GDPR & Data Processing
Data Processing Terms
Insofar as the Press Information which you upload to the MediaHQ services contains Personal Data as defined by the General Data Protection Regulation and the Data Protection Acts 1988 to 2018 (“the Data Protection Laws”), you acknowledge and confirm that MediaHQ is instructed by you as Data Controller to process and publish the said Personal Data on your behalf and in its capacity as a Data Processor and in accordance with the requirements of the Data Protection Laws and the below terms.
Data Sharing
- You and MediaHQ (together “the Parties”) agree that they will each comply with their own obligations as determined under the Data Protection Laws in their respective capacities as Data Controller and Data Processors in respect of the Personal Data, as the case may be.
- The Parties consider it is necessary to share Personal Data with each other, on a Data Controller to Data Processor and on a Data Processor to Data Processor basis as the case may be, for the purpose of providing the Services. (“The Purpose”)
- The following types of Personal Data may be processed and shared between the Parties in accordance with the Purpose:
names, roles, contact details (postal address, telephone number, email), photographs, opinions, employment details, and all other personal data reasonably included in the Press Information (collectively the “Personal Data”).
- The Parties agree that the Personal Data shall be processed in accordance with these terms and kept in the strictest confidence.
- Without prejudice to any other Clause herein, the Parties agree that the responsibility for complying with any request to access data or any other request or communication from a data subject in accordance with their rights as set out in Chapter 3 of the GDPR (“Data Subject Request”) and in respect of the Personal Data held by that Party, falls to you as Data Controller. MediaHQ agrees to provide reasonable and prompt assistance to you, and in any event within three Business Days, as is necessary to enable you to comply with a Data Subject Request and/or to respond to any other queries or complaints received from Data Subjects.
- Each Party will promptly notify the other Party and provide assistance as reasonably requested, where it becomes aware of any complaint by a Data Subject in relation to the processing of Personal Data or any enquiry for formal action by the Data Protection Commission or other Supervisory Authority as to any Party’s compliance regarding processing of the Personal Data.
- The Parties shall maintain a record of any requests/communications received, decisions made, and information exchanged pursuant to these terms.
- The Parties shall not transfer any Personal Data outside the EEA or allow any access to such data from outside the EEA without the explicit consent of the other Party (such consent not to be unreasonably withheld) and subject to such reasonable terms as appropriate having regard to the requirements of the Data Protection Laws.
- Each Party shall have in place appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
- For the purpose of these terms, MediaHQ’s data protection contact shall be dataprotection@mediahq.com and you confirm that your data protection contact point shall be the email address supplied upon subscribing to the Services.
Data Processing
In order for you to fulfil your obligations to Data Subjects, MediaHQ agree to the following terms.
- The subject matter of the processing is the Press Information.
- The term of the processing will commence upon the uploading of the Press Information to the MediaHQ Services and will continue until such time as your subscription is cancelled/ for a period of 24 months following the cancellation of your subscription.
- The nature of the processing will be:
- Storing of the Press Information for the duration of the Services and for a further period of 24 months. At the end of the 24 month period Press Information will be reviewed and sensitive information deleted.
- Publishing/disseminating the Press Information to such media contact as you select from our database as directed by you.
- The categories of data subject will include officers and employees of your company and any third party whose data is included in the Press Information.
Permitted Processing
The Parties agree that the provision of the Services may involve the processing of Personal Data by MediaHQ on your behalf. In such circumstances, MediaHQ agrees that:
- It will make reasonable efforts to assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to it;
- It shall only process such Personal Data in accordance with your documented instructions;
- It shall implement and maintain security measures aimed at protecting such Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing (“the Technical and Organisational Security Measures”);
- You shall be entitled at reasonable times and on reasonable notice, to verify the Technical and Organisational Security Measures adopted by the Data Processors to ensure that such measures comply with the data security obligations in the Data Protection Laws;
- It shall report any incident which gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of such Personal Data to you immediately upon becoming aware of such an incident and shall provide such co-operation and assistance as may be reasonably required by you in the context of any dealings with the Office of the Data Protection Commissioner or other supervisory authority;
- It shall inform you promptly in the event of receiving a data subject access request and shall provide such co-operation and assistance as may be reasonably required to enable you to deal with any subject access request or other data subject right;
- It shall not transfer such Personal Data to a country outside of the European Economic Area;
- It shall disclose the Personal data to a third party only with your prior written consent or as directed by you through the use of the Services;
- It shall ensure that any of its personnel who have access to or deal with any Personal Data are aware of and comply with these provisions;
- MediaHQ shall not engage another processor without your prior specific or general written authorisation. In the case of general written authorisation, MediaHQ shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes
- Where MediaHQ engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in this contract, or as otherwise agreed between MediaHQ and you, shall be imposed on that other processor by way of a contract or other legal act under European Union or Irish law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of GDPR. Where that other processor fails to fulfil its data protection obligations, MediaHQ shall remain fully liable to you for the performance of that other processor’s obligations.
- It shall take reasonable precautions to preserve the integrity of any Personal Data processed by it and to prevent any corruption or loss of such Personal Data.
- If it becomes aware of any unauthorised or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of your Data or that any Personal Data is lost or destroyed or becomes damaged or unusable (“Security Incident”), MediaHQ will notify you without unreasonable delay, but in any event within 12 hours from becoming aware of the Security Incident. MediaHQ will also reasonably cooperate with you with respect to any investigations and with preparing potentially required notices, and providing any information reasonably requested by you in relation to the Security Incident.
- It shall procure that any persons engaged in the Processing of Personal Data, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data and have received appropriate training on their responsibilities
- On the determination of this Agreement or upon the conclusion of the provision of the services relating to the processing of the Personal Data, at the choice of the Data Controller, the Data Processors shall either delete or return all of the Personal Data to the Data Controller, save where it is required by law to retain any or all of the Personal data.