1. Terms used in the Agreement
  2. Applicable Rules means the GDPR and the applicable EU laws.; The Principal Personal Data means any personal data made available or transferred by The Principal to the Service Provider and any personal data that the Service Provider processes as “data processor”.
  3. “Data Privacy Applicable Laws” means all applicable laws and regulations in relation to data protection and privacy i.e. protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data, or similar laws that apply in relation to the processing of personal data, including but not limited to the French Data Protection Act No.78-17 of 6 January 1978 as amended and the EU General Data Protection Regulation (EU 2016/679) (“GDPR”).
  4. “Processor”, “Controller”, “Data Subject”, “Joint Controllers”, “processing” “Personal Data” and “Personal Data Breach” shall have the meaning ascribed to each under Data Privacy Applicable Laws. In case of discrepancy between the definitions given by the Data Privacy Applicable Laws, the definitions provided at article 4 GDPR shall prevail.“Sub-Processor”, any processor’s provider which processes or has access to customer personal data. A sub-processor is a sub-contractor of the processor.Capitalised terms used in this Agreement shall have the meaning ascribed to them in the contract of services (“Contract”).In connection with the tasks set out in the Contract to be performed the Service Provider shall be considered as data processor, while the Principal shall be considered as data controller.
  5.  
  6. Subject of data processing (Contract)
  7. In line with Section 1 and Annex no. 1. (Price List) of the Contract.
  8.  
  9. Nature and purpose of data controlling
  10. Nature of data controlling: Making still and motion picture recordings at the venues, in the duration and according to the concept determined by the Principal.
  11. Purpose of data controlling: To implement the photo-artistic concept determined by the Principal in the course of which the Service Provider shall use their skills for taking and selecting suitable photos and performing the necessary post-production work.
  12.  
  13. Type of controlled personal data
  14. Still and motion picture recordings, the voice and image of data subjects. 
  15.  
  16. Categories of data subjects affected by the data controlling
  17. Persons attending the Event, primarily those identified by the Principal.
  18.  
  19. Duration of data processing
  20. The duration specified in Sections 5 and 10 of the Contract. The Data Processor shall retain the Raw Materials referred to in Section 11 of the Contract one year, and then erase the same.
  21.  
  22. Obligations related to Data Processing
  23. The Data Processor’s general obligations.
  24. The Data Controller is obliged to inform the Data Processor in writing of its instructions related to the data controlling (including also, but not limited to the eventual transfer of personal data). The method of giving instructions is in line with the following: The Data Controller sends its instructions related to the data processing to the Data Processor by e-mail to the e-mail address specified in the Contract. The Data Controller is obliged to send these instructions to the Data Processor within reasonable time but no later than 14 days before the event specified in Section 5 of the Contract, to enable their timely implementation. The Data Controller shall indicate any instructions for correction in accordance with Section 10 of the Contract, within 14 days after the delivery of the Results:
  25. The Data Processor’s general obligations:
  26. Data Processor processed Personal Data exclusively on the basis of the Data Controller’s written instructions, fully in accordance with these, except the Applicable rules provided otherwise by The Principal.
  27. the Data Processor has to meet the provisions included in the Applicable Rules and the present Agreement.
  28. the Data Processor is allowed to transfer Personal Data only and exclusively upon the basis of the Data Controller’s prior written instruction to third parties and/ or third country (if the transfert of the Personal is outside of the European Union, the Processor must signed the Standard Contractual Clauses from the European Commission with said third party).
  29.  
  30. Operations to be carried out by the Data Processor on Personal Data
  31. The tasks detailed in Section 1 and Annex no. 1 of the Contract, i.e.:
  32. making the still and motion picture recordings at the venue, using the equipment, in the duration and according to the concept determined by the Data Controller
  33. performing post-production works on the Results;
  34. delivering the Results.
  35.  
  36. Persons authorized to control Personal Data
  37. The Data Processor undertakes to take all reasonable steps in order to, and ensures in all cases that (i) access to Personal Data during the data processing is strictly limited to those persons who are strictly necessary and indispensable for the purpose of performance of the Contract, every persons non identified in the Contract and/ or in this Agreement must be validated by writing by The Principal, that (ii) those persons having access to the Personal Data act always in compliance with the Applicable Rules, including that (iii) these persons undertake a confidentiality obligation and confidentiality agreement, and that (iv) these persons do not process Personal Data except as provided under the Contract, unless required to do so by Union or Member State law.
  38.  
  39. Safety of data processing
  40. The Data Controller and the Data Processor, by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate the measures defined in Article 32 (1) of the GDPR.
  41. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  42. The Data Processor, pursuant to the present Section undertakes to perform the following technical and operational measures:
  43. access to Personal Data is limited only to the authorized persons, only for the processing defined by the Controller. ;
  44. necessary and regular maintenance or, if necessary, development of technical equipment used for dataprocessing ;
  45. placement of the technical equipment storing Personal Data in a closed room, and its physical protection.
  46.  
  47. Obligation of cooperation
  48. The Data Processor is obliged to help the Data Controller by adequate technical and organisational measures to the extent possible to be able to meet its obligations to answer data subjects’ requests (included in Section III. of the GDPR) when exercising their rights.
  49. By taking into account the nature of data processing the Parties agree that in order to fulfil the provisions in Section 11.1, the following technical and organisational measures are considered adequate from the Data Processor’s part:
  50. the Data Processor is obliged to inform the Data Controller immediately if it receives request from the data subject in connection with the Personal Data;
  51. the Data Processor is entitled to answer the request received from the data subject only upon the Data Controller’s prior written consent, or in case if the data Processor is required to do so by some of the Applicable Rules, but in the latest case, if the Applicable Rule authorizes the Data Processor to do so, before answering the request the Data Processor has to inform the Data Controller.
  52. By taking into account the nature of data controlling and the information in the possession of the Data Processor, the Data Processor is obliged to provide help to the Data Controller in connection with any of the tasks, the data protection impact assessment and prior consultation carried out by the authorities having supervisory or other competence and jurisdiction, the notification of a personal data beach and the safety of data controlling, detailed in Articles 32-36 of the GDPR.
  53.  
  54. Data protection incident
  55. If the Data Processor becomes aware of any data protection incident connected with Personal Data it must inform the Data Controller immediately by giving all of the necessary information, in order to ensure that the Data Controller can fulfil all of its notification and information obligation in connection with the data protection incident in due time, as specified in the relevant legislation.
  56. The notification shall cover particularly, but not exclusively the following:
  57. the nature of the data protection incident;
  58. the number of the affected people;
  59. the categories and the number of affected Personal Data;
  60. the expected risks of the data protection incident;
  61. the direct availability of the person who can give more information about the case.
  62. The Data Processor has to cooperate with the Data Controller in connection with the investigation if the data protection incident, the mitigation of its consequences, and the restoration.
  63.  
  64. Deletion and return of personal data
  65. The Data Processor shall without delay, but at the latest within one year after termination of provision of services, permanently delete the Personal Data (including any copies of the same) in accordance with Sections 10 and 11 of the Contract after the delivery of the final version of the Results.
  66. There is only one exception from application of Section 10.1., if the Applicable Rules prescribe the obligation of storage of the Personal Data for the Data Processor. In the latter case the Data Processor is entitled to store the Personal Data only to the extent and for the duration prescribed by the Applicable Rules, and as well in this case it has to grant that Personal Data is treated as confidential and only for the purpose prescribed by the Applicable Rules.
  67. The Data Processor has to provide written certification to the Data Controller without separate request within 7 working days after termination of data processing activity that it fully completed all of its obligations included in the present Section, in the decision of the Data Controller, and in the Applicable Rules within 5 working days after termination of data processing services, and it fully complies with these.
  68.  
  69. Right of control
  70. Upon the Data Controller’s request, the Data Processor has to provide the Data Controller with all information necessary or which can be necessary for the purpose of review of compliance with the obligations included in the present Agreement.
  71. With respect to the present Section of the Agreement the Data Processor has to immediately inform the Data Controller if it finds that any of the Data Controller’s instructions infringes the GDPR or Hungarian or EU’s data protection provisions.
  72. The Data Controller has to inform the Data Processor in due time in connection with the conduct of investigation described in Section 11.1, and the Data Controller has to take all reasonable measures in order to ensure that the investigation causes the slightest possible restriction and disadvantage to the Data Processor. The Data Processor has to provide access to the real estate where its activities take place, and provide access to the equipment which is used when carrying out its tasks for the Data Controller (or for the auditor appointed by the Data Controller), except in the following cases
  73. if the person who would carry out the investigation does not verify his/ her identity properly, and his/ her entitlement to conduct the investigation. Showing the person’s identification card shall be also considered as proper certification, if the Data Controller informed the Data Processor about the identity of the auditor in advance, in writing.
  74. in case of investigation outside working hours, except the investigation is carried out on exceptional, urgent basis and the Data Controller informed the Data Processor about the investigation’s nature before the launch of the investigation.
  75. if the investigation is misused. The Data Processor cannot refer to misused exercise of right if the investigation is based on a reasonable suspicion of unlawfulness of the Data Processor’s data processing activity and/ or its contrary nature to the present Agreement, or if it’s based on the order of the data protection authority having jurisdiction and competence.
  76. In the latter case the Data Controller has to inform the Data Processor of the suspicion raised in connection with the breach of law and/ or agreement, or of the request, decision, order prescribing the investigation.
  77. Transfer of personal data
  78. The Parties agree that if data transfer takes place in the future, the Parties will conclude a separate contract in this respect.
  79.  
  80. Miscellaneous
  81. Regarding the applicable law and jurisdiction the provisions of Section 15 of this Contract shall apply.
  82.  
  83. Use of cookies during the usage of the website
  84. Cookies can be “permanent” or “temporary”. The browser stores permanent cookies for a predefined period in case you do not delete these earlier. Temporary cookies will automatically be deleted when you close your browser.
  85. Cookies can also be “first-party” or “third-party” cookies. First-party cookies are used by the websites of Terrán, while third-party cookies (such as cookies used by Google Analytics) are used by Terrán but these are placed on your device by service providers independent of Terrán.
  86. Necessary cookies
  87. We need the necessary cookies in order to properly operate the website. Without these cookies the website cannot work property. Therefore the use of these cookies is necessary for the protection of the legitimate interest of Terrán. These cookies can be used without user consent and cannot be turned off.
  88. Name / typeProviderData processedPurposeValidity (term of data processingwp-settings-{X} HTTP cookieWordPressNecessary for using certain functions.Proper operation of the website.1 yearwp-settings-time-{X} HTTP cookieWordPressNecessary for using certain functions.Proper operation of the website.1 yeargdpr[allowed_cookies] HTTP cookieWordPressFact of approval.The approval of settings that is necessary for the operation of the Website.1 yeargdpr[consent_types] HTTP cookieWordPressFact of approval.This cookie stores information on which cookie settings has the user consented to.1 year
  89. Functionality cookies
  90. Functionality cookies are not necessary for using the Website, but by using these cookies, we can provide you with better user experience. These cookies store comfort functions in order to personalise the Website (e.g. storing the chosen language or the visited website types). We only use functionality cookies based on Your consent, which you can always withdraw by turning off these cookies in the Data Protection Centre. These cookies do not store personal data
  91. Name / typeProviderData processedPurposeValidity (term of data processinggdpr[privacy_bar] HTTP cookieWordPressFact of approval.This cookie is set, when you review and approve of the cookie notice.1 year
  92. Performance (statistical) cookies
  93. The performance (statistics) cookies are not necessary for using the website. We use these cookies to measure the functionality of our websites in an anonymised way and understand better the needs of our visitors also to provide you with personalised content. We can improve our websites by using these statistical data. We only use the performance cookies based on your consent, which you can always withdraw by turning of performance cookies in the Data Protection Centre.
  94. The performance cookies are installed by third parties therefore you can find detailed information on the use of these cookies in the data privacy policies of such third parties (see the links in the table below).
  95. Name / typeProviderData processedPurposeValidity (term of data processingGoogle Analytics
  96. _ga
  97. HTTP cookieGoogleUrl, website address, name of browser, size of browser window, size of screen, java, flash version, location, languageAnonym statistics.2 yearsGoogle Analytics
  98. _gat,
  99. HTTP cookieGoogleUrl, website address, name of browser, size of browser window, size of screen, java, flash version, location, languageAnonym statistics.It is deleted when you close the browserGoogle Analytics
  100. _gid
  101. HTTP cookieGoogleUrl, website address, name of browser, size of browser window, size of screen, java, flash version, location, languageAnonym statistics.1 day_pinterest_cmpinterest.comUsed by Pinterest to track the usage of services.Anonym statistics.1 year