Data Processor Agreement
Please read through and complete the below consent.
This agreement forms a contract detailing your instruction, and therefore the consent, for Ward-Hendry to
process data that you provide as specified below. To complete this consent, enter your name, confirm your email
address and tick both boxes before pressing “Submit”. You will receive a confirmation email with a copy of this
document to the email address entered.
1. Introduction and Subject Matter
1.1 This agreement re processing of personal data (the “Data Processor Agreement”) regulates Ward-Hendry, Company registration no. 5639678, as a part of The School Photography Company (the “Data Processor”) processing of personal data on behalf of the School (the “Data Controller”). This is on the basis that the parties have agreed for the Data Processor’s delivery of student photographic services (the “Main Services”) with the use of student names data (the “Personal Data”) provided by the Data Controller.
1.1.1 Student Portrait Photographs is one of the Main Services provided. The Personal Data required to complete this service is only needed when the Data Controller requests data matched images to update the School database records. This isn’t a requisite of the service as there is the option of completing these photographs without the transfer of Personal Data; this will however result in not being able to provide the school with data matched images. The images that can be presented will only have the student image without any corresponding student information.
1.1.2 Group Photographs is another of the Main Services provided. The Personal Data required to complete this service is only needed when the Data Controller requests that all people present in the photograph have their names printed underneath the photograph. This isn’t a requisite of the service as there is the option of completing these photographs without the transfer of Personal Data; this will however result in not being able to provide the school with a group photograph with names. The photograph can be produced with a title of the group underneath instead.
2. Applicable Law and Supervisory Authorities
2.1 The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), and any relevant supervisory authorities including in particular:
i. The UK General Data Protection Regulation, 31st December 2020 (“GDPR”). This replaced the EU-GDPR post Brexit.
ii. The Copyright, Designs and Patents Act 1988.
iii. Co-operate with supervisory authorities such as the Information Commissioner’s Office (“ICO”).
3. Processing of Personal Data
3.1 In connection with the Data Processor’s delivery of the Main Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s Personal Data on behalf of the Data Controller.
3.2 “Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the “Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are:
i. Student and/or staff name.
ii. Student form/class.
iii. Student admission number.
3.3 The Data Processor only performs processing activities that are necessary and relevant to perform the Main Services. The parties shall update the above list whenever changes occur that necessitate an update.
3.4 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 30 (2).
3.5 The Data Processor processes personal data provided by the Data Controller to enable the Data Processor to produce the photographic product requested by the Data Controller, to administer orders and deliver photographs. The Personal Data is not comprised by this Data Processor Agreement, because the Data Processor is data controller for said personal data, and reference is made to the Data Processor’s data protection and privacy policy available on the Data Processor’s website.
4. The Data Controller’s Obligations and Rights
4.1 The Data Processor may only act and process the Personal Data further to documented instruction from the Data Controller (the “Instruction”). The Instruction is at the time of entering into this Data Processor Agreement and is continued on each and every occasion that the Data Controller provides the Personal Data; this is on the basis that the Data Processor will only process the Personal Data with the purpose of delivering the Main Services.
4.2 The Data Controller guarantees that the Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with the Applicable Law, including the legislative requirements re lawfulness of processing.
4.3 The Data Processor shall give notice without undue delay if the Data Processor considers the Instruction to be in conflict with the Applicable Law.
5. The Data Processor’s Obligations
5.1 Confidentiality
5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data will be processed in accordance with the Main Services as agreed by the Data Controller. However the Personal Data may not be copied or transferred in conflict with the Instruction, unless the Data Controller in writing has agreed hereto.
5.1.2 The Data Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Processor Agreement with strict confidentiality and in accordance with our General Data Protection Regulation Policy.
5.2 Security
5.2.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32.
5.3 The Data Processor shall ensure that access to the Personal Data is restricted to only the employees to whom it is necessary and relevant to process the Personal Data in order for the Data Processor to perform the Main Services and obligations specified under this Data Processor Agreement.
5.4 The Data Processor shall also ensure that the Data Processor’s employees working on processing the Personal Data only process the Personal Data in accordance with the Instruction to provide the Main Services.
5.4.1 The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.
5.5 The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.
5.6 Data protection impact assessments and prior consultation
5.6.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
5.7 Rights of the data subjects
5.7.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
5.7.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor will immediately inform the Data Controller of this request.
5.8 Personal Data Breaches
5.8.1 The Data Processor shall give immediate notice to the Data Controller if a breach of the data security occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).
5.8.2 The Data Processor shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:
i. A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.
ii. A description of the likely as well as actually occurred consequences of the Personal Data Breach.
iii. A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
5.8.3 The register of any relevant Personal Data Breaches shall be provided to the Data Controller in copy if so requested in writing by the Data Controller or the relevant Data Protection Agency.
5.9 Documentation of compliance
5.9.1 The Data Processor shall after the Data Controller’s written request hereof provide documentation substantiating that:
i. the Data Processor complies with its obligations under this Data Processor Agreement and the Instruction; and
ii. the Data Processor complies with the Applicable Law in respect of the processing of the Data Controller’s Personal Data.
5.9.2 The Data Processor’s documentation of compliance shall be provided within 28 days.
5.10 Location of the Personal Data
5.10.1 The Personal Data is only processed by the Data Processor at the Data Processor’s address. The Data Processor does not transfer the Personal Data to other countries or international organisations.
6. Sub-Processors
6.1 The Data Processor does not engage third-parties to process the Personal Data (“Sub-Processors”). Therefore a sub-processor will not be used without obtaining written, specific authorization from the Data Controller.
7. Duration
7.1 The Data Processor Agreement shall remain in force with the Data Controller until the Data Controller no longer chooses to use the Main Services of the Data Processor.
7.2 All Personal Data provided by the Data Controller will be retained for a minimum period of 2 months and for a maximum period of 6 months following the Personal Data received date; this is to ensure that we can complete the duties required for the Main Services provided. After this date the data received is permanently deleted.
7.3 Data audits are completed every six months to ensure that the data being held is up-to-date, relevant and necessary. The data storage rules are detailed in our GDPR policy.
8. Termination of Main Services
8.1 The Data Processor’s authorisation to process Personal Data on behalf of the Data Controller shall be annulled at the termination of the Main Services and therefore this Data Processor Agreement.
8.2 The Data Processor shall continue to process the Personal Data for up to three months after the termination of the Data Processor Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Data Controller’s Personal Data in the three months after the termination of the Main Services and therefore this Data Processor Agreement shall be considered as being in accordance with the Instruction.
8.3 At the termination of the Main Services and therefore this Data Processor Agreement, the Data Processor shall return the Personal Data processed under this Data Processor Agreement to the Data Controller, provided that the Data Controller is not already in possession of the Personal Data. The Data Processor is hereafter obliged to delete all the Personal Data and provide documentation for such deletion to the Data Controller.