GDPR

GDPR

This Data Processing Addendum (the “DPA”) forms part of the Services Agreement (the “Agreement”) between CREATIVEWORLD and the Client specified in the Services Agreement (“Client”).

Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Client Affiliates, if and to the extent CREATIVEWORLD processes Personal Data for which such Client Affiliates qualify as the Controller. In providing the Services to Client pursuant to the Agreement, CREATIVEWORLD may Process Personal Data on behalf of Client, and the parties agree to comply with the following provisions with respect to any Personal Data. The Client that is the contracting party to the Agreement shall remain responsible for coordinating all communication with CREATIVEWORLD under this DPA, and shall be entitled to transmit and receive any communication in relation to this DPA on behalf of its Client Affiliate(s).

Except as modified below, the terms of the Agreement shall remain in full force and effect. Capitalised terms not otherwise defined herein shall have the meaning set forth in the Agreement. In case of a conflict between the terms of the DPA and the Agreement, the terms of the DPA shall prevail. This DPA supersedes and replaces all prior agreements between Client and CREATIVEWORLD regarding the subject matter of this DPA.

DEFINITIONS
In this DPA, the following terms shall have the meanings set out below: CREATIVEWORLD ” means CW Advertising Agency Limited trading as CREATIVEWORLD . CW Advert Ltd is a company registered in England and Wales, number 3116388 and its trading address is Saturn House, 6-7 Mercury Rise, Altham Business Park, BB5 5BY.

CREATIVEWORLD” means CREATIVEWORLD and CREATIVEWORLD Affiliates (if any) engaged in the Processing of Personal Data.
“Controller” means “controller” as defined in the GDPR. “Client Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Client and CREATIVEWORLD, but has not signed its own Order with CREATIVEWORLD and is not a “Client” as defined under the Agreement.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EEA” means the European Economic Area.
CREATIVEWORLD” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means “personal data” as defined in the GDPR that is subjected to the Services under Client’s Agreement.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means “processor” as defined in the GDPR.
“Services” means the services provided by CREATIVEWORLD to Client as agreed in the Agreement.
“Sub-processor” means any Processor engaged by CREATIVEWORLD.
“Supervisory Authority” means an independent public authority, which is established by an EU Member State pursuant to the GDPR.

DPA TERMS

CREATIVEWORLD and the Client hereby enter into this DPA effective as of the last signature date on the Services Contract. This DPA is incorporated into and forms part of the Agreement.

  1. DATA PROCESSING

1.1 Scope and Roles.
This DPA applies when Personal Data is Processed by CREATIVEWORLD as part ofCREATIVEWORLD ’s provision of Services as agreed in the Agreement and the applicable Order. In this context, Client is the Data Controller and CREATIVEWORLD is the Data Processor with respect to Personal Data.

1.2 Client’s Processing of Personal Data.
Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data.

1.3 CREATIVEWORLD’s Processing of Personal Data.
CREATIVEWORLD shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Client’s documented instructions as set forth in Section 2.

1.4 Details of the Processing.
The subject matter of Processing of Personal Data by CREATIVEWORLD  is the performance of the Services pursuant to the Agreement. CREATIVEWORLD will Process Personal Data as necessary to perform the Services pursuant to the Agreement and for the term of the Agreement. The type of Personal Data and categories of Data Subjects, the nature and purpose of the processing are further specified in the CREATIVEWORLD Privacy Policy available at https://www.creativeworld.co.uk/terms-conditions/

1.5 Compliance with Laws. Each party will comply with all applicable laws, rules and regulations, including the Data Protection Laws and Regulations.

  1. CLIENT INSTRUCTIONS

CREATIVEWORLD will process Personal Data only in accordance with Client’s instructions. The parties agree that this DPA and the Agreement are Client’s complete and final documented instructions at the time of signature of the Agreement to CREATIVEWORLD  in relation to the Processing of Personal Data. Additional or modified instructions require a documentation similar to this DPA and any such instructions leading to additional efforts by CREATIVEWORLD beyond the scope of the Services agreed in the Agreement and the Order may result in additional service fees payable by Client that need to be documented in writing. Client shall ensure that its instructions comply with Data Protection Laws and Regulations and that the Processing of Personal Data in accordance with Client’s instructions will not cause CREATIVEWORLD to be in breach of the GDPR.

  1. CREATIVEWORLD PERSONNEL

3.1 Limitation of Access.
CREATIVEWORLD shall ensure that CREATIVEWORLD ’s access to Personal Data is limited to those personnel who require such access to perform the Agreement.

3.2 Confidentiality.
CREATIVEWORLD shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. CREATIVEWORLD shall ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.

3.3 Reliability.
CREATIVEWORLD shall take commercially reasonable steps to ensure the reliability of anyCREATIVEWORLD personnel engaged in the Processing of Personal Data.

3.4 Data Protection Officer.
Effective from 25 May 2018, CREATIVEWORLD shall have appointed, or shall appoint, a Data Protection Officer if Data Protection Laws and Regulations require such appointment. Any such appointed person may be reached at privacy@creativeworld.co.uk

  1. SUB-PROCESSORS
    4.1 Sub-processors. Client acknowledges and agrees that (a) CREATIVEWORLD’s Affiliates may be retained as Subprocessors; and (b) CREATIVEWORLD and its Affiliates respectively may engage third-party Sub-processors in the performance of the Services. CREATIVEWORLD or its Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. Client hereby consents toCREATIVEWORLD ’s use of Sub-processors as described in this Section.

4.2 List of Current Sub-processors and Information about New Sub-processors.
Client may request a current list of Sub-processors for the Services at privacy@creativeworld.co.uk

4.3 Objection Right for new Sub-processors.
Client may object to ’s use of a new Sub-processor by notifying CREATIVEWORLD promptly in writing within 10 business days after CREATIVEWORLD’s update in accordance with the mechanism set out in Section 4.2 above. In the event Client objects to a new Sub-processor, and that objection is not unreasonable, CREATIVEWORLD will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Client. If CREATIVEWORLD is unable to make available such change within a reasonable period of time, which shall not exceed 30 days, Client may terminate the applicable Order(s) in respect only to those Services which cannot be provided by CREATIVEWORLD without the use of the objected-to new Sub-processor, on the condition that Client provides such termination notice within 90 days of being informed of the engagement of the Sub-processor as described in Section 5.2 above. CREATIVEWORLD will then refund Client any prepaid fees covering the remainder of the term of such terminated Order(s) following the effective date of termination with respect of such terminated Services. This termination right is Client’s sole and exclusive remedy if Client objects to any new Sub-processor.

4.4 Liability.
CREATIVEWORLD shall be liable for the acts and omissions of its Sub-processors to the same extentCREATIVEWORLD would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise agreed.

  1. RIGHTS OF DATA SUBJECTS
    CREATIVEWORLD shall, to the extent legally permitted, promptly notify Client if CREATIVEWORLDreceives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, CREATIVEWORLD shall assist Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, CREATIVEWORLD shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent CREATIVEWORLD is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from CREATIVEWORLD ’s provision of such assistance.
  2. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
    CREATIVEWORLD maintains a security incident management policy and shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed byCREATIVEWORLD  or its Sub-processors of which CREATIVEWORLD becomes aware (a “Personal Data Incident”), as required to assist the Client in ensuring compliance with its obligations to notify the Supervisory Authority in the event of Personal Data breach. CREATIVEWORLD shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as CREATIVEWORLDdeems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within CREATIVEWORLD’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s users.
  3. DATA PROTECTION IMPACT ASSESSMENT
    With effect from 25 May 2018, upon Client’s request, CREATIVEWORLD shall provide Client with reasonable cooperation and assistance needed to fulfill Client’s obligation under the GDPR to carry out a data protection impact assessment related to Client’s use of the Services. CREATIVEWORLD shall provide reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority (e.g. ICO) in the performance of its tasks relating to this Section.
  4. RETURN OR DELETION OF PERSONAL DATA
    At the choice of Client, CREATIVEWORLD  shall return Personal Data to Client or delete Personal Data after the end of the provision of Services relating to Processing in accordance with the timeframe specified in the Agreement, unless applicable law requires storage of Personal Data.
  5. TRANSFERS OF PERSONAL DATA
    CREATIVEWORLD will not move the Personal Data without Client’s prior written consent or unless required to comply with applicable law.
  6. LIABILITY
    The total and aggregate liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
  7. TERM AND TERMINATION OF THE DPA
    This DPA will become legally binding once both parties have received a countersigned copy of the Services Contract and the DPA shall continue in force until the termination of the Agreement.

Updated – 01 June 2018

Automatic Data Collection
Cookies:  Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

The table below explains the cookies we use and why.

Cookie

Name

Purpose

More information

Google Analytics

_utma

_utmb

_utmc

_utmz

These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.

Click here for an overview of privacy at Google

Creativeworld site cookie acceptance

civicAllowCookies

This cookie is used to record if a user has accepted the use of cookies on the Creativeworld website.

Creativeworld show cookie icon

civicShowCookieIcon

This cookie is used to record if a user has accepted the use of cookies on the Creativeworld website and sets the cookie notification to not display

PHPSESSID

PHPSESSID

This cookie collects information in an anonymous form. This cookie expires when you close your browser.

Expires: At end of session

Performance Tracking: We sometimes use cookies, as well as tracking technology, such as web beacons, within the promotional emails that we send to our subscribers or advertisements for our Site. These performance tracking devices help us to track whether an e-mail recipient has completed an event, such as signing up for a free trial for example. Such information is non-personally identifying and collected on an aggregate level. We sometimes utilise third party service providers to help us track the activity within our Site. These third parties may use temporary cookies and/or web beaconing technology to facilitate such tracking but the data would not be tracked in a personally identifiable way. Third parties whose products or services are accessible on our Site may also use cookies, and we advise you to check their privacy policies for information about their cookies and other privacy practices.

Security

Creativeworld endeavours to protect the security of your personal information and your choices for its intended use. We use Secure Socket Layers or SSL technology to protect the transmission of sensitive personal information. We store your personal information on a secure server, and use procedures designed to protect the personal information we collect from unauthorised access, destruction, use, modification or disclosure.

Although we will take (and require our third-party providers to take) commercially reasonable security precautions regarding your personal information collected from and stored on the Site, due to the open nature of the Internet, we cannot guarantee that any of your personal information stored on our servers, or transmitted to or from a user, will be free from unauthorised access, and we disclaim any liability for any theft or loss of, unauthorised access or damage to, or interception of any data or communications. By using the Site, you acknowledge that you understand and agree to assume these risks.

Modification of Your Information, Choices, and Preferences
Opt-out Right: If you would like to opt out of any of our marketing programs, or wish to withdraw your consent to us contacting you via your e-mail, phone number or if your personal details change, please contact us through one of the following: (i) by telephone, at 01282 858200; (ii) by email, by following the Opt-Out instruction contained in the body of any marketing e-mail from us or by sending us an e-mail at info@creativeworld.co.uk by including a copy of the e-mail you have received and by typing “Remove” in the subject line of your e-mail; or (iii) by mail, Creativeworld, Saturn House. Mercury Rise, Altham Business Park, Altham, Lancashire, BB5 5BY

Access: Creativeworld will provide reasonable opportunity for individuals to review and correct personal information that is maintained by Creativeworld about them. Requests to alter personal information can be sent to info@creativeworld.co.uk

Your election not to receive newsletters or promotional and marketing correspondence from us will not: (a) preclude us from corresponding with you, by email or otherwise, regarding your existing or past relationship with us, and (b) preclude us, including our employees, contractors, agents and other representatives, from accessing and viewing your personal information in the course of maintaining and improving the Site.

Your Acceptance of this Privacy Policy: By using this Site, you signify your acceptance of our Privacy Policy. If you do not agree to this Privacy Policy, please do not use our Site. We reserve the right, at our discretion, to change, modify, add, or remove portions from this Privacy Policy at any time so visitors are encouraged to review this Privacy Policy from time to time. Your continued use of our Site following the posting of changes to these terms means you accept these changes.

By 25th May 2018, your company will have to be compliant. If you’re unsure what GDPR is and how it will affect your business, below are a couple of useful links:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

https://www.gdpr.school/free-resources/

https://www.gdpr.school/news/

GDPR DEADLINE 25th MAY 2018