Arcadia Agency
Still loading... Good things comes to those who wait :)

GDPR Data Processing Policy


This Data Processing Agreement (“Agreement”) is entered into between [Data Controller]
(“Controller”) and Data Processor (collectively referred to as the “Parties”) on this
30.05.2023.
BACKGROUND
A. The Controller is engaged in activities that require the processing of personal data as defined
under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
(“DPA”).
B. The Processor provides certain services to the Controller that may involve the processing of
personal data.
C. The Parties wish to establish the terms and conditions under which the Processor will
process personal data on behalf of the Controller.

  1. DEFINITIONS
    1.1. “Data Protection Laws” means all applicable laws and regulations relating to data protection
    and privacy, including but not limited to the UK GDPR and the DPA.
    1.2. “Personal Data” means any information relating to an identified or identifiable natural
    person, as defined under the Data Protection Laws, that is processed by the Processor on
    behalf of the Controller.
    1.3. “Processing” has the meaning ascribed to it under the Data Protection Laws, and
    “Process,” “Processes,” or “Processed” shall be interpreted accordingly.
  2. SUBJECT MATTER
    2.1. The subject matter of this Agreement is the Processing of Personal Data by the Processor
    on behalf of the Controller for the purposes specified in Section 3.
  3. PURPOSE OF PROCESSING
    3.1. The Processor shall Process Personal Data on behalf of the Controller for the following
    purposes:
    ● Ease of Accounting and Processing Payments
    ● Marketing new projects and services to prospective, regular and past customers
  1. OBLIGATIONS OF THE PROCESSOR
    4.1. The Processor shall:
    ● Process Personal Data in accordance with the Controller’s documented instructions
    unless otherwise required by applicable laws. In such cases, the Processor shall inform
    the Controller of the legal requirement before Processing, unless prohibited by law.
    ● Ensure that persons authorized to process Personal Data have committed themselves to
    confidentiality.
    ● Implement appropriate technical and organizational measures to ensure a level of
    security appropriate to the risk, including but not limited to encryption, pseudonymization,
    and regular testing of security measures.
    ● Assist the Controller in fulfilling its obligations to respond to requests from data subjects,
    including rights to access, rectification, erasure, and restriction of Processing.
    ● Notify the Controller without undue delay after becoming aware of a Personal Data
    breach and provide necessary information to assist the Controller in meeting its breach
    notification obligations.
    ● Provide the Controller with the necessary information to demonstrate compliance with its
    obligations under the Data Protection Laws and allow for and contribute to audits,
    including inspections conducted by the Controller or another auditor mandated by the
    Controller.
  2. SUBPROCESSORS
    5.1. The Processor shall not engage any subprocessor without the prior written consent of the
    Controller. If the Controller provides its consent, the Processor shall enter into a written
    agreement with the subprocessor, imposing data protection obligations that are no less
    protective than those contained in this Agreement.
  3. DATA TRANSFERS
    6.1. The Processor shall not transfer Personal Data to any third country or international
    organization without the prior written consent of the Controller. If the Controller provides its
    consent, the Processor shall ensure that appropriate safeguards are in place to protect the
    Personal Data, including but not limited to the use of standard contractual clauses approved by
    the UK Information Commissioner’s Office.
  4. TERM AND TERMINATION
    7.1. This Agreement shall remain in effect for the duration of the Processor’s engagement by the
    Controller.
    7.2. Either Party may terminate this Agreement in the event of a material breach by the other
    Party, with notice provided to the breaching Party and a reasonable opportunity to cure the
    breach.
    7.3. Upon termination or expiration of this Agreement, the Processor shall, at the choice of the
    Controller, return or delete all Personal Data processed on behalf of the Controller, unless
    required to retain it by applicable laws.
  5. GOVERNING LAW AND JURISDICTION
    8.1. This Agreement shall be governed by and construed in accordance with the laws of The
    United Kingdom. Any disputes arising out of or in connection with this Agreement shall be
    subject to the exclusive jurisdiction of the courts of the United Kingdom.
    IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the
    date first written above.

[Data Controller]
Name: Bryn Jones
Title: Founder

[Data Processor]
Name: Bryn Jones
Title: Founder