Data processor agreement
- When these terms apply
- 1. Shared data and agreed purpose
- 2. Scope and purpose of these Terms
- 3. Security of processing
- 4. Your key processing obligations
- 5. Sub-processing
- 6. Restricted Transfers
- 7. IMEX's rights and obligations
- 8. Information obligations
- 9. Security breaches
- 10. Indemnity
- 11. Reservation of rights
- 12. Consequences of termination
- 13. Law and jurisdiction
- 14. Data Controllers
- 15. Contacting us about these Terms
- 16. Changes to these Terms
- 17. Definitions
- 18. Privacy notice
When these terms apply
The Data Processor Agreement (‘Terms’) form part of the main agreement (‘Supplier Agreement’) between IMEX (Regent Exhibitions Limited and any of our group companies) (‘IMEX’, ‘we’, ‘us’) and its supplier (‘Supplier’, ‘you’) and apply when we engage you as our Data Processor to process IMEX Shared Data on our behalf. You agree to comply with the following Terms. Please see the Definitions section at the end of these Terms.
2. Scope and purpose of these Terms
These Terms reflect the parties’ commitment to abide by Data Protection Legislation concerning the processing of IMEX Shared Data, in connection with the Supplier Agreement. These Terms prescribe the minimum data protection and security standards that you, your agents or assigns must meet and maintain in order to protect IMEX Shared Data from unauthorised use, access, disclosure, theft, manipulation, reproduction, security breach or otherwise during the term of the Supplier Agreement and for any period thereafter during which you, your agents or assigns has possession of or access to any IMEX Shared Data.
The Processing of IMEX Shared Data by you shall take place within the framework of these Terms and only to the extent and for the duration that we have instructed you to do so in relation with the Supplier Agreement.
You shall be our Data Processor.
These Terms shall apply to IMEX and any other entity identified in the Supplier Agreement as third party beneficiaries thereto, who shall be deemed third party beneficiaries of these Terms. These Terms will become legally binding upon the effective date of the Supplier Agreement if referred to therein, or upon the date that parties sign these Terms, if completed later or separately. We reserve the right to revise these Terms from time to time upon reasonable prior written notice and approval by you.
3. Security of processing
You shall implement appropriate technical and organisational measures to ensure a level of Security appropriate to the risk involved under these Terms to:
- protect all IMEX Shared Data from unauthorised use, alteration, access or disclosure, and loss, theft, and damage, and to protect and ensure the confidentiality, integrity and availability of IMEX Shared Data
- prevent a Security Breach
You shall keep accurate records of the Security measures which you have in place and make such records available to us upon request.
You shall regularly test Security measures to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of IMEX Shared Data, and your compliance with these Terms and Data Protection Legislation.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you shall implement appropriate Security measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymising and encryption of IMEX Shared Data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to IMEX Shared Data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assisting and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
- processes to prevent unauthorised persons from gaining access to data processing systems with which IMEX Shared Data are processed or used
- ensuring that it is possible to check and establish whether and by whom IMEX Shared Data has been input into data processing systems, modified or removed
- ensuring that, for commissioned processing of IMEX Shared Data, it is processed strictly in accordance with the instructions of IMEX (job control)
In addition to the above, you shall use all reasonable efforts to comply with any of IMEX’s prevailing Security policies, as the same may be advised to you from time to time.
Significant changes to the above Security measures by you must be agreed by us beforehand in writing.
4. Your key processing obligations
Under these Terms, you shall:
Process IMEX Shared Data only on documented instructions from IMEX
- ensure that persons authorised to process IMEX Shared Data have:
- committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality
- are appropriately trained personnel in relation to processing of Personal Data
- comply with the Security provisions in these Terms
- taking into account the nature of the processing, assist IMEX by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of IMEX’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Legislation
- assist IMEX in ensuring compliance with Data Protection Legislation taking into account the nature of processing and the information available to you
- at the choice of IMEX, delete or return all IMEX Shared Data to us after the end of the provision of services relating to processing, and delete existing copies unless required at law to store IMEX Shared Data
- make available to IMEX all information necessary to demonstrate compliance with the obligations laid down in these Terms and allow for and contribute to audits, including inspections, conducted by IMEX or another auditor mandated by IMEX and immediately inform IMEX if, in your opinion, an instruction infringes Data Protection Legislation
- notify IMEX immediately of any monitoring activities and measures undertaken by the relevant authority that has jurisdiction under Data Protection Legislation
- support IMEX regarding our obligations to provide information about the collection, processing or usage of Personal Data to a Data Subject
- ensure that IMEX Shared Data is not in any way used, manipulated, distributed, copied or processed for any other purpose than for the fulfilment of the contractual obligations as explicitly agreed upon and arising from these Terms
You shall not subcontract your obligations under these Terms to a sub-processor without the prior written consent of IMEX unless such sub-processor undertakes, by way of written agreement, equivalent obligations as imposed on you in these Terms. You shall inform us of your intention to engage a sub-processor and IMEX shall have the right to reasonably oppose the appointment of a new sub-processor if we shall have substantive and legitimate reasons for opposing the appointment and shall notify you of such objections in writing as soon as possible after receipt of your notice relating to such sub-processor. The addition or removal of a sub-processor shall not negatively affect the level of Security within these Terms.
We shall be granted control and examination rights according to these Terms and Data Protection Legislation. This also includes the right of IMEX to obtain information from you, upon written request, on the substance of the contract and the implementation of the data protection obligations within the sub-contract relationship, where necessary by inspecting the relevant contract documents. Where the sub-processor fails to fulfil its data protection obligations under such written agreement with you, you shall remain fully liable to us for the performance of the sub-processor’s obligations under such agreement.
6. Restricted Transfers
This clause applies where IMEX Shared Data is processed outside the UK, EEA or third country with an adequacy decision provided by the UK government or European Union.
In such cases, the EU Standard Contract Clauses (SCC) with the UK International Data Transfer Agreement (IDTA) Addendum must be completed and counter-signed prior to the transfer of IMEX Shared Data. Unless the transfer is required by Data Protection Legislation. In such case, you shall inform us of that legal requirement before processing, unless prohibited at law on grounds of public interest.
7. IMEX's rights and obligations
Rights to monitor: IMEX is entitled to appoint a third party independent auditor in the possession of the required professional qualifications and bound by a duty of confidentiality, which auditor must be reasonably acceptable to you, to inspect your compliance with these Terms and Data Protection Legislation and as may be required to determine the truthfulness and completeness of the statements submitted by you under these Terms. Our right to audit shall be subject to giving you at least two (2) weeks prior written notice of any such audit, except in cases of actual or suspected Security Breaches.
You shall deal promptly and properly with all enquiries from us relating to your processing of the IMEX Shared Data subject to these Terms.
Rectification, deletion and blocking of data: Upon instruction from us, you shall correct, rectify or block IMEX Shared Data.
8. Information obligations
If you cannot provide compliance or foresee that you cannot comply with your obligations as set out in these Terms, for whatever reasons, you agree to promptly inform IMEX of your inability to comply, in which case IMEX is entitled to suspend the transfer of IMEX Shared Data to you, without prejudice to any other right or remedy we may have.
You will notify IMEX as soon as practicable about:
- any legally binding request for disclosure of the IMEX Shared Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation
- any accidental, unauthorised or unlawful access or attempted unauthorised access, or destruction, loss, alteration or disclosure or other event that constitutes an IMEX Shared Data breach or other Security Breach and in any event within 1 working day of becoming aware of such event (and comply with the Security Breach Provisions below)
- any request received directly from Data Subjects without responding to that request, unless you have been otherwise authorised to do so and in any event within 7 days of receiving such request
9. Security breaches
Further to the above, in the event of a Security Breach, following your notification, you shall provide assistance and co-operation with us to mitigate the Security Breach, including to:
- immediately conduct a reasonable investigation of the reasons for and circumstances of such Security Breach
- take all necessary actions to prevent, contain, and mitigate the impact of, such Security Breach, and remediate such Security Breach, without delay
- remediate the effects of a Security Breach
- on our request, promptly produce a written report setting out all relevant details concerning such Security Breach, including without limitation any security, risk or compliance assessment and security control audit reports
- provide regular updates to us following a Security Breach
You shall indemnify IMEX against any claims by a third party or regulatory authority that arise as a result of your non-compliance with your obligations under these Terms or otherwise under Data Protection Legislation.
11. Reservation of rights
All IMEX Shared Data shall remain the property of IMEX where such proprietary rights arise at law. We reserve all rights in IMEX Shared Data. No rights, including intellectual property rights, in respect of IMEX Shared Data are granted to you and no obligations are imposed on IMEX other than those expressly stated in these Terms.
Except as expressly stated in these Terms, we make no express or implied warranty or representations concerning IMEX Shared Data, or the accuracy or completeness of IMEX Shared Data.
12. Consequences of termination
On the termination of the Supplier Agreement, you shall, at our choice, return all IMEX Shared Data transferred to you including any data storage media supplied to you, and all copies thereof or (at our option) destroy all IMEX Shared Data and certify to IMEX that you have done so, unless Data Protection Legislation prevents this. In that case, you warrant that you will guarantee the confidentiality of IMEX Shared Data transferred, you will not actively process remaining IMEX Shared Data. These Terms shall continue to apply to you for as long as any IMEX Shared Data remains in your custody or control.
13. Law and jurisdiction
These Terms are governed by the law and jurisdiction applicable to the Supplier Agreement.
14. Data Controllers
The Policy does not apply to situations in which we share Personal Data with third parties acting as a separate Data Controller, in which case our Data Sharing Agreement shall apply, unless otherwise agreed.
15. Contacting us about these Terms
If you have any questions or comments about data protection please contact us at [email protected] or by post using our registered office address. For any other questions or comments, please contact us
We are Regent Exhibitions Limited, company number 04244004 with our registered office at The Agora, First Floor, Ellen Street, Hove, East Sussex, BN3 3LN, United Kingdom.
16. Changes to these Terms
We’ll regularly review and update these Terms. Changes shall become effective when published on our website and shall apply to all further processing of IMEX Shared Data agreed from such date.
These Terms apply from 25 May 2018.
These Terms were last updated 28 October 2022.
Certain words used in these Terms have the following meanings, unless the context otherwise requires:
- ‘Agreed Purpose’ means the express purpose for which we share IMEX Shared Data with you as set out in the Supplier Agreement.
- ‘Data Protection Legislation’ means the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any applicable national and state legislation protecting Personal Data (in each case, as all amended, updated or re-enacted from time to time).
- ‘Security’ means a party’s technological, physical, administrative, organisational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part, to:
- protect the confidentiality, integrity or availability of the IMEX Shared Data
- prevent the unauthorised use of or unauthorised access to the IMEX Shared Data
- prevent the loss, theft or damage of the IMEX Shared Data
- comply with Data Protection Legislation
- ‘Security Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the IMEX Shared Data.
- ‘Supplier Agreement’ means the commercial agreement in place between the parties.
- IMEX Shared Data means data (regardless of form, e.g. electronic, paper copy etc.) that is provided by us to you for the Agreed Purpose, and which for Personal Data you are not the Data Controller of in your own right.
- ‘Data Controller’, ‘Joint Controllers’, ‘Data Processor’, ‘Data Subject’ and ‘Personal Data’, ‘processing’ and ‘appropriate technical and organisational measures’ shall have the meanings given to them in the applicable Data Protection Legislation.
18. Privacy notice