POLYMEDIA LIMITED incorporated in England (04708453) whose registered office is at 6 The Gardens Office Village, Broadcut Fareham, Hants, PO16 8SS

These data processing terms and conditions (‘Data Processing Agreement’ or ‘DPA’) are supplemental to, and form an integral part of Polymedia’s Standard Terms and Conditions for Services. In case of any conflict or inconsistency with the Standard Terms and Conditions for Services, this DPA shall take precedence.



References to ‘us’ or ‘both of us’ means Polymedia and You together, and ‘each of us’ means each of Polymedia and You individually.


Data Protection Legislation

means all applicable laws and regulations relating to the processing of Personal Data and privacy including the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any statutory instrument, order, rule or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated.

The terms ‘Personal Data’, ‘Personal Data Breach’, ‘Data Protection Officer’, ‘Data Controller’, ‘Data Processor’, ‘Data Subject’, and ‘process’ (in the context of the use of Personal Data) shall have the meanings given to them in the Data Protection Legislation.



means whichever us is disclosing our Information to the other.



means, in this DPA, the European Economic Area and the United Kingdom.



means information (sometimes referred to more generally as ‘confidential information’) that each of us might share with the other that relates to the Discloser’s business, products, services, developments, intellectual property, original materials, trade secrets, know-how, personnel, methodologies, processes, plans or intentions, customers and suppliers, and which is not in the public domain, and includes Personal Data.


Personal Data

means as defined in the Data Protection Act 2018 and the General Data Protection Regulations, including data relating to employees, clients, suppliers, prospects and partners, which will be deemed as Personal Data.



means the reason each of us is sharing Information, which is for the purpose of the commercial relationship between us.



means whichever of us is receiving Information from the other.



means a third-party Data Processor engaged to provide processing services to a Data Processor who is party to this DPA.


1 Roles 

1.1  Each of us may receive Personal Data from the other to enable is to fulfil our respective roles in the Purpose, and Recipient shall process Personal Data in accordance with this DPA. Each of us agrees to comply with Data Protection Legislation in the event we receive Personal Data as Data Controllers.

1.2  Throughout the commercial relationship between us, each of us will be processing the Personal Data of the other’s employees to facilitate contact and co-operation between our respective organisations and achieve our respective business interests. Both of us agree and acknowledge that the other is a Data Controller of such Personal Data.

1.3  Aside from the Personal Data described in clause 1.2, Discloser, acting as Data Controller, may pass Personal Data to Recipient, as Data Processor, for the Purpose.


2 Processing

2.1 Personal Data shall be processed by Discloser:

2.1.1 by use of email and phone or postal correspondence, including occasionally recording calls and meetings; and

2.1.2 for the purpose of managing Recipient’s performance of services delivered to Discloser.

2.2 Personal Data shall be processed by Recipient:

2.2.1 by use of email and phone or postal correspondence, including occasionally recording calls and meetings; and

2.2.2 for the purpose of providing services to Discloser.

2.3 Categories of Data Subjects whose Personal Data will be processed under this DPA include employees, clients, suppliers, prospects and partners.

2.4 The types of Personal Data that will be processed under this DPA include:

2.4.1 identity data such as title, first name and last name;

2.4.2 contact data such as addresses, email addresses and telephone numbers; and

2.4.3 other data that the Data Subject chooses to share with either of us voluntarily in the course of the Purpose.


3 Instruction

3.1 Where the Recipient receives and processes Personal Data as a Data Processor, they shall:

3.1.1 act solely on the Data Controller’s instructions in relation to the processing of that Personal Data. In the event that a legal requirement prevents compliance with such instructions the Recipient shall, unless such legal requirement prohibits them from doing so, inform the Data Controller of the relevant legal requirement before carrying out the relevant processing activities;

3.1.2 at all times, ensure that the necessary technical and organisational measures are in place to prevent unauthorised and unlawful processing or disclosure of the Personal Data and such measures shall include taking reasonable steps to ensure the reliability of any staff who may have access to Personal Data and ensuring that such staff are subject to appropriate confidentiality undertakings.  Recipient shall, save where prohibited by law and as soon as reasonably practical, notify Data Controller of any legal obligation to disclose the Personal Data to a third party;

3.1.3 send Data Controller any communications received from individuals in relation to their Personal Data as soon as reasonably practicable.  Recipient shall provide reasonable co-operation to Data Controller in relation to any individuals exercising their rights under the Data Protection Legislation; 

3.1.4 give the Data Controller reasonable assistance in relation to their compliance with Data Protection Legislation;

3.1.5 take reasonable steps to ensure the confidentiality, integrity, availability and resilience of processing systems and services associated with the processing of Personal Data;

3.1.6 co-operate with Data Controller, and provide such information and access to any facilities, premises or equipment from or on which Personal Data is, has been, or is to be processed pursuant to this DPA (including any such facilities, premises or equipment used by staff and/or sub-contractors) as Data Controller may reasonably require to enable them to monitor compliance with the obligations in this DPA;

3.1.7 notify Data Controller promptly of any Personal Data Breach and assist Data Controller with any investigation into and remediation of a Personal Data Breach.  Recipient shall also provide Data Controller with reasonable assistance with any notifications made to relevant authorities and/or individuals in relation to a Personal Data Breach;

3.1.8 not subcontract any obligations under this DPA regarding the processing of Personal Data to a third-party Sub-Processor without Data Controller’s prior written consent. Recipient shall be liable for the acts and omissions of any Sub-Processors as if they were Recipient’s acts or omissions and Recipient shall ensure that there is a written contract executed between Recipient and the Sub-Processor that contains equivalent protections for Personal Data to those set out in this DPA;

3.1.9 when instructed by Data Controller, immediately cease processing the Personal Data and immediately return any Personal Data to the Data Controller or delete the Personal Data in accordance with Data Controller’s instructions;

3.1.10 submit to audits and inspections carried out directly upon Recipient by a supervisory authority or by the Data Controller, as the Data Controller reasonably believes necessary, based on evidence and providing such evidence in notification to Recipient, and co-operate in any audits and inspections carried out upon Data Controller by third parties; and

3.1.11 inform Data Controller immediately if Recipient receives any requests that would involve infringing Data Protection Legislation.


4 Sub-Processors and International Transfers 

4.1 Recipient shall not be entitled to use Sub-Processors to process, or to transfer outside the EEA, Personal Data received from the Discloser without the Discloser’s express consent.


5 Additional Obligations

5.1 Upon termination of the DPA, or at the end of our commercial relationship, Recipient shall on request return all Personal Data that Discloser has provided and shall delete all records of such from any systems used by Recipient. 

5.2 Nothing in this DPA relieves a Data Processor of its own direct obligations under Data Protection Legislation.

5.3 Data Processors should be aware of the following additional obligations:

5.3.1 to co-operate with supervisory authorities; and

5.3.2 to keep records of its own processing activities.


6 General

6.1 You may send any queries or concerns about our performance under this DPA to our data protection lead at info@polymediapr.co.uk.