waiver in writing signed by an authorised representative of the relevant party.
16.2 No single or partial exercise, or failure or delay in exercising any right, power or remedy by any party shall constitute a waiver by that party of, or impair or preclude any further exercise of, that or any right, power or remedy arising under this Addendum or otherwise.
- CHANGES TO LAW
Vandercom may change any provision of this Addendum to the extent required to comply with any Applicable Law without the consent of the Customer.
- GOVERNING LAW AND JURISDICTION
18.1 This Addendum and any dispute, claim or obligation (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by English law.
18.2 The parties irrevocably agree that the English courts shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Addendum, its subject matter or formation.
SCHEDULE 1 DATA PROCESSING DETAILS
1 Subject-matter of processing: For the purposes of Vandercom performing the Principal Agreements.
2 Duration of the processing: The Processing shall continue for the duration of the Principal Agreements and for any period thereafter that Vandercom continues to Process any Protected Data.
3 Nature and purpose of the processing: To perform and/or deliver (as applicable) the Services and/or Products as set out in the Principal Agreements and as further instructed by the Customer.
4 Type of Personal Data: Names, telephone numbers, email addresses, addresses of the Data Subjects set out below and any other Personal Data required to be provided to Vandercom as Protected Data in the performance of the Principal Agreements, including without limitation the performance and/or delivery (as applicable) of the Services and/or Products.
5 Categories of Data Subjects: Employees and customers (being natural persons) of the Customer or the relevant Controller.