The Small Print…
Provisions to comply with the General Data Protection Regulation
Supplemental Terms and Conditions – Issue May 2018
A. UK Data Protection Law will change on 25 May 2018 when the EU General Data Protection Regulation ((EU) 2016/679) takes effect.
B. Either you and/or your affiliates, including subsidiaries and holding companies, have a sub-contract, supply agreement, consultancy agreement or other contractual agreement in place with a company within Oasis Studios Group.
C. The provisions of this Addendum will come into force between you and the Oasis Studio, from 25 May 2018, to coincide with the taking effect of the GDPR.
Oasis Studio: whose registered office is at The White House, 10-12 High Street Eckington, Derbyshire S21 4DN and its subsidiaries from time to time.
Contract: the sub-contract, supply agreement, consultancy agreement or other contractual agreement in place between you and the Oasis Studio Company.
Data Controller, Data Processor, Data Subject, Personal Data: have the meanings ascribed to them in the GDPR.
Data Protection Legislation: the UK Data Protection Legislation and (for so long as and to the extent that the law of the European Union has legal effect in the UK) the GDPR and any other directly applicable European Union regulation relating to privacy.
GDPR: the EU General Data Protection Regulation ((EU) 2016/679)
UK Data Protection Legislation: any data protection legislation from time to time in force in the UK including the Data Protection Act 1998 or 2018 or any successor legislation.
Data Protection Obligations
1.Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
2. Where we make available Personal Data to you in relation to the performance of the Contract:
the parties acknowledge that for the purposes of the Data Protection Legislation, the Relevant Oasis Studio Company is the Data Controller and you are the Data Processor.
the Relevant Oasis Studio Company will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to you for the duration and purposes of the Contract.
3. Where you make available Personal Data to us in relation to the performance of the Contract:
the parties acknowledge that for the purposes of the Data Protection Legislation, you are the Data Controller and the Relevant Oasis Studio Company is the Data Processor.
you will ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of Personal Data to us for the duration and purposes of the Contract.
4. In relation to any Personal Data processed in connection with the performance by either party of its obligations under the Contract, the parties confirm that:
Personal Data shall only be processed on the written instructions of the Data Controller unless the Data Processor is required by Data Protection Legislation to otherwise process that Personal Data;
they will ensure that they have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
they will ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
they will not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the other party has been obtained (which consent may include conditions relating to the transfer of that Personal Data);
They will assist the other party in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
They will notify the other party without undue delay on becoming aware of a Personal Data breach;
They will, at the written direction of the other party, delete or return Personal Data and copies thereof to the other party on termination of the agreement unless required by Data Protection Legislation to store the Personal Data;