BACKGROUND:

This Data Processing Addendum (DPA) forms part of the Agreement between ImageRelease Ltd (the Processor) and the subscriber to the Processor’s ImageRelease platform (the Controller) to whom the Processor is providing the Services and sets out the terms that apply when processing Personal Data under the Agreement.

1. Definitions

1.1 In this DPA, the following terms shall have the following meanings:

Agreement: means the agreement between Processor and Controller for the purpose of providing the Services, incorporating the Processor’s Terms & Conditions (Paid Subscribers);
Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including the privacy of electronic communications);
Personal Data: means any information relating to an identified or identifiable natural person that is processed by Processor as part of providing the Services;
Platform: means the web-based platform and mobile app provided by the Processor through which the Services are provided;
Services: means the services provided by Processor to Controller as set out in the Agreement;
UK GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;

1.2 Terms such as "controller", "processor", "processing", "data subject" and "supervisory authority" shall have the meanings given in the Data Protection Legislation.

2. Role of the parties

2.1 The Controller and the Processor acknowledge that, for the purposes of the Data Protection Legislation:

2.1.1 The Controller is the controller of the Personal Data;

2.1.2 The Processor is the processor of the Personal Data;

2.1.3 The subject matter, nature, and purpose of the processing are the provision of image release creation and management services via the Platform as set out in the Agreement;

2.1.4 The types of Personal Data and categories of data subjects are set out in Annex 1 to this DPA.

3. Controller obligations

3.1 The Controller shall:

3.1.1 Ensure it has all necessary rights to transfer the Personal Data to the Processor;

3.1.2 Comply at all times with its obligations under the Data Protection Legislation;

3.1.3 Provide documented instructions to the Processor regarding the processing of Personal Data via the Platform.

4. Processor obligations

4.1 The Processor shall:

4.1.1 Process Personal Data only in accordance with the Agreement or as set out in documented instructions from the Controller via the Platform or otherwise given in writing;

4.1.2 Ensure persons authorised to process Personal Data are under confidentiality obligations;

4.1.3 Implement appropriate technical and organisational measures to ensure the security of processing;

4.1.4 Assist the Controller in responding to data subject rights requests (at the Controller’s expense);

4.1.5 Assist the Controller in ensuring compliance with security obligations (at the Controller’s expense);

4.1.6 Delete or return Personal Data at the end of the processing as set out in the Agreement; and

4.1.7 Make available to the Controller information necessary to demonstrate compliance.

5. Sub-processors

5.1 The Processor:

5.1.1 Has the Controller's general authorisation to engage sub-processors;

5.1.2 Shall maintain a list of sub-processors at Annex 3 to this DPA;

5.1.3 Shall give the Controller notice of intended changes to sub-processors;

5.1.4 Shall ensure sub-processors are bound by written agreements including equivalent obligations to those contained in this DPA.

6. International transfers

6.1 The Processor has the Controller’s general authorisation to transfer Personal Data outside the United Kingdom provided:

6.1.1 The transfer is to a country or territory designated as providing an adequate level of protection for Personal Data under the Data Protection Legislation; or

6.1.2 One of the following appropriate safeguards applies:

(a) Standard data protection clauses issued by the Information Commissioner;

(b) An approved certification mechanism or code of conduct; or

(c) Other contractual clauses authorised or approved by the Information Commissioner; or

6.1.3 The Processor:

(a) Has assessed the circumstances of the transfer;

(b) Can demonstrate appropriate safeguards for the data; and

(c) Will inform the Controller of any material changes; or

6.1.4 One of the specific derogations under Article 49 of the UK GDPR applies.

7. Security measures

The Processor shall implement appropriate technical and organisational measures as set out in Annex 2.

8. Personal data breach

8.1 The Processor shall:

8.1.1 Notify the Controller without undue delay upon becoming aware of a data breach;

8.1.2 Provide sufficient information to allow the Controller to meet its obligations in respect of that breach; and

8.1.3 Document any breaches and remedial action taken.

9. Demonstrating compliance

9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and, subject to clauses 9.2 and 9.3, shall allow for compliance audits by the Controller or its mandated auditor.

9.2 The Controller shall:

9.2.1 Give at least 30 days' written notice of any proposed audit;

9.2.2 Conduct audits no more than once per year unless required by law;

9.2.3 Bear all costs of any audit; and

9.2.4 Ensure any audit minimises disruption to the Processor's operations.

9.3 The Processor may satisfy an audit requirement by providing a recent third-party audit report or certification.

ANNEX 1: DETAILS OF PROCESSING

Categories of Data Subjects:

  • Individual signatories of image releases and associated documents signed and collected via the Platform
  • Models and individuals featured in images stored with those releases for identification purposes
  • Photographers
  • Authorised users of Controller accounts on the Platform
  • Guest users of the Platform nominated by the Controller
  • Children (only when personal data is by or on behalf of the Controller in a child model release completed and signed by an authorised adult)

Types of Personal Data:

  • Names and contact details
  • Age (models only)
  • Photographs of model release signatories (for identity purposes only)
  • Electronic signatures
  • Authorised user account information on Controller’s Platform account (log in details)
  • Release data (IP addresses, device data, signing actions)
  • Special category data (with data subject’s express consent only)

Processing Operations:

  • Correspondence with guest users and release signatories nominated by or on behalf of Controller
  • Creation, collection, signature and storage of image releases
  • Collection and storage of photographs attached for identification purposes to those releases
  • Management of electronic signature process
  • Management of stored releases and attached images on behalf of Controller
  • Authorised user authentication and access control
  • Service administration and support

ANNEX 2: SECURITY MEASURES

Technical Measures:

  • SSL/TLS encryption for data in transit and at rest
  • Access controls and authentication
  • Regular security updates and patch management
  • Secure backup procedures
  • Monitoring and logging
  • Vulnerability scanning and remediation
  • Regular security audits

Organisational Measures:

  • Staff confidentiality agreements
  • Regular staff training
  • Access on need-to-know basis only
  • Documented data protection policies and procedures
  • Data breach response procedures
  • Regular security reviews and audits
  • Physical security controls

ANNEX 3: AUTHORISED SUB-PROCESSORS

The Controller authorises the use of the following sub-processors for the specified processing activities.

The Processor may update this Annex 3 from time to time, provided that the then current version shall be displayed on the Platform.

Current Authorised Sub-processors:

1. Microsoft Azure

Processing Activities: Secure storage of images and model photographs

2. AC PM LLC (trading as Postmark)

Processing Activities: Transactional email provider for the Platform

3. Avoy Technologies Ltd (trading as Snapsea)

Processing Activities: Secure storage of images on behalf of Controllers who also subscribe to Snapsea, and linking those stored images with the related image releases on Our Platform

This DPA was last updated on 14 January 2025.