Personal Data Processing Agreement (PDPA)

July 1, 2023

Background

a. The Client and Catch Photo have entered into an Agreement that will require Catch Photo to process Personal Data on behalf of the Client.

b. This PDPA sets out all obligations that Catch Photo are subject to under the Data Protection Legislation.

Agreed Terms

1. Definitions and interpretation

The following definitions and rules of interpretation apply in this PDPA.

1.1. Definitions:

Agreement: the agreement for Catch Photo to provide services to the Client in order to meet the Business Purposes.

Business Purposes: the services to be provided by Catch Photo to the Client as described in ANNEX A.

Controller, Processor, Data Subject, Data Subject Rights, Personal Data, Data Protection Impact Assessments, Personal Data Breach, Processing and Third Country:have the meanings given to them in the Data Protection Legislation.

Data Protection Legislation:

a) To the extent the UK GDPR applies that regulation.

b) To the extent the EU GDPR applies that regulation.

Data Subject(s): the identifiable individual(s) whose Personal Data is processed by Catch Photo.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual.

Regulator: for the UK the Information Commissioner and for any other country within the EU or other country subject to the Data Protection Legislation their data protection authority.

Standard Contractual Clauses (SCCs):the ICO’s International Data Transfer Agreement for the transfer of personal data from the UK and/or the ICO’s International Data Transfer Addendum to EU Commission Standard Contractual Clauses and/or the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2. This PDPA is subject to the terms of the Agreement and is incorporated into the Agreement.

1.3. Annex A forms part of this PDPA and will have effect as if set out in full in the body of this PDPA.

1.4. A reference to writing or written includes email.

2. Personal data types and processing purposes

2.1. The Client and Catch Photo agree and acknowledge that for the purpose of the Data Protection Legislation the Client is the Controller and Catch Photo is the Processor.

3. Catch Photo’s obligations

3.1. Catch Photo must only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client’s written instructions.

3.2. ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Catch Photo may process the Personal Data to fulfil the Business Purposes.

3.3. Catch Photo must not process the Personal Data for any other purpose unless required to do so by domestic law. In such a case, Catch Photo must inform the Client of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.

3.4. Catch Photo must promptly notify the Client if, in its opinion, the Client’s instructions do not comply with the Data Protection Legislation.

3.5. Catch Photo (and any persons authorised to process it) must maintain the confidentiality of the Personal Data.

3.6. Catch Photo must reasonably assist the Client with meeting the Client’s compliance obligations under the Data Protection Legislation, taking into account the nature of Catch Photo’s processing and the information available to Catch Photo, including in relation to security, notifying the Regulator and where appropriate Data Subjects where there has been a Personal Data Breach and undertaking of Data Protection Impact Assessments including any consulting with the Regulator.

4. Security

4.1. Catch Photo must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

5. Personal Data Breach

5.1. Catch Photo will without undue delay notify the Client if it becomes aware of any Personal Data Breach.

5.2. Where Catch Photo becomes aware of a breach, it shall also provide the Client with the following information:

(a) description of the nature of the breach including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

(b) the likely consequences; and

(c) a description of the measures taken or proposed to be taken to address the breach including measures to mitigate its possible adverse effects.

5.3. Following any Personal Data Breach, the parties will coordinate with each other to investigate the matter. Further, Catch Photo will reasonably cooperate with the Client in the Client’s handling of the matter.

6. Cross-border transfers of personal data

6.1. Catch Photo (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or EEA without obtaining the Client’s prior written consent.

6.2. Where such consent is granted, Catch Photo may only process, or permit the processing, of the Personal Data outside the UK or EEA under the following conditions:

(a) Catch Photo is processing the Personal Data in a third country which is subject to adequacy regulations under the Data Protection Legislation, or,

(b) Catch Photo participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Catch Photo (and, where appropriate, the Client) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the Data Protection Legislation; or

(c) the transfer otherwise complies with the Data Protection Legislation.

7. Subcontractors

7.1. Client provides a general authorisation to Catch Photo to engage where necessary a third party (subcontractor) to process some or all of the Personal Data.

7.2. Those subcontractors approved as at the commencement of this Agreement are as set out in ANNEX A.

7.3. Where a sub-contractor is to be replaced or added Catch Photo will notify the Client and provide them with an opportunity to object to the change within 14 working days after Catch Photo supplies the Client with full details in writing regarding such subcontractor.

7.4. Catch Photo must enter into a written contract with the subcontractor that contains terms substantially the same as those set out in this PDPA, in particular, in relation to requiring the putting into place of appropriate technical and organisational security measures.

8. Data Subject requests

8.1. Catch Photo must assist the Client by having in place such technical and organisational measures as may be appropriate to enable the Client to comply with requests of Data Subjects made under the Data Protection Legislation.

9. Data return and destruction

9.1. Subject to Schedule A on termination of the Agreement for any reason or expiry of its term, Catch Photo will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this PDPA in its possession or control unless domestic law requires storage of the Personal Data.

10. Audit

10.1. Catch Photo will make available all information that the Client reasonably requires to prove its compliance with the Data Protection Legislation.

10.2. Catch Photo will permit the Client and its third-party representatives to audit Catch Photo’s compliance with its obligations under the Data Protection Legislation, on at least 5 days’ notice, during the Term. Catch Photo will give the Client and its third-party representatives all reasonably necessary assistance during such audits.

Annex A

Personal Data processing purposes and details

The capture and editing of vehicle image files using artificial intelligence

Duration of Processing:

For the length of the Agreement plus 90 days after which point personal data is erased.

Nature of Processing:

The transfer of data to Client automatically in response to Client requests. Catch Photo has read-only access to data of Client.

Business Purposes:

The capture and editing of vehicle image files using artificial intelligence including branding by inclusion of Client business name, brand mark and/or slogan.

Data Subject Types:

1) Client

2) Employees of Client

Personal Data Categories:

1) Client-Name; contact details (email/ phone/ physical address/ secondary locations if applicable); vehicle details (VIN/ licence plate/ Registration certificate)

2) Employees of Client-Name and contact details

Amazon Web Services-storage of data of Client

The capture and editing of vehicle image files using artificial intelligence including branding by inclusion of Client business name, brand mark and/or slogan.