GDPR - applies for Sole Traders

Data Processing Agreement pursuant to Art. 28 GDPR



Production Resource Group UK Ltd,
Unit 2 Cofton Centre
Grovely Lane, Longbridge, Birmingham B31 4PT

- Controller - hereinafter referred to as the Client -


Freelance Crew
- Processor - hereinafter referred to as the Contractor -

[if applicable: Representative pursuant to Art. 27 GDPR:]

“The individual provisions of Article 28 paragraph 3 of the GDPR should be fully incorporated into the agreement and worked through as a checklist. The alternatives applicable to the specific service relationship should be ticked. Blank fields must be filled in according to the specific order. Remuneration and liability regulations for the Contractor’s individual service should be agreed in the main contract”

1. Subject and duration of the order
(1) Subject
The subject of the data handling order is the Contractor’s performance of the following duties:
• providing technical support for live events as defined by the Client
(2) Term
The term of this order is for an unlimited period and can be terminated by request in writing.
This is without prejudice to the option of terminating the agreement without notice.

2. Specification of the order contents
(1) For the purposes of this order, the following terms shall have the following meaning:
“Data Protection Laws” means all applicable data protection laws, including Regulation (EU) 2016/679 (the “GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as each may be amended, updated or replaced from time to time by the proposed Regulation on Privacy and Electronic Communications) and references to “Controller”, “data subjects”, “personal data”, “process”, “processed”, “processing”, “Processor” and “Supervisory Authority” have the meanings set out in, and will be interpreted in accordance with, such Data Protection Laws.
(2) Scope, nature and purpose of the proposed data processing
Detailed description of the order subject with regard to the nature and purpose of the Contractor’s tasks:
• Receiving of basic personal data of subcontractors, employees, clients and on site contacts via call sheets
• Receiving of contact information via crew and production schedules, contact sheets etc.
• Inclusion in shared/group itineraries (online and off-line)
• Inclusion in client Health & Safety site file
• Any other tasks that the client may instruct the contractor to carry out
(3) Type of data
The subject of the personal data processing is, in particular, the following types/categories of data (description of the data categories)
• Personal master data (basic information such as name, contact email, contact phone number)
(4) Categories of data subjects
The categories of data subjects affected by processing include:
• Subcontractors
• On site contact information
• Employees
• Suppliers

3. Technical and organisational measures
(1) The Contractor must document the implementation of the technical and organisational measures set out prior to the award of the order and prior to processing, with particular regard to the specific execution of the order, and hand them over to the Client for review. If accepted by the Client, the documented measures become the basis of the order. If the Client’s review/audit results in a need for adjustment, this must be implemented by mutual agreement.
(2) The Contractor shall implement and maintain security measures in accordance with Data Protection Laws (including Articles 5(1) and (2), 28(3)(c) and 32 GDPR) to ensure a level of protection appropriate to the level of risk presented by processing personal data in connection with this order, in particular with regard to the confidentiality, integrity, availability and resilience of the systems. In performing these, the state of the art, the implementation costs and the nature, scope and purpose of the processing, as well as the different probability and severity of the risk for the rights and freedoms of those data subjects whose personal data is being processed, shall be taken into account. [Details in Appendix 2].
(3) The technical and organisational measures are subject to technical advances and further development. In this regard, the Contractor is permitted to implement alternative adequate measures. At the same time, the safety level of the specified measures must be upheld. Significant changes must be documented and promptly submitted to the Client.

4. Rectification, limitation and deletion of data
(1) The Contractor may not correct, delete or restrict the processing of personal data that is processed on behalf of the Client under its own responsibility, but only in accordance with documented instructions from the Client. If a data subject should contact the Contractor directly with regard to these, the Contractor shall immediately forward this request to the Client.
(2) Taking into account the nature of the processing, the Contractor shall directly ensure the deletion concept, the right to be forgotten, to rectification, to data portability and to information, according to the Client's documented instructions.

5. Quality assurance and Contractor’s other obligations
In addition to compliance with the provisions of this order, the Contractor must uphold statutory obligations in accordance with the Data Protection Laws (including Articles 28 to 33 GDPR).

6. Sub-contractual relations
(1) For the purposes of this order, sub-contractual relationships are those whereby the Contractor has engaged a third party to provide services which involve the processing of personal data on behalf of the Client.
(2) The Contractor may only commission subcontractors (other Processors) following prior express written consent from the Client.
(3) The transfer of the Client’s personal data to the subcontractor and its initial action shall only be permitted upon submission of all conditions for subcontracting as set out in this section 6.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure admissibility with regard to Data Protection Laws by taking appropriate measures. The same applies if service providers within the meaning of (1) (2) are to be used.
The processing of personal data by subcontractors in a third country is generally not permitted. If – in exceptional circumstances and following the Client’s prior authorisation – personal data is processed in a third country, it shall be exclusively performed on the basis of the standard contractual clauses for contract data processors in the form of Decision 2010/87/EU for the transfer of personal data to processors based in third countries. The Client responsible for data processing is hereby the data exporter and the subcontractor based in the third country is the data importer.

7. Client’s monitoring rights
(1) The Client, or third parties authorised by it, has the right to carry out checks of the order on the Contractor’s premises or to have these carried out by an auditor to be named in individual cases. It has the right to satisfy itself regarding the Contractor’s compliance with this agreement in its business by carrying out inspections.
(2) The Contractor shall ensure that the Client can satisfy itself regarding compliance with the Contractor’s obligations in this order and in accordance with Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to prove the implementation of the technical and organisational measures.

8. Contractor’s obligations
The Contractor shall assist the Client in complying with obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as referred to in Articles 32 to 36 of the GDPR. These include:

a) ensuring an adequate level of protection through technical and organisational measures, which take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible breach of rights via security vulnerabilities, and enable the immediate detection of relevant occurrences of damage
b) the obligation to report violations of personal data immediately to the Client
c) the obligation to support the Client in providing information to the data subject and to provide it with all relevant information in this relation without delay
d) supporting the Client with its privacy impact assessment
e) supporting the Client with the supervisory authority’s prior consultations

9. Client’s authority
(1) The Client shall confirm any verbal instructions immediately afterwards in writing.
(2) The Contractor must inform the Client without delay if it believes a directive to be in conflict with the provisions of data protection law. The Contractor is entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the Client.
(3) Persons authorised by the Client to issue instructions are entitled to authorise further persons to issue instructions for carrying out/organising/monitoring the jointly agreed scope of services.
Persons authorised by the Client to issue instructions:
• Crewing Services Department
• Project Management Department
• Account Management Department

10. Deletion and return of personal data
(1) No copies and duplicates of the personal data shall be created without the Client’s knowledge. Exceptions to this are security copies that are necessary to guarantee proper personal data processing, as well as personal data that is required for compliance with statutory retention obligations.
(2) After conclusion of the contractually agreed work, or sooner at the Client’s request – at the latest upon termination of the Service Agreement – the Contractor must hand over to the Client any documents, processing or usage results or databases connected to the contractual relationship that are still in its possession, or destroy these in accordance with data protection after prior consent. The same applies to test and scrap material. The log of the deletion must be submitted on request.
(3) Documentation serving as proof of orderly and proper data processing shall be kept by the Contractor according to the respective retention periods beyond the end of the contract. It may hand them over to the Client for its exoneration at end of the order.

11. Miscellaneous
(1) Should the Client’s property that lies with the Contractor be endangered by third-party measures (such as seizure or confiscation), by insolvency or composition proceedings or by other events, the Contractor must inform the Client without delay.
(2) Ancillary agreements must be made in writing.
(3) Should individual parts of this Agreement be or become ineffective, this shall not otherwise affect the validity of the Agreement.

Annex 2 - Technical and Organisational Measures - Basic Security

Annex 1 - Technical and organisational measures
1. Confidentiality (Article 32 (1) (b) GDPR)
• Access control: No unauthorised access to data processing systems, for example: magnetic or chip cards, keys, electric door openers, security or doorpeople, alarm systems, video installations;
• Access control: No unauthorised system usage, e.g. (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers;
• Access control: No unauthorised reading, copying, alteration or removal within the system, e.g. authorisation concepts and needs-based access rights, logging of accesses;
• Separation control: Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing;
• Pseudonymisation (Article 32 (1) (a) GDPR; Article 25 (1) GDPR): Personal data shall be processed in such a way that the data can no longer be associated with a specific data subject without using additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.

2. Integrity (Article 32 (1) (b) GDPR)
• Transfer control: No unauthorised reading, copying, alteration or removal during electronic transmission or transport, e.g. encryption, virtual private networks (VPNs) and electronic signatures;
• Entry monitoring: Ascertainment of whether and by whom personal data was entered, changed or removed in the data processing systems. Logging, document management;

3. Availability and resilience (Article 32 (1) (b) GDPR)
• Availability control: Protection against accidental or wilful destruction or loss, for example: backup strategy (online/offline, on-site/off-site), uninterruptible power supply (UPS), antivirus, firewall, reporting and contingency plans;
• Fast recoverability (Article 32 (1) (c) GDPR)

4. Procedure for regular review, assessment and evaluation (Article 32 (1) (d) GDPR, Article 25 (1) GDPR)
• Privacy management;
• Incident response management;
• Default privacy settings (Article 25 (2) GDPR);
• Order monitoring: No order data processing within the meaning of Article 28 GDPR without the Client’s corresponding instructions, for example: clear order design, formalised order management, strict selection of the service provider, advance satisfaction obligation, follow-up checks.

UK Company Policy