The following apply to all contracts (each a “Third-Party Contract”) between Rainlight Studio Ltd (“Rainlight”) and any third-party supplier of products or services including all vendors, designers, and manufacturers (each a “Third-Party Contractor”):
The following defined terms shall have the following meanings:
“Applicable Data Protection Laws” shall mean the data protection regulations with jurisdiction over a Third-Party Contract including, without limitation, the DPA and GDPR as defined below.
“EU” shall mean the European Union.
“GDPR” shall mean the General Data Protection Regulation (EU) 2016/679, read in conjunction with and subject to: (a) the UK Data Privacy Act of 1998; (b) from 25th May 2018, the UK Data Privacy Act of 2018; or (b) from the date of implementation, any applicable UK national legislation that supersedes or replaces the EU General Data Protection Regulation 2016/679 in the UK or which applies the operation of this regulation as if it were part of UK national law.
“UK” shall mean the United Kingdom of Britain, Wales, Scotland and Northern Ireland.
“Personal Information” shall have the meanings set out in the Applicable Data Protection Laws or, in the absence of a statutory definition, Personal Information shall mean any information relating to a person or their household that enables that person to be identified either directly or indirectly.
“data subject”, “consumer” “controller”, “processor”, “processing”, and “sell” shall have the meaning set out in the Applicable Data Protection Laws.
From the date written above, this Third-Party Data Privacy Addendum applies only to the Personal Information of residents of the EU and UK.
Rainlight and Third-Party Contractor:
- Shall comply with Applicable Data Protection Laws and this Third-Party Data Privacy Addendum and shall not perform their obligations under the Third-Party Contact in such a way as to cause the other to breach any of its applicable obligations under Applicable Data Protection Laws and this Third-Party Data Privacy Addendum;
- Agree that, under the GDPR, the factual arrangements between them may dictate the classification of Third-Party Contractor as a “data processor”;
- Acknowledge that Rainlight retains all rights, title and interest in the data (Personal Information or otherwise) including any amendments or alterations to such data made by Third-Party Contractor or on Third-Party Contractor’s behalf; and
- If any of these obligations are unclear, Third-Party Contractor shall notify Rainlight and seek clarification, in writing, by email to firstname.lastname@example.org or by mail to Rainlight Studio Ltd, Exmouth House 3-11 Pine Street, London EC1R 0JH; Attention: Rainlight Privacy.
4.0 PROCESSOR/HANDLER OF PERSONAL INFORMATION
Where Third-Party Contractor processes or otherwise handles Personal Information on behalf of Rainlight, Third-Party Contractor shall:
- Process and handle the Personal Information only in accordance with the Third-Party Contract and the documented instructions of Rainlight and not make any use of the Personal Information for its own purposes, regardless of whether the Personal Information is converted to an anonymised and/or aggregated form;
- Implement appropriate technical and organisational measures to protect the Personal Information against unauthorised or unlawful processing and handling and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorised or unlawful processing or handling, accidental loss, destruction or damage to the Personal Information and having regard to the nature of the Personal Information which is to be protected and shall include inter alia as appropriate:
- The pseudonymisation and encryption of the Personal Information;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing the Personal Information;
- The ability to restore the availability and access to the Personal Information in a timely manner in the event of a physical or technical incident; and
- A process for regular testing, assessing and evaluating the effectiveness of technical and organisation measures for ensuring the security of any processing;
- Only permit the Personal Information to be processed or handled by persons who are bound by enforceable obligations of confidentiality and take steps to ensure such persons only act on Third-Party Contractor’s instructions in relation to the processing or handling;
- Not transfer Personal Information outside of the European Economic Area without the prior written consent of Rainlight and, where Rainlight consents to such transfer, warrants that the transfer shall be made in such a way as to ensure that the level of protection offered to natural persons by the Applicable Data Protection Laws is not undermined;
- Obtain prior written consent from Rainlight to transfer the Personal Information to any agents, subcontractors, affiliates or any other third-parties and where Rainlight consents, Third-Party Contractor shall:
- Ensure that any such agents, subcontractors, affiliates or other third parties are subject to, and contractually bound by, at least the same obligations as Third-Party Contractor is to Rainlight under this Third-Party Data Privacy Addendum;
- Provide to Rainlight copies of any documentation to demonstrate compliance with the obligations in this Third-Party Data Privacy Addendum; and
- Remain fully liable to Rainlight for all acts and omissions of any agents, subcontractors, affiliates or third parties;
- Promptly alert and inform Rainlight of a Personal Information breach (including, but not limited to, any unauthorised or unlawful processing, handling, access to, loss of, damage to or destruction of Personal Information) suffered by Third-Party Contractor or by any agents, subcontractors, affiliates or third parties to which Personal Information has been transferred and provide all necessary cooperation and assistance to enable Rainlight to comply with its obligations under Applicable Data Protection Laws and to reduce the impact of the incident on its business operations and reputation. Third-Party Contractor shall not inform any third party of the Personal Information breach without first obtaining Rainlight’s prior written consent, except when law or regulation requires it;
- Permit Rainlight (subject to reasonable and appropriate confidentiality undertakings and to inspect and audit Third-Party Contractor’s data processing activities to enable Rainlight to verify and/or procure that Third-Party Contractor is complying with its obligations under this Third-Party Data Privacy Addendum;
- On Rainlight’s request, assist Rainlight to respond to requests from data subjects and consumers who are exercising their rights under Applicable Data Protection Laws (having obtained Rainlight’s consent to do so) and forward to Rainlight all communications it receives from third-parties relating to the processing or handling of any Personal Information which suggests non-compliance by Rainlight and / or Third-Party Contractor with Applicable Data Protection Laws and not do anything or enter into any communication with such third party unless expressly authorised to do so by Rainlight or required by applicable law;
- On Rainlight’s request, assist Rainlight to comply with Rainlight’s obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of the Applicable Data Protection Legislation), comprising (if applicable): (a) notifying a supervisory authority that Third-Party Contractor has suffered a data breach; (b) communicating a data breach to an affected individual; (c) carrying out an impact assessment; and (d) where required under an impact assessment, engaging in prior consultation with a supervisory authority;
- Unless applicable law requires otherwise, upon termination of the agreement at the option of Rainlight comply or procure compliance with the following (i) delete all Personal Information provided by Rainlight to Third-Party Contractor permanently, safely and securely and provide Rainlight with a certificate of destruction; and/or (ii) return to Rainlight all Personal Information and any other information provided by Rainlight to Third-Party Contractor; and (iii) cease to process the Personal Information; and
- Not sell to any third-party the Personal Information of any person
- Upon receipt of a request to know or a request to delete from a Consumer regarding the Personal Information and does not comply with such request, Third-Party Contractor shall explain the basis for the denial and inform the Consumer to submit the request directly to Rainlight and provide the Consumer with the contact information for Rainlight;
- Upon Rainlight’s written request, and subject to and in accordance with all applicable laws, Third-Party Contractor, as a Service Provider, agrees to promptly delete any and all Personal Information of a Consumer;
- Indemnify and keep indemnified Rainlight against all losses, costs, expenses, damages, liabilities, demands, claims, actions or proceedings which Rainlight may incur or suffer, including fines or penalties awarded against it by the relevant data protection regulator, because of any breach of any of the obligations set out in this Third-Party Data Privacy Addendum.
- If Third-Party Contractor is unable to comply with any of the foregoing obligations, promptly notify Rainlight in writing by email to email@example.com or by mail to Rainlight Ltd, Exmouth House 3-11 Pine Street, London EC1R 0JH; Attention: Rainlight Privacy.
5.0 PROCESSING PARTICULARS
Third-Party Contractor acknowledges that the factual description of the subject-matter, duration of the processing or handling, the nature and purpose of the processing or handling, the type of Personal Information and the categories of data subjects and consumers (the “Processing Particulars”) are as set out in the Third-Party Contract. Third-Party Contractor will notify Rainlight if the Processing Particulars are not set out in the Third-Party Contract to a reasonably satisfactory level of detail (taking into consideration any applicable regulatory guidance available from time to time).
6.0 CHANGES TO THIS POLICY
As we strive to improve our practices, we may review Rainlight’s Third-Party Data Privacy Addendum from time to time. We reserve the right to change this policy at any time and to notify you of those changes by posting an updated version of this policy on our website. It is your responsibility to check our policy each time before you access our website for any changes.
For questions about this Third-Party Data Privacy Addendum, please contact us by email at firstname.lastname@example.org or by mail to Rainlight Studio Ltd, Exmouth House 3-11 Pine Street, London EC1R 0JH; Attention: Rainlight Privacy.