Data Sharing Agreement

For School purposes only (not including nurseries)

The data processor (Kent Portrait Photographer Ltd – KPP) shall only process the personal data only further to documented instructions from the client, including the transfer of personal data to third countries or international organisations, unless provided otherwise by EU or Member State law to which the processor is subject; in the latter case, the processor shall inform the client of the statutory requirement prior to the processing, unless the law prohibits such disclosure on substantial public interest grounds.

Processing of data

Use of WeTransfer to transfer files to the client
The photos will not be processed or transferred through or stored within any other 3rd party products

Confidential Data

We will ensure that data is stored confidentially with sole access to data
We will store data on encrypted drives

Engaging Sub Processors

WeTransfer is agreed as the only sub-processor
It is highly unlikely within the scope of the project to require any other sub-processors. We will get, if required, written permission from compliance if required

Imposing on sub-processors the data protection obligations?

WeTransfer are a highly secure and recognised sub-processor, pre-approved by the client

Technical measures to meet obligational standards, assisting the controller and ensuring compliance with security and certain other obligations

Use of only approved WeTransfer
Data stored on encrypted SSD
Data deleted after usage or within 30 days (whichever is sooner)
Ensuring no use of personal mobile to take footage

Deletion of Data

Data deleted after usage or within 30 days (whichever is sooner)
KPP can be flexible to store data or share data in clients preferred method such as WeTransfer


Other relevant information

Personal data will not be transferred outside of the UK

If there is a data breach e.g. the company is hacked, we will tell the client as soon as possible (and definitely within 72 hours)

KPP complies with the UK GDPR, which does include the right of access. The images KPP processes do not have a corresponding name to identify the data subjects, KPP will rely on the legal exemption that the system is not reasonably searchable (because there is no corresponding identifying information)

Confirmation that the data controller has the right to request deletion prior to the 30 day retention period if required 

Signed by Bridge Houlton
for and on behalf of Kent Portrait Photographer Ltd