Data Processor Agreement
Contents:
- When this Agreement applies
- 1. Definitions
- 2. Shared Data and Agreed Purpose
- 3. Scope and purpose of this Agreement
- 4. Your key Processing obligations
- 5. Security and training
- 6. Sub-processing
- 7. Restricted Transfers
- 8. Audit
- 9. Information obligations
- 10. Personal Data Breach
- 11. Indemnity
- 12. Reservation of rights
- 13. Consequences of termination
- 14. Data Controllers
- 15. Contacting us about these terms
- 16. Changes to this Agreement
- 17. Privacy notice
When this Agreement applies
This Data Processor Agreement (the Agreement) forms part of the main Supplier Agreement between IMEX and its Supplier ("you" or "the Company") and applies when we engage you as our Data Processor to process Shared Personal Data on our behalf. When receiving the Shared Personal Data, you agree to comply with the following terms.
1. Definitions
Certain words used in this Agreement have the following meanings, unless the context otherwise requires:
- Agreed Purpose: the express purpose for which we share Shared Personal Data with you as set out in the Supplier Agreement
- Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications), including but not limited to the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended
- Data Controller, Data Processor, Data Subject, Personal Data and Processing: all have the meaning given to them in the UK Data Protection Legislation in force at the time
- IMEX: Regent Exhibitions Limited or IMEX America Limited (together "we" or "us") companies incorporated and registered in England and Wales having their registered offices at 113-118 Davigdor Road, Hove, BN3 1RE
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data
- Shared Personal Data: Any information relating to an identified or identifiable person (regardless of form) that is provided by IMEX to you for the Agreed Purpose, and which you are not the Data Controller of in your own right
- Supplier Agreement: the commercial agreement in place between the parties to which this data sharing arrangement relates
- Term: starting from the commencement date of the Supplier Agreement and continuing until the Company is no longer required to process the Shared Personal Data
3. Scope and purpose of this Agreement
IMEX and the Company are entering the Supplier Agreement, which as a result means that you are required to process Personal Data on behalf of IMEX.
IMEX and the Company agree and acknowledge that for the purpose of the Data Protection Legislation:
- IMEX is the controller of the Personal Data and you are the Processor of the Personal Data
- IMEX retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation
4. Your key Processing obligations
Under this Agreement, you shall:
- only process the Personal Data to the extent, and in such a manner, as is necessary for the Agreed Purpose and in accordance with IMEX's written instructions
- not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation
- comply promptly with any IMEX written instructions requiring you to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing
- maintain the confidentiality of the Personal Data and not disclose the Personal Data to third parties unless IMEX or this Agreement specifically authorizes the disclosure, or as required by domestic law, court or regulator
- reasonably assist IMEX, at no additional cost to IMEX, with meeting IMEX's compliance obligations under the Data Protection Legislation, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation
- ensure that persons authorized to process the Shared Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality
- at the choice of IMEX, delete or return all Shared Personal Data after the end of the Term, and delete existing copies unless required at law to store the Shared Personal Data
- make available to IMEX all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by IMEX or another auditor mandated by IMEX
- support IMEX regarding our obligations to provide information about the collection, Processing or usage of Personal Data to a Data Subject
- ensure that Shared Personal Data is not in any way used, manipulated, distributed, copied or processed for any other purpose than for the fulfilment of the contractual obligations as explicitly agreed upon and arising from this Agreement
5. Security and training
The Company must at all times implement appropriate technical and organizational measures against unauthorized or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Shared Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
The Company must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- the pseudonymization and encryption of Personal Data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of the security measures
It is your responsibility to ensure that your staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organizational security measures, together with any other applicable Data Protection Legislation and guidance, and have entered into confidentiality agreements relating to the Processing of Personal Data.
6. Sub-processing
You shall not subcontract your obligations under this Agreement to a Sub-processor without the prior written consent of IMEX and unless such Sub-processor undertakes, by way of written agreement, equivalent obligations as imposed on you in this Agreement.
If you appoint a third-party Processor to process the Shared Personal Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable to IMEX for the acts and/or omissions of the Processor, in respect of the Shared Personal Data.
You shall inform us of your intention to engage a Sub-processor and IMEX shall have the right to reasonably oppose the appointment if we have substantive and legitimate reasons for opposing the appointment.
Where a Sub-processor fails to fulfil its obligations under the written Agreement, you remain fully liable to IMEX for the Sub-processor's performance of its Agreement obligations.
On IMEX's written request, the Company will audit a Sub-processor's compliance with its obligations regarding the Personal Data and provide IMEX with the audit results.
7. Restricted Transfers
If IMEX are transferring the Shared Personal Data to you, and you are located outside the UK, EEA or a third country to which there is no adequacy decision provided by the UK government or European Union, the transfer of the Shared Personal Data is a restricted transfer.
The Information Commissioner's Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses for the transfer of Personal Data to third countries (pursuant to regulation (EU) 2016/679 set out in the Annex to Commission Implementing Decision (EU) 2021/91) have been completed and are attached below. By entering into this Agreement, and receiving the Shared Personal Data, you agree that the Safeguards are hereby incorporated into this Agreement to enable the transfer of Shared Personal Data (and the data sharing activities anticipated under this Agreement) to comply with Data Protection Legislation.
You agree that once IMEX has transferred the Shared Personal Data, any onward transfer of the Shared Personal Data must be done by you in compliance with the remainder of this clause below.
You may not transfer Shared Personal Data to a third party located outside the UK unless you have the consent of IMEX and you:
- comply with the provisions of the Data Protection Legislation in the event the third party is a joint controller
- ensure that (i) the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection; or (ii) there are appropriate Safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation; or (iii) the transferee otherwise complies with your obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Personal Data that is transferred; or (iv) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer
EU SCC (controller to processor)
EU Annex SCC (controller to processor)
together with the UK International Data Transfer Addendum (IDTA) apply.
IDTA - Data Processing - IMEX America Limited.pdf
IDTA - Data Processing - Regent Exhibitions Limited.pdf
For the purpose of the IDTAs linked above, you shall be considered the Data Importer and the Data Importer contact name, job title and contact details shall be as set out in the Supplier Agreement and incorporated into the IDTA accordingly.
8. Audit
IMEX is entitled to appoint a third-party independent auditor in the possession of the required professional qualifications and bound by a duty of confidentiality, to inspect your compliance with these terms and Data Protection Legislation and as may be required to determine the truthfulness and completeness of the statements submitted by you under this Agreement. Our right to audit shall be subject to giving you at least two (2) weeks' prior written notice of any such audit, except in cases of actual or suspected Security Breaches.
9. Information obligations
If you cannot provide compliance or foresee that you cannot comply with your obligations as set out in this Agreement, for whatever reasons, you agree to promptly inform IMEX of your inability to comply, in which case IMEX is entitled to suspend the transfer of Shared Personal Data to you, without prejudice to any other right or remedy we may have.
The Company must notify IMEX immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
The Company must notify IMEX within five (5) days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
The Company will give IMEX, at no additional cost to IMEX, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
The Company must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with IMEX's written instructions, or as required by domestic law.
10. Personal Data Breach
You will immediately notify IMEX if you become aware of:
- the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data (the Company will restore such Personal Data at its own expense as soon as possible)
- any accidental, unauthorized or unlawful Processing of the Personal Data
- any Personal Data Breach
In the event of a Personal Security Breach you shall provide assistance and co-operation with us to mitigate the Personal Data Breach, including but not limited to:
- immediately conducting a reasonable investigation of the reasons for and circumstances of the Personal Data Breach
- taking all necessary actions to prevent, contain, and mitigate the impact of, the Personal Data Breach, and remediate the effects of the Personal Data Breach, without delay
- on our request, promptly produce a written report setting out all relevant details concerning the Personal Data Breach, including without limitation any security, risk or compliance assessment and security control audit reports
- provide regular updates to us following a Personal Data Breach
Nothing in this Agreement shall impose or imply any obligation or liability on IMEX in respect of a Personal Data Breach for which you are responsible.
You will not inform any third party of any accidental, unauthorized or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining IMEX's written consent, except when required to do so by domestic law.
You will cover all reasonable expenses, and reimburse IMEX for actual, reasonable expenses we incur, associated with the performance of the obligations under this clause, unless the matter arose from IMEX's specific written instructions, negligence, wilful default or breach of this Agreement, in which case IMEX will cover all reasonable expenses.
11. Indemnity
You agree to indemnify, keep indemnified and defend at your own expense IMEX against all costs, claims, damages or expenses incurred by IMEX or for which IMEX may become liable due to any failure by you or your employees, subcontractors or agents to comply with any obligations under this Agreement or the Data Protection Legislation.
Any limitation of liability set forth in the Supplier Agreement will not apply to this Agreement's indemnity or reimbursement obligations.
12. Reservation of rights
All Shared Personal Data shall remain the property of IMEX. IMEX reserves all rights in the Shared Personal Data. No rights, including intellectual property rights, in respect of the Shared Personal Data are granted to you and no obligations are imposed on IMEX other than those expressly stated in this Agreement.
Except as expressly stated in this Agreement, IMEX makes no express or implied warranty or representations concerning the Shared Personal Data, or the accuracy or completeness of the Shared Personal Data.
13. Consequences of termination
On the termination of the Supplier Agreement, for any reason or expiry of its Term, the Company will securely delete or destroy or, if directed in writing by IMEX, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
This Agreement shall continue to apply to you for as long as any Shared Personal Data remains in your custody or control.
14. Data Controllers
This Agreement does not apply to situations in which we share Personal Data with third parties acting as a separate Data Controller, in which case our Data Sharing Agreement (https://imexevents.com/data-sharing-agreement) shall apply, unless otherwise agreed.
15. Contacting us about these terms
If you have any questions or comments about data protection contact us at [email protected] or by post using our registered office address. For any other questions or comments, contact us.
16. Changes to this Agreement
We’ll regularly review and update this Agreement. Changes shall become effective when published on our website and shall apply to all further Processing of Shared Personal Data agreed from such date.
These terms apply from May 25, 2018.
This Agreement was last updated June 24, 2024.
17. Privacy notice
View here